General
Target: SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.18733.11009
Size: 1.8MB
Sample: 210111-aznttj1xl2
MD5: f4230f83573dbf097b3219588cd656f2
SHA1: 276874cf73eea9c561525b4f45e23acb84a59e33
SHA256: 970aa1ea39079684830789ad8c5c9cbf9777b65fdb44130aa8bbe4b88245e6fc
SHA512: 2933e892851cfdec1c3a12880b29e5426259857a657471ee2410bb5bda1ec2ed11223a03a1b7924e85dcab8d3975c50b8caed271962abe583cd52ae227dee7e2

Static task: static1
Behavioral task: behavioral1
    Sample: SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.18733.11009.rtf
    Resource: win7v20201028
Behavioral task: behavioral2
    Sample: SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.18733.11009.rtf
    Resource: win10v20201028

Malware Config
Extracted: formbook
http://www.familyof2.com/p3c/
scsykt.com
333999dy.com
soaringhood.net
thejaxstar.com
sakura-wedding.com
ussalesmarketing.com
mathworksheetsforkids.net
bestchinesefoods.com
theparkchi.com
cb6333.com
xldd0817nt15vkr6.xyz
joyousheartphotography.com
kittylol.com
caufooding.com
pippamalmgren.life
saveitall.today
connect-clarity.info
smartestgift.com
nilshana.com
arkpropertysolutions.com
iircad.com
theidahojosh.com
theperfect-date.com
roboeditor.com
battlebornbourbon.net
supermarioplumbing.net
ingrid4u.com
kirkwoodexecutive.com
centroufologicosiciliano.info
opostoriesfromthenba.com
issuingsolution.com
coronakite.com
money-beast.com
adboozl.com
ideasdelvino.com
betwho.site
wanshanglian.com
nehyam.com
mohdaziz.com
niagateknik.com
archivosr.com
appositedocument.club
cleanviser.com
the1099guy.com
beautyprorecommends.com
shireprojectservices.com
crony-resolute.info
lnlenqin.com
task-center.com
wherecanidropoffmyballot.net
goroito-glashaus.com
collegiate-services.com
putrajayamall.com
dodiblunts.com
amusingsbyamber.com
lifelongcart.com
nuestravida.site
braidwood-uk.com
sirg-consulting.com
farleymullen.com
cchidwick.xyz
nutritionaldonuts.com
dbf.network
comercializadorasepter.net

Targets
Target: SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.18733.11009
Signatures:
- Process spawned unexpected child process
    This typically indicates the parent process was compromised via an exploit or macro.
- Formbook Payload
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext