General

Target: SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.5396.813
Size: 1.8MB
Sample: 210111-ldy9ygv7sx
MD5: fdeb0e464d28dffb8a6af124394c3603
SHA1: 5870451a561fc8756e967489a72a8425f37c75ef
SHA256: e5506151004fb2bc61a295691922fb4501b5fcd02447ab2ba85fd75cd5f2e90f
SHA512: a493a808b7a329e8845f82a2492f95f7da828d18cef8c83865a91a021eec7722726168a4d8f8a7c9edb5e58ba57231164c8c17633818da91019fcf0c1b8f153d

Static task: static1

Behavioral task: behavioral1
Sample: SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.5396.813.rtf
Resource: win7v20201028

Behavioral task: behavioral2
Sample: SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.5396.813.rtf
Resource: win10v20201028
Malware Config

Extracted: formbook
http://www.lisetteperez.media/th9/
Targets
- Process spawned unexpected child process. This typically indicates the parent process was compromised via an exploit or macro.
- Formbook Payload
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext