General
Target: IMG-CMR.xlsx
Size: 2.0MB
Sample: 210111-yjb921d83s
MD5: 507d646c9dafa980a1f39c911ed5086a
SHA1: e90c1561a6f1af214ef41cd1bfc03e8eb774412d
SHA256: faaeac08804e5737076cfef12e58a3375c8233a477b3f64b0c5ecb9b752954c3
SHA512: 37c7b2ed8d7739c1c24bcde0c56f3a0325eed24a65cf638a88c5a33c05cb332798c5b829f0a4a77e54ecb247dabbad21b3d0e7daba613ccffc7288745ec03ae9
Static task: static1
Behavioral task: behavioral1 (Sample: IMG-CMR.xlsx, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: IMG-CMR.xlsx, Resource: win10v20201028)
Malware Config
Extracted: formbook
http://www.thesiromiel.com/kgw/
valentinakasu.com
soyelmatador.com
collaborativeprosperity.com
power8brokers.com
nexus-ink.com
manpasandmeatmarket.com
the-ethical-forums.today
maryannpark.com
bikininbodymommy.com
pxwuo.com
bigbangmerch.com
okaysinger.com
shopcarpe.com
rainbowhillsswimclub.com
crifinmarket.com
ebl-play.net
forceandsonsequipment.com
viagraytqwi.com
latashashop.com
suffocatinglymundanepodcast.com
metanoria.com
camera-kento.com
hotsaledeals.store
outlawgospelshow.com
saisaharashipping.com
buyiprod.com
pestigenix.com
opendesignpodcast.com
patentml.com
covaxbiotech.com
youjar.com
domvy.xyz
remodelmemphis.com
milehighdistributionllc.com
merchandisingpremium.com
fallguysmovile.com
actuelburo.xyz
nedlebow.com
shopcryptocurrency247.com
riellymoore.com
affinitymotorsales.com
akmh.pro
hsrrxs.com
atlanticdentallab.com
sagarpantry.com
murinemodel.com
karybeautycare.com
boshangkeji.com
dailynewstodays.com
oregonpyramids.com
dsjmzyz.com
gidagozlemevi.com
tribelessofficial.com
cyberonica.com
onehourcheckout.com
tenaflypedatrics.com
nbworldfire.com
setyourhead.com
manticore-habitat.com
iqftomatoes.com
fejsearesete.com
gregsgradeaappliancerepair.com
sfmfgco.com
directprnews.com
Targets
Target: IMG-CMR.xlsx
Size: 2.0MB
MD5: 507d646c9dafa980a1f39c911ed5086a
SHA1: e90c1561a6f1af214ef41cd1bfc03e8eb774412d
SHA256: faaeac08804e5737076cfef12e58a3375c8233a477b3f64b0c5ecb9b752954c3
SHA512: 37c7b2ed8d7739c1c24bcde0c56f3a0325eed24a65cf638a88c5a33c05cb332798c5b829f0a4a77e54ecb247dabbad21b3d0e7daba613ccffc7288745ec03ae9
- Formbook Payload
- Looks for VirtualBox Guest Additions in registry
- Blocklisted process makes network request
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext