General
Target: Payment Advice.xlsx
Size: 2.4MB
Sample: 210112-6ql9yyp972
MD5: 90e24d9354f74d28a4b5edd8238e8fdb
SHA1: 473f33184394bb97dc6625e4b7c7a35c01bd5ceb
SHA256: 4bf43d358ffe48a24655d1667c8dbcf9ad5f0d41c835dbd80e3e348198db081a
SHA512: 79ff76634239186e56560c9387eb874eeeda6788bffbd2e3314b69d96d998c10939a0cbe27ea18003bbe38326cf396207080437c3fe27b7b3fa5878810a13287
Static task
static1
Behavioral task
behavioral1: Payment Advice.xlsx, resource win7v20201028
behavioral2: Payment Advice.xlsx, resource win10v20201028
Malware Config
Extracted: formbook
C2 URL: http://www.zglvyouzaixian.com/nki/
Domains from the same config (a Formbook config carries one real C2 path plus a list of decoy domains, and the bot beacons to decoys as well as the real server; block the whole list, but treat a hit on the C2 path above as a stronger signal than a bare-domain hit, and expect some benign-site noise from the decoys):
igo-digiworld.com
infrahiit.com
herhealingwater.com
inspiredbytradition.com
onlinepropertyworld.com
rvwdj.com
mudahbikinsuhi.online
multipleofferonline.com
striveyouthministry.com
affectiveneuro.net
f21m.com
perfumefashion.icu
instantcash4rvs.com
help-verifiedbadge.com
solomonislandsblog.com
vipshoppingwizard.com
doggybargains.com
fjyaoxi.net
luxpropertyandassociates.com
companyfinders.com
alifeflooring.com
watermeloncrypto.com
internationalaid.global
petrosu.net
fireyourschool.com
gofawerunebe.com
lazystorage.com
tgasstore.com
adoniskitchenbath.com
it4cracks.com
revsharez.com
radioroutiers.com
szalun.com
theacademylife.com
jackcdoherty.com
theselfcaremenu.com
arentist.com
skyfun.asia
kroumoda.com
brodskikonetejneri.com
citestmansoon3445.com
laalianza.net
lwfenterprises.com
changeledger.com
x-box2send15.club
postraducion.xyz
kpybevx.icu
lolamind.com
jaipurethnic.com
candixenergy.com
degreespoint.com
311tac.com
donationwheel.com
ps3e.com
hyderabadcycles.com
nehyam.com
eversouthhangzhou.com
modaemira.com
k2bsi.com
jiopan.com
wheelerfamilyhistory.net
htaxbiz.com
somethinggotmestarted.com
aprilsbookkeeping.com
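The config above is only useful once it is matched against telemetry. The following is an added example, not sandbox output or code from the report: it loads the C2 URL, a subset of the config domains and the sample hashes listed on this page, then scans a few constructed key=value log lines (made up for illustration; the log format is an assumption) and ranks hits so that the real C2 path outranks a bare decoy-domain match. It handles the trailing dot DNS logs keep on names, mixed case, and subdomain matches.

```python
"""IOC matcher built from the extracted Formbook config on this page.
Added example; the log lines and the key=value log format are constructed."""
from urllib.parse import urlparse

# IOCs copied from the report above.
C2_URL = "http://www.zglvyouzaixian.com/nki/"
CONFIG_DOMAINS = [  # subset of the domain list above; extend with the rest as needed
    "igo-digiworld.com", "infrahiit.com", "herhealingwater.com",
    "inspiredbytradition.com", "watermeloncrypto.com", "aprilsbookkeeping.com",
]
SAMPLE_HASHES = {
    "md5": "90e24d9354f74d28a4b5edd8238e8fdb",
    "sha1": "473f33184394bb97dc6625e4b7c7a35c01bd5ceb",
    "sha256": "4bf43d358ffe48a24655d1667c8dbcf9ad5f0d41c835dbd80e3e348198db081a",
}

_c2 = urlparse(C2_URL)
C2_HOST = _c2.hostname.lower()   # www.zglvyouzaixian.com
C2_PATH = _c2.path               # /nki/


def normalize_host(name):
    """Lower-case and strip the trailing dot that DNS logs often keep."""
    return name.strip().lower().rstrip(".")


def host_matches(host, ioc_domain):
    """True if host equals ioc_domain or is a subdomain of it."""
    host = normalize_host(host)
    return host == ioc_domain or host.endswith("." + ioc_domain)


def classify(host, path=None):
    """Return (severity, matched_ioc) or None.
    high   : the C2 host, and the /nki/ beacon path when a URL path is available
    medium : the C2 host on another path, or any domain from the config list
    """
    if host_matches(host, C2_HOST):
        if path is None or path.startswith(C2_PATH):
            return ("high", C2_URL)
        return ("medium", C2_HOST)
    for d in CONFIG_DOMAINS:
        if host_matches(host, d):
            return ("medium", d)
    return None


def parse_kv(line):
    """Parse a 'k=v k2=v2' log line (constructed format for this example)."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    return fields


def scan(lines):
    """Return [(line_no, severity, ioc)] for every log line that hits an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = parse_kv(line)
        result = None
        if f.get("type") == "dns" and "query" in f:
            result = classify(f["query"])
        elif f.get("type") == "http" and "url" in f:
            u = urlparse(f["url"])
            if u.hostname:
                result = classify(u.hostname, u.path)
        elif f.get("type") == "file":
            for algo, value in SAMPLE_HASHES.items():
                if f.get(algo, "").lower() == value:
                    result = ("high", f"{algo}:{value}")
                    break
        if result:
            hits.append((n, result[0], result[1]))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "type=dns src=10.0.0.15 query=www.zglvyouzaixian.com.",
    "type=http src=10.0.0.15 url=http://www.zglvyouzaixian.com/nki/?abc=1",
    "type=http src=10.0.0.15 url=http://WWW.infrahiit.com/nki/",
    "type=dns src=10.0.0.22 query=mail.example.com",
    "type=file host=WS01 name=Payment_Advice.xlsx "
    "sha256=4BF43D358FFE48A24655D1667C8DBCF9AD5F0D41C835DBD80E3E348198DB081A",
]

if __name__ == "__main__":
    for n, sev, ioc in scan(SAMPLE_LOGS):
        print(f"line {n}: {sev:6s} {ioc}")
```

Run as-is it reports lines 1, 2 and 5 as high and line 3 as medium; line 4 is clean. The severity split matters in practice: a decoy domain may be a real business site that other users visit, so a medium hit is a pivot point for checking the source host, while a request to the /nki/ path is a beacon.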
Targets
Payment Advice.xlsx (2.4MB; MD5, SHA1, SHA256 and SHA512 as listed under General above)
Signatures
- Formbook Payload: the Formbook stealer was identified in the analysis, which is where the config above was extracted from.
- Blocklisted process makes network request: a process on the sandbox's blocklist issued network traffic (the report does not name the process).
- Executes dropped EXE: an executable written to disk during the run was launched.
- Loads dropped DLL: a DLL written to disk during the run was loaded.
- Uses the VBS compiler for execution: the .NET Visual Basic compiler (vbc.exe) was started; a compiler being launched from a spreadsheet is itself an anomaly worth alerting on, and Formbook is known to run inside a legitimate Windows binary.
- Suspicious use of SetThreadContext: SetThreadContext was called on a thread in another process, the API used in process hollowing to point a suspended process at injected code.