General
-
Target
RFQ.xlsx
-
Size
1.2MB
-
Sample
210113-dyl4xbq7mx
-
MD5
6d15e3fa6531d655568411b2f2386f57
-
SHA1
d0d75807dac5812ff5a8f750a27a30c0bb4a1988
-
SHA256
818220205205240d3372acfecafd1a44859b249fced60a9a5511318306ff1aa4
-
SHA512
e7c4ff1ae95696a32b612058f1a78e7294cb36138b38ce5352a2c3cf9c09d9f5463fe2d87483a1bff8d83610ab65605fa16370a65f30dc14f286a07835daca3a
Static task
static1
Behavioral task
behavioral1
Sample
RFQ.xlsx
Resource
win7v20201028
Behavioral task
behavioral2
Sample
RFQ.xlsx
Resource
win10v20201028
Malware Config
Extracted
formbook
http://www.bytecommunication.com/aky/
jeiksaoeklea.com
sagame-auto.net
soloseriolavoro.com
thecreatorsbook.com
superskritch.com
oroxequipment.com
heart-of-art.online
liwedfg.com
fisherofsouls.com
jota.xyz
nehyam.com
smart-contact-delivery.com
hoom.guru
dgryds.com
thesoakcpd.com
mishv.com
rings-factory.info
bero-craft-beers.com
podcastnamegenerators.com
856379813.xyz
ruinfectious.com
wdcsupport.com
youngbrokeandeducated.com
shpments75.com
louisbmartinez100th.com
shining.ink
hkexpresswaterford.com
quickcashoffersatl.com
180cliniconline.com
mainriskintl.com
clinicadosorriso.com
kuxueyunkeji.com
smart-acumen.com
maisonkerlann.com
jewishposter.com
xn--w52b77ujva.com
antoniodevivo.com
diversitypatriots.com
tiotacos.company
ventumgi.com
ip-tv.online
smithvilletexashistory.com
amruta-varshini.com
wildpositive.com
alifezap.com
nczjt.net
palmsvillaswhitneyranch.com
experiencemoretogether.com
dewitfire.com
scruffynotfluffy.online
bazarsurtidorico.com
dayscosmetics.com
tpsvegas.com
externalboard.com
2125lynchmere.com
agroplenty.com
easterneuropemall.com
whtoys888.com
writehousepoint.com
ppeaceandgloves.com
sadtire.press
jj3994.com
smokenengines.com
offplanprojects-re.com
Targets
-
-
Target
RFQ.xlsx
-
Size
1.2MB
-
MD5
6d15e3fa6531d655568411b2f2386f57
-
SHA1
d0d75807dac5812ff5a8f750a27a30c0bb4a1988
-
SHA256
818220205205240d3372acfecafd1a44859b249fced60a9a5511318306ff1aa4
-
SHA512
e7c4ff1ae95696a32b612058f1a78e7294cb36138b38ce5352a2c3cf9c09d9f5463fe2d87483a1bff8d83610ab65605fa16370a65f30dc14f286a07835daca3a
-
Formbook Payload
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-