General
-
Target
RFQ.xlsx
-
Size
1.4MB
-
Sample
210114-ef22mkwmfe
-
MD5
c15273784bc0bf72b8c4a1118be6aa58
-
SHA1
6eca54832d4acd388a69a53ba5b8059e8cc2c29c
-
SHA256
d2139bcc2f4a4ac6e91de5f9f55d23743f61023e494fac3e13817a9f558d959e
-
SHA512
0c89c44fe4f2d9e0af857773d6a4d71e7311a1b44ea7b780cdb34f2ea38984e4d74876f0c9d608d8a30a331be295454d75baa51ef4dbdcb33e6d51c97cda1a7b
Static task
static1
Behavioral task
behavioral1
Sample
RFQ.xlsx
Resource
win7v20201028
Behavioral task
behavioral2
Sample
RFQ.xlsx
Resource
win10v20201028
Malware Config
Extracted
formbook
http://www.bytecommunication.com/aky/
jeiksaoeklea.com
sagame-auto.net
soloseriolavoro.com
thecreatorsbook.com
superskritch.com
oroxequipment.com
heart-of-art.online
liwedfg.com
fisherofsouls.com
jota.xyz
nehyam.com
smart-contact-delivery.com
hoom.guru
dgryds.com
thesoakcpd.com
mishv.com
rings-factory.info
bero-craft-beers.com
podcastnamegenerators.com
856379813.xyz
ruinfectious.com
wdcsupport.com
youngbrokeandeducated.com
shpments75.com
louisbmartinez100th.com
shining.ink
hkexpresswaterford.com
quickcashoffersatl.com
180cliniconline.com
mainriskintl.com
clinicadosorriso.com
kuxueyunkeji.com
smart-acumen.com
maisonkerlann.com
jewishposter.com
xn--w52b77ujva.com
antoniodevivo.com
diversitypatriots.com
tiotacos.company
ventumgi.com
ip-tv.online
smithvilletexashistory.com
amruta-varshini.com
wildpositive.com
alifezap.com
nczjt.net
palmsvillaswhitneyranch.com
experiencemoretogether.com
dewitfire.com
scruffynotfluffy.online
bazarsurtidorico.com
dayscosmetics.com
tpsvegas.com
externalboard.com
2125lynchmere.com
agroplenty.com
easterneuropemall.com
whtoys888.com
writehousepoint.com
ppeaceandgloves.com
sadtire.press
jj3994.com
smokenengines.com
offplanprojects-re.com
Targets
-
-
Target
RFQ.xlsx
-
Size
1.4MB
-
MD5
c15273784bc0bf72b8c4a1118be6aa58
-
SHA1
6eca54832d4acd388a69a53ba5b8059e8cc2c29c
-
SHA256
d2139bcc2f4a4ac6e91de5f9f55d23743f61023e494fac3e13817a9f558d959e
-
SHA512
0c89c44fe4f2d9e0af857773d6a4d71e7311a1b44ea7b780cdb34f2ea38984e4d74876f0c9d608d8a30a331be295454d75baa51ef4dbdcb33e6d51c97cda1a7b
-
Formbook Payload
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-