General
-
Target
MV. XIN YU.xlsx
-
Size
1.6MB
-
Sample
210114-ezddfmzy6j
-
MD5
d715d4d4a61b5f887a208c9bddafb9da
-
SHA1
6cdfe2b35e2418f634a2ab2f0b0edb1cef68faac
-
SHA256
7ef5f3085a43a8ab9c302aa9127d13fea92daa426d999181eeba1bc2d8643c44
-
SHA512
af47a4d74577e847cee79e082036bead674054192161eb747c6f6ceaed7de578dde2186ccd0c1a6ad642244e25675b548b3733a3abefcac172cc13cc9f062092
Static task
static1
Behavioral task
behavioral1
Sample
MV. XIN YU.xlsx
Resource
win7v20201028
Behavioral task
behavioral2
Sample
MV. XIN YU.xlsx
Resource
win10v20201028
Malware Config
Extracted
formbook
http://www.huynhanhdung.com/kna/
lawrencefiredepartment.com
executivehomeoffices.com
solfed.world
oshawaexchange.com
webdavlexstore.com
youpieb.com
chiller-master.com
bearstoragetn.com
daf90x16.com
gewhacaalouine.com
simplyezi.com
cstechnologyservices.com
nosyboats.com
thecocomarie.com
vetinaryeco.club
americangoselfilm.com
gdsuhejia.com
verbunden-sein.net
the-minerva.com
loctrantv.com
casualluvonline.com
groups3usa.com
ncdcnow.com
qrastenmap.online
ltjxw.net
crystalblueboating.com
51adcn.com
abrasto.com
smokegas.com
schofieldoutpost.com
sh-ruidiclub.com
zzyxgl.com
qpremodeling.com
ayzvyeco.icu
modestartgallery.com
ref478.com
astutetopshop.com
pinebarrenfarms.com
webprofiji.com
purfect-air.com
transformesuasaude.com
oz-men.com
mpjjpwp.icu
zeinabiohouse.com
shopwaterlemon.com
radiohebron.com
americanheraldnews.com
clinicadentalfika.com
throughthelorgnette.com
carte-diem.com
elderstatesmanarchive.com
nanhulove.com
melonicwater.com
streamingdads.com
indrapandhari.com
dc-prices.com
xstarconnect.com
weninse.com
atlantavirtualmeetings.com
jobhelpseekers.com
freisaq.com
viajeaatenas.com
worldparcel.net
qcc3.com
Targets
-
-
Target
MV. XIN YU.xlsx
-
Size
1.6MB
-
MD5
d715d4d4a61b5f887a208c9bddafb9da
-
SHA1
6cdfe2b35e2418f634a2ab2f0b0edb1cef68faac
-
SHA256
7ef5f3085a43a8ab9c302aa9127d13fea92daa426d999181eeba1bc2d8643c44
-
SHA512
af47a4d74577e847cee79e082036bead674054192161eb747c6f6ceaed7de578dde2186ccd0c1a6ad642244e25675b548b3733a3abefcac172cc13cc9f062092
-
Formbook Payload
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-