General
Target: RFQ TK011821.doc
Size: 1.5MB
Sample: 210118-vfrg1lqbc2
MD5: ec733578c8fccf0e3930ddcb2b337228
SHA1: df8b20801a5ee07f8de71679bb434c94858b0f9e
SHA256: ef25940acecd4fd916e53386f63b8fb69102f2f13e2b7b9e89f64775da9afa08
SHA512: 2af97e61aa4b3efbf1e1027f7a937130bf2e31ef21f123beff209dd72a0adbad3d1da6e8244e5ffffc3838c3439d4aa2492498866b4a5d9ba87cfd4d1cda3a59
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ TK011821.doc.rtf
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: RFQ TK011821.doc.rtf
  Resource: win10v20201028
Malware Config
Extracted: formbook
http://www.sob.xyz/p7v/
Targets
Target: RFQ TK011821.doc
- Process spawned unexpected child process (this typically indicates the parent process was compromised via an exploit or macro)
- Formbook Payload
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext