General
-
Target
SHEXD201990876_SHIPPING_DOCUMENT.xlsx
-
Size
2.5MB
-
Sample
210119-bmnpxk3gfj
-
MD5
2c9db0d5c6a4be66adb184938d9db249
-
SHA1
1e69dfa4b0658e2ebc4e0dc1f2af49b64461e961
-
SHA256
722cdd01068078065b845e83ae2bb9da3683de4f756cf2a8a894a2780f42013d
-
SHA512
14fb97dce253ebbddccdbe8a437869d60177695ae5e550173b3fad18ea5cdfb1a795c328c52d7f0e58def26c25dfa85f358f87d69115554860b0c1344d0b9261
Static task
static1
Behavioral task
behavioral1
Sample
SHEXD201990876_SHIPPING_DOCUMENT.xlsx
Resource
win7v20201028
Behavioral task
behavioral2
Sample
SHEXD201990876_SHIPPING_DOCUMENT.xlsx
Resource
win10v20201028
Malware Config
Extracted
formbook
http://www.theatomicshots.com/xle/
tknbr.com
loyaloneconstruction.com
what-where.com
matebacapital.com
marriedandmore.com
qiemfsolutions.com
graececonsulting.com
www7456.com
littlefreecherokeelibrary.com
tailgatepawkinglot.com
musheet.com
tesfamariamtb.com
1728025.com
xceltechuae.com
harperandchloe.com
thepamperedbarber.com
5050alberta.com
supplychainstrainer.com
lacorte.group
ringingbear.com
dwerux.com
localeastbay.com
zhongyier.com
liamascia.com
bigdudedesign.com
agilearccreations.com
clxkxmk.com
articlesforthehome.com
prestiticadalanu.com
mayanroofingsystems.com
homeherbgardener.com
ricardoinman.com
xrhaoqilai180.xyz
queromake.com
holywaterfoundation.com
modacicekevi.com
beardeco.com
universityhysteria.com
lastguytogetcorona.com
winton.school
sanborns.xyz
bbluebay3dwdshop.com
mateingseason.com
oro-iptv.com
pdlywh.com
fallgus.com
dezignercloset.com
dasarelektronika.info
cyberparkplace.com
serenshiningarts.com
edgecase.pro
binhminhgarrden.net
fansofads.com
fortykorp.com
shastaestatesseniorliving.com
raksrecording.com
mack-soldenfx.com
freisaq.com
sesaassociates.com
calerconsult.com
sarahpyle.xyz
threepeninsulas.com
proficienthomesalesandloans.com
floridasoapwork.com
Targets
-
-
Target
SHEXD201990876_SHIPPING_DOCUMENT.xlsx
-
Size
2.5MB
-
MD5
2c9db0d5c6a4be66adb184938d9db249
-
SHA1
1e69dfa4b0658e2ebc4e0dc1f2af49b64461e961
-
SHA256
722cdd01068078065b845e83ae2bb9da3683de4f756cf2a8a894a2780f42013d
-
SHA512
14fb97dce253ebbddccdbe8a437869d60177695ae5e550173b3fad18ea5cdfb1a795c328c52d7f0e58def26c25dfa85f358f87d69115554860b0c1344d0b9261
-
Formbook Payload
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-