General
- Target: SwiftMT1O3.xlsx
- Size: 2MB
- Sample: 210122-83svrnz1ba
- MD5: 01a88cf9ab93b715387c2f3ba777cf6e
- SHA1: 19fad6f30f2b31fec8708a9897c630f8065f61a5
- SHA256: 970c5c7c04d9f838897c5914b840f40c0bf1dbf61503ba093a68552336952345
- SHA512: 2dca7bbb27e320a43d04adc3d118bbb6a2c3ce0494c10a5d39805350d0cea5852b57e354aedc10b8f5d2eec54ece38caeb458d6e536166bb3958764513aba4ba
Static task: static1
Behavioral task: behavioral1 (sample SwiftMT1O3.xlsx, resource win7v20201028)
Behavioral task: behavioral2 (sample SwiftMT1O3.xlsx, resource win10v20201028)
Malware Config
- Extracted: formbook
- C2 URL and domain list:
http://www.huynhanhdung.com/kna/
lawrencefiredepartment.com
executivehomeoffices.com
solfed.world
oshawaexchange.com
webdavlexstore.com
youpieb.com
chiller-master.com
bearstoragetn.com
daf90x16.com
gewhacaalouine.com
simplyezi.com
cstechnologyservices.com
nosyboats.com
thecocomarie.com
vetinaryeco.club
americangoselfilm.com
gdsuhejia.com
verbunden-sein.net
the-minerva.com
loctrantv.com
casualluvonline.com
groups3usa.com
ncdcnow.com
qrastenmap.online
ltjxw.net
crystalblueboating.com
51adcn.com
abrasto.com
smokegas.com
schofieldoutpost.com
sh-ruidiclub.com
zzyxgl.com
qpremodeling.com
ayzvyeco.icu
modestartgallery.com
ref478.com
astutetopshop.com
pinebarrenfarms.com
webprofiji.com
purfect-air.com
transformesuasaude.com
oz-men.com
mpjjpwp.icu
zeinabiohouse.com
shopwaterlemon.com
radiohebron.com
americanheraldnews.com
clinicadentalfika.com
throughthelorgnette.com
carte-diem.com
elderstatesmanarchive.com
nanhulove.com
melonicwater.com
streamingdads.com
indrapandhari.com
dc-prices.com
xstarconnect.com
weninse.com
atlantavirtualmeetings.com
jobhelpseekers.com
freisaq.com
viajeaatenas.com
worldparcel.net
qcc3.com
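The extracted config above is the most directly actionable part of the report: one full URL plus a long list of bare domains. The example below is added here and is not part of the sandbox report or the extractor's own code. It turns that config into network IOCs and runs them over a few constructed proxy-log lines. It assumes, as is typical of Formbook, that the entry with a scheme and path ("/kna/") is the C2 URL, that the bare domains are the decoy hosts the sample also beacons to, and that the same URI path is requested on every host in the list; only the first few decoy domains are reproduced, and the log lines, client IPs and timestamps are invented.

```python
"""Derive network IOCs from the extracted Formbook config and scan a proxy log.

Added example, not the sandbox's code. Config lines are copied from the
report (first few decoys only); the proxy log is constructed for the example.
"""
from urllib.parse import urlsplit

# Copied from the report: the URL is the C2, the bare domains are decoys.
FORMBOOK_CONFIG = """\
http://www.huynhanhdung.com/kna/
lawrencefiredepartment.com
executivehomeoffices.com
solfed.world
oshawaexchange.com
webdavlexstore.com
"""


def normalize_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so matching is stable."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def parse_config(text):
    """Return {'c2': (host, path), 'decoys': set(host)} from the extracted config."""
    c2, decoys = None, set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "://" in line:                      # only the C2 entry carries a scheme
            u = urlsplit(line)
            c2 = (normalize_host(u.hostname), u.path or "/")
        else:
            decoys.add(normalize_host(line))
    return {"c2": c2, "decoys": decoys}


def classify(url, iocs):
    """Map one requested URL to a verdict, or None if it matches nothing."""
    u = urlsplit(url)
    host, path = normalize_host(u.hostname), u.path or "/"
    c2_host, c2_path = iocs["c2"]
    if host == c2_host and path.startswith(c2_path):
        return "c2"
    if host in iocs["decoys"]:
        return "decoy"
    if path.startswith(c2_path):
        # Formbook URI path on a host not in this config: possible rotated C2.
        return "path-only"
    return None


# Constructed proxy log (not from the report): timestamp, client, method, URL, status.
PROXY_LOG = """\
2021-01-22T08:03:11Z 10.0.0.5 GET http://www.huynhanhdung.com/kna/?rt=abc 200
2021-01-22T08:03:14Z 10.0.0.5 POST http://www.huynhanhdung.com/kna/ 200
2021-01-22T08:03:20Z 10.0.0.5 GET http://www.solfed.world/kna/?rt=abc 404
2021-01-22T08:03:25Z 10.0.0.5 GET http://cdn.example.net/kna/ 200
2021-01-22T08:05:02Z 10.0.0.9 GET http://www.example.com/ 200
"""


def scan_proxy_log(log, iocs):
    """Return (timestamp, client, verdict, host) for every line that matches an IOC."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        verdict = classify(url, iocs)
        if verdict:
            hits.append((ts, client, verdict, normalize_host(urlsplit(url).hostname)))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG, parse_config(FORMBOOK_CONFIG)):
        print(*hit)
```

Two caveats when operationalising this: the decoy domains are frequently ordinary third-party sites, so a "decoy" hit is evidence the host is infected but the domains themselves are poor candidates for a permanent blocklist; and a short path such as "/kna/" can occur on legitimate sites, so the "path-only" verdict is a hunting lead, not a block rule.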
Targets
- Target: SwiftMT1O3.xlsx
- Size: 2MB
- Hashes: MD5, SHA1, SHA256 and SHA512 as listed under General
- Formbook Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Enumerates physical storage devices: attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but the payload extracted from this sample is Formbook, an information stealer, so the drive enumeration should not be taken as evidence of ransomware.
- Suspicious use of SetThreadContext (an API commonly used for process hollowing and other thread-context injection)
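The behavioural signatures above are what an endpoint sensor would see as a process chain. The example below is added here and is not the sandbox's own detection logic. It replays three of the signatures (Office spawning the .NET compiler, execution of a dropped EXE from a user-writable path, and a blocklisted process making a network connection) as rules over constructed Sysmon-style records, where event ID 1 is process creation and event ID 3 is a network connection. The image paths, PIDs and destination address are invented for the example; SetThreadContext is not visible in these event types and is left out.

```python
"""Replay the report's behavioural signatures as rules over process events.

Added example, not the sandbox's code. EVENTS are constructed Sysmon-style
records (id 1 = process create, id 3 = network connect); all values invented.
"""
import ntpath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}   # "Uses the VBS compiler for execution"
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


def basename(image):
    """Case-folded file name of a Windows image path."""
    return ntpath.basename(image).lower()


def in_user_writable(image):
    """True if the image lives in a directory an unprivileged user can write to."""
    return any(seg in image.lower() for seg in USER_WRITABLE)


def detect(events):
    """Return (rule, pid) alerts in event order.

    Rules mirror the report's signatures: Office spawning a .NET compiler,
    a dropped EXE executed from a user-writable path, and a blocklisted
    process (compiler or dropped EXE) making a network connection.
    """
    alerts = []
    dropped_pids = set()   # PIDs of executables launched from user-writable paths
    for ev in events:
        img = basename(ev["image"])
        if ev["id"] == 1:
            parent = basename(ev.get("parent_image", ""))
            if parent in OFFICE_APPS and img in DOTNET_COMPILERS:
                alerts.append(("office_spawns_compiler", ev["pid"]))
            if in_user_writable(ev["image"]):
                dropped_pids.add(ev["pid"])
                alerts.append(("dropped_exe_executed", ev["pid"]))
        elif ev["id"] == 3:
            if img in DOTNET_COMPILERS or ev["pid"] in dropped_pids:
                alerts.append(("blocklisted_process_network", ev["pid"]))
    return alerts


# Constructed event stream: Excel -> vbc.exe -> dropped EXE, both beaconing out.
EVENTS = [
    {"id": 1, "pid": 1200, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 1300, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"id": 1, "pid": 1400, "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"},
    {"id": 3, "pid": 1300, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "dest": "203.0.113.5:80"},
    {"id": 3, "pid": 1400, "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "dest": "203.0.113.5:80"},
    {"id": 1, "pid": 1500, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

In production the "dropped EXE" rule needs scoping (signed installers and updaters run from %TEMP% legitimately), whereas an Office application spawning vbc.exe or csc.exe is rare enough in most estates to alert on outright.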