General
Target: Evaluation quoter.docx
Size: 10KB
Sample: 210427-gvn4zn73zs
MD5: 2c30e2c8829b2dce3aeebe20182b7be4
SHA1: 9ce579b42d60563fcb85f6e2e9d7aa32a985d386
SHA256: ea6f660d6c4499c7a446ac3bfde1cd02bd74dfe9194fd16e5c876d5c38ff56ca
SHA512: a62f890137a55f5c38085272475028f6510ee3f2717a638861a94ef7d2d3c8b2c7511080413bd6ad804015139b0d77765000d75276f5b99a36ad8a0dd3df3581
Static task: static1
Behavioral task: behavioral1
  Sample: Evaluation quoter.docx
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: Evaluation quoter.docx
  Resource: win10v20210408
Malware Config
Extracted: https://is.gd/EAkEcx
Extracted: formbook
4.1
http://www.unclechef.website/pmc/
poolbuilderhighlandpark.com
zgqcmrdswlw.com
rivalrepublic.net
vowseries.com
papmbeachcountymusic.com
unitedmarguisa.com
sparetimr.net
mmmfccynp.icu
blossom123.com
rkd6.com
luewhhedre.com
rwproducedeliveryknoxville.com
bqg5000.com
xn--jvrr98g37n88d.com
15slotozlo.site
experthairstylist.site
udalastar.com
avenstoredetailing.com
americanmicron.com
fineprintlaw.com
coolblue.digital
harfeakharkonkur.com
syinga-auto.com
tripmaker-japan.xyz
showtownapparel.com
daskonveyor.com
zibeicao.com
kirkvanpropertiesllc.info
sedekahbungkus.net
worldjpns.com
eagleswiftcourierservice.com
litbk.com
nextkineti.com
universallogisticvd.com
bowlesscottages.com
casey-key-real-estate.com
beamconcordlogistics.com
theaccountableteamscoach.com
cheikh-faye.com
adbhutrahsya.com
t-vcb.com
brikissell.com
organizingbypaty.com
zuisyoraku.com
inspiredpractice.net
nickstradi.pro
nelivo.com
expedientedurango.com
kasrax.com
thebespokelaboratory.com
riverwayfarm.com
adecquo.com
avizory.com
awaywegoo.com
mohamedsaad.net
abbbbha13.art
plazafaro.com
thetechnicalgeeks.com
confiercollection.com
msvpoa.com
centreatmillenniumpark.com
billboardnext.tech
sanfranciscoliving.info
cybernacle.website
Targets
Target: Evaluation quoter.docx
Size: 10KB
MD5: 2c30e2c8829b2dce3aeebe20182b7be4
SHA1: 9ce579b42d60563fcb85f6e2e9d7aa32a985d386
SHA256: ea6f660d6c4499c7a446ac3bfde1cd02bd74dfe9194fd16e5c876d5c38ff56ca
SHA512: a62f890137a55f5c38085272475028f6510ee3f2717a638861a94ef7d2d3c8b2c7511080413bd6ad804015139b0d77765000d75276f5b99a36ad8a0dd3df3581
- Formbook Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext