General
-
Target
Refno.191938.xlsx
-
Size
319KB
-
Sample
210504-sz29hyk642
-
MD5
a6ea0794f2791f9f2bdfcdb467122e6b
-
SHA1
83815a1977485c3fabdd49c91926d0482e3b78e1
-
SHA256
db692f9512b08149089a9d7295a04633f22944d87f2bfe53ae00d2c55f7502ca
-
SHA512
8e9d56848c8e9dc03676348ebc0b57b650cfe4a8c61d1d8825b68e7989f29eb83509e9a1d5d35fcdf9e81e1ddcd8ed6a80d7a947e5906965f9d42f89f7d6fc6d
Static task
static1
Behavioral task
behavioral1
Sample
Refno.191938.xlsx
Resource
win7v20210408
Behavioral task
behavioral2
Sample
Refno.191938.xlsx
Resource
win10v20210410
Malware Config
Extracted
formbook
4.1
http://www.kelurahanpatikidul.xyz/op9s/
playsystems-j.one
exchange.digital
usaleadsretrieval.com
mervegulistanaydin.com
heavythreadclothing.com
attorneyperu.com
lamuerteesdulce.com
catxirulo.com
willowrunconnemaras.com
laospecial.com
anchotrading.com
mycreditebook.com
jiujiu.plus
juniperconsulting.site
millionairsmindset.com
coronaviruscuredrugs.com
services-office.com
escanaim.com
20svip.com
pistonpounder.com
lasecrete.com
sabaimeds.com
madinatalmandi.com
jumlasx.xyz
smartspeicher.net
punkyprincess.com
herren-pharma.com
belfastoutboard.com
safifinancial.info
xn--15q04wjma805a84qsls.net
washingtonrealestatefinder.com
jewishdiaspora.com
aerinfranklin.com
taylorglennconsulting.com
fartoogood.com
samjinblock.com
minianimedoll.com
saporilog.com
littlebirdwire.com
xn--farmasi-kayt-c5b.com
purifiedgroup.com
purifymd.com
renewedspacesofva.com
pilardasaude.com
varietycomplex.com
leadsprovider.info
streamxvid.com
manuelbriand.com
hellosunshinecrafts.com
hellodecimal.com
4980057280880200.xyz
dynmit021.digital
hotdogvlog.com
fairyrugs.com
ievapocyte.com
prospecsports.com
proteknical.com
36rn.com
mongdols.com
rentportals.com
drcpzc.com
h59h.com
sonjowasi.com
nalanmeat.com
Targets
-
-
Target
Refno.191938.xlsx
-
Size
319KB
-
MD5
a6ea0794f2791f9f2bdfcdb467122e6b
-
SHA1
83815a1977485c3fabdd49c91926d0482e3b78e1
-
SHA256
db692f9512b08149089a9d7295a04633f22944d87f2bfe53ae00d2c55f7502ca
-
SHA512
8e9d56848c8e9dc03676348ebc0b57b650cfe4a8c61d1d8825b68e7989f29eb83509e9a1d5d35fcdf9e81e1ddcd8ed6a80d7a947e5906965f9d42f89f7d6fc6d
-
Formbook Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-