General
-
Target
14.xlam
-
Size
15KB
-
Sample
210506-gqhf3ewnq2
-
MD5
11e9376ee19889ee5c08e816b1d3b231
-
SHA1
d22b56bedc58de7da73d647a5f3048b9cabc17d7
-
SHA256
cfee90218720f31491495dd353027017808fb3b9524d6c86ddfd016a372f627c
-
SHA512
fe846e63b1616166bebed98bdea82f1d141a23a0abc68cf6dc94216f9b0242859dcebd5471aa0943a46a5ecfca1e430badaf049db4469ec3a13a252b2eb8164b
Static task
static1
Behavioral task
behavioral1
Sample
14.xlam
Resource
win7v20210408
Malware Config
Extracted
formbook
4.1
http://www.111bjs.com/ccr/
abdullahlodhi.com
jevya.com
knoxvillerestaurant.com
mekarauroko7389.com
cricketspowder.net
johannchirinos.com
orangeorganical.com
libero-tt.com
lorenaegianluca.com
wintab.net
modernmillievintage.com
zgdqcyw.com
jeffabildgaardmd.com
nurulfikrimakassar.com
findyourchef.com
innovationsservicegroup.com
destek-taleplerimiz.com
whfqqco.icu
kosmetikmadeingermany.com
dieteticos.net
savarsineklik.com
newfashiontrends.com
e-mobilitysolutions.com
spaced.ltd
amjadalitrading.com
thejstutor.com
zzhqp.com
exoticomistico.com
oklahomasundayschool.com
grwfrog.com
elementsfitnessamdwellbeing.com
auldontoyworld.com
cumhuriyetcidemokratparti.kim
thetruthinternational.com
adimadimingilizce.com
retreatwinds.com
duoteshop.com
jasonkokrak.com
latindancextreme.com
agavedeals.com
motz.xyz
kspecialaroma.com
yuejinjc.com
print12580.com
ampsports.tennis
affordablebathroomsarizona.com
casnop.com
driftwestcoastmarket.com
bjsjygg.com
gwpjamshedpur.com
reserveacalifornia.com
caobv.com
culturaenmistacones.com
back-upstore.com
jjsmiths.com
iamxc.com
siobhankrittiya.com
digitalakanksha.com
koatku.com
shamushalkowich.com
merplerps.com
fishexpertise.com
sweetheartmart.com
nqs.xyz
Targets
-
-
Target
14.xlam
-
Size
15KB
-
MD5
11e9376ee19889ee5c08e816b1d3b231
-
SHA1
d22b56bedc58de7da73d647a5f3048b9cabc17d7
-
SHA256
cfee90218720f31491495dd353027017808fb3b9524d6c86ddfd016a372f627c
-
SHA512
fe846e63b1616166bebed98bdea82f1d141a23a0abc68cf6dc94216f9b0242859dcebd5471aa0943a46a5ecfca1e430badaf049db4469ec3a13a252b2eb8164b
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Formbook Payload
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Use of msiexec (install) with remote resource
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext
-