General
Target: REQUEST URGENT INQUIRY Order No. BCM #03122020.docx
Size: 10KB
Sample: 210604-7sbhm3e2p6
MD5: cbe2bf1df01f128648e5fb90bb3f3c5f
SHA1: 8917dd86f3c03bb10a4df45ef6a1bf012e10a897
SHA256: fd4201668cc230dca3ada4023264462745d786fdf81c4547cc41ef291fda318f
SHA512: 8afc7de3a0d5659eecca7490a61c6963789d1d27bda501401242c8b58b333febf3be8efba609737188c2319043b6d0366bb7a54a5f8c2b5fb91840854b4f54da
Static task: static1
Behavioral task: behavioral1
  Sample: REQUEST URGENT INQUIRY Order No. BCM #03122020.docx
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: REQUEST URGENT INQUIRY Order No. BCM #03122020.docx
  Resource: win10v20210408
Malware Config
Extracted: http://37.120.206.70/dom/d.wbk
Extracted: formbook 4.1
Targets
Target: REQUEST URGENT INQUIRY Order No. BCM #03122020.docx
- Formbook Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext