General
Target: INV2021-20800.docx
Size: 10KB
Sample: 210621-pmwccpjwns
MD5: c8c485325d6cc53942722aa48c280d4f
SHA1: 61b8fd6e92c390481e4a2386e87bc9437896af53
SHA256: 7912137590e4d0a4bcd3fdb006b37ba59aad20e6c27db10618f165870f817128
SHA512: d68f8ce4ed8e7133451a5bd55b5283129f671d38076382284332a4928f8ca58935410bf0fa09ce8ad7c7ba681add0445747f9056a0e0efb438b90f83ab826e9c
Static task: static1
Behavioral task: behavioral1
  Sample: INV2021-20800.docx
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: INV2021-20800.docx
  Resource: win10v20210408
Malware Config
Extracted: https://win32indexdummy_username@itsssl.com/TyPzK
Extracted: formbook 4.1
http://www.rocketschool.net/nf2/
Targets
Target: INV2021-20800.docx
Size: 10KB
- Formbook Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext