General
Target: PO20210723.xlsx
Size: 1.2MB
Sample: 210723-mhh6d4r7bs
MD5: 13481df252e0eed6eea3f219a47d42f3
SHA1: 916c441582321287167e51f987ae719d75892ae8
SHA256: b78a8643cd8001537207ddfaa47ac46e68a7d5c38d2b1eb1a1ca216101152eb9
SHA512: e51dcac2395e751f4cb99014097c3e6b235a46d4a4b24d68e9191282583b5bd64854aff0d4078c13676b034b540c76b24e652d08efad8dfe1bc71808ba4681e7
Static task: static1
Behavioral task: behavioral1 (Sample: PO20210723.xlsx, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: PO20210723.xlsx, Resource: win10v20210408)
Malware Config
Extracted: formbook 4.1
URL: http://www.howmucharemyrarecoinsworth.com/jn7g/
Targets
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Formbook Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Drops file in System32 directory
- Suspicious use of SetThreadContext