General
- Target: excel.DLLW32
- Size: 24KB
- Sample: 210727-cb5gck1wpa
- MD5: c79d67e385569c8e4f090f0dc188cfff
- SHA1: 68ee64c9f281aa0dd0479c8e89289b2af0bf72e8
- SHA256: 7a7a4887dcc86e8b6a576ae2acf805881586ee672be261a2a91a8d7a6e78c5bd
- SHA512: 4b4b906e5089816e7c7fb09c594e72bdf751ddd0cc2276b1a01a4915233983814a2463ac7648300362505128c5198882248f05fb5a3483b4702daedbed92b918
- Static task: static1
- Behavioral task: behavioral1
  - Sample: excel.DLLW32.dll
  - Resource: win7v20210410
Malware Config
- Extracted: formbook 4.1
- URL: http://www.happylittlexplorers.com/glgd/
- Domains:
cdcbullies.com
qidajixie.com
bgimlv.com
sunflowerhybrid.com
kemal.cloud
canadadirect.net
mickey2nd.com
fastjobssearcher.com
tiny-tobi.com
inmedixequus.com
coollifeideas.com
triadelectronicsupply.com
lambyo.com
zxyoo.com
spokanemusicmag.com
sortporn.com
deadroomnyc.com
313mail.com
hexiptv.net
stanbiccargo-express.com
hggt.net
theheilene.com
imbibetheculture.com
magnifiscentsbydarien.com
mcfarlanenterprises.com
chapsgrilletogo.com
startfortoday.com
sincamareros.com
bleacheater.com
elnurtic.com
finefoodandcooking.com
1931jones.com
buybetadeal.com
yourfavoredhairextensions.com
piaenglish.com
blockifysystems.com
atlerz.com
southernedgewaterdesigns.com
jamsole.net
wedyounow.com
gasesysoldaduras.com
st894.com
raquelbeckford.com
momdoduk.com
homeworkoutnow.com
maskintelligence.com
dahiyaa.com
dcsublease.com
fearlesslymiddleaged.com
thelittlereclaimedworkshop.com
johanarivero.com
differentlypun.life
frederickseyecare.com
sabortradicion.com
odptqfqxl.icu
socalseamlessgutters.com
rbhealthy.com
danielsdonuteria.com
cotswoldvehiclehire.com
ujenzihypermarket.com
farendofthebench.com
uniquelypotted.com
moddy.pro
soilhelp.com
Targets
- Target: excel.DLLW32
  - Size: 24KB
  - MD5: c79d67e385569c8e4f090f0dc188cfff
  - SHA1: 68ee64c9f281aa0dd0479c8e89289b2af0bf72e8
  - SHA256: 7a7a4887dcc86e8b6a576ae2acf805881586ee672be261a2a91a8d7a6e78c5bd
  - SHA512: 4b4b906e5089816e7c7fb09c594e72bdf751ddd0cc2276b1a01a4915233983814a2463ac7648300362505128c5198882248f05fb5a3483b4702daedbed92b918
  - suricata: ET MALWARE FormBook CnC Checkin (GET)
  - suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  - Formbook Payload
  - Blocklisted process makes network request
  - Downloads MZ/PE file
  - Executes dropped EXE
  - Loads dropped DLL
  - Obfuscated with Agile.Net obfuscator
    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  - Suspicious use of SetThreadContext