General
Target: Proof of payment for overdue invoice.doc
Size: 1.0MB
Sample: 210727-xzf1xwn8bn
MD5: fef57f1f8bc2bc336fa0fe4f1d5e3f30
SHA1: c0169f4d359c5e889d6dc19a3559e1a4dd8bacc8
SHA256: ef5b81d7eebf08ed869799e9022ca82ff0a5c781b72bb6652fbc1fe7f0e4ebcc
SHA512: 0009f9fb516136f198b09e5a64fa128be5d4aa1442a1d0d48a8308326c36ff6d2f9bbe394bbeb25245899dc65732f42bd1183770d1aba57ec0ef49c137fc1a4b
Static task: static1
Behavioral task: behavioral1
  Sample: Proof of payment for overdue invoice.doc
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Proof of payment for overdue invoice.doc
  Resource: win10v20210410
Malware Config
Extracted: httP://136.144.41.61/KLcaCYuAidZMbBJ.exe
Extracted: formbook 4.1
http://www.yjhlgg.com/grve/
Targets
- Process spawned unexpected child process. This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- CustAttr .NET packer. Detects CustAttr .NET packer in memory.
- Formbook Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext