General
Target: PO-AWSCOP.xlsx
Size: 1.2MB
Sample: 210812-14aw9em8d2
MD5: d412ca9b87a56bffb27f3f8479e10aef
SHA1: af824f6bcbf67326b92ae2513f3251986fd19c59
SHA256: 82b5b3932d32d3c91730bad9dda00f872835609cbc922fc4e70dbf2d21f8c52a
SHA512: 2df2f1380982545b9480e64fef69b0c497e39930be8c0bb38a03c51042e501fd15a501389c91405f5f3c46c33bf310a3afb89652d4ef401598f9469d58759cf2
Static task: static1
Behavioral task: behavioral1 (Sample: PO-AWSCOP.xlsx, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: PO-AWSCOP.xlsx, Resource: win10v20210408)
Malware Config
Extracted: formbook
4.1
dd2v
http://www.fortmyerscruisevacation.com/dd2v/
jkrqzmeyd.icu
cbluedottvwdshop.com
yhchen.space
premierhealthnwellness.com
szkuyaju.com
harvestmoonloans.net
dadematerial.com
mariaclarahairstudio.com
hwunvy.online
puloutjbmere.com
kossu1989.com
dubbedos.com
ncylis.com
hybrid-sol.com
travelature.com
gracefulcounts.com
66secretgarden.com
eslonyourcell.com
wisersponsorship.com
sepn3.com
mozambiquematrimony.com
valvulasyconexiones.com
drinksupercofee.com
universe-direct.com
alvesdeabreu.info
sitepew.life
tentenflower.net
jqclean.com
lotusinplay247.com
safaricaretransportation.com
bosscheschool.com
rentahome.online
syeddropship.com
dsavohv.icu
mainspaceforcontenting.club
onlinemedsus.com
getueaqaredre.com
raregirlgem.net
cohenone.com
luxsot.com
levelupbbqcleaning.com
bttjagalan.xyz
nisheying.com
2299diamond301.com
soilfoodwebofcolorado.com
postcomanetwork.com
directivewellness.com
adewalesolarin-maths.com
kumarendran.com
wgan3rdpartyserviceprovider.com
kidsclothing.center
lielm.com
codebcodeenforcement.net
cash4monero.com
greatlookingmom.com
laconices.com
q99f.com
olimpobarberiaspa.com
urockoffroad.com
bestselfcoachingforfitpros.com
collectionbypaty.com
hindustanpu.com
atlerz.com
strategyonerealty.com
Targets
Target: PO-AWSCOP.xlsx
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Formbook Payload
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Suspicious use of SetThreadContext