General
Target: PO530CB.docx.zip
Size: 7KB
Sample: 210914-qkwt2afgd7
MD5: 81cffef843647d970aa96e8597319992
SHA1: ebe7945f92a0810faea759c75f9b4fc022e6e9e0
SHA256: 4962762dd4dcce5b1d4d8f7b85456bd60b1dba05acf1ca787a652b51e9264eb7
SHA512: 2c4fe72b6258db545303b962f1ee5d68b02abd6f1c9f093ba0965fc4eaddfb1bfd8cc08fcc6d7750dc7e0c584cf2fe87717539dfb9043c1fddd0b9cafac9494f
Static task: static1
Behavioral task: behavioral1 (Sample: PO530CB.docx, Resource: win7-en)
Behavioral task: behavioral2 (Sample: PO530CB.docx, Resource: win10-en)
Malware Config
Extracted: http://cml.lol/uy8fey
Extracted: formbook 4.1 by65 http://www.boygirlthing.com/by65/
Targets
Target: PO530CB.docx
Size: 10KB
MD5: 3309466af9b380f4d0a61e831da5dd5b
SHA1: a3814f7118cfd43093a8150cb1deffb3481ac90b
SHA256: 7d112a9306ba2121e14956533476d52466a26a08300651d51ddeed035d9c8451
SHA512: f062a4fd1d2097beffbba3667afcf738ac8b62107c84e2e267852bb6eb00d9a4a622a60766d6cda8d01a9fcbe2e8a3a0cfa55a04ff7478fd2d3f9296399c67fa
- Formbook Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext