General
Target: RFQ REF R22017582.xlsx
Size: 369KB
Sample: 211019-q9vchagggl
MD5: 8a959de9e01eae75fac8172084d75fc5
SHA1: 91bcc1a394d36aa8e1450b6cc397a754f51fa5c5
SHA256: af0ab38a688694a2ea791589baec0094b22b7692600e1ce2da2ba375aad37c9b
SHA512: ff961e3c11303af4d9f3847c9f6bd8fa62c99b444b699d8171c1596f81e5325e796d03d5d447c1d4f765c012ce1f50a0cdc85d72a96491aec2a12f4f18b264e8
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ REF R22017582.xlsx
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: RFQ REF R22017582.xlsx
  Resource: win10-en-20211014
Malware Config
Extracted: formbook 4.1
og2w
http://www.wakecountyrealtyexpert.com/og2w/
Targets
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Suspicious use of SetThreadContext