General
-
Target
Specifications.xlsx
-
Size
369KB
-
Sample
211021-wlbhdabeaq
-
MD5
9abd666a51d09d4a0cb9d052f3195c06
-
SHA1
89582118e5ef2d9323952f73c68280e4758c4022
-
SHA256
20f79144ae40eeda47760ce798f28c98c93211f2ecc38e8a626760848bb9f3a1
-
SHA512
5a3cde307f726f81962aecddd7c372501ba7752501721f276241e50021ccccf3ecdb831d84ca578ed69adc6fde156f144739f4bbbc80b8b4ffd7d163c14db0af
Static task
static1
Behavioral task
behavioral1
Sample
Specifications.xlsx
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
Specifications.xlsx
Resource
win10-en-20211014
Malware Config
Extracted
formbook
4.1
og2w
http://www.wakecountyrealtyexpert.com/og2w/
patriotxf.com
thecreagles.com
riverdenim.com
cybqo.com
zzfangnan.com
empowerhis.com
resiliencewearmiami.com
myticketly.com
pistachio.land
13055.club
millennialsofacertainage.com
jnxdsgc.com
pixelsandplastic.digital
bugroster.com
chargedockz.com
gzyazsp.com
sintec-consultores.com
pourtonmobile.com
upmhss.com
amkanalrajhi.com
tenloe076.xyz
sisoow.quest
coil.company
suddennnnnnnnnnnn32.xyz
foolands.com
americanslinked.com
comprerapido.net
shock.agency
daomogul.com
brightsandstudio.net
paycourtf.com
cheaterbnuahe.xyz
atencionespecializada24.store
hyperado.com
tournusol.com
tamzeedhossain.xyz
h5aolyhh6.com
bytroletu.quest
ergobear.com
teamfsu.club
royallecleaning.com
sarrosh.com
cuvedevelopment.com
gb2022-club.com
liberbankrtes.com
journeyresearchstudy.com
laundryexpressoakland.com
mainmanmemories.com
learnliberate.com
syktxny.com
enterprisedaasit.enterprises
odontolcae.xyz
camilamentoria.online
camacho.one
wildlifehabitatfederation.com
macheamme.space
bamko.link
protected-rental.com
china-kajafa.com
papafluffysandfriends.com
alfonsoovens.com
riqnahbww-tui.net
ovatsolutions.com
topotostar.com
Targets
-
-
Target
Specifications.xlsx
-
Size
369KB
-
MD5
9abd666a51d09d4a0cb9d052f3195c06
-
SHA1
89582118e5ef2d9323952f73c68280e4758c4022
-
SHA256
20f79144ae40eeda47760ce798f28c98c93211f2ecc38e8a626760848bb9f3a1
-
SHA512
5a3cde307f726f81962aecddd7c372501ba7752501721f276241e50021ccccf3ecdb831d84ca578ed69adc6fde156f144739f4bbbc80b8b4ffd7d163c14db0af
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-