General
-
Target
PO doc 42782.xlsx
-
Size
369KB
-
Sample
211021-wlbhdabear
-
MD5
9c5486b2167c91562d09db0f5b1025e2
-
SHA1
535baeb13752700a26bda678a6c85d003db29397
-
SHA256
bc081b96be044e4fd5b0d0a48151aac96251ba275c9a66e9add9daf1d2e12380
-
SHA512
975cc30ee83aee5feb1987321134599d97c5e1a12c739b5e1efaf627879c90ce5e5ca8fbc919c1a4fe4afe07e03e71c75f62e98c81e3871b880eb094f389ad8c
Static task
static1
Behavioral task
behavioral1
Sample
PO doc 42782.xlsx
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
PO doc 42782.xlsx
Resource
win10-en-20211014
Malware Config
Extracted
formbook
4.1
kzk9
http://www.yourmajordomo.com/kzk9/
tianconghuo.club
1996-page.com
ourtownmax.net
conservativetreehose.com
synth.repair
donnachicacreperia.com
tentfull.com
weapp.download
surfersink.com
gattlebusinessservices.com
sebastian249.com
anhphuc.company
betternatureproducts.net
defroplate.com
seattlesquidsquad.com
polarjob.com
lendingadvantage.com
angelsondope.com
goportjitney.com
tiendagrupojagr.com
self-care360.com
foreignexchage.com
loan-stalemate.info
hrsimrnsingh.com
laserobsession.com
primetimesmagazine.com
teminyulon.xyz
kanoondarab.com
alpinefall.com
tbmautosales.com
4g2020.com
libertyquartermaster.com
flavorfalafel.com
generlitravel.com
solvedfp.icu
jamnvibez.com
zmx258.com
doudiangroup.com
dancecenterwest.com
ryantheeconomist.com
beeofthehive.com
bluelearn.world
vivalasplantas.com
yumiacraftlab.com
shophere247365.com
enjoybespokenwords.com
windajol.com
ctgbazar.xyz
afcerd.com
dateprotect.com
northeastonmusic.com
fourwaira.com
forschungsraumtheater.com
islameraloke.com
mavericksone.com
whguideinfrared.com
akomandr.com
experts-portail.com
ambassadorworldnews.com
case-kangaroo.com
theglobalbusinessmentor.com
igforoldpeople.com
royalglossesbss.com
merxeduct.com
Targets
-
-
Target
PO doc 42782.xlsx
-
Size
369KB
-
MD5
9c5486b2167c91562d09db0f5b1025e2
-
SHA1
535baeb13752700a26bda678a6c85d003db29397
-
SHA256
bc081b96be044e4fd5b0d0a48151aac96251ba275c9a66e9add9daf1d2e12380
-
SHA512
975cc30ee83aee5feb1987321134599d97c5e1a12c739b5e1efaf627879c90ce5e5ca8fbc919c1a4fe4afe07e03e71c75f62e98c81e3871b880eb094f389ad8c
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-