General
- Target: P-202110293029384.doc
- Size: 520KB
- Sample: 211029-vej1haadbk
- MD5: 5d70f853c62e03f61e0ad43f4a96db4c
- SHA1: 9d42c23efbe67ec377e77b694c6d2782ac9d24da
- SHA256: 8ae5bb65fe97959f7ff2f34fbf055a94a35fb0c9853448ddf8d20b25dc4e4889
- SHA512: f42bf029c30375046178a681f90ed0b011c2ecd970f48ed39f1c9d0d3e993efdf2a0f15cd02f89097d7bc302d41259bfa67a772c35d60845f244a824909b57f4
Static task: static1
Behavioral task: behavioral1 (Sample: P-202110293029384.doc; Resource: win7-en-20210920)
Behavioral task: behavioral2 (Sample: P-202110293029384.doc; Resource: win10-en-20211014)
Malware Config
Extracted: formbook, 4.1, ob7y
http://www.metanewsroom.net/ob7y/
ipsdjf.com
mlphntec.com
restaurant-day.store
writeramylong.com
flokigamefi.com
usetianyi.xyz
punishstrikebreaker.quest
ericnfleming.com
dhhwtieen.xyz
milfhackers.com
fewefie.store
pithstsdiet.store
kirsten-hemmerich.com
casinolopoca.com
sigag.xyz
geilepoes.com
metawhatsapp.art
sarjin.xyz
toprabatte.net
lotofbrave.club
ladydunyasi.com
oeooaoio.xyz
ifarh.com
geovaluablehack.com
heatherwoodrealestate.com
788027.com
groweth2gloweth.com
corryandbee.com
chatech.community
defholdingsus.com
gymandsports213.sbs
safaknet.com
rnisk.store
yhsps.com
taxlawyeral.com
liberiathelandofreturn.net
beniclothingstore.com
onecashadvance.com
metawhatsapp.delivery
chseovx.xyz
fiftyix.com
ambassadorbed.com
doktorhelp.com
memoryck.com
ceto21.com
zomerubo.rest
tyoutrannyvidep.com
3cbzfhhx5.com
cryleo.com
thebigass.online
ofd-trade-sender.com
elchinazizov.com
shakilimam.com
soporhojecast.com
reyestacosrestaurant.com
supdeszka.com
kredit-option.com
sharonallenart.com
destockage-international.com
immediate-edge-pl.xyz
jmsjszc.com
mojuwangluo.com
tr4ders.com
zilingodigitize.com
Targets
- Target: P-202110293029384.doc
- Size: 520KB
- MD5: 5d70f853c62e03f61e0ad43f4a96db4c
- SHA1: 9d42c23efbe67ec377e77b694c6d2782ac9d24da
- SHA256: 8ae5bb65fe97959f7ff2f34fbf055a94a35fb0c9853448ddf8d20b25dc4e4889
- SHA512: f42bf029c30375046178a681f90ed0b011c2ecd970f48ed39f1c9d0d3e993efdf2a0f15cd02f89097d7bc302d41259bfa67a772c35d60845f244a824909b57f4
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext