General
-
Target
New order - C.S.I No. 04183.xlsx
-
Size
228KB
-
Sample
211125-vgv6jsbbh5
-
MD5
bc2d171f6ea23a58ce5cca820869295c
-
SHA1
dafd3a3276c12ee6d20206573d65d6fb10e6af7b
-
SHA256
408c41f67cc40208f1518b050db8b6d0f315dae817e26c5ae43efe917506c226
-
SHA512
f46d62b6cd47184db12bd302def63e945063e471bbab3f02483c9c66c83d751e65c97d3f4f4d1d5f4d08bad1e1fd3bb882f97a85f363945a1659913ce47077b3
Static task
static1
Behavioral task
behavioral1
Sample
New order - C.S.I No. 04183.xlsx
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
New order - C.S.I No. 04183.xlsx
Resource
win10-en-20211104
Malware Config
Extracted
formbook
4.1
og2w
http://www.celikkaya.xyz/og2w/
drivenexpress.info
pdfproxy.com
zyz999.top
oceanserver1.com
948289.com
nubilewoman.com
ibizadiamonds.com
bosniantv-australia.com
juliehutzell.com
poshesocial.events
icsrwk.xyz
nap-con.com
womansslippers.com
invictusfarm.com
search-panel-avg-rock.rest
desencriptar.com
imperialexoticreptiles.com
agastify.com
strinvstr.com
julianapeloi.com
myproperty99.com
mahardikasantoso.com
pathway-strategies.com
runbusinessonline.com
facenbook.xyz
texasschnauzer.com
whoyummy.top
hiscomsvc.com
644557.com
shouyeshow.com
emtek.site
inspireabossglobal.us
sellmyhouse365.net
ambergrids.xyz
shoptrendyshop.com
b7eb8.com
crystalsbyzoe.com
awfullive.site
rebelgreens.com
depressiqwidv.xyz
mvp69bet.com
selectedandprotected.com
china-jiahe.com
brandonknicely.com
redrodventuresllc.com
tomafer.net
makemeorgasm.net
wihomeoffers.com
bamko.link
secure-01.net
fridayhabit.com
mudeevehkuwpitcicet.site
inversioneskomp.com
oojry.xyz
jibony.com
cellphoneplansiusaweb.com
lianemuhill.com
caroeventos.com
thucphamsachkhaihuy.com
musicjem.com
hbbtv.xyz
meltemilebaskalasim.com
xn--38j0b6c.com
checkupfromtheneckup.net
Targets
-
-
Target
New order - C.S.I No. 04183.xlsx
-
Size
228KB
-
MD5
bc2d171f6ea23a58ce5cca820869295c
-
SHA1
dafd3a3276c12ee6d20206573d65d6fb10e6af7b
-
SHA256
408c41f67cc40208f1518b050db8b6d0f315dae817e26c5ae43efe917506c226
-
SHA512
f46d62b6cd47184db12bd302def63e945063e471bbab3f02483c9c66c83d751e65c97d3f4f4d1d5f4d08bad1e1fd3bb882f97a85f363945a1659913ce47077b3
-
Formbook Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-