General
-
Target
tmp/b0495e35ad16a70e70563fc8c36c6842836eda10bda0d76ba35d7c2b75aaca69.xls
-
Size
228KB
-
Sample
211126-rdz4jsgac6
-
MD5
54f45cff70eb95664f5a61bb70008bb6
-
SHA1
e78f47c1b8b21e5355d4975286fed750c29f56d9
-
SHA256
b0495e35ad16a70e70563fc8c36c6842836eda10bda0d76ba35d7c2b75aaca69
-
SHA512
d14d0f47453e9e328bd405e0e17095605b0c280b6e86f11c2f40e221c7f72fb769b68b55f4caf020bb86146e1fb555b09c0f80007d01f33b729b4467c32c05ac
Static task
static1
Behavioral task
behavioral1
Sample
tmp/b0495e35ad16a70e70563fc8c36c6842836eda10bda0d76ba35d7c2b75aaca69.xls
Resource
win7-en-20211104
Behavioral task
behavioral2
Sample
tmp/b0495e35ad16a70e70563fc8c36c6842836eda10bda0d76ba35d7c2b75aaca69.xls
Resource
win10-en-20211014
Malware Config
Extracted
formbook
4.1
og2w
http://www.celikkaya.xyz/og2w/
drivenexpress.info
pdfproxy.com
zyz999.top
oceanserver1.com
948289.com
nubilewoman.com
ibizadiamonds.com
bosniantv-australia.com
juliehutzell.com
poshesocial.events
icsrwk.xyz
nap-con.com
womansslippers.com
invictusfarm.com
search-panel-avg-rock.rest
desencriptar.com
imperialexoticreptiles.com
agastify.com
strinvstr.com
julianapeloi.com
myproperty99.com
mahardikasantoso.com
pathway-strategies.com
runbusinessonline.com
facenbook.xyz
texasschnauzer.com
whoyummy.top
hiscomsvc.com
644557.com
shouyeshow.com
emtek.site
inspireabossglobal.us
sellmyhouse365.net
ambergrids.xyz
shoptrendyshop.com
b7eb8.com
crystalsbyzoe.com
awfullive.site
rebelgreens.com
depressiqwidv.xyz
mvp69bet.com
selectedandprotected.com
china-jiahe.com
brandonknicely.com
redrodventuresllc.com
tomafer.net
makemeorgasm.net
wihomeoffers.com
bamko.link
secure-01.net
fridayhabit.com
mudeevehkuwpitcicet.site
inversioneskomp.com
oojry.xyz
jibony.com
cellphoneplansiusaweb.com
lianemuhill.com
caroeventos.com
thucphamsachkhaihuy.com
musicjem.com
hbbtv.xyz
meltemilebaskalasim.com
xn--38j0b6c.com
checkupfromtheneckup.net
Targets
-
-
Target
tmp/b0495e35ad16a70e70563fc8c36c6842836eda10bda0d76ba35d7c2b75aaca69.xls
-
Size
228KB
-
MD5
54f45cff70eb95664f5a61bb70008bb6
-
SHA1
e78f47c1b8b21e5355d4975286fed750c29f56d9
-
SHA256
b0495e35ad16a70e70563fc8c36c6842836eda10bda0d76ba35d7c2b75aaca69
-
SHA512
d14d0f47453e9e328bd405e0e17095605b0c280b6e86f11c2f40e221c7f72fb769b68b55f4caf020bb86146e1fb555b09c0f80007d01f33b729b4467c32c05ac
-
Formbook Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-