General
-
Target
BD00752Q0048971BDDHK.xlsx
-
Size
229KB
-
Sample
211203-n9dzeagdgq
-
MD5
0a4933f2a8175aef114f1180ac2b97c2
-
SHA1
bcc928f2507bba21660fa2153aca0cc129682236
-
SHA256
37ba8d755d649a76052bf8225be259ee47e5ab35eeabb07b6d1988c22f7187f8
-
SHA512
46548a16f916292b958583162d83f274f05292d9e46d158dd98087cd1215bd6f965117c396232e75069bd651abf47d713a5d0649074502a70197d45bbc6fec1c
Static task
static1
Behavioral task
behavioral1
Sample
BD00752Q0048971BDDHK.xlsx
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
BD00752Q0048971BDDHK.xlsx
Resource
win10-en-20211104
Malware Config
Extracted
formbook
4.1
og2w
http://www.celikkaya.xyz/og2w/
drivenexpress.info
pdfproxy.com
zyz999.top
oceanserver1.com
948289.com
nubilewoman.com
ibizadiamonds.com
bosniantv-australia.com
juliehutzell.com
poshesocial.events
icsrwk.xyz
nap-con.com
womansslippers.com
invictusfarm.com
search-panel-avg-rock.rest
desencriptar.com
imperialexoticreptiles.com
agastify.com
strinvstr.com
julianapeloi.com
myproperty99.com
mahardikasantoso.com
pathway-strategies.com
runbusinessonline.com
facenbook.xyz
texasschnauzer.com
whoyummy.top
hiscomsvc.com
644557.com
shouyeshow.com
emtek.site
inspireabossglobal.us
sellmyhouse365.net
ambergrids.xyz
shoptrendyshop.com
b7eb8.com
crystalsbyzoe.com
awfullive.site
rebelgreens.com
depressiqwidv.xyz
mvp69bet.com
selectedandprotected.com
china-jiahe.com
brandonknicely.com
redrodventuresllc.com
tomafer.net
makemeorgasm.net
wihomeoffers.com
bamko.link
secure-01.net
fridayhabit.com
mudeevehkuwpitcicet.site
inversioneskomp.com
oojry.xyz
jibony.com
cellphoneplansiusaweb.com
lianemuhill.com
caroeventos.com
thucphamsachkhaihuy.com
musicjem.com
hbbtv.xyz
meltemilebaskalasim.com
xn--38j0b6c.com
checkupfromtheneckup.net
Targets
-
-
Target
BD00752Q0048971BDDHK.xlsx
-
Size
229KB
-
MD5
0a4933f2a8175aef114f1180ac2b97c2
-
SHA1
bcc928f2507bba21660fa2153aca0cc129682236
-
SHA256
37ba8d755d649a76052bf8225be259ee47e5ab35eeabb07b6d1988c22f7187f8
-
SHA512
46548a16f916292b958583162d83f274f05292d9e46d158dd98087cd1215bd6f965117c396232e75069bd651abf47d713a5d0649074502a70197d45bbc6fec1c
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-