General
Target: tmp/9c543cf77ab8f2b5348e03c96a94f9d277afc43b28d01018bd98aaf36e3dd5a9.xls
Size: 1.4MB
Sample: 211213-m26tsaefbp
MD5: bddbdf6c5ee73aa17771b839f06e5f5c
SHA1: 1cd3640474adf50f43abc96c662e5b2fa1c7574a
SHA256: 9c543cf77ab8f2b5348e03c96a94f9d277afc43b28d01018bd98aaf36e3dd5a9
SHA512: 4315212b8ad3931a0364f4193e9139bd57b216bd73c8b4494410aca0f30bad3a001b1d1cd7f3624295c2763bc8d3d72bdaf3e8f1bc3d2820c1b99b8df6662e9a
Static task: static1
Behavioral task: behavioral1
  Sample: tmp/9c543cf77ab8f2b5348e03c96a94f9d277afc43b28d01018bd98aaf36e3dd5a9.xls
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: tmp/9c543cf77ab8f2b5348e03c96a94f9d277afc43b28d01018bd98aaf36e3dd5a9.xls
  Resource: win10-en-20211208
Malware Config
Extracted family: formbook
Version: 4.1
Campaign: h4d0
C2: http://www.voxelsoxx.xyz/h4d0/
Decoy domains:
onlinefinejewelry.com
samstringermusic.com
beam-lettings.info
optimumcoin.xyz
fasa.xyz
creativedime.com
eihncuz.online
griffin2008.top
europcarlive.com
jxhcar.com
museumsshop.international
bonolaboral-lnterbank.com
kelebandis.xyz
hiddenlakeranch.net
carelessyouth.com
jfkilfoil.store
potok-it-ua.site
magdulemediation.com
shakadal.xyz
coastconstructionfl.com
wilsonbrosvanlines.com
collagenroaster.com
thegetawayspace.com
grittybeetsproduction.com
ieemyanmar.com
gyozaviajera.com
familie-leben.info
finnbd.com
nomasrevolving.com
gtstudios.art
sergesur.com
hnljgame.com
lakemould.com
kandanmart.com
devinbutler.com
everythingisdetermined.com
justift96.com
crose.info
pb6111.com
thecollarcollective.com
jrc8899.com
studiocrypto.xyz
sadrarobotics.com
carpimuebles.com
chinaqcgg.com
ninjixiang.net
thewildexplorerabin.com
realestatenebraskanews.com
metaversenitro.com
com171ksw.xyz
fammilee.com
farmstoragesolution.com
some-things.net
kedaiwangi.one
aztrac.net
webzyn.xyz
cell-mex.com
argusprojects.com
jcaemporium.com
xfgyun.store
xdhgrl.com
creating-club.com
masterproperty34.com
joyemotion.com
Targets
Target: tmp/9c543cf77ab8f2b5348e03c96a94f9d277afc43b28d01018bd98aaf36e3dd5a9.xls
Size: 1.4MB
MD5: bddbdf6c5ee73aa17771b839f06e5f5c
SHA1: 1cd3640474adf50f43abc96c662e5b2fa1c7574a
SHA256: 9c543cf77ab8f2b5348e03c96a94f9d277afc43b28d01018bd98aaf36e3dd5a9
SHA512: 4315212b8ad3931a0364f4193e9139bd57b216bd73c8b4494410aca0f30bad3a001b1d1cd7f3624295c2763bc8d3d72bdaf3e8f1bc3d2820c1b99b8df6662e9a
Signatures:
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Formbook Payload
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext