General
Target: Proof of payment.doc
Size: 25KB
Sample: 220111-ra56dsgbbl
MD5: 72b5faa2facec80772b70a01bae1c0b0
SHA1: 86bbe9fbc76392d2e7faa5815b3bd134b3e5b50c
SHA256: cec9a413c1844c029f7801e4d74e941215d8f328169ccb37fb909c73651bde6b
SHA512: 15206180022ec808a7d3d68677b162af126a4d5a1fb5967ce43e2d9163ea98c78409ad6159edbc5c3686da6799f95cd75f57ed4f067e56205580322b2521f7fc
Static task: static1
Behavioral task: behavioral1
  Sample: Proof of payment.doc.rtf
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: Proof of payment.doc.rtf
  Resource: win10-en-20211208
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: a83r
C2:
comercializadoralonso.com
durhamschoolservces.com
onegreencapital.com
smartcities24.com
maquinas.store
brianlovesbonsai.com
xin41518s.com
moneyearnus.xyz
be-mix.com
fengyat.club
inspectdecided.xyz
paksafpakistan.com
orhidlnt.top
princesuraj.com
vietnamvodka.com
renewnow.site
imageservices.xyz
luxurytravelfranchise.com
kp112.red
royalyorkfirewood.com
azharrizvi.com
mtvamazon.com
stlouisplatinumhomes.com
ke6rkmtn.xyz
roomviser.xyz
rollcalloutfitters.com
jlautoparts.net
swipyy.xyz
handymansaltlakecity.com
tuespr.com
prelink.xyz
whrpky037.xyz
yoga-4-health.com
silvermoonandcompany.com
meg-roh.com
81218121.com
prayerteamusa.com
ocejxu.com
lopeyhomeimporvementservice.com
dcosearchandconnect.xyz
md-newspages.online
elinmex.online
traineriq.com
feministecologies.com
gyltogether.com
polyversed.com
rodolforios.com
bcfs0l.com
51dmm.com
metaverselivecasinos.com
csjsgk.com
impactincentivesregistry.com
firekim.space
jdzn.xyz
d6ybf7yj.xyz
sturt.xyz
serious-cam.com
stihl-gms.com
gentleman5.xyz
rustbeltcoders.net
hmarketsed96.com
cricfreelive.com
wellyounow.com
fwdrow.com
hstolchsjybyl.com
Targets
Target: Proof of payment.doc
Size: 25KB
MD5: 72b5faa2facec80772b70a01bae1c0b0
SHA1: 86bbe9fbc76392d2e7faa5815b3bd134b3e5b50c
SHA256: cec9a413c1844c029f7801e4d74e941215d8f328169ccb37fb909c73651bde6b
SHA512: 15206180022ec808a7d3d68677b162af126a4d5a1fb5967ce43e2d9163ea98c78409ad6159edbc5c3686da6799f95cd75f57ed4f067e56205580322b2521f7fc
Signatures:
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
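As an added example (not part of the sandbox report and not Triage's own tooling), the following Python script turns the indicators above into a sweep a responder can run against DNS or proxy logs: it matches queried hostnames against the extracted C2 list on whole DNS labels, so that www.<domain> hits but an unrelated name that merely contains a listed domain as a substring does not, and it checks a file digest against the sample's SHA256. The domains, family, version, campaign and hash are copied from the report; the DNS log lines are constructed for illustration. One caveat when acting on hits: a FormBook config bundles decoy hostnames with the live C2, so a match shows that a configured host was contacted, not that every listed domain is attacker-controlled.

```python
"""IOC sweep for the FormBook 4.1 / campaign a83r indicators in the report.

Added example, not code from the sandbox report or from Triage. Hostnames,
version, campaign and SHA256 are copied from the report; the DNS log lines
below are constructed for illustration only.
"""
import hashlib
from typing import List, Optional, Tuple

FAMILY, VERSION, CAMPAIGN = "formbook", "4.1", "a83r"

# The 65 C2 hostnames from the extracted config (copied from the report).
C2_DOMAINS = frozenset("""
comercializadoralonso.com durhamschoolservces.com onegreencapital.com
smartcities24.com maquinas.store brianlovesbonsai.com
xin41518s.com moneyearnus.xyz be-mix.com
fengyat.club inspectdecided.xyz paksafpakistan.com
orhidlnt.top princesuraj.com vietnamvodka.com
renewnow.site imageservices.xyz luxurytravelfranchise.com
kp112.red royalyorkfirewood.com azharrizvi.com
mtvamazon.com stlouisplatinumhomes.com ke6rkmtn.xyz
roomviser.xyz rollcalloutfitters.com jlautoparts.net
swipyy.xyz handymansaltlakecity.com tuespr.com
prelink.xyz whrpky037.xyz yoga-4-health.com
silvermoonandcompany.com meg-roh.com 81218121.com
prayerteamusa.com ocejxu.com lopeyhomeimporvementservice.com
dcosearchandconnect.xyz md-newspages.online elinmex.online
traineriq.com feministecologies.com gyltogether.com
polyversed.com rodolforios.com bcfs0l.com
51dmm.com metaverselivecasinos.com csjsgk.com
impactincentivesregistry.com firekim.space jdzn.xyz
d6ybf7yj.xyz sturt.xyz serious-cam.com
stihl-gms.com gentleman5.xyz rustbeltcoders.net
hmarketsed96.com cricfreelive.com wellyounow.com
fwdrow.com hstolchsjybyl.com
""".split())

# SHA256 of "Proof of payment.doc" (copied from the report).
SAMPLE_SHA256 = "cec9a413c1844c029f7801e4d74e941215d8f328169ccb37fb909c73651bde6b"


def matching_c2(hostname: str) -> Optional[str]:
    """Return the configured C2 domain that `hostname` is, or is a subdomain of.

    Matching walks whole DNS labels (www.x.com -> x.com -> com), so a name that
    merely contains a C2 domain as a substring, e.g. notx.com, does not hit.
    A trailing dot (fully qualified form) and upper case are normalised away.
    """
    labels = hostname.strip().lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in C2_DOMAINS:
            return candidate
    return None


def sweep_dns_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Scan 'timestamp client qname' lines; return (client, qname, c2) hits."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line
        _ts, client, qname = parts[0], parts[1], parts[2]
        c2 = matching_c2(qname)
        if c2:
            hits.append((client, qname, c2))
    return hits


def is_known_sample(sha256_hex: str) -> bool:
    """True if a SHA256 hex digest (any case) is the report's sample."""
    return sha256_hex.strip().lower() == SAMPLE_SHA256


def sha256_of_bytes(data: bytes) -> str:
    """Digest file contents so they can be passed to is_known_sample()."""
    return hashlib.sha256(data).hexdigest()


# Constructed DNS query log (timestamp, client, queried name); not real data.
SAMPLE_DNS_LOG = """\
2022-01-11T09:14:02Z 10.0.0.15 www.onegreencapital.com
2022-01-11T09:14:03Z 10.0.0.15 cdn.example.net
2022-01-11T09:14:05Z 10.0.0.22 notonegreencapital.com
2022-01-11T09:14:07Z 10.0.0.22 smartcities24.com.
"""

if __name__ == "__main__":
    for client, qname, c2 in sweep_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {qname}: {FAMILY} {VERSION}/{CAMPAIGN} C2 host {c2}")
```

Run it against an export of your resolver or proxy logs in the same three-column shape; the label-boundary walk in matching_c2() is what keeps the sweep from flagging look-alike names, and the trailing-dot handling matters because many resolvers log fully qualified names.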