General
Target: DOC01252022.doc
Size: 22KB
Sample: 220125-ya98nsdefl
MD5: ab6c0bed424ecfa5fb3e12d2db6cd900
SHA1: 5000499ab283e98530920937012d87153048bbae
SHA256: 14f73cfcb1d6349374833372961d540b53a6b7ffc628e0d7f6c56f870d365581
SHA512: 65efec298d8386c7fbc15f5d82bfaaa5d34ffbd0a8d09bfe4d94e8a43edfcbfb237f9ce73089b769f34dbd9b8f4c9fcf58232f439176fcebc0350afd4d60f86b
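Before working on a copy of this sample, confirm it is the file the report describes: the sandbox renamed it from .doc to .rtf, so the digests above are its only stable identity. The following is an added example, not code from the report page or from the sandbox. It reads the file once, computes all four digests in that single pass, and returns the names of any that disagree with the report; the standard digests of the empty input are included so the routine can be self-checked without having the sample at hand.

```python
import hashlib
import io

# Digests for DOC01252022.doc as listed on the report page.
REPORT_DIGESTS = {
    "md5": "ab6c0bed424ecfa5fb3e12d2db6cd900",
    "sha1": "5000499ab283e98530920937012d87153048bbae",
    "sha256": "14f73cfcb1d6349374833372961d540b53a6b7ffc628e0d7f6c56f870d365581",
    "sha512": "65efec298d8386c7fbc15f5d82bfaaa5d34ffbd0a8d09bfe4d94e8a43edfcbfb"
              "237f9ce73089b769f34dbd9b8f4c9fcf58232f439176fcebc0350afd4d60f86b",
}

# Standard digests of the empty input; used only to self-check the routine.
EMPTY_DIGESTS = {
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
              "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_stream(fp, chunk_size=1 << 16):
    """Read fp once and return {algorithm: hexdigest} for all four algorithms."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while True:
        chunk = fp.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_bytes(data):
    """Same as digest_stream, for an in-memory byte string."""
    return digest_stream(io.BytesIO(data))


def mismatches(actual, expected):
    """Names of the digests in `expected` that `actual` does not reproduce.
    An empty list means every listed digest matched. Hex case is ignored and a
    missing algorithm counts as a mismatch."""
    return sorted(
        name for name, value in expected.items()
        if actual.get(name, "").lower() != value.lower()
    )


def verify_bytes(data, expected=REPORT_DIGESTS):
    """Compare an in-memory buffer against the report's digests."""
    return mismatches(digests_of_bytes(data), expected)


def verify_file(path, expected=REPORT_DIGESTS):
    """Compare the file at `path` with the report: [] means it is the reported sample."""
    with open(path, "rb") as fp:
        return mismatches(digest_stream(fp), expected)


if __name__ == "__main__":
    import sys
    bad = verify_file(sys.argv[1])
    print("matches report" if not bad else "MISMATCH in " + ", ".join(bad))
```

Run it as `python verify.py DOC01252022.doc` (or the renamed .rtf); anything other than "matches report" means the copy is not the file this page analysed, whatever its name.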
Static task: static1
Behavioral task: behavioral1 (sample DOC01252022.rtf, resource win7-en-20211208)
Behavioral task: behavioral2 (sample DOC01252022.rtf, resource win10-en-20211208)
Note the extension change: the submitted DOC01252022.doc was detonated as DOC01252022.rtf, which indicates the sandbox identified the content as RTF rather than a binary Word document.
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: n0k1
Domains: the configured host list follows. FormBook embeds its live C2 host among decoy domains, and the page does not mark which entry is live, so treat the list as low-fidelity indicators until a hit is corroborated by the actual traffic.
tyupa.xyz
scion.xyz
smjacob.com
intelligentsiaunionyes.com
myartismytemple.com
roethlisburgers.com
burny-live-bar.com
amricanfamilyinsurance.com
barossavalleycollective.online
coinstarrevenue.com
ionablissfullife.com
worryfreeads.com
9xu5qkr1.xyz
julbera.xyz
denko-puro.com
boardsavorybeambark.club
coronarules.info
hailiangyinqing.com
pageonandroid.tech
1meqtaw8.xyz
studiojoanaduarte.com
trakaibatteries.com
gameworld.group
jinglaxin.com
zgcsqs.com
wu6hpihxe2la.xyz
oceanerebelo.com
cananincami.xyz
dongjiantangjituan.com
padilla.one
wellingtonsloupe.com
unioncountyhousevalues.com
chunbacard.com
sunvalleynutra.com
clarifyproduction.com
berlloques.com
castleorcabins.com
jurienbayfc.com
purusharth.foundation
digitalexperiencelive.com
tlccevent.com
dfsballoon.com
calendarlbs.com
ittechapp.com
leivisjuniormarinsdeabreu.com
danieljohnsonhomes.com
rapidemployeedeployment.com
hangzhuangyuan.com
hnlgdjxc.com
providerhealthnetcalifonia.com
teevenfajri.xyz
xin129.xyz
gymexfactory.com
wu6bntemghxr.xyz
growsilver.xyz
superbahis994.com
getertcapplication.com
techcaremassager.xyz
portraitmodelsco.com
hotelbestskip.com
suitjeans.com
zhuma.love
nmhelpingpower.com
mylivingreef.com
xmwn-adn.com
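The domain list above is most useful as a hunting set. The following is an added example, not part of the report page or the sandbox, of running it over DNS and proxy records: it matches on a label boundary so that parent-domain indicators catch subdomains (www.tyupa.xyz) without false positives on look-alike names (notyupa.xyz, tyupa.xyz.example.test). The log format and the log lines are constructed for the example, and only a subset of the page's domains is embedded; paste the full list in real use. Because FormBook's list contains decoys, a hit is a triage lead to be confirmed against the full request, not proof of an active infection.

```python
from urllib.parse import urlparse

# Subset of the domains extracted from the FormBook config on this page
# (paste the full list in use). FormBook mixes decoys with its live C2,
# so a hit is a lead to verify, not proof of beaconing.
FORMBOOK_DOMAINS = frozenset({
    "tyupa.xyz", "scion.xyz", "smjacob.com", "coronarules.info",
    "gameworld.group", "padilla.one", "zhuma.love", "xmwn-adn.com",
})


def normalize_host(host):
    """Lowercase and drop the trailing dot a DNS qname may carry."""
    return host.strip().lower().rstrip(".")


def matching_ioc(host, iocs=FORMBOOK_DOMAINS):
    """Return the IOC that covers host (exact match or parent domain), else None.
    The suffix test includes the separating dot, so 'notyupa.xyz' does not hit
    'tyupa.xyz', and 'tyupa.xyz.example.test' does not either."""
    host = normalize_host(host)
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def host_from_line(line):
    """Extract the host from one line in the constructed log format used below:
    '<timestamp> <client_ip> dns <qname>' or '<timestamp> <client_ip> http <url>'.
    Returns None for lines that do not fit."""
    parts = line.split(None, 3)
    if len(parts) != 4:
        return None
    _ts, _src, kind, value = parts
    if kind == "dns":
        return value
    if kind == "http":
        return urlparse(value).hostname  # lowercased, port stripped
    return None


def scan(lines, iocs=FORMBOOK_DOMAINS):
    """Return (timestamp, client_ip, host, matched_ioc) for every line that hits the list."""
    hits = []
    for line in lines:
        host = host_from_line(line)
        if not host:
            continue
        ioc = matching_ioc(host, iocs)
        if ioc:
            ts, src = line.split(None, 2)[:2]
            hits.append((ts, src, normalize_host(host), ioc))
    return hits


# Constructed log lines for the example; this is not traffic from the report.
SAMPLE_LOG = [
    "2022-01-25T10:01:02Z 10.0.0.5 dns www.tyupa.xyz.",
    "2022-01-25T10:01:03Z 10.0.0.5 http http://www.smjacob.com/index.php?id=1",
    "2022-01-25T10:01:04Z 10.0.0.7 dns notyupa.xyz",
    "2022-01-25T10:01:05Z 10.0.0.7 dns tyupa.xyz.example.test",
    "2022-01-25T10:01:06Z 10.0.0.9 http https://ZHUMA.LOVE:8443/",
    "malformed line",
]

if __name__ == "__main__":
    for ts, src, host, ioc in scan(SAMPLE_LOG):
        print(f"{ts} {src} -> {host} (matches {ioc})")
```

On the constructed lines only the first, second and fifth records hit; the two look-alike names are correctly ignored. For the real domain list the linear scan in `matching_ioc` is fine at 65 entries; for larger sets, index IOCs by their last two labels before comparing.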
Targets
Target: DOC01252022.doc (22KB)
Signatures:
- suricata: ET MALWARE FormBook CnC Checkin (GET) (reported twice)
- Formbook Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext (rewriting another thread's context is the usual marker of code injection into a second process)
Taken together, the signatures describe a document stage that makes a network request, downloads a PE and executes it, with the FormBook configuration above recovered from that payload.