General

Target: PO 2463826 .doc
Size: 1.7MB
Sample: 220126-rf5f2sdehk
MD5: 240abfcfdc4f102cd6ff271076e932b0
SHA1: eeef2cd6c2d659418a3458240b3ceebdf2157a7a
SHA256: 4730874c95b68b146dc126f4b4a0ee2e1da32366e3027ae8021e2f5b7a7cdc48
SHA512: 72ab19e0963727917a145d32ab2641259895e96f7b30a8a7e2ebd75ebc2e403688711835f21cd3bbf9e4192a5a454e10c277173c54f42e622db0e565fcbd3168
Static task: static1

Behavioral task: behavioral1
Sample: PO 2463826 .rtf
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: PO 2463826 .rtf
Resource: win10-en-20211208
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign ID: m8g9
C2 domains (65 entries; FormBook embeds decoy domains alongside its real C2, so alert or block on the whole list but do not assume every entry is attacker-controlled; note that 1573.xn--czru2d is a punycode name, which decodes to 1573.商城):
jimmycamel.com
bestinvilnius.com
diana-jarvis.com
manabitown.net
luxuryremyhair.com
cavesage.com
wholequote.space
truckdrivingfuture.xyz
ptcouponspt.com
stainthree-shift.space
universalstaffingpros.com
alibi-music.com
iqjlylro.com
pinterestservice.com
soolehayeiran.com
youngplatformpro.com
fidelitysafesecure.com
af258.wine
theblissdynamic.com
aliciabrooksenglishmastiff.com
wemgo.online
xl306.com
kapi-tal.com
keskinyapidekorasyon.com
voderment.com
tonnixcosmetics.com
gelmakotomasyon.com
metaonion.xyz
godrejambivaliriviera.info
netxmart.com
indocoinexchange.com
thestreetbuy.com
a-wallet.space
dharmabuttons.com
leisuredelight.com
asonesystem.com
panartproperties.com
1573.xn--czru2d
robodevendasautomatico.com
thepocketrockstars.com
chiildrensplace.com
beehivewm.com
routtcountyjail.com
annexaestheticsinc.com
realhappyshopping.com
butikcars.com
universitymoves.com
trianglespas.com
itspossibleonline.net
thevantrips.com
bt4umvjk.xyz
highlandfinancex.com
y6x7upe.xyz
ufqeils.xyz
read-book.xyz
mediwearables.com
kimbolkphotography.com
earthmamavenice.com
eraerentertainmentsync.com
235959.xyz
considericon.com
purintou.com
validenquire.com
qhhotels.com
rucystore.com
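The extracted domain list turned into detection artifacts, as an added example that is not part of the sandbox report: it validates and de-duplicates the entries, decodes the one punycode name so an analyst sees the real label, and emits Suricata DNS rules and RPZ records for the whole list. The domain list is copied verbatim from the config above; the SID range (2000001 and up), the rule message text and the RPZ format are choices made here, not values from the report or from any published ruleset.

```python
"""Detection artifacts from the extracted FormBook C2/decoy domain list.

Added example for this report, not part of the sandbox output. SIDs and
rule messages are assumptions chosen here; adjust to your local ruleset.
"""
import re

# Constructed input: the 65 extracted entries, copied verbatim from the report.
FORMBOOK_DOMAINS = """
jimmycamel.com bestinvilnius.com diana-jarvis.com manabitown.net luxuryremyhair.com
cavesage.com wholequote.space truckdrivingfuture.xyz ptcouponspt.com stainthree-shift.space
universalstaffingpros.com alibi-music.com iqjlylro.com pinterestservice.com soolehayeiran.com
youngplatformpro.com fidelitysafesecure.com af258.wine theblissdynamic.com
aliciabrooksenglishmastiff.com wemgo.online xl306.com kapi-tal.com keskinyapidekorasyon.com
voderment.com tonnixcosmetics.com gelmakotomasyon.com metaonion.xyz godrejambivaliriviera.info
netxmart.com indocoinexchange.com thestreetbuy.com a-wallet.space dharmabuttons.com
leisuredelight.com asonesystem.com panartproperties.com 1573.xn--czru2d
robodevendasautomatico.com thepocketrockstars.com chiildrensplace.com beehivewm.com
routtcountyjail.com annexaestheticsinc.com realhappyshopping.com butikcars.com
universitymoves.com trianglespas.com itspossibleonline.net thevantrips.com bt4umvjk.xyz
highlandfinancex.com y6x7upe.xyz ufqeils.xyz read-book.xyz mediwearables.com
kimbolkphotography.com earthmamavenice.com eraerentertainmentsync.com 235959.xyz
considericon.com purintou.com validenquire.com qhhotels.com rucystore.com
""".split()

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(domain):
    """Lower-case, drop a trailing dot, and check every label.
    Returns the cleaned name, or None if the entry is not a usable hostname."""
    name = domain.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    return name


def clean_domains(entries):
    """Validated entries in report order, duplicates removed."""
    seen, out = set(), []
    for entry in entries:
        name = normalize(entry)
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def to_unicode(domain):
    """Decode IDNA (xn--) labels with the stdlib codec; return input unchanged on failure."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def punycode_entries(domains):
    """(raw, decoded) pairs for every name that carries a punycode label."""
    return [(d, to_unicode(d)) for d in domains
            if any(label.startswith("xn--") for label in d.split("."))]


def suricata_dns_rules(domains, base_sid=2000001, family="FormBook"):
    """One Suricata 5+ rule per domain on the dns.query sticky buffer.
    'endswith' also catches subdomains (and, as a side effect, lookalike suffixes)."""
    return [
        'alert dns $HOME_NET any -> any any '
        f'(msg:"{family} C2/decoy domain lookup {d}"; dns.query; '
        f'content:"{d}"; nocase; endswith; '
        f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        for i, d in enumerate(domains)
    ]


def rpz_records(domains):
    """Response Policy Zone lines that NXDOMAIN each name and its subdomains."""
    lines = []
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


DOMAINS = clean_domains(FORMBOOK_DOMAINS)

if __name__ == "__main__":
    for raw, decoded in punycode_entries(DOMAINS):
        print(f"punycode: {raw} -> {decoded}")
    print(f"{len(DOMAINS)} domains, {len(suricata_dns_rules(DOMAINS))} rules, "
          f"{len(rpz_records(DOMAINS))} RPZ records")
    print(suricata_dns_rules(DOMAINS)[0])
```

Because `endswith` on the raw query also matches names such as evil-jimmycamel.com, on Suricata 6 and later prefer the `dotprefix` transform (`dns.query; dotprefix; content:".jimmycamel.com"; endswith;`) so only the exact name and its subdomains fire. Since most of these entries are decoys, a hit tells you a host ran this FormBook build, not which entry is the live C2.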
Targets

Target: PO 2463826 .doc (size and hashes as listed under General)

Suricata alerts
ET MALWARE FormBook CnC Checkin (GET)

Signatures
Formbook Payload
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext (thread-context rewrite of the kind used for process hollowing and remote injection)