General
Target: PO20220126.doc
Size: 2.3MB
Sample: 220126-rfkfwadeel
MD5: 5cd86913d2c514fac26439557709aa96
SHA1: 65f00339afb84c6c9e83c8a2fd4aa367d897102b
SHA256: 534971b14abc0d7b16338f7a1c329d044d8d9352638b9f3bb5866d5dcd1799fa
SHA512: 5404f7dd5fe2bb8256aa1c06968e5940a2adc2e92f5f15813155da50badfcbd0e3d7cb50947394e3b54aff61c70fa806a560328ee67d51640cf28f4fd4f51fed
Static task: static1
Behavioral task: behavioral1 (Sample: PO20220126.rtf, Resource: win7-en-20211208)
Behavioral task: behavioral2 (Sample: PO20220126.rtf, Resource: win10-en-20211208)
Malware Config (Extracted): formbook 4.1, jg17
Targets
Target: PO20220126.doc (2.3MB; MD5, SHA1, SHA256 and SHA512 as listed under General)
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext