General
Target: NewOrder-PO300122.doc
Size: 2.2MB
Sample: 220131-h8za3agfer
MD5: a9c56c16c6c705510fea0b1419f87ec0
SHA1: b6274154f6f8301de35df1c346d534a0c782ec6d
SHA256: 278a01105105ba46b8303bb8933c4a3010aa7098342460ab4090e3ddbafb19ab
SHA512: 6f127ca937b147b616d563ab2eb1535488d0187a5bd8aa9b7d70ad3462a1d4899f7be47095a60251aaf1381a1f13fea8d247d1775995ed9f1c2b0d82f9788e32
Static task: static1
Behavioral task: behavioral1 (sample NewOrder-PO300122.rtf, resource win7-en-20211208)
Behavioral task: behavioral2 (sample NewOrder-PO300122.rtf, resource win10-en-20211208)
Malware Config
Extracted family: formbook
Version: 4.1
Campaign: uk83
Domains:
wa7ajzar9hwa.xyz
adithyaimpacts.com
rdt2.xyz
clubexelb.com
tempo-liquido.com
vinciforever.com
hematechnoworld.com
pdswakl.com
nerdifiedsuckleheads.com
roadstartravel.com
selltobillingstoyota.com
tintaoficina.com
2ndo.net
gaiaindtech.com
scenicds.com
xn----8sbc0brcdie1aj.xn--p1acf
bettingsitesindia.online
nieruchomosci.fyi
josias-shop.com
martinismith.com
tparsinc.com
wfxkkl.com
medpscyh.com
kalpataruparkrivieraindigo.com
charlestonwra.com
vashmedkrasnodar.com
thedrarfisshow.com
milestonecord.com
testinytimate.com
omsmgmnt.com
crymsonenterprises.com
veselina-karagoz.com
campercarnival.com
kickwrld.com
zefix.xyz
desteklosemi.com
wlleye.com
abbycaskie.com
realnyyvoshitit.xyz
cytimeyoga.com
smallnamebigresults.com
mean5fruit.com
ecorize.technology
anjj01.com
hakonegate.com
timemycard.com
movies2watchcc.com
sumaho-otoku-jp.com
buylasvegasland.com
karsfotosafari.xyz
profxgear.com
mmjzjs.com
rrsav1.xyz
sustaionmics.com
nieuwdorpschoonmaakgroep.com
studiobeam.xyz
neprohodimo-diko.xyz
zoologist.xyz
ti978.com
netflixaideredirect.com
carvalhoconsultoriajuridica.com
povmall.com
magelrbdsd.xyz
donsikfilm.com
healinginterdependence.com
Targets
Target: NewOrder-PO300122.doc (2.2MB; MD5, SHA1, SHA256 and SHA512 as listed under General above)
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext