General
Target: RFQ_20220131.doc
Size: 2.2MB
Sample: 220131-h8za3agffj
MD5: 1003a3560932316f965eceb34ec38488
SHA1: ff874bf58b3d4e6563803c4c5353be46c937bb8d
SHA256: a2f34d41dae7d24e7a1e6c67b720266f3562fa588f9425bfd9d97db75fa69dac
SHA512: 42b0b0577c285350487c0a0868de375914f1f5040ac3b02b689aaa060fa4a7aa010d4908aeee0671eaca46a03b97d0dbc34f10259ddf7d07dc5978b42b6c07ff
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ_20220131.rtf
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: RFQ_20220131.rtf
  Resource: win10-en-20211208
Malware Config
Extracted family: formbook
Version: 4.1
Campaign ID: mz16
C2 domains:
isletme.xyz
o7agj7.xyz
no-fucks-given.com
khaomaneecat.com
meta-medical.store
cxtopy.link
abcsquaredancing.com
zonaserbaserbi.com
enfgames.com
drakestonecapitalgroup.com
einfachstadtreiniger.com
nftsmartlicense.com
2333.site
archate.com
floridacoastwellness.com
garciawam.com
2022sg.xyz
offertntdjj.xyz
lightunclyuchand71.xyz
friv.asia
himvee.com
yz4dkipk.xyz
locatingasingletogrowwith.com
coolfluent.com
nidadns.xyz
boludogalurunlerpazari.com
otto2zhuhai.com
accbuzfy6.xyz
brockpeoplesphotography.com
marketinginspiration-2.biz
groylogistics.com
noeandofia.com
926396.com
hypnotizingrabbit.com
selfkindhub.com
boundlessblessings.net
streetport.net
wu8hwuvni045.xyz
doesitsparkgrief.com
y8uamh.xyz
alasdecancion.com
mtc-123.com
nashvillechickenwings.com
yoreminsesi.com
boujiebagel.com
xpxht.com
chivecapital.com
nutribullet.lat
urbanvsg.com
cnk753.com
storieswithoutaroof.com
nftentertainmentnetwork.com
omicronboostershots.com
prosoktooll.site
siemens-healthireers.com
bingblin.com
breakfastclubnft.com
agenciakolob.online
sostoyanie.moe
upgittas.com
pssfactory.com
auxfan.com
daimatsu.group
citizensreclamation.info
dream-river-street.com
Targets
Target: RFQ_20220131.doc
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext