General
- Target: GMC_310182973.doc
- Size: 2.2MB
- Sample: 220131-h8za3agffk
- MD5: 0d4881e7b37cf348025ff29b7c5e68c4
- SHA1: 9a74be8ce26251344f990e852ce1a782f73c7555
- SHA256: 1b5b296d23666b420cce79e0e953acc3ee864d7718ff7cfab7146ee85bb8b0f6
- SHA512: 7199b588a2ae25bf0968e04d05dfc71a2b7146b0fd8fda60363064272d625fe73ff3deedddcb7340b931c3e7c9ee29b27340e9d02ac0853cf6881ab002469161
Static task
- static1
Behavioral task
- behavioral1: Sample GMC_310182973.rtf, Resource win7-en-20211208
Behavioral task
- behavioral2: Sample GMC_310182973.rtf, Resource win10-en-20211208
Malware Config
- Extracted: formbook 4.1 m16a
Targets
- Target: GMC_310182973.doc
- Size: 2.2MB
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext