General
-
Target
PO-4015 DNX.doc
-
Size
2.2MB
-
Sample
220131-h9ja8sgffq
-
MD5
3f3c326776d1cca4140aec54899dd232
-
SHA1
22f2608fde8860771b405b82bea6ec7b90aa2e13
-
SHA256
a4f65315564c8a012c86e0f02d90d07246dbcf41347c37b93cad43b39d24f61e
-
SHA512
703e07ea7cc623deb50fc76b5edda62e11e26c5ac37024accb5c35031c514ca13183998d2810097018118bf4ff8da98911ff4e3ba604a671c216a0b511da39b8
Static task
static1
Behavioral task
behavioral1
Sample
PO-4015 DNX.rtf
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
PO-4015 DNX.rtf
Resource
win10-en-20211208
Malware Config
Extracted
formbook
4.1
n2t4
afvqag.icu
sharekhaneducation.co
celaty.xyz
charmingdat.com
trinitylegal.site
nuookh.site
stetnercreek.com
likeaduckinwater.xyz
yanhuan.icu
minxandmolly.com
tofindingwellness.com
sydneycemeteries.net
amethystwares.com
onglaprimaveradeljardin.online
majoroakdigital.com
xlr8s.net
jbrcvy.icu
decorator.company
compubonsai.com
seripo.com
sausvillebenson.com
valuationanalysismodel.com
tikitook.com
qa-proyectos.com
agentrobertdodson.com
kickscopper.com
wtacontigo.com
hr-tech-france.com
eminceliks.store
pomogaev.com
suppchoice.com
engwe-ebike.com
cavancookiestore.com
cccweb.net
lichenpism.store
boosock.com
crownkinglogistics.com
linktrustcapital.com
saisamarthrental.com
askmirian.com
hsgrupiletisim.com
cc-horizon.com
whiskyofmystery.com
mygoalt.com
trusugaming.tech
accesomx.com
iamihalo.com
baorlove.com
homedecoratrs.com
lesmonthaironsautrefois.com
mahdiayat.art
vulkan-casino.website
caregivig.com
otterchain.com
247services.site
satisfyfeel.com
codepromoleshameauxdu.com
imovilec.com
nft2211.com
zamboniteam.info
total4d3.com
portaltopdevendas.com
kyphrxcda.biz
marketingguys.net
originaldeed.com
Targets
-
-
Target
PO-4015 DNX.doc
-
Size
2.2MB
-
MD5
3f3c326776d1cca4140aec54899dd232
-
SHA1
22f2608fde8860771b405b82bea6ec7b90aa2e13
-
SHA256
a4f65315564c8a012c86e0f02d90d07246dbcf41347c37b93cad43b39d24f61e
-
SHA512
703e07ea7cc623deb50fc76b5edda62e11e26c5ac37024accb5c35031c514ca13183998d2810097018118bf4ff8da98911ff4e3ba604a671c216a0b511da39b8
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload
-
Blocklisted process makes network request
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-