General
- Target: PO.doc
- Size: 11KB
- Sample: 220131-n3fjnahfe5
- MD5: e57459af29551726024c5248739a1971
- SHA1: 89494d2a840d5681b84a01767d42980eb3530003
- SHA256: 0da037449078eb28dffcd95733769019ee21831ac82b12d845fb051be22b33ec
- SHA512: 96712d136260118c87a906dc2066db875f18a5448f4fb0b9098ba5d46243410b41f041c745fbb1f086abb2ec38ec247ea63e8e466335d202237eeb5530f55854
Static task: static1
Behavioral task: behavioral1
  Sample: PO.rtf
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: PO.rtf
  Resource: win10v2004-en-20220112
Malware Config
Extracted
formbook
4.1
jy93
Targets
- Formbook Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext