General

Target: AWB_NO_9284730932.xlsx
Size: 206KB
Sample: 220505-fzt9msaaam
MD5: 5d7eb39dcf8fb650cf9a5cb7f3c66f89
SHA1: f73f4854f32b82851e6537758900541772c2181b
SHA256: 5d81ecea3ddb68a54c0bfdf6a5da1061ce81f3abb559032bf4cf1c412423454d
SHA512: 29621937e83117e08ac9d75148bcba58226c4b0d2ff3139af4e1b105862ed9ad5270fdb6fd353347ff48063edd15b6756402ae603bb72d1321c6a69565647b79
Static task: static1

Behavioral task: behavioral1
Sample: AWB_NO_9284730932.xlsx
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: AWB_NO_9284730932.xlsx
Resource: win10v2004-20220414-en

Behavioral task: behavioral3
Sample: decrypted.xlsx
Resource: win7-20220414-en

Behavioral task: behavioral4
Sample: decrypted.xlsx
Resource: win10v2004-20220414-en
Malware Config
Extracted
formbook
4.1
fw02
Targets

Target: AWB_NO_9284730932.xlsx
Size: 206KB
MD5: 5d7eb39dcf8fb650cf9a5cb7f3c66f89
SHA1: f73f4854f32b82851e6537758900541772c2181b
SHA256: 5d81ecea3ddb68a54c0bfdf6a5da1061ce81f3abb559032bf4cf1c412423454d
SHA512: 29621937e83117e08ac9d75148bcba58226c4b0d2ff3139af4e1b105862ed9ad5270fdb6fd353347ff48063edd15b6756402ae603bb72d1321c6a69565647b79

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Suspicious use of SetThreadContext

Target: decrypted
Size: 200KB
MD5: 9772d97019deb626f2582bc1d9164ac5
SHA1: 6d929c049b0983c89edd5f2eb9caf30414e1f6d5
SHA256: d252d20addae437f4ce01e2207c36a0b589633fb2f3128b4c6c450c0a01b2715
SHA512: 3a53cf67b02b7d20c7d3dd659844633c50a0f2ede46286c98935f2d780d2c858998ac7a9b448750f6dbf75cb7d124d0555bbb38af07573f74858f93e58ee2fae

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Suspicious use of SetThreadContext