General
Target: DHL_AWB_NO#907853880911.xlsx
Size: 183KB
Sample: 220512-hqxdraahb6
MD5: bece4088b65375dedc691a405346fd23
SHA1: 8460d896a3fc1adc72a28906421866bfb1d28605
SHA256: 38ae577459ca9c000a1a5ae910e9b1768480a97aba71835caaa48ffdddc7622d
SHA512: 42d0ed9ec6943231052f342a84ba2276e08a4e23c85f30fee0ba2de7b6785d2f35bb97a15145526b7ef43488172b5f3ef95b9941d16291a548780be48af2ca9d
Static task: static1
Behavioral task: behavioral1 (Sample: DHL_AWB_NO#907853880911.xlsx, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: DHL_AWB_NO#907853880911.xlsx, Resource: win10v2004-20220414-en)
Behavioral task: behavioral3 (Sample: decrypted.xlsx, Resource: win7-20220414-en)
Behavioral task: behavioral4 (Sample: decrypted.xlsx, Resource: win10v2004-20220414-en)
Malware Config
Extracted family: formbook
Version: 4.1
Campaign: fw02
Targets

Target: DHL_AWB_NO#907853880911.xlsx
Size: 183KB
MD5: bece4088b65375dedc691a405346fd23
SHA1: 8460d896a3fc1adc72a28906421866bfb1d28605
SHA256: 38ae577459ca9c000a1a5ae910e9b1768480a97aba71835caaa48ffdddc7622d
SHA512: 42d0ed9ec6943231052f342a84ba2276e08a4e23c85f30fee0ba2de7b6785d2f35bb97a15145526b7ef43488172b5f3ef95b9941d16291a548780be48af2ca9d
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext

Target: decrypted
Size: 177KB
MD5: aa4955a1f9f886e93ee58db40340f6df
SHA1: 617e147e2b7b552c98d32f55407f838b34c84f92
SHA256: 8ff5e67aced69f849f9fa21e6c63085aa2882a77280ffae6eacd300ab3b0ba94
SHA512: ea229f2c51a700a6372d7e3b341cf654769c448d56748edd4dbf330c464c819e465be08744d2addcdcbc509967a03df9e60c2f9e0bf2e4a9ec9297402c20f046
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext