General
- Target: PO_6305977.xlsx
- Size: 136KB
- Sample: 220602-vlk65scedr
- MD5: bf43d6ef39e3ec80000aa17b5e1fa8ee
- SHA1: a42be18ff81fefbb550d3789770aabd7f7b0a4b2
- SHA256: a4c426f7bd1ff3a4292b8ee1e315d58f23a149901b1b245a0c774fa981d67afd
- SHA512: ad3977db3960acaf5f21185ea303831b90f6dba497d762079bda5db598db021453e354d521d35e8b6102812a50e3ed8d0ee649a4d45fc53005568c884c85b495
Static task
- static1
Behavioral task
- behavioral1
  - Sample: PO_6305977.xlsx
  - Resource: win7-20220414-en
Behavioral task
- behavioral2
  - Sample: PO_6305977.xlsx
  - Resource: win10-20220414-en
Malware Config
- Extracted: formbook 4.1 g14s
Targets
- Target: PO_6305977.xlsx
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Formbook Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext