General
-
Target
LTL20I_order.xlsx
-
Size
255KB
-
Sample
220615-w4b7maagaj
-
MD5
bc64945d52b06b5a7f2259652722b4e6
-
SHA1
3e67f1d30e44c5f4b916165fb17944a168790b3b
-
SHA256
37321110b446c4565664a30d4729dfb08d8ee9a1d3b3c03a5203a851b831e0b2
-
SHA512
bb3685e9dedff8bbf4d1ad8c5fdeacef1efd538045da508f3232b418848d4052eb233020301b633b6328ac6cf011cc3c93234af28a81eb069c99a81aaa6b8fa2
Static task
static1
Behavioral task
behavioral1
Sample
LTL20I_order.xlsx
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
LTL20I_order.xlsx
Resource
win10v2004-20220414-en
Malware Config
Extracted
formbook
4.1
s3s3
tvielotus.com
teesta.xyz
talentrecruitor.com
pamaungipb.com
xn--90ahkh6a6b8b.site
910carolina.com
toyotaecoyouth-dev.com
invetnables.com
gdexc.com
ssw168.com
householdmould.com
mqttradar.xyz
t333c.com
thepausestudio.com
evershedsutherlands.com
asbdataplus.com
preddylilthingz.com
jepwu.com
tvlido.com
artovus.com
trainingmagazineme.com
rettar.net
underneathstardoll.com
babipiko21.site
getvpsdime.com
accentsfurniture.com
cutdowns.tech
teklcin.online
sunshareesg.com
eventrewards.site
lacomunaperu.com
a-tavola.online
gshund.com
monsterflixer.com
896851.com
carpetlandcolortileflint.com
filmproduction.management
cherie-clinique.com
medjoker.com
grant-helpers.site
sussdmortgages.com
solaranlagen-forum.com
freecustomsites.com
h7578.com
ideadly.com
backend360.com
podgorskidesign.com
zilinsky.taxi
ourelevatetribe.com
thefitnesswardllc.com
eficazindustrial.com
thecovefishcamp.com
niuxy.com
myluxurypals.com
clinicadentalvelinta.com
dis99.com
crosswealth.xyz
itopjob.com
oandbcleaningservices.com
afri-solutions.com
paradiseoe.com
versionespublicas.com
b2lonline.com
usdcmeta.xyz
bense003.xyz
Targets
-
-
Target
LTL20I_order.xlsx
-
Size
255KB
-
MD5
bc64945d52b06b5a7f2259652722b4e6
-
SHA1
3e67f1d30e44c5f4b916165fb17944a168790b3b
-
SHA256
37321110b446c4565664a30d4729dfb08d8ee9a1d3b3c03a5203a851b831e0b2
-
SHA512
bb3685e9dedff8bbf4d1ad8c5fdeacef1efd538045da508f3232b418848d4052eb233020301b633b6328ac6cf011cc3c93234af28a81eb069c99a81aaa6b8fa2
-
Detect Neshta Payload
-
Modifies system executable filetype association
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Formbook Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-