General
Target: a3c5880da2fdc1e7c07bead5af0a5dda6acb0893b39615b512feb82ddfc24d91
Size: 584KB
Sample: 220724-2fd9zabbbq
MD5: 8b140506ec06ac39293346fe55fe9151
SHA1: 4cb7f1b6b1aee0398a9fe7d6fa0ddfe21571655e
SHA256: a3c5880da2fdc1e7c07bead5af0a5dda6acb0893b39615b512feb82ddfc24d91
SHA512: cac3f2579192fb9c2f79af7930875f6d1acc0e354cf4eb57dd96d135ff768cfdba2b5755afc6e6f63630f4664534a3b3b42e7efab4cd878651f8f613b9729105
Static task: static1
Behavioral task: behavioral1
  Sample: a3c5880da2fdc1e7c07bead5af0a5dda6acb0893b39615b512feb82ddfc24d91.rtf
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: a3c5880da2fdc1e7c07bead5af0a5dda6acb0893b39615b512feb82ddfc24d91.rtf
  Resource: win10v2004-20220721-en
Malware Config (Extracted)
Family: formbook
Version: 3.9
Campaign: c134
Domains (FormBook configs carry the real C2 alongside decoy domains):
rulo.ltd
stainremoval.solutions
thefashionvisitor.com
themasseywedding.com
wisconsinismyhome.com
golfclubs.today
paycoml.com
analytica.digital
best-film.link
gethard.online
elmgraphics.com
wyqgy.com
yhdc25.com
castingguide.site
at9981.com
everythinginvestmfaim.com
myfcbtexas.net
lakeshore.tax
ogrencisleri.net
hiyahuegnuyen.win
racheloves.com
zwut4pq-lsl.com
equiposlaboratorio.com
inayya.com
gmsacv.net
70ud.info
googlejerseys.red
resystant.com
pandhbomb.com
mondze.com
valeriaartlab.com
fuckfuckitall.net
elephanttrack.net
smoothingoil.com
easyvideoadverts.com
crazycorner.net
needsxnow.com
manozi.com
jyqzc.com
rbcrb.com
cattleclasscurios.com
au588.com
myannieandme.com
www256678.com
hoordad.com
rb-doku.net
xiangfenchache.com
roboter.group
imkepm.com
mustashari.info
caibao.ltd
ruralmagnet.com
porschehiltonhead.com
vespafun.com
gupiaofengxi.com
wakanipa-yogyakarta.com
magnatstern.com
fermedesgrisards.com
sticksandwombat.com
pumadevs.net
xspcqgwq.com
wstfx.net
kankantalk.com
toprecyclage.com
setdop.com
Targets
Target: a3c5880da2fdc1e7c07bead5af0a5dda6acb0893b39615b512feb82ddfc24d91
Size: 584KB
MD5: 8b140506ec06ac39293346fe55fe9151
SHA1: 4cb7f1b6b1aee0398a9fe7d6fa0ddfe21571655e
SHA256: a3c5880da2fdc1e7c07bead5af0a5dda6acb0893b39615b512feb82ddfc24d91
SHA512: cac3f2579192fb9c2f79af7930875f6d1acc0e354cf4eb57dd96d135ff768cfdba2b5755afc6e6f63630f4664534a3b3b42e7efab4cd878651f8f613b9729105
Signatures
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext