General
- Target: Updated ORDER.docx
- Size: 11KB
- Sample: 230220-n93mrsad3z
- MD5: 98d58338e27f9aad2ef3c5a0a4df20ab
- SHA1: 1af7e9a0b504f116db06090cb229c64b54a607b8
- SHA256: 5f195b9a20724e347f6a90bceb30081141ddceaf0fbee468cbd120d3d4425717
- SHA512: dea40ac1624aa1ee9ab743c897a1f00764ad6722b9b9a329fcdcccdab9319ea85c5512c7a63fb440b0d5b55e67270ba1a417c24fb0176551021ad26ee7e2c0db
- SSDEEP: 192:CtNCWUyn0i13pNXqkOcPiYFLwzvdX6Ptpwjnw+umHBCaWgk9Vlp:aNxUyn0i13LROEiOLkX6Ujnw+3NWgaVr
Static task: static1
Behavioral task: behavioral1 (Sample: Updated ORDER.docx; Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: Updated ORDER.docx; Resource: win10v2004-20221111-en)
Malware Config
Extracted (remote template URL, the external location the document fetches):
- http://bbBBBBBBBuuuBBBBEEEEEBBBBBBByyyyYYYYYYYYYWWWWWWwwssssDDDDDDDDDDDPPPpppppoooOOOPPOOssddSDDDD@1332625003/O--O.DOC
  (everything before the `@` is URL userinfo, not a hostname; the actual host is the bare integer 1332625003, which HTTP clients on Windows accept as a 32-bit IPv4 address, so string-matching the junk prefix or a dotted-quad alone will miss it)
Extracted (Formbook):
- Family: formbook
- Version: 4.1
- Campaign ID: ho62
- C2 domains (Formbook configs mix one live C2 with many decoy domains; treat the whole list as indicators rather than assuming each is attacker-controlled):
  - aqawonky.com
  - ancachsroadsideassistance.com
  - artologycreatlive.com
  - olesinfo.africa
  - lovebreatheandsleep.com
  - friendsofdragonsprings.com
  - homecomingmums.wiki
  - hg222.bet
  - precision-spares.co.uk
  - generalhospitaleu.africa
  - touchstone4x4.africa
  - dynamator.com
  - dental-implants-52531.com
  - efefear.buzz
  - bentonapp.net
  - 89luxu.com
  - bridgesonelm.com
  - acesaigon.online
  - instantapprovals.loans
  - evuniverso.com
  - kasoraenterprises.com
  - instasteamer.com
  - granolei.com
  - iamavisioniar.site
  - beachexplo.com
  - ynametro.com
  - littlegallery-rovinj.com
  - 27og.com
  - horrorcity.online
  - zexo.africa
  - perdeumane.com
  - drugsaddiction.co.uk
  - tickleyourfancy.africa
  - jimyhq.top
  - rajputnetwork.co.uk
  - lacuspidehn.com
  - bestxdenotecyby.top
  - gg10siyahposet.xyz
  - biorigin.co.uk
  - jye-group.com
  - digito.exposed
  - eternalstw.com
  - schjetne.dev
  - climateviking.com
  - easysaldoya.xyz
  - 1233332.xyz
  - centerverified.online
  - lezzetyemekfabrikasi.com
  - wzshayang.com
  - cloudadonis.com
  - zxpz6.com
  - alifecube.com
  - induscontrolpcb.site
  - golfingineurope.com
  - ducksathomephotos.com
  - aimeesbellaboutique.com
  - justrebottle.com
  - hachettejeunesse.pro
  - 238142.com
  - casabiancapanama.com
  - dohenydesalination.com
  - 1-kh.com
  - cdhptor.xyz
  - island6.work
  - ehirtt.com
Targets
- Target: Updated ORDER.docx (11KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
- Signatures:
  - Formbook payload
  - Blocklisted process makes network request
  - Downloads MZ/PE file
  - Abuses OpenXML format to download file from external location (an external relationship in the package, here the remote template URL in the extracted config)
  - Executes dropped EXE
  - Loads dropped DLL
  - Uses the VBS compiler for execution (vbc.exe)
  - Suspicious use of SetThreadContext (process injection)
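The two findings a triager most wants to reproduce from this report are the "Abuses OpenXML format to download file from external location" signature and the odd-looking remote template URL in the extracted config. The script below is an added example and is not part of the sandbox report or its tooling: it walks every `*.rels` part of a DOCX package (a DOCX is a zip of OPC parts; the relationship namespace and the `attachedTemplate` relationship type are the standard OpenXML ones), reports relationships marked `TargetMode="External"`, and normalises the target the way an HTTP client would, treating text before `@` as userinfo and a bare integer host as a 32-bit IPv4 address. The DOCX it scans is constructed in memory so it runs offline; the only data taken from the report is the URL.

```python
"""Added example (not part of the sandbox report): find OpenXML relationships
that pull content from an external location, as the report's "Abuses OpenXML
format" signature describes, and normalise the extracted remote-template URL.
The DOCX scanned here is constructed in memory so the script runs offline."""
import io
import ipaddress
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Standard OPC / WordprocessingML namespaces and relationship types.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ATTACHED_TEMPLATE = R_NS + "/attachedTemplate"

# Remote template URL exactly as listed in the report's extracted config.
REPORT_URL = ("http://bbBBBBBBBuuuBBBBEEEEEBBBBBBByyyyYYYYYYYYYWWWWWWwwssssDDDDDDDDDDD"
              "PPPpppppoooOOOPPOOssddSDDDD@1332625003/O--O.DOC")


def normalise_url(url):
    """Split a fetch URL the way an HTTP client does: text before '@' is userinfo,
    and a bare integer host is a 32-bit IPv4 address (inet_addr semantics)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    ip = host
    if re.fullmatch(r"[0-9]+", host) and int(host) < 2 ** 32:
        ip = str(ipaddress.IPv4Address(int(host)))
    return {"userinfo": parts.username or "", "host": host, "ip": ip, "path": parts.path}


def external_relationships(docx_bytes):
    """Return (rels_part, rel_type, target) for every relationship marked
    TargetMode="External" in any *.rels part of the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return hits


def build_sample_docx(template_url):
    """Constructed minimal DOCX: settings.xml carries an attachedTemplate whose
    relationship target is an external URL (the remote-template technique).
    document.xml.rels keeps an ordinary internal relationship to show it is ignored."""
    settings = (f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
                f'<w:attachedTemplate r:id="rId1"/></w:settings>')
    settings_rels = (f'<Relationships xmlns="{REL_NS}">'
                     f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                     f'Target="{template_url}" TargetMode="External"/></Relationships>')
    document = f'<w:document xmlns:w="{W_NS}"><w:body><w:p/></w:body></w:document>'
    document_rels = (f'<Relationships xmlns="{REL_NS}">'
                     f'<Relationship Id="rId1" Type="{R_NS}/settings" '
                     f'Target="settings.xml"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("word/document.xml", document)
        pkg.writestr("word/_rels/document.xml.rels", document_rels)
        pkg.writestr("word/settings.xml", settings)
        pkg.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


def scan(docx_bytes):
    """Flag external relationships whose target is http(s) and decode their hosts."""
    findings = []
    for part, rel_type, target in external_relationships(docx_bytes):
        if urlsplit(target).scheme in ("http", "https"):
            info = normalise_url(target)
            findings.append({"part": part, "type": rel_type.rsplit("/", 1)[-1], **info})
    return findings


if __name__ == "__main__":
    for f in scan(build_sample_docx(REPORT_URL)):
        print(f"{f['part']}: {f['type']} -> {f['ip']}{f['path']} "
              f"(userinfo of {len(f['userinfo'])} chars dropped)")
```

Run against a real sample, replace `build_sample_docx(REPORT_URL)` with the bytes of the file; the same loop catches external targets in `document.xml.rels` (linked OLE objects, INCLUDE fields) as well as `settings.xml.rels`. Blocking or alerting on the dotted-quad form the script prints, rather than on the literal string from the config, is what makes the indicator usable in a proxy or DNS log search.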