General
-
Target
e230816a29bb8af0b5f24adfbe5eff62.rtf
-
Size
25KB
-
Sample
230608-e9yjdacf61
-
MD5
e230816a29bb8af0b5f24adfbe5eff62
-
SHA1
841fb495cc824fb043d1be3f033326294745dfff
-
SHA256
061eab00aca9bb4dc4a164c23f0ec24b805eaff6bd597b45601bde2958744ca3
-
SHA512
8af309043b6af0b9bae704071b643b9df4cd681e855a897cad25f0dff3113fae0a97810283bc16b0988280f47307f51c5f5669288ee5f07f8a56c63f4d52dca7
-
SSDEEP
768:XJnxqg/d7sWctQS0vZJ7UtnZlo2QLdWX2tibZqSA0:1xJ7sWcEf7gnc7QX3/A0
Static task
static1
Behavioral task
behavioral1
Sample
e230816a29bb8af0b5f24adfbe5eff62.rtf
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
e230816a29bb8af0b5f24adfbe5eff62.rtf
Resource
win10v2004-20230220-en
Malware Config
Extracted
formbook
4.1
xchu
zcartoons.com
castilloshowroom.com
3bmmdtod.life
misaxoxo.com
nadiya.online
sykkbup29.xyz
triciaaprimrosevp.com
newleter.com
ptzslk.xyz
lightbulbfestival.com
texaslandline.com
ideeintemporelle.com
girljustdoitpodcast.com
medimediamarketing.com
bunk7outfitters.com
charlievgrfminnick.click
lifestyleinthehome.com
atfbestsale.online
frontdoorproperties.co.uk
grandpaswag2024.info
masterbidbox.com
twinmall.xyz
apihb.com
tanbuhelir.com
excortclub.com
avxxxtube.com
dayonetaxes.com
xx7zncjthyo.xyz
barhat-dance.online
wxbaonayue.com
sorunsuzyayinburada9.shop
so-do-to.com
bonettr.com
gosucculents.com
axcelus.mobi
elityou.com
82163.xyz
ugfc.monster
wxxinglong.com
fleurdelis-ksa.com
australiaxxxhookup.com
hieu.asia
lailashawa.com
littlefoxgrp.com
modi.codes
frenchmattie.com
francoishogue-rpg.com
ntzb1.vip
adfoidoas.shop
meter-ooh.com
mamarosarienne.online
sharonmevans.com
ccapltal.com
ewardsrq.com
rgmtrucking.com
nilhanzsa.net
prodemtim-healthy-gums.com
aviationsoftware.aero
frog.lol
hauntingmedia.com
newindianewsnetwork.com
calfamfitclasses.net
sparrow-coffee.com
centralcoastquotes.com
tangocitymoscow.com
Targets
-
-
Target
e230816a29bb8af0b5f24adfbe5eff62.rtf
-
Size
25KB
-
MD5
e230816a29bb8af0b5f24adfbe5eff62
-
SHA1
841fb495cc824fb043d1be3f033326294745dfff
-
SHA256
061eab00aca9bb4dc4a164c23f0ec24b805eaff6bd597b45601bde2958744ca3
-
SHA512
8af309043b6af0b9bae704071b643b9df4cd681e855a897cad25f0dff3113fae0a97810283bc16b0988280f47307f51c5f5669288ee5f07f8a56c63f4d52dca7
-
SSDEEP
768:XJnxqg/d7sWctQS0vZJ7UtnZlo2QLdWX2tibZqSA0:1xJ7sWcEf7gnc7QX3/A0
-
Formbook payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-