General
-
Target
8f6f20b9800cc3739e08c986979fe886.rtf
-
Size
27KB
-
Sample
230608-f65zqace93
-
MD5
8f6f20b9800cc3739e08c986979fe886
-
SHA1
945fc5d51604afd6e92c84fac68e336680d37abc
-
SHA256
4fe0591d0c5bd1f27e2a384aa171139b371847c545e9eae6e7bc6269a954a58b
-
SHA512
e5a31cf4eb09b45990de61527c98a3bb5726ce52bd9b103535bb347d18e60943b1d12d73f7aec23a6b214abb0cad952aec560ccb71064b131254018ecf646b71
-
SSDEEP
768:DHe6wuA/+TFngTG1tl2qGOQP0u2kPdU8S7C5G3fljgBQ/sp:DHOuA/+TFngC1u2kl7wm7p
Static task
static1
Behavioral task
behavioral1
Sample
8f6f20b9800cc3739e08c986979fe886.rtf
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
8f6f20b9800cc3739e08c986979fe886.rtf
Resource
win10v2004-20230221-en
Malware Config
Extracted
formbook
4.1
xchu
zcartoons.com
castilloshowroom.com
3bmmdtod.life
misaxoxo.com
nadiya.online
sykkbup29.xyz
triciaaprimrosevp.com
newleter.com
ptzslk.xyz
lightbulbfestival.com
texaslandline.com
ideeintemporelle.com
girljustdoitpodcast.com
medimediamarketing.com
bunk7outfitters.com
charlievgrfminnick.click
lifestyleinthehome.com
atfbestsale.online
frontdoorproperties.co.uk
grandpaswag2024.info
masterbidbox.com
twinmall.xyz
apihb.com
tanbuhelir.com
excortclub.com
avxxxtube.com
dayonetaxes.com
xx7zncjthyo.xyz
barhat-dance.online
wxbaonayue.com
sorunsuzyayinburada9.shop
so-do-to.com
bonettr.com
gosucculents.com
axcelus.mobi
elityou.com
82163.xyz
ugfc.monster
wxxinglong.com
fleurdelis-ksa.com
australiaxxxhookup.com
hieu.asia
lailashawa.com
littlefoxgrp.com
modi.codes
frenchmattie.com
francoishogue-rpg.com
ntzb1.vip
adfoidoas.shop
meter-ooh.com
mamarosarienne.online
sharonmevans.com
ccapltal.com
ewardsrq.com
rgmtrucking.com
nilhanzsa.net
prodemtim-healthy-gums.com
aviationsoftware.aero
frog.lol
hauntingmedia.com
newindianewsnetwork.com
calfamfitclasses.net
sparrow-coffee.com
centralcoastquotes.com
tangocitymoscow.com
Targets
-
-
Target
8f6f20b9800cc3739e08c986979fe886.rtf
-
Size
27KB
-
MD5
8f6f20b9800cc3739e08c986979fe886
-
SHA1
945fc5d51604afd6e92c84fac68e336680d37abc
-
SHA256
4fe0591d0c5bd1f27e2a384aa171139b371847c545e9eae6e7bc6269a954a58b
-
SHA512
e5a31cf4eb09b45990de61527c98a3bb5726ce52bd9b103535bb347d18e60943b1d12d73f7aec23a6b214abb0cad952aec560ccb71064b131254018ecf646b71
-
SSDEEP
768:DHe6wuA/+TFngTG1tl2qGOQP0u2kPdU8S7C5G3fljgBQ/sp:DHOuA/+TFngC1u2kl7wm7p
-
Formbook payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-