General
-
Target
87930142ba02cbbfe0b77ab3beb3d1bc.rtf
-
Size
80KB
-
Sample
240509-exhbmadb55
-
MD5
87930142ba02cbbfe0b77ab3beb3d1bc
-
SHA1
4eae75c6e3d552ec1ff34d3ee00a7ee0d6f92bd0
-
SHA256
3445d16ad6e5de9939611d9bc5f3169581c3bd1166ad228506d6be70ac1eacbd
-
SHA512
7f69dc7584da9c2da36ef26eb2b1ee167800d27433383ea881b739121d706cc4330d6fe174409ce8a0518713f92a58710b0c4cac0c5b231596298962fe244a99
-
SSDEEP
1536:LAXgS04nWQuhEWhCBt2KET+qMPsAvBgdPwVI6PbxULWI4qtqi/wEXvgaew6iAzab:IggWQuhBCB8KET+qMPsAvBgWVI6POLW8
Static task
static1
Behavioral task
behavioral1
Sample
87930142ba02cbbfe0b77ab3beb3d1bc.rtf
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
87930142ba02cbbfe0b77ab3beb3d1bc.rtf
Resource
win10v2004-20240508-en
Malware Config
Extracted
formbook
4.1
ht3d
Targets
-
Target
87930142ba02cbbfe0b77ab3beb3d1bc.rtf
-
Formbook payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-