General
-
Target
Purchase Order - Project No-8879_ECOFIX.docx
-
Size
179KB
-
Sample
241030-mdbcza1eqh
-
MD5
4b4dd7f09a3f3435dd6ad0c3e0ebdec5
-
SHA1
d4c5dfc8f8e01aed7fbba3ae7c3bce2169a779b1
-
SHA256
c7fbb69621184bcde9042d22bf4e52b973ef7b5187b6446b362c32640469740c
-
SHA512
8e6a7f1e422e71a842052d23b2d2c5808fa0aeebd8a4861704fc471e5987e9e4241b8436324ba1c919b910f991f141f8cb28b80bde5ae783b412cbfb32b6ba53
-
SSDEEP
3072:UiY5rj1ATug+mhTZMxjcFQ9csn4qAzYjDp/shKuikycBSRjR/Vx7XUkGZZ:e5r/g+qZMpcFSQzYHut4dZ+Z
Static task
static1
Behavioral task
behavioral1
Sample
Purchase Order - Project No-8879_ECOFIX.docx
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
Purchase Order - Project No-8879_ECOFIX.docx
Resource
win10v2004-20241007-en
Malware Config
Extracted
formbook
4.1
btrd
toulouse.gold
launchyouglobal.com
margarita-services.com
dasnail.club
casa-hilo.com
hardscapesofflorida.com
thepositivitypulse.com
kkmyanev.cfd
love6ace22.top
castorcruise.com
chch6.com
h59f07jy.cfd
saatvikteerthyatra.com
fxsecuretrading-option.com
mostbet-k1o.click
36-m.beauty
ko-or-a-news.com
eurekatextile.com
gynlkj.com
deepsouthcraftsman.com
bougiebossbabe.com
202402.xyz
thecareskin.com
zimmerli.online
bathroomconnectsupreme.com
opmk.monster
docemimocasamentos.com
mywayinist.com
healthyters.com
mozartchamberorchestra.sydney
wewillrock.club
education2jobs.com
everlastdisposal.com
valentinascrochet.com
stewartvaluation.net
blackphoenix01.xyz
omnikart.shop
jejeesclothing.com
allurepet.site
futureofaustin.com
sillylittlestory.com
inthewoodsdesigns.com
freshtraining.store
illuminati4me.com
jewishlakecounty.com
devadecoration.com
nashexshop.com
martline.website
affirmationtotebags.com
golifestyles.com
telegood.info
trygenesisx.com
bestwhitetee.com
delicatemayhem.com
redyardcom.com
solarcyborg.com
emotieloos.com
fanatics-international.com
ballonsmagiques.com
projektincognito.com
fcno30.com
horizonoutdoorservices.com
couturewrap.com
mbbwa4wp.cfd
lifeofthobes.uk
Targets
-
-
Target
Purchase Order - Project No-8879_ECOFIX.docx
-
Size
179KB
-
MD5
4b4dd7f09a3f3435dd6ad0c3e0ebdec5
-
SHA1
d4c5dfc8f8e01aed7fbba3ae7c3bce2169a779b1
-
SHA256
c7fbb69621184bcde9042d22bf4e52b973ef7b5187b6446b362c32640469740c
-
SHA512
8e6a7f1e422e71a842052d23b2d2c5808fa0aeebd8a4861704fc471e5987e9e4241b8436324ba1c919b910f991f141f8cb28b80bde5ae783b412cbfb32b6ba53
-
SSDEEP
3072:UiY5rj1ATug+mhTZMxjcFQ9csn4qAzYjDp/shKuikycBSRjR/Vx7XUkGZZ:e5r/g+qZMpcFSQzYHut4dZ+Z
-
Formbook family
-
Formbook payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-