General
Target: requests.exe
Size: 1.1MB
Sample: 210723-5v4trq5v92
MD5: ac90b68610ff17a375d0c6a3ff50cac4
SHA1: 74b6073421eeb7d1d234da8c308799e44886a8c1
SHA256: 47e43b212669b34c8607c92637090cd2154610ec91ef0fb6207bd24f7ddbf67f
SHA512: 3c0a35d5fa2f10ca4c0a5adcf9adb7f2a0dfd511822dbba7be646e1d594083b130dd1482fec69224e24af00dd7eac373b6220110baa26a23f8c1ae96a32abca4
Static task: static1
Behavioral task: behavioral1
Sample: requests.exe
Resource: win7v20210410
Malware Config
Extracted: formbook 4.1
C2: http://www.pamm4fx.com/vfha/
Targets
Target: requests.exe
Signatures:
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Deletes itself
- Suspicious use of SetThreadContext