2019-01-02 - MALWARE FROM MALSPAM PUSHING FORMBOOK

ASSOCIATED FILES:

NOTES:


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following partial URLs:


MALSPAM

DATA FROM THE MALSPAM:


MALWARE

ATTACHMENT FROM THE MALSPAM:

WINDOWS EXECUTABLE EXTRACTED FROM THE ATTACHED ZIP ARCHIVE:


TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.


TRAFFIC FROM AN INFECTED WINDOWS HOST:


IMAGES


Shown above:  Formbook persistent on an infected Windows host.  Each infection has a different directory name and file name for this file.



Shown above:  Screenshot and data exfiltrated from my infected Windows host.  Each infection has a different directory name and file name for these files.


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
