2018-02-16 - MALSPAM PUSHING FORMBOOK INFO STEALER

ASSOCIATED FILES:

• Zip archive of the pcap:  2018-02-16-Formbook-infection-traffic.pcap.zip   919 kB (919,310 bytes)

• 2018-02-16-Formbook-infection-traffic.pcap   (1,285,123 bytes)

• Zip archive of the email and malware:  2018-02-16-Formbook-email-and-malware.zip   844 kB (844,221 bytes)

• 2018-02-16-extracted-Formbook-malware.exe   (495,616 bytes)
• 2018-02-16-malspam-attachment.zip   (277,181 bytes)
• 2018-02-16-malspam-pushing-Formbook-1228-UTC.eml   (384,353 bytes)

WEB TRAFFIC BLOCK LIST

Indicators are not a block list, especially since the associated domains appear to be legitimate websites.  If you feel the need to block web traffic, I suggest the following partial URLs:

• hxxp://www.885mt.com/m02/
• hxxp://www.blitzathletics.fitness/m02/
• hxxp://www.clevelandtaxaccountant.com/m02/
• hxxp://www.deliciousvillefoods.com/m02/
• hxxp://www.discovertellus.com/m02/
• hxxp://www.erfenbu.com/m02/
• hxxp://www.hemalipaterl.com/m02/
• hxxp://www.jueduizan.com/m02/
• hxxp://www.karselasansor.com/m02/
• hxxp://www.kinketsukun.com/m02/
• hxxp://www.navstyle.com/m02/
• hxxp://www.siwi.solutions/m02/

 

EMAIL

Shown above:  Screenshot of the email.

 

EMAIL INFORMATION:

• Date:  Friday, 2018-02-16 at 12:28 UTC
• Subject:  Confirm 30% advance payment
• From:  "Justin" <justin@yahoo.com>
• Received:  from 139.162.5.147 ([139.162.5.147])
• Message-ID:  <E1emf7M-0000Xa-Sm@kccgroups.dnsracks.com>
• Attachment name:  Transfer Copy.zip

 

Shown above:  Extracting the malware from the zip attachment and running it.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

INFECTION TRAFFIC:

• 199.188.206.251 port 80 - www.hemalipaterl.com - GET /m02/?LFN4x=[long string]==&wN688b=HZl0
• 202.254.234.147 port 80 - www.kinketsukun.com - GET /m02/?LFN4x=[long string]==&wN688b=HZl0&sql=1
• 202.254.234.147 port 80 - www.kinketsukun.com - POST /m02/
• 34.232.43.118 port 80 - www.deliciousvillefoods.com - GET /m02/?LFN4x=[long string]==&wN688b=HZl0&sql=1
• 34.232.43.118 port 80 - www.deliciousvillefoods.com - POST /m02/
• 193.33.128.202 port 80 - www.siwi.solutions - GET /m02/?LFN4x=[long string]==&wN688b=HZl0&sql=1
• 193.33.128.202 port 80 - www.siwi.solutions - POST /m02/
• 5.178.76.18 port 80 - www.discovertellus.com - GET /m02/?LFN4x=[long string]==&wN688b=HZl0&sql=1
• 5.178.76.18 port 80 - www.discovertellus.com - POST /m02/
• 77.223.137.20 port 80 - www.karselasansor.com - GET /m02/?LFN4x=[long string]==&wN688b=HZl0&sql=1
• 77.223.137.20 port 80 - www.karselasansor.com - POST /m02/
• 104.203.229.215 port 80 - www.885mt.com - GET /m02/?LFN4x=[long string]==&wN688b=HZl0&sql=1
• 104.203.229.215 port 80 - www.885mt.com - POST /m02/
• 192.163.183.245 port 80 - www.jueduizan.com - GET /m02/?LFN4x=[long string]==&wN688b=HZl0&sql=1
• 192.163.183.245 port 80 - www.jueduizan.com - POST /m02/
• 72.52.4.122 port 80 - www.clevelandtaxaccountant.com - GET /m02/?LFN4x=[long string]==&wN688b=HZl0&sql=1
• 72.52.4.122 port 80 - www.clevelandtaxaccountant.com - POST /m02/
• 208.91.197.91 port 80 - www.navstyle.com - GET /m02/?LFN4x=[long string]==&wN688b=HZl0&sql=1
• 208.91.197.91 port 80 - www.navstyle.com - POST /m02/
• 23.83.192.177 port 80 - www.erfenbu.com - GET /m02/?LFN4x=[long string]==&wN688b=HZl0&sql=1
• 23.83.192.177 port 80 - www.erfenbu.com - POST /m02/
• 52.219.64.19 port 80 - www.blitzathletics.fitness - GET /m02/?LFN4x=[long string]==&wN688b=HZl0&sql=1

 

MALWARE

EMAIL ATTACHMENT (ZIP ARCHIVE):

• SHA256 hash:  f5e2ec975eb815e3963ec266e8090ef8abbd89af3dde5b036f5fa2840484a436
  File size:  277,181 bytes
  File name:  Transfer Copy.zip

EXTRACTED FORMBOOK MALWARE:

• SHA256 hash:  22d9e1cf5d47b9cccd1b1449037ec1017f1747805cd09300bbd0fdc7167b28a8
  File size:  495,616 bytes
  File name:  Swift Document.exe
  File location after infection:  C:\Program Files (x86)\L0xep\winzv1lxh98.exe

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2018-02-16-Formbook-infection-traffic.pcap.zip   919 kB (919,310 bytes)
• Zip archive of the email and malware:  2018-02-16-Formbook-email-and-malware.zip   844 kB (844,221 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.