30 DAYS OF FORMBOOK: DAY 3, WEDNESDAY 2023-06-07 - "AE30"

NOTICE:

NOTES:

 

FINDINGS:

 

ASSOCIATED FILES:

 

IMAGES


Shown above:  Traffic from the infection filtered in Wireshark.

 

30 DAYS OF FORMBOOK: DAY 3, WEDNESDAY 2023-06-07 - "AE30"

INFECTION CHAIN:

- Unknown vector, possibly distributed as email attachment.

FORMBOOK SAMPLE:

- SHA256 hash: c68d075e0b6d611c385eb3d05f8f7d5c6cb0b6fc86950c95f58a5fe76f7f0b86
- File size: 695,869 bytes
- File name: Drawing-img-.r11
- File type: RAR archive data, v4, os: Win32
- File description: RAR archive containing Formbook EXE

- SHA256 hash: 61d71745d3564cb52992ff8c59ed73f9f2d5025da3e64f6c607c56ed2604f521
- File size: 793,088 bytes
- File name: Drawing-img-.exe
- Persistent file location: C:\Program Files (x86)\Tp4n\upxtu0vh.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: Formbook EXE
- Creation Time: 2023-06-07 03:26:33 UTC

FORMBOOK PERSISTENCE:

- Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: GLHPQT0P
- Value type: REG_SZ
- Value Data: C:\Program Files (x86)\p4n\upxtu0vh.exe

DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER:

- C:\Users\[username]\AppData\Roaming\8-67R9DQ\8-6log.ini - 0 bytes
- C:\Users\[username]\AppData\Roaming\8-67R9DQ\8-6logim.jpeg - 277,178 bytes (screenshot of desktop)
- C:\Users\[username]\AppData\Roaming\8-67R9DQ\8-6logrc.ini - 1952 bytes (Outlook Recovery)
- C:\Users\[username]\AppData\Roaming\8-67R9DQ\8-6logrg.ini - 502 bytes (Chrome Recovery)
- C:\Users\[username]\AppData\Roaming\8-67R9DQ\8-6logri.ini - 40 bytes (Iexplore Recovery)
- C:\Users\[username]\AppData\Roaming\8-67R9DQ\8-6logrv.ini - 40 bytes (__Vault Recovery)

- Note: All the above files were deleted after data exfiltation, except for first file at 0 bytes named 8-6log.ini

FORMBOOK HTTP GET AND POST REQUESTS:

- GET /ae30/?[string of alphanumeric characters with the following mixed in: = _ + and /]
- POST /ae30/

DOMAINS THAT DID NOT RESOLVE:

- DNS query for www.christmaslv[.]com - no response from DNS server
- DNS query for www.gbera9ja[.]africa - no response from DNS server
- DNS query for www.thevelvetkit[.]africa - no response from DNS server
- DNS query for www.tutastrading[.]africa - no response from DNS server
- DNS query for www.zwelethugh[.]africa - no response from DNS server

- DNS query for www.broadbandterbaik[.]com - response: No such name
- DNS query for www.dxbsultan[.]com - response: No such name
- DNS query for www.flrfteb[.]ru - response: No such name
- DNS query for www.guideonwheels[.]com - response: No such name
- DNS query for www.howlsmovingcastlemerch[.]store - response: No such name
- DNS query for www.hulihuli[.]net - response: No such name
- DNS query for www.inhomeidea[.]com - response: No such name
- DNS query for www.k59963[.]com - response: No such name
- DNS query for www.kgaming[.]dev - response: No such name
- DNS query for www.lobosmc12[.]com - response: No such name
- DNS query for www.lowridericon[.]com - response: No such name

- DNS query for www.alphaestetica[.]com - resolved to 127.0.0.1

DOMAINS USED FOR FORMBOOK GET REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

- 162.209.189[.]207 or 162.209.189[.]208 port 80 - www.4983517[.]com
- 160.251.73[.]39 port 80 - www.ailihuq[.]com
- 104.18.26[.]189 or 104.18.27[.]189 port 80 - www.asteramoving[.]com
- 162.0.215[.]179 port 80 - www.bakedcivilization[.]com
- 23.227.38[.]74 port 80 - www.bedicustomgraphicapparel[.]com
- 15.197.142[.]173 port 80 - www.board-advising[.]com
- 89.31.143[.]1 port 80 - www.diamondshouse-hannover[.]online
- 192.99.101[.]236 port 80 - www.dompacino[.]com
- 69.163.216[.]147 port 80 - www.electrosertecnologia[.]com
- 13.56.33[.]8 port 80 - www.ezengage[.]com
- 198.54.117[.]217 port 80 - www.fact-times[.]live
- 15.197.142[.]173 port 80 - www.greenarrow-advisors[.]com
- 141.136.39[.]20 port 80 - www.kurrent[.]store
- 173.213.6[.]203 port 80 - www.lajwbwcl[.]com
- 34.117.168[.]233 port 80 - www.landonwieweck[.]com
- 64.190.62[.]22 port 80 - www.landscapingideas[.]site
- 31.28.24[.]244 port 80 - www.lili116[.]ru
- 76.76.21[.]98 port 80 - www.reachphone[.]app

DOMAINS USED FOR FORMBOOK GET AND POST REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

- 104.21.67[.]19 port 80 - www.accidentattorneysearch-jp[.]life
- 194.58.112[.]165 port 80 - www.apatitum[.]ru  **
- 64.190.62[.]22 port 80 - www.dollarvalue-guide[.]site
- 176.9.105[.]210 port 80 - www.falconspice[.]com  **
- 173.208.96[.]44 port 80 - www.fierceroar[.]uk
- 23.227.38[.]74 port 80 - www.frametasticuy[.]com  **
- 156.242.168[.]252 port 80 - www.fshxzz[.]com  **
- 15.197.142[.]173 port 80 - www.grandviewtub2shower[.]com
- 34.102.136[.]180 port 80 - www.jkdairyjammu[.]com
- 137.184.219[.]55 port 80 - www.kinder-vaccine[.]com  **
- 47.252.27[.]61 port 80 - www.ladderlab[.]site
- 162.254.207[.]54 port 80 - www.lostdrivinglicence[.]co[.]uk  !!
- 195.2.80[.]197 port 80 - www.rseriali[.]net
- 184.94.215[.]140 port 80 - www.xysklhgf[.]xyz  **

  ** - Full stolen data (encoded) sent through HTTP POST request.

  !! - www.lostdrivinglicence[.]co[.]uk has been used for Formbook since at least 2023-05-02.  It had the last Formbook HTTP
       POST request during this infection run, and response headers indicate this server may have accepted the stolen data.
       A browser check on this domain returned a parked page hosted by Bodis, a domain parking platform.

 

Click here to return to the main page.