Malware-Traffic-Analysis.net - 30 days of Formbook: Day 4, Thursday 2023-06-08

30 DAYS OF FORMBOOK: DAY 4, THURSDAY 2023-06-08 - "T30K"

NOTICE:

Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

NOTES:

This the is 4th of 30 infection runs on recent Formbook samples.
Today's sample is from a .rar archive submitted to VirusTotal on Thursday 2023-06-08.

FINDINGS:

It looks like Formbook steals login credentials stored on the Firefox web browser (still not for the current version of Microsoft Edge)

ASSOCIATED FILES:

2023-06-08-IOCs-for-Formbook-infection.txt.zip 2.0 kB (1966 bytes)
2023-06-08-Formbook-infection.pcap.zip 5.2 MB (5,222,123 bytes)
2023-06-08-Formbook-malware-and-artifacts.zip 492 kB (491,565 bytes)

IMAGES

Shown above: Traffic from the infection filtered in Wireshark.

30 DAYS OF FORMBOOK: DAY 4, THURSDAY 2023-06-08 - "T30K"

INFECTION CHAIN:

- Unknown vector, possibly distributed as email attachment.

FORMBOOK SAMPLE:

- SHA256 hash: 257a59a4dfa8c4bac83ea60dea8347c8ae85eb5726533064bc9ca68292462a19
- File size: 243,224 bytes
- File name: EKSTRE.rar
- File type: RAR archive data, v5
- File description: RAR archive containing Formbook EXE

- SHA256 hash: 73ce02f6b7c4c5109af4ad501aa9206bbfa5cf32bb8276ad06887c95279c907d
- File size: 259,087 bytes
- File name: rocee4908.exe
- Persistent file location: C:\Program Files (x86)\Aiz74t\rtoduf6l0x.exe
- File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- File description: Formbook EXE
- Creation Time: 2021-09-25 21:56:47 UTC (probably a fake timestamp)

FORMBOOK PERSISTENCE:

- Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: 6LC8NJNHBZC
- Value type: REG_SZ
- Value Data: C:\Program Files (x86)\Aiz74t\rtoduf6l0x.exe

DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER:

- C:\Users\[username]\AppData\Roaming\NN7AQSRF\NN7log.ini - 0 bytes
- C:\Users\[username]\AppData\Roaming\NN7AQSRF\NN7logim.jpeg - 127,830 bytes (screenshot of desktop)
- C:\Users\[username]\AppData\Roaming\NN7AQSRF\NN7logrc.ini - 2,090 bytes (Outlook Recovery)
- C:\Users\[username]\AppData\Roaming\NN7AQSRF\NN7logrf.ini - 818 bytes (Firefox Recovery)
- C:\Users\[username]\AppData\Roaming\NN7AQSRF\NN7logri.ini - 40 bytes (Iexplore Recovery)
- C:\Users\[username]\AppData\Roaming\NN7AQSRF\NN7logrv.ini - 40 bytes (__Vault Recovery)

- Note: All the above files were deleted after data exfiltation, except for first file at 0 bytes named NN7log.ini

FORMBOOK HTTP GET AND POST REQUESTS:

- GET /t30k/?[string of alphanumeric characters with the following mixed in: = _ + and /]
- POST /t30k/

DOMAINS THAT DID NOT RESOLVE:

- DNS query for www.7744100[.]com - no response from DNS server
- DNS query for www.e-consultas[.]store - no response from DNS server
- DNS query for www.caowoq[.]com - no response from DNS server
- DNS query for www.yuanjii[.]com - no response from DNS server
- DNS query for www.3034f47ff3[.]com - no response from DNS server

- DNS query for www.westsidecollective[.]net - response: No such name
- DNS query for www.meiniang293[.]mom - response: No such name
- DNS query for www.buy149[.]com - response: No such name
- DNS query for www.towertechnicians[.]com - response: No such name
- DNS query for www.kkbbk[.]top - response: No such name
- DNS query for www.everythingbanker[.]com - response: No such name
- DNS query for www.ingresaagalicia[.]online - response: No such name
- DNS query for www.teslatrust2x[.]com - response: No such name
- DNS query for www.zvd[.]store - response: No such name

- DNS query for www.ioe518.xyz - no IP address returned

DOMAINS THAT RESOLVED, BUT NO CONNECTION TO SERVER:

- 43.155.68[.]147 port 80 - www.vbret[.]sbs - TCP SYN segments only, no response or RST from server

DOMAINS USED FOR FORMBOOK GET REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

- www.33923[.]xyz
- www.acsenteurka[.]com
- www.aistore[.]biz
- www.bbctravels[.]com
- www.ctsoapandcandles[.]com
- www.duanelawson[.]com
- www.gamebsras[.]cfd
- www.hv870[.]vip
- www.jmxtek[.]com
- www.luicap[.]com
- www.masturbatorzone[.]online
- www.patriotbeton[.]com
- www.patriotchampionmail[.]com
- www.playwriwi[.]com
- www.swiftpas[.]online
- www.teleportoverseas[.]com
- www.thenearlyperfectbody[.]com
- www.tronkamat[.]online
- www.watsongraphicdesigns[.]com
- www.yhtiye[.]com

DOMAINS USED FOR FORMBOOK GET AND POST REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

- www.04eb[.]top  **
- www.357y[.]xyz  **
- www.120637[.]com  **
- www.dihao123[.]com  **
- www.dream-job[.]live
- www.fdasdo[.]xyz  **
- www.junkremoval-az[.]com
- www.letusbuyyourlot[.com
- www.no731[.]com
- www.playwriwi[.]com
- www.rwhex[.]com
- www.sbobet-pasjackpot[.]xyz  **

  ** - Full stolen data (encoded) sent through HTTP POST request.

Click here to return to the main page.