30 DAYS OF FORMBOOK: DAY 7, SUNDAY 2023-06-11 - GULOADER FOR FORMBOOK "XCHU"
NOTICE:
- Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
NOTES:
- This is the 7th of 30 infection runs on recent Formbook samples.
ASSOCIATED FILES:
- 2023-06-11-IOCs-for-GuLoader-Formbook-infection.txt.zip 2.2 kB (2,156 bytes)
- 2023-06-11-GuLoader-Formbook-infection.pcap.zip 4.9 MB (4,875,875 bytes)
- 2023-06-11-GuLoader-Formbook-malware-and-artifacts.zip 2.5 MB (2,473,911 bytes)
IMAGES:
- Shown above: Traffic from the infection filtered in Wireshark.
INFECTION CHAIN:
- ?? --> HTTP traffic for GuLoader EXE --> GuLoader EXE --> HTTP traffic for encrypted binary --> Formbook infection
MALWARE/ARTIFACTS:
- SHA256 hash: f52f3c64c7e5729b929919c449f9087899823470d11335c5dad97f8c19ce2679
- File size: 1,273,800 bytes
- File location: hxxp[:]//107.172.148[.]217/23/cleanmgr.exe
- File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- File description: GuLoader EXE for Formbook

- SHA256 hash: 7cdb988da3f3317f4055c7bb0550be06f9da47e956aa4d859876205a5789f2c2
- File size: 189,504 bytes
- File location: hxxp[:]//107.172.148[.]217/cl/zbXCSdHkU190.bin
- File type: data
- File description: encoded/encrypted data binary used by this GuLoader sample for Formbook

- SHA256 hash: 31bc183c08489098dc6d52de73cb3772019b82c0c587c7c04e4a3631a1852e87
- File size: 1,273,800 bytes
- File location: C:\Program Files (x86)\H2dupmnr\Cookieswbvl.exe
- File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- File description: Persistent EXE for this infection
- Note: File does not execute, giving the NSIS Error: Installer integrity check failed.
GULOADER FOR FORMBOOK PERSISTENCE:
- Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: IDFDODJ0OBZ
- Value type: REG_SZ
- Value Data: C:\Program Files (x86)\H2dupmnr\Cookieswbvl.exe
DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER:
- C:\Users\[username]\AppData\Roaming\0Q61P0A2\0Q6log.ini - 0 bytes
- C:\Users\[username]\AppData\Roaming\0Q61P0A2\0Q6logim.jpeg (screenshot of desktop)
- C:\Users\[username]\AppData\Roaming\0Q61P0A2\0Q6logrc.ini (Outlook Recovery)
- C:\Users\[username]\AppData\Roaming\0Q61P0A2\0Q6logrf.ini (Firefox Recovery)
- C:\Users\[username]\AppData\Roaming\0Q61P0A2\0Q6logrg.ini (Chrome Recovery)
- C:\Users\[username]\AppData\Roaming\0Q61P0A2\0Q6logri.ini (Iexplore Recovery)
- C:\Users\[username]\AppData\Roaming\0Q61P0A2\0Q6logrv.ini (__Vault Recovery)
- Note: All the above files were deleted after data exfiltration, except for the first file at 0 bytes.
FORMBOOK HTTP GET AND POST REQUESTS:
- GET /xchu/?[string of alphanumeric characters with the following mixed in: = _ + and /]
- POST /xchu/
DOMAINS THAT DID NOT RESOLVE:
- DNS query for www.nadiya[.]online - no response from DNS server
- DNS query for www.ptzslk[.]xyz - no response from DNS server
- DNS query for www.ugfc[.]monster - no response from DNS server
- DNS query for www.adfoidoas[.]shop - response: No such name
- DNS query for www.axcelus[.]mobi - response: No such name
- DNS query for www.bunk7outfitters[.]com - response: No such name
- DNS query for www.castilloshowroom[.]com - response: No such name
- DNS query for www.elityou[.]com - response: No such name
- DNS query for www.frenchmattie[.]com - response: No such name
- DNS query for www.girljustdoitpodcast[.]com - response: No such name
- DNS query for www.medimediamarketing[.]com - response: No such name
DOMAINS THAT RESOLVED, BUT NO CONNECTION TO SERVER:
- port 80 - www.82163[.]xyz - TCP SYN segments only, no response or RST from server
- port 80 - www.charlievgrfminnick[.]click - TCP SYN segments only, no response or RST from server
DOMAINS USED FOR FORMBOOK GET REQUESTS:
- Note: These appear to be legitimate websites or parked domain pages.
DOMAINS USED FOR FORMBOOK GET AND POST REQUESTS:
- Note: These appear to be legitimate websites or parked domain pages.
- Note: For some of these domains, the full stolen data (encoded) was sent through an HTTP POST request.
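The Formbook C2 pattern recorded above (the same /xchu/ path requested with GET query strings drawn from a narrow character set, and POSTed to, across many unrelated and apparently legitimate domains) is something a proxy-log check can surface even when the domains themselves are not on any blocklist. The script below is an added example, not code from this page or from the tool used here: the log lines are constructed, the "method url status" layout and the three-host threshold are assumptions, and the domains are the ones listed on this page.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Query strings in this infection were alphanumeric with '=', '_', '+' and '/' mixed in.
FORMBOOK_QUERY = re.compile(r"^[A-Za-z0-9=_+/]+$")

# Constructed proxy log lines in an assumed "<method> <url> <status>" layout;
# these are not taken from the pcap on this page.
SAMPLE_LOG = """\
GET http://www.atfbestsale.online/xchu/?Ab12=cdE+f/gh_IJ 200
POST http://www.apihb.com/xchu/ 200
GET http://www.hieu.asia/xchu/?zZ9=Q_w+e/Rt 404
GET http://www.modi.codes/xchu/?k8=Lm_nO+p 200
GET http://www.example.com/index.html?page=2 200
POST http://www.example.com/login 200
GET http://www.meter-ooh.com/xchu/?Xy=1+2/3_4 200
"""

def parse_line(line):
    """Split one constructed log line into (method, host, path, query)."""
    method, url, _status = line.split()
    parts = urlsplit(url)
    return method, parts.hostname, parts.path, parts.query

def find_shared_c2_paths(log_text, min_hosts=3):
    """Return {path: sorted hosts} for paths that look like Formbook C2.

    A path qualifies when it is hit on at least min_hosts distinct hosts,
    its GET requests carry only Formbook-style query strings, and at least
    one host also received a bare POST to the same path. A single site
    with a query like 'page=2' never reaches the threshold on its own.
    """
    hosts_by_path = defaultdict(set)
    posted_paths = set()
    for line in log_text.splitlines():
        method, host, path, query = parse_line(line)
        if method == "GET" and query and FORMBOOK_QUERY.match(query):
            hosts_by_path[path].add(host)
        elif method == "POST" and not query:
            hosts_by_path[path].add(host)
            posted_paths.add(path)
    return {
        path: sorted(hosts)
        for path, hosts in hosts_by_path.items()
        if len(hosts) >= min_hosts and path in posted_paths
    }

if __name__ == "__main__":
    for path, hosts in find_shared_c2_paths(SAMPLE_LOG).items():
        print(f"suspect C2 path {path} seen on {len(hosts)} hosts: {', '.join(hosts)}")
```

On the sample log only /xchu/ is reported; the threshold is what separates a Formbook-style shared path from an ordinary site that happens to use a simple query string.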