Malware-Traffic-Analysis.net - 30 days of Formbook: Day 8, Monday 2023-06-12

30 DAYS OF FORMBOOK: DAY 8, MONDAY 2023-06-12 - "EE2Q"

NOTICE:

Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

NOTES:

This the is 8th of 30 infection runs on recent Formbook samples.

ASSOCIATED FILES:

2023-06-12-IOCs-for-Formbook-infection.txt.zip 1.9 kB (1,880 bytes)
2023-06-12-Formbook-infection.pcap.zip 2.2 MB (2,220,650 bytes)
2023-06-12-Formbook-malware-and-artifacts.zip 1.1 MB (1,117,770 bytes)

IMAGES

Shown above: Traffic from the infection filtered in Wireshark.

30 DAYS OF FORMBOOK: DAY 8, MONDAY 2023-06-12 - "EE2Q"

INFECTION CHAIN:

- uknown source, probably email attachment --> RAR archive --> Formbook EXE

MALWARE/ARTIFACTS:

- SHA256 hash: efc9dde68b9e80152fefe7265ce3504b4703c84513ceac9cd26dec407c1a5865
- File size: 554,892 bytes
- File name: unknown
- File type: RAR archive data, v5
- File description: RAR archive containing 

- SHA256 hash: 3bfdf114998cc67d1853f54e5305b774454b68fc190964a64af30048ca34b926
- File size: 776,192 bytes
- File name: Inquiry_1120236.exe
- Persistent file location: C:\Program Files (x86)\X7nwl\vv9l_rixhvn.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: Windows EXE for Formbook version 4.1

FORMBOOK PERSISTENCE:

- Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: 4HG4QBVPUFP
- Value type: REG_SZ
- Value Data: C:\Program Files (x86)\X7nwl\vv9l_rixhvn.exe

DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER:

- C:\Users\[username]\AppData\Roaming\27P141S4\27Plog.ini - 0 bytes
- C:\Users\[username]\AppData\Roaming\27P141S4\27Plogim.jpeg  (screenshot of desktop)
- C:\Users\[username]\AppData\Roaming\27P141S4\27Plogrc.ini  (Outlook Recovery)
- C:\Users\[username]\AppData\Roaming\27P141S4\27Plogrf.ini  (Firefox Recovery)
- C:\Users\[username]\AppData\Roaming\27P141S4\27Plogrg.ini  (Chrome Recovery)
- C:\Users\[username]\AppData\Roaming\27P141S4\27Plogri.ini  (Iexplore Recovery)
- C:\Users\[username]\AppData\Roaming\27P141S4\27Plogrv.ini  (__Vault Recovery)

- Note: All the above files were deleted after data exfiltation, except for first file at 0 bytes.

FORMBOOK HTTP GET AND POST REQUESTS:

- GET /ee2q/?[string of alphanumeric characters with the following mixed in: = _ + and /]
- POST /ee2q/

DOMAINS THAT DID NOT RESOLVE:

- DNS query for www.czbxlk[.]com - no response from DNS server
- DNS query for www.prostadine202[.]store - no response from DNS server
- DNS query for www.tuomamoban[.]com - no response from DNS server
- DNS query for www.uspbs[.]top - no response from DNS server

- DNS query for www.23382338[.]xyz - response: No such name
- DNS query for www.btoie[.]space - response: No such name
- DNS query for www.daqinp11012[.]club - response: No such name
- DNS query for www.guineeanalyseopinions[.]net - response: No such name
- DNS query for www.gxkchp[.]live - response: No such name
- DNS query for www.inncur[.]space - response: No such name
- DNS query for www.rooseveltdp[.]com - response: No such name
- DNS query for www.soundbase[.]life - response: No such name

DOMAINS USED FOR FORMBOOK GET REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

- www.bjcxks[.]com
- www.boguslavka[.]com
- www.challengecoinwraehouse[.]com
- www.citrixsettlement[.]com
- www.faranstechtalk[.]com
- www.gefa[.]ovh
- www.iitik[.]com
- www.ijinusaha[.]info
- www.iklanbarisgorontalo[.]com
- www.katica[.]net
- www.littlenuggetproperties[.]com
- www.mflol[.]uk
- www.mobilefreekids[.]com
- www.mygoogles[.]ch
- www.peterschwartzmanformayor[.]com
- www.premsaoli[.]cat
- www.proactionbrandsdevelopment[.]com
- www.proflidi[.]com
- www.reallinvest[.]fun
- www.sawtoothai[.]com
- www.shopazlifestylehomes[.]com
- www.taxigiarethainguyen[.]top
- www.tribek9fl[.]com

DOMAINS USED FOR FORMBOOK GET AND POST REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

- www.8xmac[.]top  **
- www.blackgirlsbeenmagical[.]com  **
- www.bricepacific[.]com  **
- www.cospaz[.]com  **
- www.fcsawftffcoffical[.]buzz  **
- www.genosync[.]xyz  **
- www.greatpromo[.]site  **
- www.netfiix-account[.]info  **
- www.porgy[.]online  **
- www.proflidi[.]com  **
- www.safepalercclaim[.]buzz  **
- www.sansheng[.]love  **

  ** - Full stolen data (encoded) sent through HTTP POST request (all of them).

Click here to return to the main page.