30 DAYS OF FORMBOOK: DAY 8, MONDAY 2023-06-12 - "EE2Q"
NOTICE:
- Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
NOTES:
- This the is 8th of 30 infection runs on recent Formbook samples.
ASSOCIATED FILES:
- 2023-06-12-IOCs-for-Formbook-infection.txt.zip 1.9 kB (1,880 bytes)
- 2023-06-12-Formbook-infection.pcap.zip 2.2 MB (2,220,650 bytes)
- 2023-06-12-Formbook-malware-and-artifacts.zip 1.1 MB (1,117,770 bytes)
IMAGES
Shown above: Traffic from the infection filtered in Wireshark.
30 DAYS OF FORMBOOK: DAY 8, MONDAY 2023-06-12 - "EE2Q" INFECTION CHAIN: - uknown source, probably email attachment --> RAR archive --> Formbook EXE MALWARE/ARTIFACTS: - SHA256 hash: efc9dde68b9e80152fefe7265ce3504b4703c84513ceac9cd26dec407c1a5865 - File size: 554,892 bytes - File name: unknown - File type: RAR archive data, v5 - File description: RAR archive containing - SHA256 hash: 3bfdf114998cc67d1853f54e5305b774454b68fc190964a64af30048ca34b926 - File size: 776,192 bytes - File name: Inquiry_1120236.exe - Persistent file location: C:\Program Files (x86)\X7nwl\vv9l_rixhvn.exe - File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows - File description: Windows EXE for Formbook version 4.1 FORMBOOK PERSISTENCE: - Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Value name: 4HG4QBVPUFP - Value type: REG_SZ - Value Data: C:\Program Files (x86)\X7nwl\vv9l_rixhvn.exe DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER: - C:\Users\[username]\AppData\Roaming\27P141S4\27Plog.ini - 0 bytes - C:\Users\[username]\AppData\Roaming\27P141S4\27Plogim.jpeg (screenshot of desktop) - C:\Users\[username]\AppData\Roaming\27P141S4\27Plogrc.ini (Outlook Recovery) - C:\Users\[username]\AppData\Roaming\27P141S4\27Plogrf.ini (Firefox Recovery) - C:\Users\[username]\AppData\Roaming\27P141S4\27Plogrg.ini (Chrome Recovery) - C:\Users\[username]\AppData\Roaming\27P141S4\27Plogri.ini (Iexplore Recovery) - C:\Users\[username]\AppData\Roaming\27P141S4\27Plogrv.ini (__Vault Recovery) - Note: All the above files were deleted after data exfiltation, except for first file at 0 bytes. FORMBOOK HTTP GET AND POST REQUESTS: - GET /ee2q/?[string of alphanumeric characters with the following mixed in: = _ + and /] - POST /ee2q/ DOMAINS THAT DID NOT RESOLVE: - DNS query for www.czbxlk[.]com - no response from DNS server - DNS query for www.prostadine202[.]store - no response from DNS server - DNS query for www.tuomamoban[.]com - no response from DNS server - DNS query for www.uspbs[.]top - no response from DNS server - DNS query for www.23382338[.]xyz - response: No such name - DNS query for www.btoie[.]space - response: No such name - DNS query for www.daqinp11012[.]club - response: No such name - DNS query for www.guineeanalyseopinions[.]net - response: No such name - DNS query for www.gxkchp[.]live - response: No such name - DNS query for www.inncur[.]space - response: No such name - DNS query for www.rooseveltdp[.]com - response: No such name - DNS query for www.soundbase[.]life - response: No such name DOMAINS USED FOR FORMBOOK GET REQUESTS: - Note: These appear to be legitimate websites or parked domain pages. - www.bjcxks[.]com - www.boguslavka[.]com - www.challengecoinwraehouse[.]com - www.citrixsettlement[.]com - www.faranstechtalk[.]com - www.gefa[.]ovh - www.iitik[.]com - www.ijinusaha[.]info - www.iklanbarisgorontalo[.]com - www.katica[.]net - www.littlenuggetproperties[.]com - www.mflol[.]uk - www.mobilefreekids[.]com - www.mygoogles[.]ch - www.peterschwartzmanformayor[.]com - www.premsaoli[.]cat - www.proactionbrandsdevelopment[.]com - www.proflidi[.]com - www.reallinvest[.]fun - www.sawtoothai[.]com - www.shopazlifestylehomes[.]com - www.taxigiarethainguyen[.]top - www.tribek9fl[.]com DOMAINS USED FOR FORMBOOK GET AND POST REQUESTS: - Note: These appear to be legitimate websites or parked domain pages. - www.8xmac[.]top ** - www.blackgirlsbeenmagical[.]com ** - www.bricepacific[.]com ** - www.cospaz[.]com ** - www.fcsawftffcoffical[.]buzz ** - www.genosync[.]xyz ** - www.greatpromo[.]site ** - www.netfiix-account[.]info ** - www.porgy[.]online ** - www.proflidi[.]com ** - www.safepalercclaim[.]buzz ** - www.sansheng[.]love ** ** - Full stolen data (encoded) sent through HTTP POST request (all of them).
Click here to return to the main page.