Malware-Traffic-Analysis.net - 30 days of Formbook: Day 10, Wednesday 2023-06-14

30 DAYS OF FORMBOOK: DAY 10, WEDNESDAY 2023-06-14 - "J0C7"

NOTICE:

Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

NOTES:

This the is 10th of 30 infection runs on recent Formbook samples.

ASSOCIATED FILES:

2023-06-14-IOCs-for-Formbook-infection.txt.zip 1.6 kB (1,640 bytes)
2023-06-14-Formbook-infection-traffic.pcap.zip 4.6 MB (4,603,330 bytes)
2023-06-14-Formbook-malware-and-artifacts.zip 250 kB (250,015 bytes)

IMAGES

Shown above: Traffic from the infection filtered in Wireshark.

30 DAYS OF FORMBOOK: DAY 10, WEDNESDAY 2023-06-14 - "J0C7"

FORMBOOK SAMPLE:

- SHA256 hash: f9454d0787965826c1f6e031eb78495f153453fca4efea4ed993dceb61f2e3d8
- File size: 261,366 bytes
- File name: DHL Receipt276334511.exe
- Persistent file location: C:\Program Files (x86)\Ozr4lln\rzatlltg.exe
- File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- File description: Windows EXE for Formbook version 4.1

FORMBOOK PERSISTENCE:

- Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: JVOPLXT01X0
- Value type: REG_SZ
- Value Data: C:\Program Files (x86)\Ozr4lln\rzatlltg.exe

DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER:

- C:\Users\[username]\AppData\Roaming\58-OPSSE\58-log.ini - 0 bytes
- C:\Users\[username]\AppData\Roaming\58-OPSSE\58-logim.jpeg  (screenshot of desktop)
- C:\Users\[username]\AppData\Roaming\58-OPSSE\58-logrc.ini  (Outlook Recovery)
- C:\Users\[username]\AppData\Roaming\58-OPSSE\58-logrf.ini  (Firefox Recovery)
- C:\Users\[username]\AppData\Roaming\58-OPSSE\58-logrg.ini  (Chrome Recovery)
- C:\Users\[username]\AppData\Roaming\58-OPSSE\58-logri.ini  (Iexplore Recovery)
- C:\Users\[username]\AppData\Roaming\58-OPSSE\58-logrv.ini  (__Vault Recovery)

- Note: All the above files were deleted after data exfiltation, except for first file at 0 bytes.

FORMBOOK HTTP GET AND POST REQUESTS:

- GET /j0c7/?[string of alphanumeric characters with the following mixed in: = _ + and /]
- POST /j0c7/

DOMAINS THAT DID NOT RESOLVE:

- DNS query for www.amadeusliu[.]xyz - no response from DNS server
- DNS query for www.jinchunxi[.]com - no response from DNS server
- DNS query for www.seacrawlers[.]com - no response from DNS server

- DNS query for www[.]combatsportsacademyus[.]com - response: No such name
- DNS query for www.futurebuilding[.]community - response: No such name
- DNS query for www.getbeelu[.]com - response: No such name
- DNS query for www.ios777cpf[.]top - response: No such name
- DNS query for www.segui276[.]pics - response: No such name
- DNS query for www.thebestfurnitureplace[.]com - response: No such name

- DNS query for www.lwdingyi[.]com - no IP returned from DNS server
- DNS query for www.agreels[.]com - resolved to 127.0.0.1

DOMAINS USED FOR FORMBOOK GET REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

- www.00869[.]live
- www.534atjewish[.]store
- www.altyazi-hub[.]xyz
- www.biopale[.]com
- www.client23-portal[.]com
- www.flyersfirst[.]com
- www.g6mnt[.]xyz
- www.highsiddle[.]com
- www.lsty[.]net
- www.pb22362[.]com
- www.quotesonvideo[.]site
- www.riz-moj[.]com
- www.sinyalbuton[.]net
- www.xn--68j011g8slt1hlv3c[.]site

DOMAINS USED FOR FORMBOOK GET AND POST REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

- www.devrijeweide.store  **
- www.fbkjacn69[.]pics
- www.flaxtest[.]com  **
- www.lbvasd[.]xyz  **
- www.letsbet[.]life
- www.maestris-prepa[.]com  **
- www.manaroo[.]com
- www.mostafa-mahmoud[.]club  **
- www.prospectstrata[.]com  **
- www.restinpeace[.]website
- www.riz-moj[.]com
- www.starseedalignment[.]com  **
- www.tyec[.]xyz
- www.ythqq[.]com

  ** - Full stolen data (encoded) sent through HTTP POST request.

Click here to return to the main page.