30 DAYS OF FORMBOOK: DAY 11, THURSDAY 2023-06-15 - "GA94"

IMAGES

(Image not reproduced here: traffic from the infection filtered in Wireshark.)

INFECTION CHAIN:

- email --> zip attachment --> extracted Formbook EXE

MALWARE/ARTIFACTS:

- SHA256 hash: 63ae5c002960b573d101a2184e87a958a8937919f63293a38ec44fde0c5fb62a
- File size: 750,705 bytes
- File name: PO-10152023.zip
- File type: Zip archive data, at least v2.0 to extract, compression method=deflate
- File description: Email attachment, zip archive containing Windows EXE for Formbook

- SHA256 hash: 9fc1a496456126794feddbeb9a15f49e2c8e2ab876b074e1d46b0dc9fb0fb47c
- File size: 1,201,664 bytes
- File location: C:\Program Files (x86)\Vcv1tan\uvu0-6lvd.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: Persistent Formbook EXE

- SHA256 hash: dc11d49091ad7457e508528473875bf8f9d1df5cb6d34aa08615295a65c1b3d5
- File size: 1,201,664 bytes
- File name: PO-10152023.exe
- File location: C:\Users\[username]\AppData\Roaming\gvvgziabpIdvO.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: hidden EXE for Formbook seen after running the initial Formbook EXE

PERSISTENCE:

- Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: JVAX5T2PEDZ
- Value type: REG_SZ
- Value Data: C:\Program Files (x86)\Vcv1tan\uvu0-6lvd.exe

DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER:

- C:\Users\[username]\AppData\Roaming\527P5ORA\527log.ini - 0 bytes
- C:\Users\[username]\AppData\Roaming\527P5ORA\527logim.jpeg  (screenshot of desktop)
- C:\Users\[username]\AppData\Roaming\527P5ORA\527logrc.ini  (Outlook Recovery)
- C:\Users\[username]\AppData\Roaming\527P5ORA\527logrf.ini  (Firefox Recovery)
- C:\Users\[username]\AppData\Roaming\527P5ORA\527logrg.ini  (Chrome Recovery)
- C:\Users\[username]\AppData\Roaming\527P5ORA\527logri.ini  (Iexplore Recovery)
- C:\Users\[username]\AppData\Roaming\527P5ORA\527logrv.ini  (__Vault Recovery)

- Note: All of the above files were deleted after data exfiltration, except for the first file, which remained at 0 bytes.

HTTP GET AND POST REQUESTS:

- GET /ga94/?[string of alphanumeric characters with the following mixed in: = _ + and /]
- POST /ga94/
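As an added example (not part of the original page), a Python detector that applies the request shape above to constructed proxy-log lines: it flags a short path token that appears on several distinct hosts with both a Formbook-style GET query and a bare POST, which is what this day's traffic shows for /ga94/. The log layout ("METHOD URI host") and the .invalid hostnames are assumptions.

```python
import re
from collections import defaultdict

# Request shape described on this page: GET /<token>/?<query of A-Za-z0-9 = _ + />
# for the C2 check-in and POST /<token>/ for the data upload; "ga94" is this
# day's token, the regex keeps the token generic so other days' traffic matches too.
_REQ_RE = re.compile(
    r'^(?P<method>GET|POST)\s+'
    r'(?P<path>/[A-Za-z0-9]{2,8}/)'            # short path token
    r'(?:\?(?P<query>[A-Za-z0-9=_+/]+))?\s+'   # query charset taken from the page
    r'(?P<host>[A-Za-z0-9.\-]+)$'               # assumed log layout: METHOD URI host
)

def parse_line(line):
    """Return (method, path, query, host) for one log line, or None if it does not match."""
    m = _REQ_RE.match(line.strip())
    if not m:
        return None
    return m.group("method"), m.group("path"), m.group("query"), m.group("host")

def find_formbook_paths(lines, min_hosts=3):
    """Flag path tokens seen on at least min_hosts distinct hosts that carry both a
    Formbook-style GET (with query) and a bare POST. Returns {path: sorted hosts}."""
    get_hosts, post_hosts = defaultdict(set), defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        method, path, query, host = parsed
        if method == "GET" and query:
            get_hosts[path].add(host)
        elif method == "POST" and not query:
            post_hosts[path].add(host)
    hits = {}
    for path, hosts in get_hosts.items():
        all_hosts = hosts | post_hosts[path]
        if post_hosts[path] and len(all_hosts) >= min_hosts:
            hits[path] = sorted(all_hosts)
    return hits

# Constructed sample lines; the .invalid hostnames are placeholders, not page indicators.
SAMPLE_LOG = [
    "GET /ga94/?abcDEF123=_+xyz/Q== www.example-one.invalid",
    "POST /ga94/ www.example-one.invalid",
    "GET /ga94/?zz99YY=_ www.example-two.invalid",
    "GET /ga94/?mnop1234+/=_ www.example-three.invalid",
    "POST /ga94/ www.example-three.invalid",
    "GET /api/?token=abc www.benign-site.invalid",   # one host, no POST: not flagged
]
```

Run `find_formbook_paths(SAMPLE_LOG)` to get `{'/ga94/': [...]}` with the three example hosts; raising `min_hosts` tightens the rule for larger logs.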

DOMAINS THAT DID NOT RESOLVE:

- DNS query for www.hissetnefesveyasamplatformu[.]com - no response from DNS server
- DNS query for www.teachersfinance[.]online - no response from DNS server

- DNS query for www.187597[.]com - response: No such name
- DNS query for www.chanjiaoronghe[.]top - response: No such name
- DNS query for www.dtripofjava[.]com - response: No such name
- DNS query for www.orbilter[.]finance - response: No such name
- DNS query for www.toutouchan[.]club - response: No such name

- DNS query for www.metropedialampung[.]com - resolved to 127.0.0.1

DOMAINS THAT RESOLVED, BUT NO CONNECTION TO SERVER:

- www.zuzwwjow[.]top - TCP SYN segments only, no response or RST from server

DOMAINS USED FOR GET REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

DOMAINS USED FOR GET -AND- POST REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

- Note: For five of these domains, the full stolen data (encoded) was sent through HTTP POST requests.
