30 DAYS OF FORMBOOK: DAY 11, THURSDAY 2023-06-15 - "GA94"
NOTICE:
- Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
NOTES:
- This the is 11th of 30 infection runs on recent Formbook samples.
ASSOCIATED FILES:
- 2023-06-15-IOCs-for-Formbook-infection.txt.zip 1.8 kB (1,880 bytes)
- 2023-06-15-Formbook-malspam-0131-UTC.eml.zip 772 kB (772,473 bytes)
- 2023-06-15-Formbook-infection-traffic.pcap.zip 5.9 MB (5,866,666 bytes)
- 2023-06-15-Formbook-malware-and-artifacts.zip 2.3 MB (2,259,830 bytes)
IMAGES
Shown above: Traffic from the infection filtered in Wireshark.
30 DAYS OF FORMBOOK: DAY 11, THURSDAY 2023-06-15 - "GA94" INFECTION CHAIN: - email --> zip attachment --> extracted Formbook EXE MALWARE/ARTIFACTS: - SHA256 hash: 63ae5c002960b573d101a2184e87a958a8937919f63293a38ec44fde0c5fb62a - File size: 750,705 bytes - File name: PO-10152023.zip - File type: Zip archive data, at least v2.0 to extract, compression method=deflate - File description: Email attachment, zip archive containing Windows EXE for Formbook - SHA256 hash: 9fc1a496456126794feddbeb9a15f49e2c8e2ab876b074e1d46b0dc9fb0fb47c - File size: 1,201,664 bytes - File location: C:\Program Files (x86)\Vcv1tan\uvu0-6lvd.exe - File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows - File description: Persistent Formbook EXE - SHA256 hash: dc11d49091ad7457e508528473875bf8f9d1df5cb6d34aa08615295a65c1b3d5 - File size: 1,201,664 bytes - File name: PO-10152023.exe - Location: C:\Users\[username]\AppData\Roaming\gvvgziabpIdvO.exe - File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows - File description: hidden EXE for Formbook seen after running the initial Formbook EXE PERSISTENCE: - Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Value name: JVAX5T2PEDZ - Value type: REG_SZ - Value Data: C:\Program Files (x86)\Vcv1tan\uvu0-6lvd.exe DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER: - C:\Users\[username]\AppData\Roaming\527P5ORA\527log.ini - 0 bytes - C:\Users\[username]\AppData\Roaming\527P5ORA\527logim.jpeg (screenshot of desktop) - C:\Users\[username]\AppData\Roaming\527P5ORA\527logrc.ini (Outlook Recovery) - C:\Users\[username]\AppData\Roaming\527P5ORA\527logrf.ini (Firefox Recovery) - C:\Users\[username]\AppData\Roaming\527P5ORA\527logrg.ini (Chrome Recovery) - C:\Users\[username]\AppData\Roaming\527P5ORA\527logri.ini (Iexplore Recovery) - C:\Users\[username]\AppData\Roaming\527P5ORA\527logrv.ini (__Vault Recovery) - Note: All the above files were deleted after data exfiltation, except for first file at 0 bytes. HTTP GET AND POST REQUESTS: - GET /ga94/?[string of alphanumeric characters with the following mixed in: = _ + and /] - POST /ga94/ DOMAINS THAT DID NOT RESOLVE: - DNS query for www.hissetnefesveyasamplatformu[.]com - no response from DNS server - DNS query for www.teachersfinance[.]online - no response from DNS server - DNS query for www.187597[.]com - response: No such name - DNS query for www.chanjiaoronghe[.]top - response: No such name - DNS query for www.dtripofjava[.]com - response: No such name - DNS query for www.orbilter[.]finance - response: No such name - DNS query for www.toutouchan[.]club - response: No such name - DNS query for www.metropedialampung[.]com - resolved to 127.0.0.1 DOMAINS THAT RESOLVED, BUT NO CONNECTION TO SERVER: - www.zuzwwjow[.]top - TCP SYN segments only, no response or RST from server DOMAINS USED FOR GET REQUESTS: - Note: These appear to be legitimate websites or parked domain pages. - www.araskincare29[.]com - www.asu667708[.]com - www.esentris[.]com - www.k3zrk[.]xyz - www.osumart[.]com - www.oxuczwrpfgy[.]top - www.shinanokenshi[.]net - www.sxgic[.]com - www.teamaddmi[.]com - www.verasity[.]claims DOMAINS USED FOR GET -AND- POST REQUESTS: - Note: These appear to be legitimate websites or parked domain pages. - www.affordablematchmaker[.]com - www.ahahealthcare[.]com - www.bimoxf[.]xyz ** - www.brttdimero[.]xyz - www.clubkore[.]com - www.forexpowertrader[.]com ** - www.juliaschueler[.]com ** - www.jwzydn[.]club - www.kehoumpa[.]xyz - www.mike-fried[.]com ** - www.plugyourduck[.]com - www.robertandcharlina[.]com - www.rx-eg[.]com ** - www.xn--zin-rxa[.]com ** - Full stolen data (encoded) sent through HTTP POST request.
Click here to return to the main page.