30 DAYS OF FORMBOOK: DAY 13, SATURDAY 2023-06-17 - "MR04"
NOTICE:
- Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
NOTES:
- This is my 13th of 30 infection runs for recent Formbook activity.
ASSOCIATED FILES:
- 2023-06-17-IOCs-for-Formbook-infection.txt.zip 1.3 kB (1,312 bytes)
- 2023-06-17-Formbook-infection-traffic.pcap.zip 898 kB (898,086 bytes)
- 2023-06-17-Formbook-malware.zip 492 kB (492,251 bytes)
NOTES:
- Formbook C2 traffic seemed to stop after approximately 8 minutes.
- The infected host ran for an additional 12 minutes without generating any further C2 traffic.
- No data exfiltration (from HTTP POST requests) was noted during this infection run.
- Sample was not made persistent during this infection run.
MALWARE/ARTIFACTS:
- SHA256 hash: 2ba078964ac08045205a7876c7ad23b4b5fbcba5d7cab2941d00d4b161c3bfe8
- File size: 244,245 bytes
- File name: 1.900 dekont.rar
- File type: RAR archive data, v5
- File description: RAR archive containing Windows EXE for Formbook
- SHA256 hash: 3b64d6b8012a1a72f89aa735fa41ddda9423a575235baa72c7fc0685cd1b3666
- File size: 260,111 bytes
- File name: 1.900 dekont.exe
- Persistent file location:
- File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- File description: Windows EXE for Formbook version 4.1
HTTP GET REQUESTS:
- GET /mr04/?[string of alphanumeric characters with the following mixed in: = _ + and /]
FORMBOOK C2 DOMAINS THAT DID NOT RESOLVE:
- DNS query for www.21130[.]vip - no response from DNS server
- DNS query for www.aysnovels[.]africa - no response from DNS server
- DNS query for www.learnfirst[.]africa - no response from DNS server
- DNS query for www.loopapp[.]social - no response from DNS server
- DNS query for www.arisunlimited[.]com - response: No such name
- DNS query for www.crosselling[.]tech - response: No such name
- DNS query for www.elpayasocantarinpeluquin[.]com - response: No such name
FORMBOOK C2 DOMAINS USED FOR GET REQUESTS:
- Note: These appear to be legitimate websites or parked domain pages.
- www.44gaokk[.]com
- www.berbicehighschool[.]com
- www.cartoonpic[.]xyz
- www.casaalmendras[.]com
- www.dabaogj58[.]com
- www.faircoins[.]xyz
- www.kitchen-remodel-ideas-1[.]space
- www.learningfromthedeep[.]com
- www.lets-do-the-job[.]com
- www.sourcedwatches[.]co[.]uk
- www.staples-colchester[.]co[.]uk
- www.storyboardtools[.]com
- www.uuhv-gjap[.]net
- www.xianchengkeji[.]net
- www.yetcox[.]online