30 DAYS OF FORMBOOK: DAY 14, SUNDAY 2023-06-18 - "JY95"
NOTICE:
- Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
NOTES:
- This is my 14th of 30 infection runs for recent Formbook activity.
ASSOCIATED FILES:
- 2023-06-18-IOCs-for-Formbook-infection.txt.zip 1.9 kB (1,864 bytes)
- 2023-06-18-Formbook-infection-traffic.pcap.zip 3.6 MB (3,635,523 bytes)
- 2023-06-18-Formbook-malware-and-artifacts.zip 1.5 MB (1,479,270 bytes)
30 DAYS OF FORMBOOK: DAY 14, SUNDAY 2023-06-18 - "JY95"

INFECTION CHAIN:

- Email --> attached RAR archive --> extracted Formbook EXE --> victim runs Formbook EXE

MALWARE/ARTIFACTS:

- SHA256 hash: d4e20563270a5ba905c6b4128ad37cd5fceadc70b4d81208aa2c27e2aba957ba
- File size: 731,541 bytes
- File name: OOLU27169061523.PDF.r00
- File type: RAR archive data, v5
- File description: RAR archive containing Formbook EXE

- SHA256 hash: 2acf9e6ca3e414f19b3a3a121ce594e2d0a0c75584aa1239ece006416296d6cf
- File size: 1,227,264 bytes
- File name: OOLU27169061523.exe
- File location after running: C:\Users\[username]\AppData\Roaming\UFOfUWrReFq.exe [hidden file]
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: Windows EXE for Formbook version 4.1

REGISTRY UPDATE:

- Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: UTTXV4AX
- Value type: REG_SZ
- Value Data: C:\Program Files (x86)\T1bj8ahp\3fnhynxxxlshy2fp.exe
- NOTE: The above registry update runs a copy of MSBuild.exe, a legitimate file.
  -- SHA256 hash: ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER:

- C:\Users\[username]\AppData\Roaming\J1MPO1D0\J1Mlog.ini - 0 bytes
- C:\Users\[username]\AppData\Roaming\J1MPO1D0\J1Mlogim.jpeg (screenshot of desktop)
- C:\Users\[username]\AppData\Roaming\J1MPO1D0\J1Mlogrc.ini (Outlook Recovery)
- C:\Users\[username]\AppData\Roaming\J1MPO1D0\J1Mlogrf.ini (Firefox Recovery)
- C:\Users\[username]\AppData\Roaming\J1MPO1D0\J1Mlogrg.ini (Chrome Recovery)
- C:\Users\[username]\AppData\Roaming\J1MPO1D0\J1Mlogri.ini (Iexplore Recovery)
- C:\Users\[username]\AppData\Roaming\J1MPO1D0\J1Mlogrv.ini (__Vault Recovery)
- Note: All the above files were deleted after data exfiltration, except for the first file at 0 bytes.
HTTP GET AND POST REQUESTS:

- GET /jy95/?[string of alphanumeric characters with the following mixed in: = _ + and /]
- POST /jy95/

DOMAINS THAT DID NOT RESOLVE:

- DNS query for www.hzqywzhs[.]com - no response from DNS server
- DNS query for www.x55568[.]com - no response from DNS server
- DNS query for www.coinpod[.]app - response: No such name
- DNS query for www.premintxyz[.]net - response: No such name
- DNS query for www.ussinners[.]com - response: No such name
- DNS query for www.xbkgstd[.]top - response: No such name

DOMAINS USED FOR GET REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages.
- www.04it[.]icu
- www.baddiebearz[.]com
- www.blacklifecoachcompany[.]com
- www.codecultr[.]com
- www.crackmyway[.]com
- www.digitalshop[.]biz
- www.do-si-dough[.]com
- www.fetus[.]fun
- www.finanzas1[.]com
- www.forumconstructioninc[.]com
- www.geektechtalks[.]com
- www.giornalaiditalia[.]com
- www.hospitalmode[.]com
- www.isbuae[.]com
- www.magis-bo[.]com
- www.nicholasthemarketer[.]com
- www.orbinlopez[.]one
- www.physiowithamina[.]com
- www.sailtmtbar[.]com
- www.savvieseller[.]com
- www.smartshoppinghub[.]store
- www.strydasoles[.]store
- www.undiereleaseco[.]com
- www.xn--bj4bt9j[.]com

DOMAINS USED FOR GET -AND- POST REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages.
- www.cchapmanganato[.]com
- www.ebayqerbaf[.]top
- www.harveylee[.]online
- www.kendradoggrooming[.]com
- www.mrsmacksshortbread[.]com
- www.muenols[.]xyz
- www.oasisconnects[.]com
- www.parfermelha[.]store
- www.psychicstandupcomedy[.]com
- www.sassnass[.]com
- www.surferscompass[.]com
- www.taiyienergyhealing[.]com
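The request pattern above is what stands out in web proxy logs: one client sending GET /jy95/?<encoded blob> and POST /jy95/ to dozens of unrelated hostnames. The script below is an added example, not code from the original page or from this malware's author, that turns that into a detection over sample log lines. The "<client_ip> <method> <host> <uri>" log format, the URI regexes, the 16-character minimum query length and the three-host threshold are assumptions tuned to this sample, not a published Formbook signature; the sample lines are constructed, with hostnames taken from the IOC list above plus www.example.org as benign traffic.

```python
"""Added example (not from the original page): flag Formbook-style C2 beaconing
in HTTP proxy logs.

Two things make the traffic on this page stand out in web logs:
  1. the URI shape: a short campaign path ("jy95") followed by a query made
     only of alphanumerics plus = _ + and /, or a bare POST to that same path;
  2. the same path showing up on many distinct hostnames from one client.
The regexes, the path-length bound and the thresholds below are assumptions
tuned to this sample, not a published Formbook signature.
"""
import re
from collections import defaultdict

# Constructed sample: "<client_ip> <method> <host> <uri>" per line.  Not taken
# from the page's pcap; the hostnames come from the page's IOC list plus a
# benign www.example.org for contrast.
SAMPLE_LOG = """\
10.6.18.101 GET www.04it.icu /jy95/?bR2fLM6=9ZkCl3NAKqB_fX+Q4Y/Zg2UHz8s=
10.6.18.101 POST www.cchapmanganato.com /jy95/
10.6.18.101 GET www.baddiebearz.com /jy95/?Hq1pWd=oiE3nZ4Xv9+T8Lk/=
10.6.18.101 GET www.ebayqerbaf.top /jy95/?aZx3=MNb8+_Q/wE7rTy0
10.6.18.101 POST www.ebayqerbaf.top /jy95/
10.6.18.101 GET www.example.org /index.html
10.6.18.101 GET www.harveylee.online /jy95/?Wq9s_T=vB5r8Nz3kLmE1Y+u/==
10.6.18.102 GET www.example.org /news/?id=42&lang=en
10.6.18.102 GET www.digitalshop.biz /jy95/?kkLm=abc
"""

# Assumed URI shapes.  The campaign path on this page is "jy95"; any short
# lowercase alphanumeric segment is allowed so the rule is not tied to one
# campaign string.  The query charset is the one the page reports.
GET_RE = re.compile(r"^/(?P<path>[a-z0-9]{2,8})/\?(?P<query>[A-Za-z0-9=_+/]+)$")
POST_RE = re.compile(r"^/(?P<path>[a-z0-9]{2,8})/$")
MIN_QUERY_LEN = 16  # assumed: a real beacon carries a long encoded blob


def classify(method, uri):
    """Return the campaign path if (method, uri) looks like a Formbook beacon,
    otherwise None.  A query containing any other character (e.g. '&') or a
    query shorter than MIN_QUERY_LEN is treated as ordinary web traffic."""
    if method == "GET":
        m = GET_RE.match(uri)
        if m and len(m.group("query")) >= MIN_QUERY_LEN:
            return m.group("path")
    elif method == "POST":
        m = POST_RE.match(uri)
        if m:
            return m.group("path")
    return None


def find_beaconing(log_text, min_hosts=3):
    """Group beacon-shaped requests by (client, path) and return the groups
    that touched at least min_hosts distinct hostnames, mapped to the sorted
    list of those hostnames."""
    hosts_by_key = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, method, host, uri = line.split()
        path = classify(method, uri)
        if path is not None:
            hosts_by_key[(client, path)].add(host)
    return {key: sorted(hosts) for key, hosts in hosts_by_key.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for (client, path), hosts in find_beaconing(SAMPLE_LOG).items():
        print(f"{client} beaconing to /{path}/ on {len(hosts)} hosts: "
              f"{', '.join(hosts)}")
```

On the constructed sample only 10.6.18.101 is reported (five hostnames under /jy95/); the short-query request from 10.6.18.102 and the benign /news/ request are ignored. The per-client, per-path grouping is the part worth keeping: a single GET to a parked domain looks like nothing, while the same path on many unrelated domains from one host is hard for normal browsing to produce.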