30 DAYS OF FORMBOOK: DAY 15, MONDAY 2023-06-19 - "CE18"

INFECTION CHAIN:

- Email --> attached RAR archive --> extracted Formbook EXE --> victim runs Formbook EXE

MALWARE/ARTIFACTS:

- SHA256 hash: 2a35f64577b3890e7b53408aeeb8afd0e75f94fcaaf9548311d95c434c673493
- File size: 663,727 bytes
- File name: Quotation RF181-2023.lzh
- File type: RAR archive data, v5
- File description: RAR archive containing Formbook EXE

- SHA256 hash: 059d5f6ce17550f0aad80205593ff14cd81bcacf6e2b3bbc1cee716f9669aa64
- File size: 745,472 bytes
- File name: Quotation RF181-2023.exe
- Initially saved to disk at: C:\Users\[username]\AppData\Roaming\gOfVvdRIClEfa.exe
- Persistent file location: C:\Program Files (x86)\Xgpwtqdbp\ol7l_rk8tp.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: Windows EXE for Formbook version 4.1

PERSISTENCE:

- Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: KVIT22SP
- Value type: REG_SZ
- Value Data: C:\Program Files (x86)\Xgpwtqdbp\ol7l_rk8tp.exe

DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER:

- C:\Users\[username]\AppData\Roaming\O132R763\O13log.ini - 0 bytes
- C:\Users\[username]\AppData\Roaming\O132R763\O13logim.jpeg  (screenshot of desktop)
- C:\Users\[username]\AppData\Roaming\O132R763\O13logrc.ini  (Outlook Recovery)
- C:\Users\[username]\AppData\Roaming\O132R763\O13logrf.ini  (Firefox Recovery)
- C:\Users\[username]\AppData\Roaming\O132R763\O13logrg.ini  (Chrome Recovery)
- C:\Users\[username]\AppData\Roaming\O132R763\O13logri.ini  (Iexplore Recovery)
- C:\Users\[username]\AppData\Roaming\O132R763\O13logrv.ini  (__Vault Recovery)

- Note: All of the above files were deleted after data exfiltration, except for the first file, which was 0 bytes.

HTTP GET AND POST REQUESTS:

- GET /ce18/?[string of alphanumeric characters with the following mixed in: = _ + and /]
- POST /ce18/

DOMAINS THAT DID NOT RESOLVE:

- DNS query for www.ljcfarms[.]africa - no response from DNS server


DOMAINS THAT RESOLVED, BUT NO CONNECTION TO SERVER:

- port 80 - www.dghg-106[.]com - TCP SYN segments only, no response or RST from server

DOMAINS USED FOR GET REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages.


DOMAINS USED FOR GET -AND- POST REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages.


  ** - Full stolen data (encoded) sent through HTTP POST request.