Malware-Traffic-Analysis.net - 30 days of Formbook: Day 16, Tuesday 2023-06-20

30 DAYS OF FORMBOOK: DAY 16, TUESDAY 2023-06-20 - "F1W6"

NOTICE:

Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

NOTES:

This the is my 16th of 30 infection runs for recent Formbook activity.

ASSOCIATED FILES:

2023-06-20-IOCs-for-Formbook-infection.txt.zip 1.9 kB (1,911 bytes)
2023-06-20-malspam-used-for-Formbook-infection.eml.zip 722 kB (722,187 bytes)
2023-06-20-Formbook-infection-traffic.pcap.zip 3.6 MB (3,637,778 bytes)
2023-06-20-Formbook-malware-and-artifacts.zip 1.4 MB (1,427,045 bytes)

IMAGES

Shown above: Traffic from the infection filtered in Wireshark.

30 DAYS OF FORMBOOK: DAY 16, TUESDAY 2023-06-20 - "F1W6"

INFECTION CHAIN:

- Email --> attached RAR archive --> extracted Formbook EXE --> victim runs Formbook EXE

MALWARE/ARTIFACTS:

- SHA256 hash: 3b9e90311f9cbe156aeaf44f7966610c0d79ba8cea42e02a19e126559a3b2f2f
- File size: 701,200 bytes
- File name: Remittance_90633_03.rar
- File type: RAR archive data, v5
- File description: RAR archive containing Formbook EXE

- SHA256 hash: d6fc1cb115ba92328c7be966ad4a2f85c015555934898cadc108715aa4c8eda9
- File size: 795,648 bytes
- File name: Remittance_90633_03.exe
- Persistent file location: C:\Program Files (x86)\E0bw\1bbx6lexibmx.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: Windows EXE for Formbook version 4.1

FORMBOOK PERSISTENCE:

- Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: URYTANKHIJN
- Value type: REG_SZ
- Value Data: C:\Program Files (x86)\E0bw\1bbx6lexibmx.exe

DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER:

- C:\Users\[username]\AppData\Roaming\034R3P3R\034log.ini - 0 bytes
- C:\Users\[username]\AppData\Roaming\034R3P3R\034logim.jpeg  (screenshot of desktop)
- C:\Users\[username]\AppData\Roaming\034R3P3R\034logrc.ini  (Outlook Recovery)
- C:\Users\[username]\AppData\Roaming\034R3P3R\034logrf.ini  (Firefox Recovery)
- C:\Users\[username]\AppData\Roaming\034R3P3R\034logrg.ini  (Chrome Recovery)
- C:\Users\[username]\AppData\Roaming\034R3P3R\034logri.ini  (Iexplore Recovery)
- C:\Users\[username]\AppData\Roaming\034R3P3R\034logrv.ini  (__Vault Recovery)

- Note: All the above files were deleted after data exfiltation, except for first file at 0 bytes.

FORMBOOK HTTP GET AND POST REQUESTS:

- GET /f1w6/?[string of alphanumeric characters with the following mixed in: = _ + and /]
- POST /f1w6/

DOMAINS THAT DID NOT RESOLVE:

- DNS query for ww.006bo[.]com - no response from DNS server
- DNS query for www.kzyky[.]top - no response from DNS server
- DNS query for www.puspitasnack[.]online - no response from DNS server

- DNS query for www.bao1888[.]site - response: No such name
- DNS query for www.gmlioe58v[.]fun - response: No such name
- DNS query for www.junk2recycle[.]com - response: No such name
- DNS query for www.jwanzheng[.]com - response: No such name
- DNS query for www.teamnordquist[.]com - response: No such name
- DNS query for www.tfrksr[.]boats - response: No such name
- DNS query for www.wallstreetbull[.]online - response: No such name
- DNS query for www.ym11z[.]shop - response: No such name
- DNS query for www.yourcomplexproject[.]com - response: No such name

- DNS query for www.1chaojiqian[.]com - no IP returned from DNS server

DOMAINS THAT RESOLVED, BUT NO CONNECTION TO SERVER:

-  port 80 - www.totoapang27[.]shop - TCP SYN segments only, no response or RST from server

DOMAINS USED FOR FORMBOOK GET REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

- www.5577127[.]com
- www.afschaffer[.]com
- www.canada-topsales[.]com
- www.crmhybridai[.]com
- www.droyztech[.]com
- www.elixircollagenrush[.]com
- www.expetowing[.]com
- www.fireandmettle[.]com
- www.fluxfactorfuel[.]com
- www.genesiscomercializadora[.]com
- www.haitucn[.]info
- www.hitroader[.]com
- www.ifgfunds[.]com
- www.noriyosi[.]com
- www.oldedirtroad[.]com
- www.playacabarete[.]net
- www.proartesmarciales[.]com
- www.pw786[.]vip
- www.salamcleaning[.]com
- www.scottswann[.]com
- www.shguojibu[.]com
- www.travelgirlboutique[.]com
- www.venuegirl[.]com
- www.wjh555[.]vip
- www.yuyl[.]top

DOMAINS USED FOR FORMBOOK GET AND POST REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

- www.bestsuppliespetstore.website  **
- www.bricoluxury[.]com
- www.delidl[.]com
- www.hoagiepalooza.site
- www.m2venturesinc[.]com
- www.mlo564.xyz  **
- www.netgies.xyz  **
- www.oldiefans[.]info  **
- www.your-local-girls[.]info  **

  ** - Full stolen data (encoded) sent through HTTP POST request.

Click here to return to the main page.