30 DAYS OF FORMBOOK: DAY 19, FRIDAY 2023-06-23 - "P1A4"

NOTICE:

NOTES:

 

ASSOCIATED FILES:

 

IMAGES


Shown above:  Traffic from the infection filtered in Wireshark.

 

30 DAYS OF FORMBOOK: DAY 19, FRIDAY 2023-06-23 - "P1A4"

INFECTION CHAIN:

- Email --> attached zip archive --> extracted Formbook EXE --> victim runs Formbook EXE

MALWARE/ARTIFACTS:

- SHA256 hash: c82db411de04afc91b522f6545e55ab908c9203c2903fbf4ab5c005fdcac9700
- File size: 630,611 bytes
- File name: lista2307.pdf.zip
- File type: Zip archive data, at least v2.0 to extract, compression method=deflate
- File description: Zip archive containing Formbook EXE

- SHA256 hash: 33a99c34ff26bc364cb269714312dea0fa7a6d9dbef9cea87760dc8f1b951fd5
- File size: 701,952 bytes
- File name: lista2307.pdf.exe
- Persistent file location:  C:\Program Files (x86)\Rz4sd8dzh\srsd_zy.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: Windows EXE for Formbook version 4.1

PERSISTENCE:

- Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: YPZ8VZKH
- Value type: REG_SZ
- Value Data: C:\Program Files (x86)\Rz4sd8dzh\srsd_zy.exe

DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER:

- C:\Users\[username]\AppData\Roaming\7KM43412\7KMlog.ini - 0 bytes
- C:\Users\[username]\AppData\Roaming\7KM43412\7KMlogim.jpeg  (screenshot of desktop)
- C:\Users\[username]\AppData\Roaming\7KM43412\7KMlogrc.ini  (Outlook Recovery)
- C:\Users\[username]\AppData\Roaming\7KM43412\7KMlogrf.ini  (Firefox Recovery)
- C:\Users\[username]\AppData\Roaming\7KM43412\7KMlogrg.ini  (Chrome Recovery)
- C:\Users\[username]\AppData\Roaming\7KM43412\7KMlogri.ini  (Iexplore Recovery)
- C:\Users\[username]\AppData\Roaming\7KM43412\7KMlogrv.ini  (__Vault Recovery)

- Note: All the above files were deleted after data exfiltation, except for first file at 0 bytes.

FORMBOOK HTTP GET AND POST REQUESTS:

- GET /p1a4/?[string of alphanumeric characters with the following mixed in: = _ + and /]
- POST /p1a4/

DOMAINS THAT DID NOT RESOLVE:

- DNS query for www.jrjtechcorp[.]com - no response from DNS server
- DNS query for www.tokogampang[.]com - no response from DNS server
- DNS query for www.yuvamhavuz[.]com - no response from DNS server

- DNS query for www.energysubstance[.]com - response: No such name
- DNS query for www.homegrass[.]info - response: No such name
- DNS query for www.menstruationunlocked[.]com - response: No such name
- DNS query for www.meyhanemno1[.]com - response: No such name
- DNS query for www.newsreadermajesty[.]com - response: No such name
- DNS query for www.shengxinshare[.]com - response: No such name

DOMAINS THAT RESOLVED, BUT NO CONNECTION TO SERVER:

-  port 80 - www.newproducthat[.]online - TCP SYN segments only, no response or RST from server

DOMAINS USED FOR FORMBOOK GET REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

- www.20-4-7[.]com
- www.3393t[.]vip
- www.6699668[.]com
- www.android-avtomagintla-ufa[.]store
- www.bestaisoftwarereviewer[.]com
- www.bluemountainventures[.]com
- www.ddlsit[.]com
- www.digitroncomputeracademy[.]com
- www.freshpicklic[.]com
- www.ingresaseeguro[.]com
- www.landco[.]eco
- www.marcelaejoaoarthur[.]com
- www.moneeyygoo[.]website
- www.onlinebuydogbeds[.]website
- www.overhired[.]com
- www.pegasusreuse[.]com
- www.pg1952[.]com
- www.pg2552[.]com
- www.pointsremandsplus[.]com
- www.skyrimx[.]top
- www.sltn188[.]com
- www.speedoenperu[.]com
- www.suvcardeals[.]xyz
- www.zishiying[.]net

DOMAINS USED FOR FORMBOOK GET AND POST REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

- www.188judi[.]xyz
- www.702proproperty[.]com  **
- www.antflying[.]com
- www.bystander[.]news
- www.getkani[.]com
- www.herbologyhive[.]com  **
- www.hhjjc[.]com
- www.iconnemt[.]com  **
- www.kedaionline004[.]store  **
- www.riabanker[.]com  **
- www.seiyut[.]xyz  **
- www.soul2be[.]academy  **

  ** - Full stolen data (encoded) sent through HTTP POST request.

 

Click here to return to the main page.