30 DAYS OF FORMBOOK: DAY 21, SUNDAY 2023-06-25 - "CX01"
NOTICE:
- Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
NOTES:
- This the is my 21st of 30 infection runs for recent Formbook activity.
ASSOCIATED FILES:
- 2023-06-25-IOCs-for-Formbook-infection.txt.zip 1.8 kB (1,784 bytes)
- 2023-06-25-Formbook-infection-traffic.pcap.zip 5.4 MB (5,408,510 bytes)
- 2023-06-25-Formbook-malware-and-artifacts.zip 1.7 MB (1,663,067 bytes)
IMAGES
Shown above: Traffic from the infection filtered in Wireshark.
30 DAYS OF FORMBOOK: DAY 21, SUNDAY 2023-06-25 - "CX01" INFECTION CHAIN: - Email --> attached zip archive --> extracted Formbook EXE --> victim runs Formbook EXE MALWARE/ARTIFACTS: - SHA256 hash: 307049842571f310922c575ca7586c1488c053bc8a02bee0d8363aa351a2652e - File size: 830,572 bytes - File name: P.O.zip - File type: Zip archive data, at least v2.0 to extract, compression method=deflate - File description: zip archive containing Formbook EXE - SHA256 hash: 7308c76e724c775bc44e6c3ab076f564c1b8a5e4a51f5dbd97e316763a08da5f - File size: 1,040,384 bytes - File name: P.O.exe - Persistent file location: C:\Program Files (x86)\Ropopnhw\ztylmlp8tp.exe - File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows - File description: Windows EXE for Formbook version 4.1 PERSISTENCE: - Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Value name: ADWLMDR8JNI - Value type: REG_SZ - Value Data: C:\Program Files (x86)\Ropopnhw\ztylmlp8tp.exe DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER: - C:\Users\[username]\AppData\Roaming\09R-SOQE\09Rlog.ini - 0 bytes - C:\Users\[username]\AppData\Roaming\09R-SOQE\09Rlogim.jpeg (screenshot of desktop) - C:\Users\[username]\AppData\Roaming\09R-SOQE\09Rlogrc.ini (Outlook Recovery) - C:\Users\[username]\AppData\Roaming\09R-SOQE\09Rlogrf.ini (Firefox Recovery) - C:\Users\[username]\AppData\Roaming\09R-SOQE\09Rlogrg.ini (Chrome Recovery) - C:\Users\[username]\AppData\Roaming\09R-SOQE\09Rlogri.ini (Iexplore Recovery) - C:\Users\[username]\AppData\Roaming\09R-SOQE\09Rlogrv.ini (__Vault Recovery) - Note: All the above files were deleted after data exfiltation, except for first file at 0 bytes. FORMBOOK HTTP GET AND POST REQUESTS: - GET /cx01/?[string of alphanumeric characters with the following mixed in: = _ + and /] - POST /cx01/ DOMAINS THAT DID NOT RESOLVE: - DNS query for www.bkudelivery[.]com - no response from DNS server - DNS query for www.keepbritainpouring[.]com - no response from DNS server - DNS query for www.36205122222[.]xyz - response: No such name - DNS query for www.desains[.]net - response: No such name - DNS query for www.efeftrust[.]buzz - response: No such name - DNS query for www.hzairt[.]cfd - response: No such name - DNS query for www.huachunjianshe-sh[.]com - response: No such name - DNS query for www.nolimitpaintingllc[.]net - response: No such name DOMAINS THAT RESOLVED, BUT NO CONNECTION TO SERVER: - port 80 - www.221553[.]com - TCP SYN segments only, no response or RST from server DOMAINS USED FOR FORMBOOK GET REQUESTS: - Note: These appear to be legitimate websites or parked domain pages. - www.canaldeaprendizaje[.]online - www.citar[.]win - www.cuiligandiy[.]com - www.dcvbrfervcewfeg[.]click - www.evenmore[.]live - www.finspace[.]biz - www.greepeas[.]com - www.marrvision[.]com - www.vivianivcfl[.]com DOMAINS USED FOR FORMBOOK GET AND POST REQUESTS: - Note: These appear to be legitimate websites or parked domain pages. - www.51cg6[.]xyz ** - www.bm9222[.]com ** - www.ceceloa[.]com - www.derryautoparts[.]com ** - www.digitalnishant[.]com ** - www.eyeppy[.]net - www.fecoles[.]online ** - www.fejkus[.]xyz - www.financeclub[.]net - www.fortreaclinicaltrials[.]com ** - www.freshenu[.]com - www.goodd88[.]com ** - www.igaoman[.]com - www.kar-phi[.]shop - www.ncintura[.]com ** - www.reshapeaestheics[.]co[.]uk ** - Full stolen data (encoded) sent through HTTP POST request.
Click here to return to the main page.