Malware-Traffic-Analysis.net - 30 days of Formbook: Day 23, Monday 2023-06-26

30 DAYS OF FORMBOOK: DAY 22, MONDAY 2023-06-26 - "G0E8"

NOTICE:

Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

NOTES:

This the is my 22nd of 30 infection runs for recent Formbook activity.

ASSOCIATED FILES:

2023-06-26-IOCs-for-Formbook-infection.txt.zip 1.6 kB (1,631 bytes)
2023-06-26-Formbook-infection-traffic.pcap.zip 4.2 MB (4,186,934 bytes)
2023-06-26-Formbook-malware-and-artifacts.zip 565 kB (565,240 bytes)

IMAGES

Shown above: Traffic from the infection filtered in Wireshark.

30 DAYS OF FORMBOOK: DAY 22, MONDAY 2023-06-26 - "G0E8"

MALWARE SAMPLE:

- SHA256 hash: 7f9df9c86591df8f872192222f7bc3a784ff665913ae4fcc15e44840286a9c8f
- File size: 828,928 bytes
- File name: PO-000675.exe
- Persistent file location: C:\Program Files (x86)\Cn6qlofa\audiodgtx2.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: Windows EXE for Formbook version 4.1

PERSISTENCE:

- Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: ZBC4ANKXGV
- Value type: REG_SZ
- Value Data: C:\Program Files (x86)\Cn6qlofa\audiodgtx2.exe

DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER:

- C:\Users\[username]\AppData\Roaming\5PR792A9\5PRlog.ini - 0 bytes
- C:\Users\[username]\AppData\Roaming\5PR792A9\5PRlogim.jpeg  (screenshot of desktop)
- C:\Users\[username]\AppData\Roaming\5PR792A9\5PRlogrc.ini  (Outlook Recovery)
- C:\Users\[username]\AppData\Roaming\5PR792A9\5PRlogrf.ini  (Firefox Recovery)
- C:\Users\[username]\AppData\Roaming\5PR792A9\5PRlogrg.ini  (Chrome Recovery)
- C:\Users\[username]\AppData\Roaming\5PR792A9\5PRlogri.ini  (Iexplore Recovery)
- C:\Users\[username]\AppData\Roaming\5PR792A9\5PRlogrv.ini  (__Vault Recovery)

- Note: All the above files were deleted after data exfiltation, except for first file at 0 bytes.

FORMBOOK HTTP GET AND POST REQUESTS:

- GET /g0e8/?[string of alphanumeric characters with the following mixed in: = _ + and /]
- POST /g0e8/

DOMAINS THAT DID NOT RESOLVE:

- DNS query for www.lkfangche[.]com - no response from DNS server
- DNS query for www.mxui[.]top - no response from DNS server

- DNS query for www.bella-japon[.]com - response: No such name
- DNS query for www.ddgarciaf[.]live - response: No such name
- DNS query for www.exceptionalservicegroup[.]com - response: No such name
- DNS query for www.joesplace[.]xyz - response: No such name
- DNS query for www.nvyoubb5[.]buzz - response: No such name
- DNS query for www.theproteusvoid[.]com - response: No such name

- DNS query for www.lmn2209[.]sbs - no IP returned from DNS server
- DNS query for www.qgbsukco2[.]com - no IP returned from DNS server

DOMAINS USED FOR FORMBOOK GET REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

- www.33832[.]xyz
- www.adswarior[.]click
- www.artverseclothing[.]com
- www.ayam48ekor[.]xyz
- www.bocahn4kal46.site
- www.dbhkcnrsah[.]com
- www.downloadcorner[.]com
- www.edgeater[.]com
- www.goturnkeywebsites[.]com
- www.kccmysore[.]com
- www.lovemehireme[.]com
- www.qof521[.]xyz
- www.redactedgraphics[.]com
- www.samakhsarapi.online
- www.shop-foule[.]com
- www.tamikamtownsendinc[.]com
- www[.]toptoveterteam[.]world
- www.vippay[.]site
- www.winch-systems[.]com

DOMAINS USED FOR FORMBOOK GET AND POST REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

- www.aichicup[.]com  **
- www.aiunclouded[.]com
- www.beautifulmindsmgmt[.]com
- www.jasdoltin[.]xyz  **
- www.markrepository.website
- www.miemishop[.]com
- www.smartphone[.]solutions  **
- www.suistamp[.]com
- www.www30100h[.]com
- www.xrblockbuster[.]com
- www.yctuba[.]com  **
- www.zf129[.]vip

  ** - Full stolen data (encoded) sent through HTTP POST request.

Click here to return to the main page.