30 DAYS OF FORMBOOK: DAY 25, THURSDAY 2023-06-29 - "CS94"

IMAGES:

[Image: traffic from the infection filtered in Wireshark]

INFECTION CHAIN:

- Email --> attached RAR archive --> extracted Formbook EXE --> victim runs Formbook EXE

MALWARE/ARTIFACTS:

- SHA256 hash: 2ee6fb6a93174c53b1de3fb881ff50f06ff33a03337b6cb8d37bd562b18eda13
- File size: 587,367 bytes
- File name: Quotation.rar
- File type: RAR archive data, v5
- File description: RAR archive containing Formbook EXE

- SHA256 hash: ddd9ead73e818770fe8bc81da65f863e2ed6d20a6a32c60817d3edc8c4aa38d4
- File size: 920,576 bytes
- File name: Quotation.exe
- Persistent file location: C:\Program Files (x86)\Agtbxn2\or5hinj6e.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: Windows EXE for Formbook version 4.1

PERSISTENCE:

- Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: KBCXWPJ0
- Value type: REG_SZ
- Value Data: C:\Program Files (x86)\Agtbxn2\or5hinj6e.exe

DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER:

- C:\Users\[username]\AppData\Roaming\783RB9A-\783log.ini - 0 bytes
- C:\Users\[username]\AppData\Roaming\783RB9A-\783logim.jpeg  (screenshot of desktop)
- C:\Users\[username]\AppData\Roaming\783RB9A-\783logrc.ini  (Outlook Recovery)
- C:\Users\[username]\AppData\Roaming\783RB9A-\783logrf.ini  (Firefox Recovery)
- C:\Users\[username]\AppData\Roaming\783RB9A-\783logrg.ini  (Chrome Recovery)
- C:\Users\[username]\AppData\Roaming\783RB9A-\783logri.ini  (Iexplore Recovery)
- C:\Users\[username]\AppData\Roaming\783RB9A-\783logrv.ini  (__Vault Recovery)

- Note: All of the above files were deleted after data exfiltration, except for the first file, which remained at 0 bytes.

FORMBOOK HTTP GET AND POST REQUESTS:

- GET /cs94/?[string of alphanumeric characters with the following mixed in: = _ + and /]
- POST /cs94/

DOMAINS THAT DID NOT RESOLVE:

- DNS query for www.domestig[.]africa - no response from DNS server
- DNS query for www.dhubdigitalsolutions[.]africa - no response from DNS server
- DNS query for www.jtownexclusive[.]africa - no response from DNS server
- DNS query for www.megagist[.]africa - no response from DNS server
- DNS query for www.testhamsa[.]net - no response from DNS server

- DNS query for www.9-ji[.]com - response: No such name
- DNS query for www.akinsrealtystation[.]com - response: No such name
- DNS query for www.amzosecsn-jp[.]icu - response: No such name
- DNS query for www.audley[.]boo - response: No such name
- DNS query for www.bbywafz248xca4[.]com - response: No such name
- DNS query for www.cammali[.]com - response: No such name
- DNS query for www.carpetexperss[.]com - response: No such name
- DNS query for www.cqivrh[.]cfd - response: No such name
- DNS query for www.duoguang[.]top - response: No such name
- DNS query for www.houseecare[.]com - response: No such name
- DNS query for www.hsfgass33[.]top - response: No such name
- DNS query for www.lhv-turvakontroll[.]com - response: No such name
- DNS query for www.requestwebques[.]online - response: No such name

DOMAINS THAT RESOLVED, BUT NO CONNECTION TO SERVER:

- port 80 - www.econetv[.]com - TCP SYN segments only, no response or RST from server
- port 80 - www.hgfadhgadfyta[.]top - TCP SYN segments only, no response or RST from server
- port 80 - www.iseedifferent[.]com - TCP SYN segments only, no response or RST from server

DOMAINS USED FOR FORMBOOK GET REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

- www.1paikunaway[.]com
- www.24hrlaundry[.]com
- www.2826casino[.]com
- www.azerya[.]tech
- www.balikesirjenerator[.]com
- www.brocomole[.]com
- www.builtmedia[.]co[.]uk
- www.carolinacoastalrealestate[.]homes
- www.carrirae[.]shop
- www.chat784[.]com
- www.coandcocoon[.]com
- www.cookfleet[.]xyz
- www.daugoivn[.]com
- www.dcleaningseevicesltd[.]co[.]uk
- www.dhaliwal3[.]com
- www.digijockey[.]com
- www.fantastika[.]online
- www.georoiddemo[.]online
- www.gh-socio[.]com
- www.greatonlineshoppingmall[.]com
- www.hability[.]xyz
- www.hdwebsite4[.]info
- www.healthproduct[.]site
- www.lazarnejad[.]com
- www.liuyao168[.]com
- www.lr-nexusark[.]com
- www.nadraservicecentre[.]co[.]uk
- www.otc[.]rsvp

DOMAINS USED FOR FORMBOOK GET AND POST REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

- www.camoeyes[.]boo  **
- www.dhfjda8[.]com
- www.forumken[.]net
- www.humanlongevity[.]xyz
- www.independentbmwdiagnostics[.]co[.]uk
- www.iptvebay[.]shop
- www.jrmastering[.]ch  **
- www.kitchenpharmacy[.]co[.]uk
- www.lan26[.]ru
- www.lefinet[.]com  **
- www.rrscu[.]com  **
- www.yuvmh[.]xyz  **

  ** - Full stolen data (encoded) sent through HTTP POST request.
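
The request pattern above (GET /cs94/?[encoded string], POST /cs94/) and the long list of unrelated domains all receiving that same path are the two things a defender can key on. The script below is an added example, not code from the original page or from the analyst's own tooling: it takes constructed request log lines in a simple "METHOD host path" form (not the real pcap), matches the GET and POST shapes described above for /cs94/, and flags any short path that recurs across several distinct hosts, separating the hosts that also received a POST. The 2-8 character campaign-id length, the log line format and the host threshold of 3 are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample request log, one request per line as "METHOD host path".
# These lines are made up for this example; they are not taken from the pcap.
SAMPLE_REQUESTS = [
    "GET www.camoeyes.boo /cs94/?abc123DEF=_+x/y9==",
    "POST www.camoeyes.boo /cs94/",
    "GET www.forumken.net /cs94/?Qw3r/ty_+UIop=",
    "GET www.lefinet.com /cs94/?zz9+AB_/cd=",
    "POST www.lefinet.com /cs94/",
    "GET www.example.org /index.html",
    "GET www.example.org /images/logo.png",
    "POST www.example.org /login",
]

# Formbook GET: "/<campaign id>/?" followed by an encoded string made of
# alphanumerics with = _ + and / mixed in, the shape described for /cs94/.
# The 2-8 character id length is an assumption; the page only shows "cs94".
GET_RE = re.compile(r"^/([A-Za-z0-9]{2,8})/\?([A-Za-z0-9=_+/]+)$")
# Formbook POST: the same "/<campaign id>/" path with no query string.
POST_RE = re.compile(r"^/([A-Za-z0-9]{2,8})/$")


def parse_line(line):
    """Split a "METHOD host path" log line into its three fields, or None if malformed."""
    parts = line.strip().split(" ", 2)
    if len(parts) != 3:
        return None
    method, host, target = parts
    return method.upper(), host.lower(), target


def classify(line):
    """Return (kind, campaign_id, host) for a Formbook-shaped request, else None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    method, host, target = parsed
    if method == "GET":
        m = GET_RE.match(target)
        if m:
            return ("formbook_get", m.group(1), host)
    elif method == "POST":
        m = POST_RE.match(target)
        if m:
            return ("formbook_post", m.group(1), host)
    return None


def find_campaign_paths(lines, min_hosts=3):
    """Group Formbook-shaped requests by campaign id and keep the ids that
    recur across at least min_hosts distinct hosts. One short path reused
    across many unrelated domains is the decoy pattern seen on this page;
    the threshold of 3 is an assumption for this example."""
    hosts_by_id = defaultdict(set)
    post_hosts_by_id = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        kind, campaign_id, host = hit
        hosts_by_id[campaign_id].add(host)
        if kind == "formbook_post":
            post_hosts_by_id[campaign_id].add(host)
    return {
        campaign_id: {
            "hosts": sorted(hosts),
            # Hosts that also received a POST: where the stolen data actually went.
            "post_hosts": sorted(post_hosts_by_id[campaign_id]),
        }
        for campaign_id, hosts in hosts_by_id.items()
        if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    for campaign_id, info in find_campaign_paths(SAMPLE_REQUESTS).items():
        print(f"campaign path /{campaign_id}/ seen on {len(info['hosts'])} hosts; "
              f"POST to: {', '.join(info['post_hosts'])}")
```

Matching on the path shape alone would also catch ordinary sites that happen to use a short directory with a query string, which is why the example only reports a campaign id once it appears on several distinct hosts; on this day's traffic the same /cs94/ path showed up on roughly forty domains, so the threshold is easily met, while a normal host rarely shares an identical short path with unrelated domains.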

 
