30 DAYS OF FORMBOOK: DAY 26, FRIDAY 2023-06-30 - "S28Y"
NOTICE:
- Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
NOTES:
- This is my 26th of 30 infection runs for recent Formbook activity.
ASSOCIATED FILES:
- 2023-06-30-IOCs-for-Formbook-infection.txt.zip 2.2 kB (2,171 bytes)
- 2023-06-30-Formbook-infection-traffic.pcap.zip 7.3 MB (7,338,043 bytes)
- 2023-06-30-Formbook-malware-and-artifacts.zip 466 kB (466,406 bytes)
INFECTION CHAIN:
- Email --> attached zip archive --> extracted Formbook EXE --> victim runs Formbook EXE
MALWARE/ARTIFACTS:
- SHA256 hash: 36c59fca2be8a3be742cfa48db7112d01fc18ec1eb855e46f44a014de1726607
- File size: 231,008 bytes
- File name: PRE ALERT NOTICE#202307.zipsh
- File type: Zip archive data, at least v2.0 to extract, compression method=deflate
- File description: Zip archive containing Formbook EXE
- SHA256 hash: 215bf08032eb73c5e0b50bcce07def909e22f769315b0f90ed6cec87b28d44f6
- File size: 245,825 bytes
- File name: PRE ALERT NOTICE#202307.exe
- Persistent file location #1: C:\Users\[username]\AppData\Roaming\gluqaj\fokscx.exe
- Persistent file location #2: C:\Program Files (x86)\Bzzyxv\gdiplptor.exe
- File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- File description: Windows EXE for Formbook version 4.1
PERSISTENCE:
- Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value 0 name: hqmvrbk
- Value 0 type: REG_SZ
- Value 0 Data: C:\Users\[username]\AppData\Roaming\gluqaj\fokscx.exe "C:\Users\[username]\Downloads\PRE ALERT NOTICE#202307.exe"
- Value 1 name: NJNXQZG8VV
- Value 1 type: REG_SZ
- Value 1 Data: C:\Program Files (x86)\Bzzyxv\gdiplptor.exe
DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER:
- C:\Users\[username]\AppData\Roaming\6L80511C\6L8log.ini - 0 bytes
- C:\Users\[username]\AppData\Roaming\6L80511C\6L8logim.jpeg (screenshot of desktop)
- C:\Users\[username]\AppData\Roaming\6L80511C\6L8logrc.ini (Outlook Recovery)
- C:\Users\[username]\AppData\Roaming\6L80511C\6L8logrf.ini (Firefox Recovery)
- C:\Users\[username]\AppData\Roaming\6L80511C\6L8logrg.ini (Chrome Recovery)
- C:\Users\[username]\AppData\Roaming\6L80511C\6L8logri.ini (Iexplore Recovery)
- C:\Users\[username]\AppData\Roaming\6L80511C\6L8logrv.ini (__Vault Recovery)
- Note: All of the above files were deleted after data exfiltration, except for the first file at 0 bytes.
FORMBOOK HTTP GET AND POST REQUESTS:
- GET /s28y/?[string of alphanumeric characters with the following mixed in: = _ + and /]
- POST /s28y/
DOMAINS THAT DID NOT RESOLVE:
- DNS query for www.campinglager[.]beer - no response from DNS server
- DNS query for www.probiostarter[.]com - no response from DNS server
- DNS query for www.rttty15[.]com - no response from DNS server
- DNS query for www.vg4d0o[.]work - no response from DNS server
- DNS query for www.2auw88[.]com - response: No such name
- DNS query for www.338zt7we6i0[.]cyou - response: No such name
- DNS query for www.babyhubstore[.]com - response: No such name
- DNS query for www.brekroic[.]com - response: No such name
- DNS query for www.copythriller[.]com - response: No such name
- DNS query for www.prinicaonlinr[.]com - response: No such name
- DNS query for www.rewindrehabilitation[.]com - response: No such name
- DNS query for www.sabzevarfaj[.]sbs - response: No such name
- DNS query for www.shisokj[.]vip - response: No such name
- DNS query for www.usrinfo[.]top - response: No such name
- DNS query for www.xn--i2bwwzn[.]com - response: No such name
- DNS query for www.yijgqpi59[.]top - response: No such name
DOMAINS THAT RESOLVED, BUT NO CONNECTION TO SERVER:
- port 80 - www.fascistian[.]com - TCP SYN segments only, no response or RST from server
- port 80 - www.hotelguerneville[.]com - TCP SYN segments only, no response or RST from server
- port 80 - www.jiangwan[.]top - TCP SYN segments only, no response or RST from server
DOMAINS USED FOR FORMBOOK GET REQUESTS:
- Note: These appear to be legitimate websites or parked domain pages.
- www.1d8t[.]com
- www.86slsz[.]com
- www.airrests[.]com
- www.blahblahblahkatee[.]com
- www.blogdamuskinha[.]com
- www.coatedincoco[.]com
- www.contourbioinc[.]com
- www.farviolet[.]com
- www.gaynorvascones[.]site
- www.getwinchance[.]com
- www.hg301d[.]cfd
- www.investigatorsshow[.]net
- www.kedou25[.]com
- www.lightsoftwear[.]com
- www.m-behjati[.]com
- www.mpocash[.]mobi
- www.mvp688[.]pro
- www.nissanvideos[.]com
- www.ordukampanyalar[.]com
- www.prosblogs[.]com
- www.redbudvending[.]com
- www.relovedresses[.]com
- www.revolut[.]expert
- www.riverwoodschool[.]com
- www.sedashop[.]com
- www.serenitysuite[.]health
- www.starbytescafe[.]com
- www.tickeplate[.]com
- www.truyenfullonline[.]com
- www.visual138[.]info
- www.wexun[.]net
- www.whytry[.]shop
- www.wildcatcreekhomes[.]com
- www.youbi[.]cyou
DOMAINS USED FOR FORMBOOK GET AND POST REQUESTS:
- Note: These appear to be legitimate websites or parked domain pages.
- www.8betkrw[.]com
- www.ccxx0[.]com **
- www.comienzadesdecero[.]com
- www.configurableba[.]life
- www.hieblev[.]online **
- www.i8ep58[.]cfd
- www.i9bet[.]quest **
- www.litescales[.]sbs **
- www.lyrianhealth[.]com
- www.newskysupplies[.]com **
- www.ou3ejf[.]cfd
- www.readyconcreto[.]com **
** - Full stolen data (encoded) sent through HTTP POST request.
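The GET/POST pattern described under "FORMBOOK HTTP GET AND POST REQUESTS" (a GET to /s28y/? followed by a restricted query string, and a bare POST to /s28y/) is simple enough to turn into a log check, and the "**" marking above is just "this host saw a POST". The script below is an added example, not from this page or its pcap: it runs that check over a few constructed proxy-style log lines (method, host, URI) with made-up hostnames, groups matches by host, and reports which hosts received the POST that carries the stolen data. The query-string character class is an assumption taken from the page's description of the GET request.

```python
import re
from collections import defaultdict

# Constructed sample log lines (method host uri), NOT taken from the original
# pcap. Hostnames are placeholders for illustration only.
SAMPLE_LOG = """\
GET example-legit.test /index.html
GET www.example-a.test /s28y/?Ab12=xYz_9+QW/3
POST www.example-a.test /s28y/
GET www.example-b.test /s28y/?Zz99_k=+/abc
GET example-legit.test /s28y/?nope#frag
POST www.example-c.test /s28y/
"""

# Assumed from the page's description: the GET query string is alphanumeric
# with only = _ + and / mixed in; the POST goes to the bare path.
GET_RE = re.compile(r"^/s28y/\?[A-Za-z0-9=_+/]+$")
POST_RE = re.compile(r"^/s28y/$")


def parse_line(line):
    """Split 'METHOD HOST URI' into a 3-tuple, or None if malformed."""
    parts = line.split(maxsplit=2)
    if len(parts) != 3:
        return None
    return tuple(parts)


def classify(method, uri):
    """Return 'GET' or 'POST' if the request matches the Formbook pattern."""
    if method == "GET" and GET_RE.match(uri):
        return "GET"
    if method == "POST" and POST_RE.match(uri):
        return "POST"
    return None


def find_formbook_hosts(log_text):
    """Map each host to the set of matching request kinds seen for it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        method, host, uri = rec
        kind = classify(method, uri)
        if kind:
            hits[host].add(kind)
    return dict(hits)


def hosts_with_post(hits):
    """Hosts that received the POST (the page marks these with **)."""
    return sorted(h for h, kinds in hits.items() if "POST" in kinds)


def defang(host):
    """Write a hostname in the page's defanged style, e.g. www.x[.]com."""
    return host.replace(".", "[.]")


if __name__ == "__main__":
    found = find_formbook_hosts(SAMPLE_LOG)
    for host in sorted(found):
        marker = " **" if "POST" in found[host] else ""
        print(f"- {defang(host)}{marker}")
```

Hosts that only ever receive the GET (the first list above) will show without the marker; a host that also takes the POST is where the encoded stolen data went, so those are the ones to prioritise when scoping an incident.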
