30 DAYS OF FORMBOOK: DAY 27, SATURDAY 2023-07-01 - "NES8"
NOTICE:
- Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
NOTES:
- This is my 27th of 30 infection runs for recent Formbook activity.
ASSOCIATED FILES:
- 2023-07-01-IOCs-for-Formbook-infection.txt.zip 2.1 kB (2,147 bytes)
- 2023-07-01-Formbook-infection-traffic.pcap.zip 8.9 MB (8,859,530 bytes)
- 2023-07-01-Formbook-malware-and-artifacts.zip 456 kB (456,061 bytes)
INFECTION CHAIN:
- Email --> attached RTF ".doc" exploiting CVE-2017-11882 --> retrieves and runs Formbook EXE --> Formbook C2

NOTES:
- This infection chain uses an RTF exploiting CVE-2017-11882 to retrieve and run the Formbook EXE.
- However, in this example, I used Microsoft Edge on a Windows 10 host to retrieve the Formbook EXE.

MALWARE/ARTIFACTS:
- SHA256 hash: 4ef48d1dac8579e1ae4a39655a8b17aa2f7d327af0503a2bce77065d8bd8f73c
- File size: 150,124 bytes
- File name: CUSTOMER023- PURCHASE ORDER.doc
- File type: Rich Text Format data, version 1
- File description: RTF with ".doc" file extension exploiting CVE-2017-11882 for Formbook infection

- SHA256 hash: 1898f22fac7a609e186050d787f60be2d8427ad8d24fa66f44c0ddcc17cb72d5
- File size: 330,002 bytes
- File location: hxxp[:]//ask6.awt[.]com.pk/wordpress/wp-content/mad.exe
- File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- File description: Windows EXE for Formbook version 4.1

- SHA256 hash: a1255a580562b9ad80015641a5da339dbe73226e7ea67e4e4fc35ae54139b7c7
- File size: 81,408 bytes
- File location: C:\Program Files (x86)\Xgz3d\autochk1bylajq8.exe
- File type: PE32 executable (GUI) Intel 80386, for MS Windows
- File description: Non-malicious file where persistent Formbook would normally be saved

PERSISTENCE:
- Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: TV5XV418QZCL
- Value type: REG_SZ
- Value Data: C:\Program Files (x86)\Xgz3d\autochk1bylajq8.exe
- Note: EXE referenced in the above registry key is not Formbook

DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER:
- C:\Users\[username]\AppData\Roaming\6-R04OQ0\6-Rlog.ini - 0 bytes
- C:\Users\[username]\AppData\Roaming\6-R04OQ0\6-Rlogim.jpeg (screenshot of desktop)
- C:\Users\[username]\AppData\Roaming\6-R04OQ0\6-Rlogrc.ini (Outlook Recovery)
- C:\Users\[username]\AppData\Roaming\6-R04OQ0\6-Rlogrf.ini (Firefox Recovery)
- C:\Users\[username]\AppData\Roaming\6-R04OQ0\6-Rlogrg.ini (Chrome Recovery)
- C:\Users\[username]\AppData\Roaming\6-R04OQ0\6-Rlogri.ini (Iexplore Recovery)
- C:\Users\[username]\AppData\Roaming\6-R04OQ0\6-Rlogrv.ini (__Vault Recovery)
- Note: All the above files were deleted after data exfiltration, except for the first file at 0 bytes.

FORMBOOK HTTP GET AND POST REQUESTS:
- GET /nes8/?[string of alphanumeric characters with the following mixed in: = _ + and /]
- POST /nes8/

DOMAINS THAT DID NOT RESOLVE:
- DNS query for www.huibi01[.]vip - no response from DNS server
- DNS query for www.sarodret[.]buzz - no response from DNS server
- DNS query for www.soulcommunication[.]site - no response from DNS server
- DNS query for www.s95wh[.]icu - response: No such name
- DNS query for www.dgrjzz1688[.]com - no IP returned from DNS server
- DNS query for www.kruz56[.]site - no IP returned from DNS server
- DNS query for www.tbsc766[.]store - no IP returned from DNS server

DOMAINS USED FOR FORMBOOK GET REQUESTS:
- Note: These appear to be legitimate websites or parked domain pages.

DOMAINS USED FOR FORMBOOK GET AND POST REQUESTS:
- Note: These appear to be legitimate websites or parked domain pages.
- Note: For some of these domains, the full stolen data (encoded) was sent through an HTTP POST request.
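As an added example, not part of the original post, the following Python check applies the request pattern above to proxy-log lines: it flags GET requests to the campaign path whose query uses only the characters listed, POST requests to the same path, and any client that contacts that path on several distinct hosts, which is the one-path-across-many-domains pattern this page records. The log line format and the host names in the sample are constructed assumptions.

```python
import re
from collections import defaultdict

# Campaign path taken from this page; other Formbook campaigns use a different short path.
FORMBOOK_PATH = "/nes8/"
# Query charset as described on the page: alphanumerics plus = _ + and / (no & separators).
QUERY_RE = re.compile(r"^[A-Za-z0-9=_+/]+$")

# Constructed sample log lines (assumed format: client host method path status).
SAMPLE_LOG = """\
10.0.0.5 www.parked-one.test GET /nes8/?a7Bc=9xYz_Q2+k/3L 200
10.0.0.5 www.parked-two.test GET /nes8/?Zz91_kQ=+Lm/pp 200
10.0.0.5 www.parked-two.test POST /nes8/ 200
10.0.0.5 www.parked-three.test POST /nes8/ 200
10.0.0.5 www.benign.test GET /nes8/?x=1&y=2 200
10.0.0.7 cdn.benign.test GET /static/app.js 200
"""


def classify_line(line):
    """Return 'get', 'post' or None for one log line."""
    parts = line.split()
    if len(parts) < 4:
        return None
    _client, _host, method, path = parts[:4]
    if method == "POST" and path == FORMBOOK_PATH:
        return "post"
    if method == "GET" and path.startswith(FORMBOOK_PATH + "?"):
        query = path[len(FORMBOOK_PATH) + 1:]
        # A query containing '&' or other characters outside the charset is not this pattern.
        if QUERY_RE.match(query):
            return "get"
    return None


def find_beacons(log_text, min_hosts=2):
    """Per client, count matching GET/POST lines and the distinct hosts hit on the campaign path.
    Only clients that hit the path on at least min_hosts different hosts are returned."""
    hits = defaultdict(lambda: {"hosts": set(), "get": 0, "post": 0})
    for line in log_text.splitlines():
        kind = classify_line(line)
        if kind is None:
            continue
        client, host = line.split()[:2]
        hits[client]["hosts"].add(host)
        hits[client][kind] += 1
    return {c: {"hosts": sorted(v["hosts"]), "get": v["get"], "post": v["post"]}
            for c, v in hits.items() if len(v["hosts"]) >= min_hosts}


if __name__ == "__main__":
    for client, info in find_beacons(SAMPLE_LOG).items():
        print(client, info)
```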