30 DAYS OF FORMBOOK: DAY 28, SUNDAY 2023-07-02 - "SY18"


INFECTION CHAIN:

- Email --> Microsoft Excel file --> CVE-2017-11882 exploit --> retrieves and runs Formbook EXE

MALWARE/ARTIFACTS:

- SHA256 hash: 2044b8bd82e55429ac7fc4608d67477f8673b1fee099be9372cf2b4f9b1a16c0
- File size: 1,951,638 bytes
- File name: unknown
- File type: Microsoft Excel 2007+
- File description: Microsoft Excel file with exploit targeting older versions of Microsoft Office

- SHA256 hash: 042a79fca496efba98589c7115c620c116af2ef1e1308a9ab91f21026a5ccd43
- File size: 349,775 bytes
- File location: hxxp[:]//www.atonal[.]com.br/shebronzy3.1.exe
- Persistent file location: C:\Program Files (x86)\Jvbohq418\bbcmrqpl.exe
- File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- File description: Windows EXE for Formbook version 4.1

PERSISTENCE:

- Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: XTWX3ZIXDH
- Value type: REG_SZ
- Value Data: C:\Program Files (x86)\Jvbohq418\bbcmrqpl.exe

DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER:

- C:\Users\[username]\AppData\Roaming\N78558A0\N78log.ini - 0 bytes
- C:\Users\[username]\AppData\Roaming\N78558A0\N78logim.jpeg  (screenshot of desktop)
- C:\Users\[username]\AppData\Roaming\N78558A0\N78logrc.ini  (Outlook Recovery)
- C:\Users\[username]\AppData\Roaming\N78558A0\N78logrf.ini  (Firefox Recovery)
- C:\Users\[username]\AppData\Roaming\N78558A0\N78logrg.ini  (Chrome Recovery)
- C:\Users\[username]\AppData\Roaming\N78558A0\N78logri.ini  (Iexplore Recovery)
- C:\Users\[username]\AppData\Roaming\N78558A0\N78logrv.ini  (__Vault Recovery)

- Note: All the above files were deleted after data exfiltration, except for the first file at 0 bytes.

FORMBOOK HTTP GET AND POST REQUESTS:

- GET /sy18/?[string of alphanumeric characters with the following mixed in: = _ + and /]
- POST /sy18/

DOMAINS THAT DID NOT RESOLVE:

- DNS query for www.1hgfrdr[.]asia - response: No such name
- DNS query for www.aboutwean[.]site - response: No such name
- DNS query for www.goqyfriy[.]com - response: No such name
- DNS query for www.ltnmgt[.]com - response: No such name
- DNS query for www.safeborderpetition[.]com - response: No such name
- DNS query for www.zakhtive[.]com - response: No such name

DOMAIN THAT RESOLVED, BUT NO CONNECTION TO SERVER:

- port 80 - www.nanjingyunmi[.]work - TCP SYN segments only, no response or RST from server

DOMAINS USED FOR FORMBOOK GET REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages.

DOMAINS USED FOR FORMBOOK GET AND POST REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages.
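As an added example (not part of the original post), a small Python check that applies the request pattern above and the decoy-domain behavior described in these sections to constructed proxy log lines: it flags a client whose GET /<campaign>/?... requests fan out across several unrelated domains. The campaign path (sy18) is taken from this page; the client addresses, domains and query strings are invented.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (client, method, Host header, URI); not from the original
# capture. They mimic the Formbook pattern on this page: one client issues GET /sy18/?<data>
# and POST /sy18/ to many unrelated domains, mixed in with ordinary browsing.
SAMPLE_LOG = """\
10.7.2.101 GET www.news-example.test /index.html
10.7.2.101 GET www.decoy-a.test /sy18/?Zx2=Qm9vdGxlZ19Ua3R3K1dDSl8vZXhk/Rq=3mW_
10.7.2.101 POST www.decoy-a.test /sy18/
10.7.2.101 GET www.decoy-b.test /sy18/?Zx2=aG9zdG5hbWU9V0lOLTk1MzJrK0pTL3B3bg+Rq=1vP_
10.7.2.101 GET www.decoy-c.test /sy18/?Zx2=c2VyaWFsPTExMjgzOTZrK0QvL3Jm/Rq=8aT_
10.7.2.101 POST www.decoy-c.test /sy18/
10.7.2.101 GET www.decoy-d.test /sy18/?Zx2=bG9nb249dXNlciswMXB3K1pu+Rq=0qL_
10.7.2.55 GET www.shop-example.test /sy18/?Zx2=abc
10.7.2.55 GET www.shop-example.test /cart/
"""

# URI shapes described on this page: GET /<campaign>/?<alphanumerics with = _ + / mixed in>
# and POST /<campaign>/ . The campaign segment ("sy18" here) is captured so it can be keyed on.
GET_RE = re.compile(r"^/([A-Za-z0-9]+)/\?[A-Za-z0-9=_+/]+$")
POST_RE = re.compile(r"^/([A-Za-z0-9]+)/$")


def find_formbook_beacons(log_text, min_hosts=3):
    """Group requests by (client, campaign path) and keep only the groups whose matching
    GETs fan out across at least min_hosts distinct domains. That fan-out (same odd path,
    many unrelated hosts) is the signal; a single site using such a path is not flagged."""
    seen = defaultdict(lambda: {"get_hosts": set(), "post_hosts": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, method, host, uri = line.split()
        if method == "GET" and (m := GET_RE.match(uri)):
            seen[(client, m.group(1))]["get_hosts"].add(host)
        elif method == "POST" and (m := POST_RE.match(uri)):
            seen[(client, m.group(1))]["post_hosts"].add(host)
    return {key: info for key, info in seen.items()
            if len(info["get_hosts"]) >= min_hosts}


if __name__ == "__main__":
    for (client, path), info in find_formbook_beacons(SAMPLE_LOG).items():
        print(f"{client}: /{path}/ beacons to {len(info['get_hosts'])} domains, "
              f"POST seen to {len(info['post_hosts'])}")
```

The threshold is deliberately a count of distinct hosts rather than of requests, since a real site that happens to use a short path would be contacted repeatedly but would not spread across unrelated domains.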
