30 DAYS OF FORMBOOK: DAY 29, MONDAY 2023-07-03 - GULOADER FOR FORMBOOK "AU22"


MALWARE/ARTIFACTS:

- SHA256 hash: c14f03d40463a937c43d9e7717acc6c96c5b294c0d15a6431d09b5e3e2a76d45
- File size: 420,320 bytes
- File name: regedit_pcs.exe
- Persistent file location: C:\Program Files (x86)\Qwvahanj0\bvr0hrr0cfb.exe
- File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- File description: Windows EXE for GuLoader

- SHA256 hash: a317666a3cc949a8aebcd7b05623e454d5f640701a78371002679fd9b7c06627
- File size: 189,504 bytes
- File location: hxxp[:]//107.172.148[.]208/hgm/EDZRsnhXwak246.bin
- File type: data
- File description: data binary retrieved by GuLoader for Formbook
- Note: This file is not malicious on its own

PERSISTENCE:

- Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: HBCTIHTHWZ8
- Value type: REG_SZ
- Value Data: C:\Program Files (x86)\Qwvahanj0\bvr0hrr0cfb.exe

DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER:

- C:\Users\[username]\AppData\Roaming\2L7NO2QW\2L7log.ini - 0 bytes
- C:\Users\[username]\AppData\Roaming\2L7NO2QW\2L7logim.jpeg  (screenshot of desktop)
- C:\Users\[username]\AppData\Roaming\2L7NO2QW\2L7logrc.ini  (Outlook Recovery)
- C:\Users\[username]\AppData\Roaming\2L7NO2QW\2L7logrf.ini  (Firefox Recovery)
- C:\Users\[username]\AppData\Roaming\2L7NO2QW\2L7logrg.ini  (Chrome Recovery)
- C:\Users\[username]\AppData\Roaming\2L7NO2QW\2L7logri.ini  (Iexplore Recovery)
- C:\Users\[username]\AppData\Roaming\2L7NO2QW\2L7logrv.ini  (__Vault Recovery)

- Note: All of the above files were deleted after data exfiltration, except for the first file at 0 bytes.

FORMBOOK HTTP GET AND POST REQUESTS:

- GET /au22/?[string of alphanumeric characters with the following mixed in: = _ + and /]
- POST /au22/

DOMAINS THAT DID NOT RESOLVE:

- DNS query for www.stayinwhaus[.]com - no response from DNS server
- DNS query for www.yitejiajiaju[.]com - no response from DNS server

- DNS query for www.4s04[.]com - response: No such name
- DNS query for www.91p199[.]xyz - response: No such name
- DNS query for www.agellanascends[.]com - response: No such name
- DNS query for www.eccpim[.]mobi - response: No such name
- DNS query for www.gfoke[.]com - response: No such name
- DNS query for www.magnetcetera[.]com - response: No such name
- DNS query for www.okask[.]top - response: No such name
- DNS query for www.pbrcenter[.]com - response: No such name
- DNS query for www.pknc29t[.]asia - response: No such name
- DNS query for www.securityc0inbasecheck[.]com - response: No such name
- DNS query for www.stiffsoothe[.]com - response: No such name
- DNS query for www.williesales[.]com - response: No such name

DOMAINS USED FOR FORMBOOK GET REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

- www.2025yh[.]com
- www.ameron[.]net
- www.eh8z[.]com
- www.ektaparishadindia[.]com
- www.kbizconnect[.]com
- www.libertycentraltx[.]com
- www.matiamahal[.]com
- www.maticads[.]com
- www.onaca-marketing[.]com
- www.pastiwede03[.]site
- www.philoslabs[.]com
- www.poopscoop[.]news
- www.sigsdubai[.]com
- www.stockprinciple[.]com
- www.t3mf2s7[.]com
- www.takingstepswithme[.]net
- www.thirty4llc[.]com
- www.tradingisgambling[.]com
- www.trykaledrgpt77[.]com
- www.umso[.]community
- www.youtringaring[.]com
- www.yummyhairproducts[.]com
- www.zhaohui[.]love

DOMAINS USED FOR FORMBOOK GET AND POST REQUESTS:

- Note: These appear to be legitimate websites or parked domain pages. 

- www.4636829[.]com
- www.9936uu[.]top
- www.amreeshchandra[.]com
- www.bigeasytripods[.]com
- www.bruckerproperties[.]com
- www.dvineshirts[.]com
- www.evolvedbooks[.]com
- www.kiecoe[.]xyz
- www.mailstupmembership[.]com
- www.pbwyx[.]com
- www.ritaracanfood[.]com
- www.rootslady[.]com
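The indicators on this page are written in defanged form (`hxxp[:]//`, `[.]`), so they cannot be matched against logs as-is. The following Python script is an added example, not part of the original post or of malware-traffic-analysis.net: it refangs a handful of the indicators listed above (the GuLoader payload URL, one unresolved domain, two GET/POST domains), builds a hostname watchlist from them, and scans constructed DNS and proxy log lines for those hosts and for the `/au22/` Formbook URI pattern. The log lines and their field layout are invented for the example; real DNS or proxy logs would need their own field parsing.

```python
import re

# Indicators copied from the listing above, in the page's defanged notation.
# Only a subset is used here; a real watchlist would include every host on the page.
DEFANGED_IOCS = [
    "hxxp[:]//107.172.148[.]208/hgm/EDZRsnhXwak246.bin",  # GuLoader payload download
    "www.stayinwhaus[.]com",                              # unresolved Formbook C2 candidate
    "www.4636829[.]com",                                  # GET and POST domain
    "www.rootslady[.]com",                                # GET and POST domain
]

# Constructed log lines for the example (not real traffic from the page).
SAMPLE_LOG = [
    "2023-07-03 14:02:11 client=10.0.0.5 query=www.stayinwhaus.com type=A rcode=SERVFAIL",
    "2023-07-03 14:02:12 client=10.0.0.5 query=www.example.org type=A rcode=NOERROR",
    "2023-07-03 14:02:20 client=10.0.0.5 GET http://107.172.148.208/hgm/EDZRsnhXwak246.bin 200",
    "2023-07-03 14:03:05 client=10.0.0.5 POST http://www.rootslady.com/au22/ 200",
]

# Matches either a dotted IPv4 address or a dotted hostname; IPv4 is tried first
# so that an address is not split into a partial hostname match.
TOKEN_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# The Formbook request pattern documented above: GET or POST to a path under /au22/.
FORMBOOK_URI_RE = re.compile(r"\b(?:GET|POST)\s+\S*/au22/")


def refang(ioc: str) -> str:
    """Turn the page's defanged notation back into a matchable string."""
    return (ioc.replace("hxxps[:]//", "https://")
               .replace("hxxp[:]//", "http://")
               .replace("[:]", ":")
               .replace("[.]", "."))


def host_of(ioc: str) -> str:
    """Extract the lowercase hostname or IP from a refanged URL or bare host."""
    refanged = re.sub(r"^https?://", "", refang(ioc))
    return refanged.split("/")[0].lower()


def build_watchlist(iocs) -> set:
    """Set of hostnames/IPs to look for in logs."""
    return {host_of(i) for i in iocs}


def find_hits(lines, watchlist):
    """Return (line_index, kind, value) for every watchlist host or Formbook URI seen.

    A host is reported at most once per line; the URI pattern is reported
    separately so that a sinkholed or parked domain still surfaces the
    suspicious request shape even if the host itself is not on the list.
    """
    hits = []
    for idx, line in enumerate(lines):
        seen = set()
        for token in TOKEN_RE.findall(line):
            value = token.lower()
            if value in watchlist and value not in seen:
                seen.add(value)
                hits.append((idx, "indicator", value))
        if FORMBOOK_URI_RE.search(line):
            hits.append((idx, "formbook-uri", "/au22/"))
    return hits


if __name__ == "__main__":
    watch = build_watchlist(DEFANGED_IOCS)
    for idx, kind, value in find_hits(SAMPLE_LOG, watch):
        print(f"line {idx}: {kind} {value}")
```

On the constructed input, the scan flags the SERVFAIL lookup for `www.stayinwhaus.com`, the download from `107.172.148.208`, and the POST to `www.rootslady.com`, with the last line reported a second time for its `/au22/` URI. Because the GET/POST domains on this page are mostly legitimate or parked sites, a hostname match alone is weak evidence; the URI pattern plus the registry Run key listed under PERSISTENCE are the stronger indicators to pivot on.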
