30 DAYS OF FORMBOOK: DAY 30, TUESDAY 2023-07-04 - "MF6W"
NOTICE:
- Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
NOTES:
- This is my final post of 30 infection runs for recent Formbook activity.
ASSOCIATED FILES:
- 2023-07-04-IOCs-for-Formbook-infection.txt.zip 1.6 kB (1,646 bytes)
- 2023-07-04-Formbook-infection-traffic.pcap.zip 4.9 MB (4,854,704 bytes)
- 2023-07-04-Formbook-malware-and-artifacts.zip 553 kB (552,566 bytes)
30 DAYS OF FORMBOOK: DAY 30, TUESDAY 2023-07-04 - "MF6W"
- SHA256 hash: c64ca90a3608e3edaaf04f3289f58d018f2e6301409665820d92c61130784d23
- File size: 740,352 bytes
- File name: unknown
- Persistent file location: C:\Program Files (x86)\B-zctph-x\winij_dmp7h.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: Windows EXE for Formbook version 4.1
PERSISTENCE:
- Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: EPVHY8LXKPK
- Value type: REG_SZ
- Value Data: C:\Program Files (x86)\B-zctph-x\winij_dmp7h.exe
DATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER:
- C:\Users\[username]\AppData\Roaming\LN344RRR\LN3log.ini - 0 bytes
- C:\Users\[username]\AppData\Roaming\LN344RRR\LN3logim.jpeg (screenshot of desktop)
- C:\Users\[username]\AppData\Roaming\LN344RRR\LN3logrc.ini (Outlook Recovery)
- C:\Users\[username]\AppData\Roaming\LN344RRR\LN3logrf.ini (Firefox Recovery)
- C:\Users\[username]\AppData\Roaming\LN344RRR\LN3logrg.ini (Chrome Recovery)
- C:\Users\[username]\AppData\Roaming\LN344RRR\LN3logri.ini (Iexplore Recovery)
- C:\Users\[username]\AppData\Roaming\LN344RRR\LN3logrv.ini (__Vault Recovery)
- Note: All the above files were deleted after data exfiltration, except for the first file, which was 0 bytes.
FORMBOOK HTTP GET AND POST REQUESTS:
- GET /mf6w/?[string of alphanumeric characters with the following mixed in: = _ + and /]
- POST /mf6w/
DOMAINS THAT DID NOT RESOLVE:
- DNS query for www.my-sexcam[.]com - no response from DNS server
- DNS query for www.padokhep[.]com - no response from DNS server
- DNS query for www.jilianginfo[.]com - response: No such name
- DNS query for www.marwin747[.]com - response: No such name
- DNS query for www.nescafelab[.]com - response: No such name
- DNS query for www.xn--20230626-0b6oy72d[.]com - response: No such name
- DNS query for www.6339777[.]com - no IP returned from DNS server
- DNS query for www.yaboleyuvip9[.]com - no IP returned from DNS server
DOMAINS USED FOR FORMBOOK GET REQUESTS:
- Note: These appear to be legitimate websites or parked domain pages.
- www.atlheadshotphoto[.]com
- www.diamond-manpower[.]com
- www.drivingthendrinking[.]com
- www.fabitgood[.]com
- www.iwon79714[.]com
- www.jairoy[.]com
- www.kayshopak[.]com
- www.kizlarhamamiturkiye[.]com
- www.limestonecoffeetea[.]com
- www.mondemeuble[.]com
- www.nesliceart[.]com
- www.pooutreach[.]com
- www.prendresoindemoncorps[.]com
- www.teamnebulallc[.]com
- www.theinformativepilot[.]com
- www.ukpornagency[.]com
- www.vestmentpartnerssp[.]com
- www.wjfglobal[.]com
- www.yourfrancoach[.]com
DOMAINS USED FOR FORMBOOK GET AND POST REQUESTS:
- Note: These appear to be legitimate websites or parked domain pages.
- www.5zh3ang[.]com
- www.animalscamps[.]com
- www.arianececcon[.]com **
- www.bearshelpingbabies[.]com
- www.dftxcol[.]xyz **
- www.houseofmanus[.]com **
- www.houserentapp[.]com
- www.localventuremarketing[.]com
- www.marglobaltravels[.]com
- www.maysourcetag[.]com **
- www.myaibusinessninja[.]com
- www.piscorey[.]com
- www.redetextbox[.]com **
- www.seanandkelly[.]com **
- www.shiftfailure[.]com
- www.zapatillastopmarca[.]com **
- Full stolen data (encoded) sent through HTTP POST request.
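The request pattern above (one short path such as /mf6w/ hit with a GET carrying an encoded query string, and a POST to the same path, spread across many unrelated domains) is what makes Formbook C2 stand out in proxy or Zeek-style HTTP logs even when every individual host looks like a legitimate or parked site. The following is an added detection example, not code from this site or from the pcap; the log format (method, host, URI per line), the sample lines and the min_hosts threshold are constructed for illustration, and the path and query regexes are heuristics derived from the description above, not a Formbook signature.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines in a simplified "METHOD HOST URI" format.
# Hostnames are taken from the lists above, but the query strings are made up;
# nothing here is a real entry from the pcap.
SAMPLE_LOG = """\
GET www.atlheadshotphoto.com /mf6w/?AbCd12=XyZ9_+q/wErTy8=
GET www.jairoy.com /mf6w/?Qw34Er=Ty56Ui_+op/As78Df=
POST www.houseofmanus.com /mf6w/
GET www.houseofmanus.com /mf6w/?Zx90Cv=Bn12Mm_+kl/Jh34Gf=
GET www.example.org /index.html
GET www.example.org /images/logo.png?v=3
POST www.example.org /login
GET www.seanandkelly.com /mf6w/?Pl09Ok=Ij87Uh_+yg/Tf65Rd=
POST www.seanandkelly.com /mf6w/
"""

# Heuristic: a short single-segment directory path ("/mf6w/") ...
FORMBOOK_PATH = re.compile(r"^/[a-z0-9]{2,8}/$")
# ... and a GET query made only of alphanumerics plus = _ + and /,
# as described in the post (no '&'-separated key/value structure).
FORMBOOK_QUERY = re.compile(r"^[A-Za-z0-9=_+/]+$")


def parse_log(text):
    """Split constructed log lines into (method, host, path, query) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        method, host, uri = line.split()
        parts = urlsplit(uri)
        entries.append((method.upper(), host.lower(), parts.path, parts.query))
    return entries


def find_formbook_c2(entries, min_hosts=3):
    """Return {path: {"get_hosts": [...], "post_hosts": [...]}} for paths that
    match the Formbook shape and are contacted on at least min_hosts distinct
    hosts. The cross-host reuse of one odd path is the real signal; a single
    host hitting /abcd/ once proves nothing."""
    get_hosts = defaultdict(set)
    post_hosts = defaultdict(set)
    for method, host, path, query in entries:
        if not FORMBOOK_PATH.match(path):
            continue
        if method == "GET" and query and FORMBOOK_QUERY.match(query):
            get_hosts[path].add(host)
        elif method == "POST" and not query:
            post_hosts[path].add(host)

    findings = {}
    for path, hosts in get_hosts.items():
        posted = post_hosts.get(path, set())
        if len(hosts | posted) >= min_hosts:
            findings[path] = {
                "get_hosts": sorted(hosts),
                "post_hosts": sorted(posted),
            }
    return findings


if __name__ == "__main__":
    for path, info in find_formbook_c2(parse_log(SAMPLE_LOG)).items():
        print(path)
        print("  GET  hosts:", ", ".join(info["get_hosts"]))
        print("  POST hosts:", ", ".join(info["post_hosts"]))
```

When run against a real proxy log, raise min_hosts to whatever keeps legitimate CDN paths out of the results, and treat the POST hosts as the higher-priority pivot, since those are the ones that actually received stolen data.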