2018-01-04 - MALSPAM PUSHING FORMBOOK INFO STEALER

ASSOCIATED FILES:

  • 2018-01-04-Formbook-infection-traffic.pcap   (1,831,112 bytes)
  • 2018-01-04-Formbook-malware-sample.exe   (425,984 bytes)
  • 2018-01-04-malspam-attachment-Proforma-INV-44748.rar   (214,334 bytes)
  • 2018-01-04-malspam-pushing-Formbook-1419-UTC.txt   (317,143 bytes)

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following partial URLs:

EMAIL


Shown above:  Screenshot of the email.

EMAIL INFORMATION:

Shown above:  Attached RAR file is actually an ACE archive.
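A file with a .rar extension that is really an ACE archive is caught by checking the header bytes instead of trusting the name. The following is an added Python example, not code from the original post: it uses the standard RAR markers and the "**ACE**" signature found at offset 7 of an ACE main header, and runs on constructed sample headers rather than the real attachment.

```python
"""Identify archive attachments by content, not by file extension."""
from pathlib import Path

RAR4_MAGIC = b"Rar!\x1a\x07\x00"        # RAR 1.5 - 4.x marker block
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"    # RAR 5.x marker block
ACE_MAGIC = b"**ACE**"                  # ACE main header, bytes 7..13


def sniff_archive(data: bytes) -> str:
    """Return 'rar', 'ace' or 'unknown' from the first bytes of a file."""
    if data.startswith(RAR5_MAGIC) or data.startswith(RAR4_MAGIC):
        return "rar"
    if len(data) >= 14 and data[7:14] == ACE_MAGIC:
        return "ace"
    return "unknown"


def check_attachment(name: str, data: bytes) -> dict:
    """Flag an attachment whose extension disagrees with its real format."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    fmt = sniff_archive(data)
    claimed = {"rar": "rar", "ace": "ace"}.get(ext, "unknown")
    return {"name": name, "format": fmt,
            "mismatch": fmt != "unknown" and fmt != claimed}


def check_file(path: str) -> dict:
    """Convenience wrapper: only the first 64 bytes are needed."""
    p = Path(path)
    return check_attachment(p.name, p.read_bytes()[:64])


# Constructed sample headers (not the attachment from this post):
# ACE: 2-byte CRC, 2-byte header size, header type, 2-byte flags, magic.
SAMPLE_ACE = b"\x00\x00\x31\x00\x00\x00\x00" + ACE_MAGIC + b"\x14" + b"\x00" * 40
SAMPLE_RAR = RAR4_MAGIC + b"\x00" * 40

if __name__ == "__main__":
    for n, d in [("Proforma-INV-44748.rar", SAMPLE_ACE),
                 ("invoice.rar", SAMPLE_RAR)]:
        print(check_attachment(n, d))
```

file(1) and most mail gateways use the same signatures, so a mismatch here is a reasonable trigger for quarantining the message.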
Shown above:  Malware extracted from the ACE archive.

TRAFFIC


Shown above:  Infection traffic in Wireshark.

ASSOCIATED TRAFFIC:

MALWARE

ACE ARCHIVE FROM THE MALSPAM:

FORMBOOK MALWARE EXTRACTED FROM THE ACE ARCHIVE:

WINDOWS REGISTRY ENTRY FOR PERSISTENCE:

IMAGES


Shown above:  Alerts from Sguil on the infection traffic in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.

Shown above:  Registry key and associated files on the infected Windows host.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.