2018-02-16 - MALSPAM PUSHING FORMBOOK INFO STEALER

ASSOCIATED FILES:

  • 2018-02-16-Formbook-infection-traffic.pcap   (1,285,123 bytes)
  • 2018-02-16-extracted-Formbook-malware.exe   (495,616 bytes)
  • 2018-02-16-malspam-attachment.zip   (277,181 bytes)
  • 2018-02-16-malspam-pushing-Formbook-1228-UTC.eml   (384,353 bytes)

WEB TRAFFIC BLOCK LIST

Indicators are not a block list, especially since the associated domains appear to be legitimate websites.  If you feel the need to block web traffic, I suggest the following partial URLs:

EMAIL


Shown above:  Screenshot of the email.


EMAIL INFORMATION:



Shown above:  Extracting the malware from the zip attachment and running it.


TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.


INFECTION TRAFFIC:


MALWARE

EMAIL ATTACHMENT (ZIP ARCHIVE):

EXTRACTED FORMBOOK MALWARE:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.