Malware-Traffic-Analysis.net - 30 days of Formbook: Day 20, Saturday 2023-06-24

30 DAYS OF FORMBOOK: DAY 20, SATURDAY 2023-06-24 - VERSION 3.8 "AK"

NOTICE:

Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

NOTES:

This the is my 20th of 30 infection runs for recent Formbook activity.

ASSOCIATED FILES:

2023-06-24-IOCs-for-Formbook-infection.txt.zip 1.3 kB (1,300 bytes)
2023-06-24-Formbook-infection-traffic.pcap.zip 621 kB (620,813 bytes)
2023-06-24-Formbook-malware-and-artifacts.zip 226 kB (226,226 bytes)

IMAGES

Shown above: Traffic from the infection filtered in Wireshark.

30 DAYS OF FORMBOOK: DAY 20, SATURDAY 2023-06-24 - VERSION 3.8 "AK"

NOTES:

- This appears to be an older Formbook sample, and most of the C2 domains did not resolve.
- I normally find Formbook version 4.1 samples, but this one is version 3.8.
- Version 3.8 apparently uses 2 alpha-numeric characters before the forward slash in its URLs.
- Version 4.1 uses 4 alpha-numeric characters before the forward slash in its URLs.

MALWARE/ARTIFACTS:

- SHA256 hash: 306ec5446efd5df25be8fbe20dfe78990d717e0ca2e12ec1926d1a1a31fa5cd9
- File size: 421,888 bytes
- File name: Pilikai.exe
- Persistent file location: C:\Program Files (x86)\Yadox\gzxltkpgt.exe
- File type: PE32 executable (GUI) Intel 80386, for MS Windows
- File description: Windows EXE for Formbook version 3.8

PERSISTENCE:

- Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: NBCLYLMXCNY
- Value type: REG_SZ
- Value Data: C:\Program Files (x86)\Yadox\gzxltkpgt.exe

ARTIFACT FROM DATA DIRECTORY FOR EXFILTRATION TO FORMBOOK C2 SERVER:

- C:\Users\[username]\AppData\Roaming\4P8M-C7E\4P8log.ini - 0 bytes

- Note: The above directory had other files that were deleted after data exfiltation.

FORMBOOK HTTP GET AND POST REQUESTS:

- GET /ak/?[string of alphanumeric characters with the following mixed in: = _ + and /]
- POST /ak/

DOMAINS THAT DID NOT RESOLVE:

- DNS query for www.285man[.]com - response: No such name
- DNS query for www.49elrtdm8k[.]info - response: No such name
- DNS query for www.bastblossoz[.]info - response: No such name
- DNS query for www.bigmoviesplatinew[.]reise - response: No such name
- DNS query for www.bkfqvwvd[.]com - response: No such name
- DNS query for www.blackricematters[.]info - response: No such name
- DNS query for www.liebestablettensicher[.]com - response: No such name
- DNS query for www.lusao28281[.]com - response: No such name
- DNS query for www.modelsair[.]com - response: No such name
- DNS query for www.natido[.]info - response: No such name
- DNS query for www.shoppulsegamer[.]com - response: No such name
- DNS query for www.shortsharpuseful[.]com - response: No such name
- DNS query for www.tembizu[.]com - response: No such name
- DNS query for www.thecyprusdivecentre[.]com - response: No such name

DOMAIN USED FOR FORMBOOK GET REQUESTS:

- www.guamgold[.]com

DOMAIN USED FOR FORMBOOK GET AND POST REQUESTS:

- www.hao-yue[.]com

Click here to return to the main page.