30 DAYS OF FORMBOOK: DAY 20, SATURDAY 2023-06-24 - VERSION 3.8 "AK"
NOTICE:
- Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
NOTES:
- This is my 20th of 30 infection runs for recent Formbook activity.
ASSOCIATED FILES:
- 2023-06-24-IOCs-for-Formbook-infection.txt.zip 1.3 kB (1,300 bytes)
- 2023-06-24-Formbook-infection-traffic.pcap.zip 621 kB (620,813 bytes)
- 2023-06-24-Formbook-malware-and-artifacts.zip 226 kB (226,226 bytes)
IMAGES:
- [Image: Traffic from the infection filtered in Wireshark.]
NOTES:
- This appears to be an older Formbook sample, and most of the C2 domains did not resolve.
- I normally find Formbook version 4.1 samples, but this one is version 3.8.
- Version 3.8 apparently uses 2 alphanumeric characters before the forward slash in its URLs.
- Version 4.1 uses 4 alphanumeric characters before the forward slash in its URLs.
MALWARE/ARTIFACTS:
- SHA256 hash: 306ec5446efd5df25be8fbe20dfe78990d717e0ca2e12ec1926d1a1a31fa5cd9
- File size: 421,888 bytes
- File name: Pilikai.exe
- Persistent file location: C:\Program Files (x86)\Yadox\gzxltkpgt.exe
- File type: PE32 executable (GUI) Intel 80386, for MS Windows
- File description: Windows EXE for Formbook version 3.8
PERSISTENCE:
- Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: NBCLYLMXCNY
- Value type: REG_SZ
- Value data: C:\Program Files (x86)\Yadox\gzxltkpgt.exe
ARTIFACT FROM DATA DIRECTORY FOR EXFILTRATION TO FORMBOOK C2 SERVER:
- C:\Users\[username]\AppData\Roaming\4P8M-C7E\4P8log.ini - 0 bytes
- Note: The above directory had other files that were deleted after data exfiltration.
FORMBOOK HTTP GET AND POST REQUESTS:
- GET /ak/?[string of alphanumeric characters with the following mixed in: = _ + and /]
- POST /ak/
DOMAINS THAT DID NOT RESOLVE:
- DNS query for www.285man[.]com - response: No such name
- DNS query for www.49elrtdm8k[.]info - response: No such name
- DNS query for www.bastblossoz[.]info - response: No such name
- DNS query for www.bigmoviesplatinew[.]reise - response: No such name
- DNS query for www.bkfqvwvd[.]com - response: No such name
- DNS query for www.blackricematters[.]info - response: No such name
- DNS query for www.liebestablettensicher[.]com - response: No such name
- DNS query for www.lusao28281[.]com - response: No such name
- DNS query for www.modelsair[.]com - response: No such name
- DNS query for www.natido[.]info - response: No such name
- DNS query for www.shoppulsegamer[.]com - response: No such name
- DNS query for www.shortsharpuseful[.]com - response: No such name
- DNS query for www.tembizu[.]com - response: No such name
- DNS query for www.thecyprusdivecentre[.]com - response: No such name
DOMAIN USED FOR FORMBOOK GET REQUESTS:
- www.guamgold[.]com
DOMAIN USED FOR FORMBOOK GET AND POST REQUESTS:
- www.hao-yue[.]com
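The two observations above that a defender can turn into detection logic are the URI shape (a 2-character directory for version 3.8, a 4-character one for version 4.1, followed by a query string of alphanumerics mixed with = _ + and /) and the burst of NXDOMAIN answers as the sample walks its C2 domain list. The script below is an added example written for this page; it is not code from the page or from malware-traffic-analysis.net. The HTTP records, the DNS log format, the client IP addresses, the query-string contents and the NXDOMAIN threshold are all constructed for the example; only the domain names and the /ak/ path come from the page.

```python
import re
from collections import Counter

# Heuristic taken from the page's notes: Formbook 3.8 uses a 2-character
# alphanumeric directory ("/ak/") and 4.1 a 4-character one. GET requests carry a
# query string of alphanumerics mixed with "=", "_", "+" and "/"; POSTs go to the
# bare directory. Paths of exactly 3 characters are deliberately not matched.
FORMBOOK_GET = re.compile(
    r"^/(?P<tag>[A-Za-z0-9]{2}|[A-Za-z0-9]{4})/\?(?P<q>[A-Za-z0-9=_+/]+)$"
)
FORMBOOK_POST = re.compile(r"^/(?P<tag>[A-Za-z0-9]{2}|[A-Za-z0-9]{4})/$")


def classify_uri(method, path):
    """Return (guessed_version, directory_tag) when a request matches the
    URI shape described on the page, otherwise None."""
    if method == "GET":
        m = FORMBOOK_GET.match(path)
    elif method == "POST":
        m = FORMBOOK_POST.match(path)
    else:
        return None
    if not m:
        return None
    tag = m.group("tag")
    return ("3.8" if len(tag) == 2 else "4.1"), tag


# Constructed HTTP records (method, path). The /ak/ directory is from the
# page; the query strings and the 4-character "/ab12/" path are invented.
HTTP_LOG = [
    ("GET", "/ak/?Ab=c_d+e/fG"),
    ("POST", "/ak/"),
    ("GET", "/ab12/?xyz=123_4+5"),
    ("GET", "/index.html"),
    ("GET", "/abc/?x=1"),
]


def scan_http(records):
    """List every record whose path matches the Formbook URI heuristic."""
    hits = []
    for method, path in records:
        result = classify_uri(method, path)
        if result:
            version, tag = result
            hits.append((method, path, version, tag))
    return hits


# Constructed DNS log: "time client qname rcode". The client addresses and the
# non-page names (www.example.com, www.typo-once[.]net) are invented; the
# others are the page's domains, kept defanged.
DNS_LOG = """\
12:00:01 10.6.24.101 www.285man[.]com NXDOMAIN
12:00:01 10.6.24.101 www.49elrtdm8k[.]info NXDOMAIN
12:00:02 10.6.24.101 www.bastblossoz[.]info NXDOMAIN
12:00:02 10.6.24.101 www.bigmoviesplatinew[.]reise NXDOMAIN
12:00:03 10.6.24.101 www.bkfqvwvd[.]com NXDOMAIN
12:00:03 10.6.24.101 www.guamgold[.]com NOERROR
12:00:04 10.6.24.101 www.blackricematters[.]info NXDOMAIN
12:00:05 10.6.24.102 www.example.com NOERROR
12:00:06 10.6.24.102 www.typo-once[.]net NXDOMAIN
"""


def nxdomain_clients(log_text, threshold=5):
    """Count NXDOMAIN answers for www.* names per client and return the
    clients at or above the threshold (threshold value chosen for the example)."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, rcode = parts
        if rcode == "NXDOMAIN" and qname.startswith("www."):
            counts[client] += 1
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in scan_http(HTTP_LOG):
        print("URI match:", hit)
    print("NXDOMAIN burst clients:", nxdomain_clients(DNS_LOG))
```

The URI shape alone is weak evidence: a legitimate path such as /en/?q=1 has the same form, so in practice a match is best treated as one signal to correlate with the others on this page (the Run-key persistence entry, the 0-byte .ini in AppData\Roaming, or the NXDOMAIN burst from the same host) rather than an alert on its own.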