- #IOC #OptiData #VR #FormBook #11882
- https://pastebin.com/D6VPDyyz
- FAQ:
- https://www.bleepingcomputer.com/news/security/formbook-infostealer-sold-on-hacking-forums-is-becoming-quite-a-threat/
- https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/
- https://blog.talosintelligence.com/2018/06/my-little-formbook.html
- attack_vector
- --------------
- email attach xlsx > 11882 > EQNEDT32.EXE GET > ProgramData\Ms_Office.exe
- email_headers
- --------------
- Received: from cider.nocdirect.com (cider.nocdirect.com [69.73.188.30])
- by srv8.victim.com (8.15.2/8.15.2) with ESMTP id wAE3acT0019711
- for <user0@org2.victim.com>; Wed, 14 Nov 2018 05:36:48 +0200 (EET)
- (envelope-from mcottage@mchkenya.org)
- Date: Tue, 13 Nov 2018 22:16:06 -0500
- From: Asti Swastiani <mcottage@mchkenya.org>
- To: marketing@mignon-international.com
- Subject: Ref. No.: PO OM/UL/QP214.R8/PO 18-049
- X-Sender: mcottage@mchkenya.org
- User-Agent: Roundcube Webmail/1.3.3
- files
- --------------
- SHA-256 4dfbc00e5551883e57f25f3b6f961c1f9ca97ece99a53adc4360cbee818a092c
- File name 0.xlsx
- File size 9.43 KB
- SHA-256 928e6a9e6fe5791f96fe551cc9925d36e078694780004b434f3d3bd6a48e03c7
- File name great2_outputBD4467F.exe (Judson6)
- File size 748 KB
- activity
- **************
- PL_GET:
- h11p:\ andreasmannegren{.} com/wp-content/plugins/revslider/views/great2_outputBD4467F.exe - 404
- C2:
- h11p:\ www{.} eei{.} events/g2/?PRuLzd=yfvXzIQIQbHAZ196o7SMbkoSZwVS8akoH7hB6KMBploTYiXkzzTkGQTjo55Z5ogwTFumUA==&qT-=VdAPlzXXXdnxjjM
- h11p:\ www{.} lyricmes{.} com/g2/?PRuLzd=5+TjCJMXgnBe6eyGBQcBN/C4nN6rhQBNFVIhTZQ5ep/qdq0BmWYnk1oT2RUPA4VuDtpxhw==&qT-=VdAPlzXXXdnxjjM&sql=1
- netwrk
- --------------
- 216.70.123.107 andreasmannegren{.} com GET /wp-content/plugins/revslider/views/great2_outputBD4467F.exe
- 199.192.25.199 lyricmes{.} com GET /g2/?PRuLzd=5+TjCJMXgnBe6eyGBQcBN/C4nN6rhQBNFVIhTZQ5ep/... HTTP/1.1 Continuation
- 50.63.202.60 eei{.} events GET /g2/?PRuLzd=yfvXzIQIQbHAZ196o7SMbkoSZwVS8akoH7hB6KMBpl... HTTP/1.1 Continuation
- POST /g2/ HTTP/1.1 (application/x-www-form-urlencoded) Mozilla/4.0
- comp
- --------------
- EQNEDT32.EXE 2040 TCP 216.70.123.107 80 SYN_SENT
- [System] 0 TCP 216.70.123.107 80 TIME_WAIT
- proc
- --------------
- "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
- C:\Windows\system32\svchost.exe -k DcomLaunch
- "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- C:\ProgramData\Ms_Office.exe
- persist
- --------------
- n/a
- drop
- --------------
- C:\ProgramData\Ms_Office.exe
- # # #
- xls https://www.virustotal.com/#/file/4dfbc00e5551883e57f25f3b6f961c1f9ca97ece99a53adc4360cbee818a092c/details
- exe https://www.virustotal.com/#/file/928e6a9e6fe5791f96fe551cc9925d36e078694780004b434f3d3bd6a48e03c7/details
- https://analyze.intezer.com/#/analyses/388fe1af-ac71-41e8-9858-62fed8a0ea0a
- https://analyze.intezer.com/#/analyses/4821a443-ebc5-429f-9272-bcf019317049
- url https://urlhaus.abuse.ch/url/79518/
- https://urlscan.io/sha256/928e6a9e6fe5791f96fe551cc9925d36e078694780004b434f3d3bd6a48e03c7