VRad

#formbook_141118

Nov 15th, 2018
#IOC #OptiData #VR #FormBook #11882

https://pastebin.com/D6VPDyyz

FAQ:
https://www.bleepingcomputer.com/news/security/formbook-infostealer-sold-on-hacking-forums-is-becoming-quite-a-threat/
https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/
https://blog.talosintelligence.com/2018/06/my-little-formbook.html

attack_vector
--------------
email attachment (.xlsx) > CVE-2017-11882 (Equation Editor) > EQNEDT32.EXE HTTP GET > C:\ProgramData\Ms_Office.exe

email_headers
--------------
Received: from cider.nocdirect.com (cider.nocdirect.com [69.73.188.30])
by srv8.victim.com (8.15.2/8.15.2) with ESMTP id wAE3acT0019711
for <user0@org2.victim.com>; Wed, 14 Nov 2018 05:36:48 +0200 (EET)
(envelope-from mcottage@mchkenya.org)
Date: Tue, 13 Nov 2018 22:16:06 -0500
From: Asti Swastiani <mcottage@mchkenya.org>
To: marketing@mignon-international.com
Subject: Ref. No.: PO OM/UL/QP214.R8/PO 18-049
X-Sender: mcottage@mchkenya.org
User-Agent: Roundcube Webmail/1.3.3
(note: the To: header does not match the actual recipient in the Received: line, i.e. the message was bulk-sent with the real recipients only in the envelope)

files
--------------
SHA-256 4dfbc00e5551883e57f25f3b6f961c1f9ca97ece99a53adc4360cbee818a092c
File name 0.xlsx
File size 9.43 KB

SHA-256 928e6a9e6fe5791f96fe551cc9925d36e078694780004b434f3d3bd6a48e03c7
File name great2_outputBD4467F.exe (Judson6)
File size 748 KB

activity
**************

PL_GET:
h11p:\ andreasmannegren{.} com/wp-content/plugins/revslider/views/great2_outputBD4467F.exe - 404 at time of analysis

C2:
h11p:\ www{.} eei{.} events/g2/?PRuLzd=yfvXzIQIQbHAZ196o7SMbkoSZwVS8akoH7hB6KMBploTYiXkzzTkGQTjo55Z5ogwTFumUA==&qT-=VdAPlzXXXdnxjjM
h11p:\ www{.} lyricmes{.} com/g2/?PRuLzd=5+TjCJMXgnBe6eyGBQcBN/C4nN6rhQBNFVIhTZQ5ep/qdq0BmWYnk1oT2RUPA4VuDtpxhw==&qT-=VdAPlzXXXdnxjjM&sql=1

netwrk
--------------
216.70.123.107 andreasmannegren{.} com GET /wp-content/plugins/revslider/views/great2_outputBD4467F.exe

199.192.25.199 lyricmes{.} com GET /g2/?PRuLzd=5+TjCJMXgnBe6eyGBQcBN/C4nN6rhQBNFVIhTZQ5ep/... HTTP/1.1 Continuation
50.63.202.60 eei{.} events GET /g2/?PRuLzd=yfvXzIQIQbHAZ196o7SMbkoSZwVS8akoH7hB6KMBpl... HTTP/1.1 Continuation

teamplus{.} cloud GET /g2/?cf=xrbHp0&xTF4=3ajSB4EqpyHKoMIyi/xby82oCcO+iX2HJLg... HTTP/1.1 Continuation
tntrestuarantmarketing{.} com GET /g2/?xTF4=kwEpnkah6032lapaO+q/7mm7EQl4Xspy5J9vk... HTTP/1.1 Continuation
selfhelpelderly{.} com GET /g2/?cf=xrbHp0&xTF4=aFdZcRNvtmRNuv2JE/8t1hNilKNznpftqW8... HTTP/1.1 Continuation
nonxy{.} com GET /g2/?xTF4=QPRf3hc6291z8MikLetgS6hOMKycrV/8Ds8iQ3JQ6GGFw... HTTP/1.1 Continuation
nfrastructures{.} cloud GET /g2/?cf=xrbHp0&xTF4=9ndMY6trpb87FJO/SblaSOCN+QQXjxqTpP/... HTTP/1.1 Continuation
hiketodestination{.} com GET /g2/?xTF4=NFcGGNZRqOzVA0ZLnMyAKm/tMI4UhN1NS1rpoXK9NjB21... HTTP/1.1 Continuation
sxww{.} info GET /g2/?cf=xrbHp0&xTF4=vfjYIF6MPowoFLyg8tYXGUduEyrv03S+VFk... HTTP/1.1 Continuation
alanherbig{.} com GET /g2/?xTF4=jA9515VKFfcDPWuea/VJNvBiYe31D8IE+FwctdIoPYJLH... HTTP/1.1 Continuation
portkennedypsychology{.} net GET /g2/?cf=xrbHp0&xTF4=4QvUFRaTSjAYqS71y3160CgpqQ5... HTTP/1.1 Continuation

POST /g2/ HTTP/1.1 (application/x-www-form-urlencoded) Mozilla/4.0
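
The GET lines above all share the path /g2/ while the hosts are unrelated domains: FormBook polls a built-in list of decoy domains alongside its real C2, so clustering requests by path is a quick way to pull the whole beacon set out of proxy logs. The Python below is an added example and not part of the original paste; the sample lines are constructed from the listing above (de-fanging removed, truncated query strings left truncated, plus one benign line), and the short-path pattern and the three-host threshold are assumptions of the example, not anything the paste states.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: request lines from the "netwrk" listing above, with the
# de-fanged dots restored and one benign line added as a control. Query strings
# that are truncated in the listing stay truncated; the grouping only looks at
# the path and the parameter names, not the values.
SAMPLE_REQUESTS = """\
216.70.123.107 andreasmannegren.com GET /wp-content/plugins/revslider/views/great2_outputBD4467F.exe
199.192.25.199 lyricmes.com GET /g2/?PRuLzd=5+TjCJMXgnBe6eyGBQcBN/C4nN6rhQBNFVIhTZQ5ep/qdq0BmWYnk1oT2RUPA4VuDtpxhw==&qT-=VdAPlzXXXdnxjjM&sql=1
50.63.202.60 eei.events GET /g2/?PRuLzd=yfvXzIQIQbHAZ196o7SMbkoSZwVS8akoH7hB6KMBploTYiXkzzTkGQTjo55Z5ogwTFumUA==&qT-=VdAPlzXXXdnxjjM
- teamplus.cloud GET /g2/?cf=xrbHp0&xTF4=3ajSB4EqpyHKoMIyi/xby82oCcO+iX2HJLg
- tntrestuarantmarketing.com GET /g2/?xTF4=kwEpnkah6032lapaO+q/7mm7EQl4Xspy5J9vk
- selfhelpelderly.com GET /g2/?cf=xrbHp0&xTF4=aFdZcRNvtmRNuv2JE/8t1hNilKNznpftqW8
- nonxy.com GET /g2/?xTF4=QPRf3hc6291z8MikLetgS6hOMKycrV/8Ds8iQ3JQ6GGFw
- example-cdn.test GET /static/app.js?v=3
"""

# "<ip or -> <host> <METHOD> <url>", the shape of the lines in the listing above
LINE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<host>\S+)\s+(?P<method>GET|POST)\s+(?P<url>\S+)")

# Assumed beacon-path shape: one short alphanumeric directory such as /g2/
SHORT_PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,6}/$")


def parse_requests(text):
    """Yield (host, method, path, query_keys) for every parsable request line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        keys = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
        yield m.group("host"), m.group("method"), parts.path, keys


def beacon_clusters(text, min_hosts=3):
    """Group hosts by request path; keep short paths that at least `min_hosts`
    distinct hosts were polled with using a query string.

    Returns {path: {"hosts": [...], "keys": [...], "sql_marker": bool}} where
    sql_marker records whether any request on that path carried an "sql"
    parameter, the &sql=1 seen on the live C2 exchange in the listing above.
    """
    by_path = defaultdict(lambda: {"hosts": set(), "keys": set(), "sql_marker": False})
    for host, _method, path, keys in parse_requests(text):
        if not keys or not SHORT_PATH_RE.match(path):
            continue  # plain downloads and ordinary site paths are ignored
        entry = by_path[path]
        entry["hosts"].add(host)
        entry["keys"].update(keys)
        if "sql" in keys:
            entry["sql_marker"] = True
    return {
        path: {"hosts": sorted(e["hosts"]), "keys": sorted(e["keys"]), "sql_marker": e["sql_marker"]}
        for path, e in by_path.items()
        if len(e["hosts"]) >= min_hosts
    }


if __name__ == "__main__":
    for path, info in beacon_clusters(SAMPLE_REQUESTS).items():
        print(f"{path}: {len(info['hosts'])} hosts, params={info['keys']}, sql=1 seen={info['sql_marker']}")
        for h in info["hosts"]:
            print("   ", h)
```

Run against the sample, the /g2/ cluster comes back with all six polled hosts and the parameter names seen on that path, including the sql marker from the lyricmes{.} com request; the download host andreasmannegren{.} com is left out because its request has no query string and a normal path. In real proxy data the host that also receives the follow-up POST /g2/ is the live C2; the decoy domains are legitimate sites that just return their ordinary content.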

comp
--------------
EQNEDT32.EXE 2040 TCP 216.70.123.107 80 SYN_SENT
[System] 0 TCP 216.70.123.107 80 TIME_WAIT

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
C:\Windows\system32\svchost.exe -k DcomLaunch
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\ProgramData\Ms_Office.exe

persist
--------------
n/a

drop
--------------
C:\ProgramData\Ms_Office.exe
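
The comp/proc/drop sections give the host-side shape of the chain: Excel, svchost -k DcomLaunch activating EQNEDT32.EXE with -Embedding, Equation Editor opening TCP 216.70.123.107:80, and an executable appearing in C:\ProgramData. The Python below is an added example, not part of the original paste, showing how that telemetry can be checked; the process and network records are constructed Sysmon-like sample data, and the parent of Ms_Office.exe is assumed to be EQNEDT32.EXE (the paste does not record the parent).

```python
import ntpath

EQNEDT = "eqnedt32.exe"
EQNEDT_PATH = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

# Constructed sample telemetry shaped after the "comp", "proc" and "drop"
# sections above (Sysmon-like fields). ASSUMPTION: Ms_Office.exe is given
# EQNEDT32.EXE as parent; the paste lists the processes but not the parent.
PROCESS_EVENTS = [
    {"pid": 1204, "ppid": 900,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e'},
    {"pid": 612, "ppid": 480,
     "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k DcomLaunch"},
    {"pid": 2040, "ppid": 612,
     "image": EQNEDT_PATH,
     "cmdline": f'"{EQNEDT_PATH}" -Embedding'},
    {"pid": 2108, "ppid": 2040,
     "image": r"C:\ProgramData\Ms_Office.exe",
     "cmdline": r"C:\ProgramData\Ms_Office.exe"},
]
NETWORK_EVENTS = [
    {"pid": 2040, "image": EQNEDT_PATH, "dst_ip": "216.70.123.107", "dst_port": 80},
    # benign control: a browser talking to a documentation-range address
    {"pid": 3300, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]


def basename(image):
    """Case-folded file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(image).lower()


def hunt(process_events, network_events):
    """Return sorted (rule, pid, detail) findings.

    EQNEDT32.EXE started by svchost -k DcomLaunch with -Embedding is how any
    OLE server is activated, so that alone is not flagged. Flagged instead:
      eqnedt32_network  - Equation Editor opening an outbound connection
      eqnedt32_child    - Equation Editor spawning any process
      programdata_exe   - an executable run directly from C:\ProgramData
    """
    findings = []
    by_pid = {e["pid"]: e for e in process_events}

    for n in network_events:
        if basename(n["image"]) == EQNEDT:
            findings.append(("eqnedt32_network", n["pid"], f"{n['dst_ip']}:{n['dst_port']}"))

    for p in process_events:
        parent = by_pid.get(p["ppid"])
        if parent and basename(parent["image"]) == EQNEDT:
            findings.append(("eqnedt32_child", p["pid"], p["image"]))
        head, tail = ntpath.split(p["image"])
        if head.lower().rstrip("\\") == r"c:\programdata" and tail.lower().endswith(".exe"):
            findings.append(("programdata_exe", p["pid"], p["image"]))

    return sorted(findings)


if __name__ == "__main__":
    for rule, pid, detail in hunt(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"{rule:18} pid={pid:<6} {detail}")
```

The -Embedding launch from the DcomLaunch svchost is how any OLE server starts when an embedded object is activated, so on its own it is noise; Equation Editor opening a socket or spawning anything is what does not happen legitimately. The C:\ProgramData rule is broader and will fire on some legitimate installers, so treat it as a supporting signal rather than a standalone alert.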

# # #
xls https://www.virustotal.com/#/file/4dfbc00e5551883e57f25f3b6f961c1f9ca97ece99a53adc4360cbee818a092c/details

exe https://www.virustotal.com/#/file/928e6a9e6fe5791f96fe551cc9925d36e078694780004b434f3d3bd6a48e03c7/details
https://analyze.intezer.com/#/analyses/388fe1af-ac71-41e8-9858-62fed8a0ea0a
https://analyze.intezer.com/#/analyses/4821a443-ebc5-429f-9272-bcf019317049

url https://urlhaus.abuse.ch/url/79518/
https://urlscan.io/sha256/928e6a9e6fe5791f96fe551cc9925d36e078694780004b434f3d3bd6a48e03c7