#formbook_141118

VRad Nov 15th, 2018 (edited)
#IOC #OptiData #VR #FormBook #11882

https://pastebin.com/D6VPDyyz

FAQ:
https://www.bleepingcomputer.com/news/security/formbook-infostealer-sold-on-hacking-forums-is-becoming-quite-a-threat/
https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/
https://blog.talosintelligence.com/2018/06/my-little-formbook.html

attack_vector
--------------
email attach xlsx > 11882 > EQNEDT32.EXE GET > ProgramData\Ms_Office.exe

email_headers
--------------
Received: from cider.nocdirect.com (cider.nocdirect.com [69.73.188.30])
by srv8.victim.com (8.15.2/8.15.2) with ESMTP id wAE3acT0019711
for <user0@org2.victim.com>; Wed, 14 Nov 2018 05:36:48 +0200 (EET)
(envelope-from mcottage@mchkenya.org)
Date: Tue, 13 Nov 2018 22:16:06 -0500
From: Asti Swastiani <mcottage@mchkenya.org>
To: marketing@mignon-international.com
Subject: Ref. No.:  PO OM/UL/QP214.R8/PO 18-049
X-Sender: mcottage@mchkenya.org
User-Agent: Roundcube Webmail/1.3.3

files
--------------
SHA-256 4dfbc00e5551883e57f25f3b6f961c1f9ca97ece99a53adc4360cbee818a092c
File name   0.xlsx
File size   9.43 KB

SHA-256 928e6a9e6fe5791f96fe551cc9925d36e078694780004b434f3d3bd6a48e03c7
File name   great2_outputBD4467F.exe (Judson6)
File size   748 KB

activity
--------------

PL_GET:
h11p:\ andreasmannegren{.} com/wp-content/plugins/revslider/views/great2_outputBD4467F.exe  - 404

C2:
h11p:\ www{.} eei{.} events/g2/?PRuLzd=yfvXzIQIQbHAZ196o7SMbkoSZwVS8akoH7hB6KMBploTYiXkzzTkGQTjo55Z5ogwTFumUA==&qT-=VdAPlzXXXdnxjjM
h11p:\ www{.} lyricmes{.} com/g2/?PRuLzd=5+TjCJMXgnBe6eyGBQcBN/C4nN6rhQBNFVIhTZQ5ep/qdq0BmWYnk1oT2RUPA4VuDtpxhw==&qT-=VdAPlzXXXdnxjjM&sql=1

netwrk
--------------
216.70.123.107      andreasmannegren{.} com GET /wp-content/plugins/revslider/views/great2_outputBD4467F.exe

199.192.25.199      lyricmes{.} com         GET /g2/?PRuLzd=5+TjCJMXgnBe6eyGBQcBN/C4nN6rhQBNFVIhTZQ5ep/...  HTTP/1.1 Continuation
50.63.202.60        eei{.} events           GET /g2/?PRuLzd=yfvXzIQIQbHAZ196o7SMbkoSZwVS8akoH7hB6KMBpl...   HTTP/1.1 Continuation

                    teamplus{.} cloud       GET /g2/?cf=xrbHp0&xTF4=3ajSB4EqpyHKoMIyi/xby82oCcO+iX2HJLg...  HTTP/1.1 Continuation
                    tntrestuarantmarketing{.} com   GET /g2/?xTF4=kwEpnkah6032lapaO+q/7mm7EQl4Xspy5J9vk...      HTTP/1.1 Continuation
                    selfhelpelderly{.} com      GET /g2/?cf=xrbHp0&xTF4=aFdZcRNvtmRNuv2JE/8t1hNilKNznpftqW8...  HTTP/1.1 Continuation
                    nonxy{.} com            GET /g2/?xTF4=QPRf3hc6291z8MikLetgS6hOMKycrV/8Ds8iQ3JQ6GGFw...  HTTP/1.1 Continuation
                    nfrastructures{.} cloud     GET /g2/?cf=xrbHp0&xTF4=9ndMY6trpb87FJO/SblaSOCN+QQXjxqTpP/...  HTTP/1.1 Continuation
                    hiketodestination{.} com    GET /g2/?xTF4=NFcGGNZRqOzVA0ZLnMyAKm/tMI4UhN1NS1rpoXK9NjB21...  HTTP/1.1 Continuation
                    sxww{.} info            GET /g2/?cf=xrbHp0&xTF4=vfjYIF6MPowoFLyg8tYXGUduEyrv03S+VFk...  HTTP/1.1 Continuation
                    alanherbig{.} com       GET /g2/?xTF4=jA9515VKFfcDPWuea/VJNvBiYe31D8IE+FwctdIoPYJLH...  HTTP/1.1 Continuation
                    portkennedypsychology{.} net    GET /g2/?cf=xrbHp0&xTF4=4QvUFRaTSjAYqS71y3160CgpqQ5...      HTTP/1.1 Continuation

POST /g2/ HTTP/1.1  (application/x-www-form-urlencoded) Mozilla/4.0

comp
--------------
EQNEDT32.EXE    2040    TCP 216.70.123.107  80  SYN_SENT
[System]    0   TCP 216.70.123.107  80  TIME_WAIT

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
C:\Windows\system32\svchost.exe -k DcomLaunch
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\ProgramData\Ms_Office.exe

persist
--------------
n/a

drop
--------------
C:\ProgramData\Ms_Office.exe
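A defender-side detection sketch for the chain recorded in the comp/proc/drop sections (xlsx > CVE-2017-11882 > EQNEDT32.EXE fetching and launching the payload from ProgramData). This is added example code, not part of the paste or of any referenced tool; the events it runs over are constructed to mirror the page's process tree and the 216.70.123.107:80 connection, and the `Event` class, `detect` function and rule names are my own.

```python
from dataclasses import dataclass

EQNEDT = "eqnedt32.exe"  # Equation Editor, the CVE-2017-11882 target
EQN_PATH = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

@dataclass
class Event:
    kind: str             # "process" (creation) or "network" (outbound connect)
    pid: int
    image: str            # full image path of the acting process
    parent_image: str = ""
    cmdline: str = ""
    dst: str = ""         # "ip:port" for network events

def basename(path: str) -> str:
    """Lower-cased file name from a Windows path, tolerant of quotes."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (pid, rule) tuples for the Equation Editor abuse chain."""
    alerts, eqn_pids = [], set()
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        if e.kind == "process":
            # EQNEDT32.EXE is started by DCOM (svchost -k DcomLaunch), so its parent is
            # not the Office process; key on the image and the -Embedding switch instead.
            if img == EQNEDT and "-embedding" in e.cmdline.lower():
                eqn_pids.add(e.pid)
                alerts.append((e.pid, "eqnedt32_oleserver_start"))
            # Equation Editor has no legitimate reason to spawn another executable.
            if parent == EQNEDT and img != EQNEDT:
                alerts.append((e.pid, "eqnedt32_child_process"))
            # Executable running out of C:\ProgramData, the drop path on this page.
            if "\\programdata\\" in e.image.replace("/", "\\").lower():
                alerts.append((e.pid, "exe_from_programdata"))
        elif e.kind == "network" and (img == EQNEDT or e.pid in eqn_pids):
            # Equation Editor should never open a socket; here it fetched the payload.
            alerts.append((e.pid, f"eqnedt32_outbound:{e.dst}"))
    return alerts

# Constructed telemetry mirroring the proc/comp/drop sections (not real logs).
SAMPLE = [
    Event("process", 1500, r"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE",
          r"C:\Windows\explorer.exe", "EXCEL.EXE /e"),
    Event("process", 2040, EQN_PATH, r"C:\Windows\system32\svchost.exe", "EQNEDT32.EXE -Embedding"),
    Event("network", 2040, EQN_PATH, dst="216.70.123.107:80"),
    Event("process", 2100, r"C:\ProgramData\Ms_Office.exe", EQN_PATH, "Ms_Office.exe"),
]
```

The `-Embedding` start on its own also fires for a legitimate equation object, so treat that rule as context and alert on the network or child-process rules.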

# # #
xls https://www.virustotal.com/#/file/4dfbc00e5551883e57f25f3b6f961c1f9ca97ece99a53adc4360cbee818a092c/details

exe https://www.virustotal.com/#/file/928e6a9e6fe5791f96fe551cc9925d36e078694780004b434f3d3bd6a48e03c7/details
    https://analyze.intezer.com/#/analyses/388fe1af-ac71-41e8-9858-62fed8a0ea0a
    https://analyze.intezer.com/#/analyses/4821a443-ebc5-429f-9272-bcf019317049

url https://urlhaus.abuse.ch/url/79518/
    https://urlscan.io/sha256/928e6a9e6fe5791f96fe551cc9925d36e078694780004b434f3d3bd6a48e03c7