VRad

#formbook_141118

Nov 15th, 2018
#IOC #OptiData #VR #FormBook #11882

https://pastebin.com/D6VPDyyz

FAQ:
https://www.bleepingcomputer.com/news/security/formbook-infostealer-sold-on-hacking-forums-is-becoming-quite-a-threat/
https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/
https://blog.talosintelligence.com/2018/06/my-little-formbook.html

attack_vector
--------------
email attach xlsx > 11882 > EQNEDT32.EXE GET > ProgramData\Ms_Office.exe

email_headers
--------------
Received: from cider.nocdirect.com (cider.nocdirect.com [69.73.188.30])
by srv8.victim.com (8.15.2/8.15.2) with ESMTP id wAE3acT0019711
for <[email protected]>; Wed, 14 Nov 2018 05:36:48 +0200 (EET)
(envelope-from [email protected])
Date: Tue, 13 Nov 2018 22:16:06 -0500
From: Asti Swastiani <[email protected]>
Subject: Ref. No.: PO OM/UL/QP214.R8/PO 18-049
User-Agent: Roundcube Webmail/1.3.3

files
--------------
SHA-256 4dfbc00e5551883e57f25f3b6f961c1f9ca97ece99a53adc4360cbee818a092c
File name 0.xlsx
File size 9.43 KB

SHA-256 928e6a9e6fe5791f96fe551cc9925d36e078694780004b434f3d3bd6a48e03c7
File name great2_outputBD4467F.exe (Judson6)
File size 748 KB

activity
--------------

PL_GET:
h11p:\ andreasmannegren{.} com/wp-content/plugins/revslider/views/great2_outputBD4467F.exe - 404

C2:
h11p:\ www{.} eei{.} events/g2/?PRuLzd=yfvXzIQIQbHAZ196o7SMbkoSZwVS8akoH7hB6KMBploTYiXkzzTkGQTjo55Z5ogwTFumUA==&qT-=VdAPlzXXXdnxjjM
h11p:\ www{.} lyricmes{.} com/g2/?PRuLzd=5+TjCJMXgnBe6eyGBQcBN/C4nN6rhQBNFVIhTZQ5ep/qdq0BmWYnk1oT2RUPA4VuDtpxhw==&qT-=VdAPlzXXXdnxjjM&sql=1

netwrk
--------------
216.70.123.107 andreasmannegren{.} com GET /wp-content/plugins/revslider/views/great2_outputBD4467F.exe

199.192.25.199 lyricmes{.} com GET /g2/?PRuLzd=5+TjCJMXgnBe6eyGBQcBN/C4nN6rhQBNFVIhTZQ5ep/... HTTP/1.1 Continuation
50.63.202.60 eei{.} events GET /g2/?PRuLzd=yfvXzIQIQbHAZ196o7SMbkoSZwVS8akoH7hB6KMBpl... HTTP/1.1 Continuation

teamplus{.} cloud GET /g2/?cf=xrbHp0&xTF4=3ajSB4EqpyHKoMIyi/xby82oCcO+iX2HJLg... HTTP/1.1 Continuation
tntrestuarantmarketing{.} com GET /g2/?xTF4=kwEpnkah6032lapaO+q/7mm7EQl4Xspy5J9vk... HTTP/1.1 Continuation
selfhelpelderly{.} com GET /g2/?cf=xrbHp0&xTF4=aFdZcRNvtmRNuv2JE/8t1hNilKNznpftqW8... HTTP/1.1 Continuation
nonxy{.} com GET /g2/?xTF4=QPRf3hc6291z8MikLetgS6hOMKycrV/8Ds8iQ3JQ6GGFw... HTTP/1.1 Continuation
nfrastructures{.} cloud GET /g2/?cf=xrbHp0&xTF4=9ndMY6trpb87FJO/SblaSOCN+QQXjxqTpP/... HTTP/1.1 Continuation
hiketodestination{.} com GET /g2/?xTF4=NFcGGNZRqOzVA0ZLnMyAKm/tMI4UhN1NS1rpoXK9NjB21... HTTP/1.1 Continuation
sxww{.} info GET /g2/?cf=xrbHp0&xTF4=vfjYIF6MPowoFLyg8tYXGUduEyrv03S+VFk... HTTP/1.1 Continuation
alanherbig{.} com GET /g2/?xTF4=jA9515VKFfcDPWuea/VJNvBiYe31D8IE+FwctdIoPYJLH... HTTP/1.1 Continuation
portkennedypsychology{.} net GET /g2/?cf=xrbHp0&xTF4=4QvUFRaTSjAYqS71y3160CgpqQ5... HTTP/1.1 Continuation

POST /g2/ HTTP/1.1 (application/x-www-form-urlencoded) Mozilla/4.0

comp
--------------
EQNEDT32.EXE 2040 TCP 216.70.123.107 80 SYN_SENT
[System] 0 TCP 216.70.123.107 80 TIME_WAIT

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
C:\Windows\system32\svchost.exe -k DcomLaunch
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\ProgramData\Ms_Office.exe

persist
--------------
n/a

drop
--------------
C:\ProgramData\Ms_Office.exe

# # #
xls https://www.virustotal.com/#/file/4dfbc00e5551883e57f25f3b6f961c1f9ca97ece99a53adc4360cbee818a092c/details

exe https://www.virustotal.com/#/file/928e6a9e6fe5791f96fe551cc9925d36e078694780004b434f3d3bd6a48e03c7/details
https://analyze.intezer.com/#/analyses/388fe1af-ac71-41e8-9858-62fed8a0ea0a
https://analyze.intezer.com/#/analyses/4821a443-ebc5-429f-9272-bcf019317049

url https://urlhaus.abuse.ch/url/79518/
https://urlscan.io/sha256/928e6a9e6fe5791f96fe551cc9925d36e078694780004b434f3d3bd6a48e03c7
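Added example, not part of the original paste: the Python below refangs the indicators above using the paste's own defanging conventions ("h11p:\ " for the scheme, "{.} " for dots) and applies three detections to constructed telemetry modelled on the comp and proc sections: Equation Editor (EQNEDT32.EXE; the "11882" in the attack vector is CVE-2017-11882) opening a network connection, any process connecting to a listed IP, and an executable launched from C:\ProgramData. The telemetry lines and their pipe-separated format are constructed for this example; the IOC values are copied from the paste with query strings trimmed.

```python
import re
from typing import Dict, List

# Defanging conventions used in the paste: "h11p:\ " (the paste also has a
# "hh11p:\ " typo) for the scheme and "{.} " for the dots in host names.
_SCHEME = re.compile(r"^h+11p:\\\s*", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged URL from the paste into its real form."""
    ioc = _SCHEME.sub("http://", ioc.strip())
    return ioc.replace("{.} ", ".").replace("{.}", ".")


def host_of(url: str) -> str:
    """Return the lower-cased host part of a URL or bare host string."""
    without_scheme = re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE)
    return without_scheme.split("/", 1)[0].lower()


# Indicators copied from the paste (query strings trimmed to the path).
IOC_URLS = [
    "h11p:\\ andreasmannegren{.} com/wp-content/plugins/revslider/views/great2_outputBD4467F.exe",
    "hh11p:\\ www{.} eei{.} events/g2/",
    "h11p:\\ www{.} lyricmes{.} com/g2/",
]
IOC_HOSTS = {host_of(refang(u)) for u in IOC_URLS}
IOC_IPS = {"216.70.123.107", "199.192.25.199", "50.63.202.60"}

# Constructed telemetry modelled on the "comp" and "proc" sections of the paste.
# Format: kind|image|detail  (detail is "ip:port" for net, the command line for proc).
EQN = "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"
TELEMETRY = [
    'proc|C:\\Program Files (x86)\\Microsoft Office\\Office12\\EXCEL.EXE|"EXCEL.EXE" /e',
    f'proc|{EQN}|"{EQN}" -Embedding',
    f"net|{EQN}|216.70.123.107:80",
    "proc|C:\\ProgramData\\Ms_Office.exe|C:\\ProgramData\\Ms_Office.exe",
    # Constructed benign line: an ordinary browser connection that must not alert.
    "net|C:\\Program Files\\Mozilla Firefox\\firefox.exe|93.184.216.34:443",
]


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run the three detections over telemetry lines; one alert dict per hit."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        kind, image, detail = line.split("|", 2)
        exe = image.rsplit("\\", 1)[-1].lower()
        if kind == "net":
            dst_ip = detail.rsplit(":", 1)[0]
            # Equation Editor never needs a socket; any connection is suspicious.
            if exe == "eqnedt32.exe":
                alerts.append({"rule": "equation-editor-network", "image": image, "detail": detail})
            # Match against the payload host and C2 IPs listed in the paste.
            if dst_ip in IOC_IPS:
                alerts.append({"rule": "known-formbook-ip", "image": image, "detail": detail})
        elif kind == "proc":
            # The dropped payload runs from C:\ProgramData, not an install location.
            if image.lower().startswith("c:\\programdata\\") and exe.endswith(".exe"):
                alerts.append({"rule": "exe-from-programdata", "image": image, "detail": detail})
    return alerts


if __name__ == "__main__":
    print("IOC hosts:", sorted(IOC_HOSTS))
    for alert in detect(TELEMETRY):
        print(alert)
```

The first rule is the durable one: the IP and host lists rot as the operator moves infrastructure, but EQNEDT32.EXE initiating a TCP connection (as the comp section shows it doing here) is abnormal regardless of destination.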