#formbook_141118

#IOC #OptiData #VR #FormBook #11882

https://pastebin.com/D6VPDyyz

FAQ:
https://www.bleepingcomputer.com/news/security/formbook-infostealer-sold-on-hacking-forums-is-becoming-quite-a-threat/
https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/
https://blog.talosintelligence.com/2018/06/my-little-formbook.html

attack_vector
--------------
email attach xlsx > 11882 > EQNEDT32.EXE GET > ProgramData\Ms_Office.exe

email_headers
--------------
Received: from cider.nocdirect.com (cider.nocdirect.com [69.73.188.30])
by srv8.victim.com (8.15.2/8.15.2) with ESMTP id wAE3acT0019711
for <user0@org2.victim.com>; Wed, 14 Nov 2018 05:36:48 +0200 (EET)
(envelope-from mcottage@mchkenya.org)
Date: Tue, 13 Nov 2018 22:16:06 -0500
From: Asti Swastiani <mcottage@mchkenya.org>
To: marketing@mignon-international.com
Subject: Ref. No.:  PO OM/UL/QP214.R8/PO 18-049
X-Sender: mcottage@mchkenya.org
User-Agent: Roundcube Webmail/1.3.3

files
--------------
SHA-256	4dfbc00e5551883e57f25f3b6f961c1f9ca97ece99a53adc4360cbee818a092c
File name	0.xlsx
File size	9.43 KB

SHA-256	928e6a9e6fe5791f96fe551cc9925d36e078694780004b434f3d3bd6a48e03c7
File name	great2_outputBD4467F.exe (Judson6)
File size	748 KB

activity
**************

PL_GET:
h11p:\ andreasmannegren{.} com/wp-content/plugins/revslider/views/great2_outputBD4467F.exe	- 404

C2:
hh11p:\ www{.} eei{.} events/g2/?PRuLzd=yfvXzIQIQbHAZ196o7SMbkoSZwVS8akoH7hB6KMBploTYiXkzzTkGQTjo55Z5ogwTFumUA==&qT-=VdAPlzXXXdnxjjM
h11p:\ www{.} lyricmes{.} com/g2/?PRuLzd=5+TjCJMXgnBe6eyGBQcBN/C4nN6rhQBNFVIhTZQ5ep/qdq0BmWYnk1oT2RUPA4VuDtpxhw==&qT-=VdAPlzXXXdnxjjM&sql=1

netwrk
--------------
216.70.123.107		andreasmannegren{.} com	GET /wp-content/plugins/revslider/views/great2_outputBD4467F.exe

199.192.25.199		lyricmes{.} com			GET /g2/?PRuLzd=5+TjCJMXgnBe6eyGBQcBN/C4nN6rhQBNFVIhTZQ5ep/...	HTTP/1.1 Continuation
50.63.202.60		eei{.} events			GET /g2/?PRuLzd=yfvXzIQIQbHAZ196o7SMbkoSZwVS8akoH7hB6KMBpl...	HTTP/1.1 Continuation

			teamplus{.} cloud		GET /g2/?cf=xrbHp0&xTF4=3ajSB4EqpyHKoMIyi/xby82oCcO+iX2HJLg...	HTTP/1.1 Continuation
			tntrestuarantmarketing{.} com	GET /g2/?xTF4=kwEpnkah6032lapaO+q/7mm7EQl4Xspy5J9vk...		HTTP/1.1 Continuation
			selfhelpelderly{.} com		GET /g2/?cf=xrbHp0&xTF4=aFdZcRNvtmRNuv2JE/8t1hNilKNznpftqW8...	HTTP/1.1 Continuation
			nonxy{.} com			GET /g2/?xTF4=QPRf3hc6291z8MikLetgS6hOMKycrV/8Ds8iQ3JQ6GGFw...	HTTP/1.1 Continuation
			nfrastructures{.} cloud		GET /g2/?cf=xrbHp0&xTF4=9ndMY6trpb87FJO/SblaSOCN+QQXjxqTpP/...	HTTP/1.1 Continuation
			hiketodestination{.} com	GET /g2/?xTF4=NFcGGNZRqOzVA0ZLnMyAKm/tMI4UhN1NS1rpoXK9NjB21...	HTTP/1.1 Continuation
			sxww{.} info			GET /g2/?cf=xrbHp0&xTF4=vfjYIF6MPowoFLyg8tYXGUduEyrv03S+VFk...	HTTP/1.1 Continuation
			alanherbig{.} com		GET /g2/?xTF4=jA9515VKFfcDPWuea/VJNvBiYe31D8IE+FwctdIoPYJLH...	HTTP/1.1 Continuation
			portkennedypsychology{.} net	GET /g2/?cf=xrbHp0&xTF4=4QvUFRaTSjAYqS71y3160CgpqQ5...		HTTP/1.1 Continuation

POST /g2/ HTTP/1.1  (application/x-www-form-urlencoded)	Mozilla/4.0

comp
--------------
EQNEDT32.EXE	2040	TCP	216.70.123.107	80	SYN_SENT
[System]	0	TCP	216.70.123.107	80	TIME_WAIT

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
C:\Windows\system32\svchost.exe -k DcomLaunch
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\ProgramData\Ms_Office.exe

persist
--------------
n/a

drop
--------------
C:\ProgramData\Ms_Office.exe

# # #
xls	https://www.virustotal.com/#/file/4dfbc00e5551883e57f25f3b6f961c1f9ca97ece99a53adc4360cbee818a092c/details

exe	https://www.virustotal.com/#/file/928e6a9e6fe5791f96fe551cc9925d36e078694780004b434f3d3bd6a48e03c7/details
	https://analyze.intezer.com/#/analyses/388fe1af-ac71-41e8-9858-62fed8a0ea0a
	https://analyze.intezer.com/#/analyses/4821a443-ebc5-429f-9272-bcf019317049

url	https://urlhaus.abuse.ch/url/79518/
	https://urlscan.io/sha256/928e6a9e6fe5791f96fe551cc9925d36e078694780004b434f3d3bd6a48e03c7