API tools faq
paste
Advertisement
VRad

#formbook_141118

VRad
Nov 15th, 2018
635
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.04 KB | None | 0 0
raw download clone embed print report
  1. #IOC #OptiData #VR #FormBook #11882
  2.  
  3. https://pastebin.com/D6VPDyyz
  4.  
  5. FAQ:
  6. https://www.bleepingcomputer.com/news/security/formbook-infostealer-sold-on-hacking-forums-is-becoming-quite-a-threat/
  7. https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/
  8. https://blog.talosintelligence.com/2018/06/my-little-formbook.html
  9.  
  10. attack_vector
  11. --------------
  12. email attach xlsx > 11882 > EQNEDT32.EXE GET > ProgramData\Ms_Office.exe
  13.  
  14. email_headers
  15. --------------
  16. Received: from cider.nocdirect.com (cider.nocdirect.com [69.73.188.30])
  17. by srv8.victim.com (8.15.2/8.15.2) with ESMTP id wAE3acT0019711
  18. for <user0@org2.victim.com>; Wed, 14 Nov 2018 05:36:48 +0200 (EET)
  19. (envelope-from mcottage@mchkenya.org)
  20. Date: Tue, 13 Nov 2018 22:16:06 -0500
  21. From: Asti Swastiani <mcottage@mchkenya.org>
  22. To: marketing@mignon-international.com
  23. Subject: Ref. No.: PO OM/UL/QP214.R8/PO 18-049
  24. X-Sender: mcottage@mchkenya.org
  25. User-Agent: Roundcube Webmail/1.3.3
  26.  
  27. files
  28. --------------
  29. SHA-256 4dfbc00e5551883e57f25f3b6f961c1f9ca97ece99a53adc4360cbee818a092c
  30. File name 0.xlsx
  31. File size 9.43 KB
  32.  
  33. SHA-256 928e6a9e6fe5791f96fe551cc9925d36e078694780004b434f3d3bd6a48e03c7
  34. File name great2_outputBD4467F.exe (Judson6)
  35. File size 748 KB
  36.  
  37. activity
  38. **************
  39.  
  40. PL_GET:
  41. h11p:\ andreasmannegren{.} com/wp-content/plugins/revslider/views/great2_outputBD4467F.exe - 404
  42.  
  43. C2:
  44. hh11p:\ www{.} eei{.} events/g2/?PRuLzd=yfvXzIQIQbHAZ196o7SMbkoSZwVS8akoH7hB6KMBploTYiXkzzTkGQTjo55Z5ogwTFumUA==&qT-=VdAPlzXXXdnxjjM
  45. h11p:\ www{.} lyricmes{.} com/g2/?PRuLzd=5+TjCJMXgnBe6eyGBQcBN/C4nN6rhQBNFVIhTZQ5ep/qdq0BmWYnk1oT2RUPA4VuDtpxhw==&qT-=VdAPlzXXXdnxjjM&sql=1
  46.  
  47. netwrk
  48. --------------
  49. 216.70.123.107 andreasmannegren{.} com GET /wp-content/plugins/revslider/views/great2_outputBD4467F.exe
  50.  
  51. 199.192.25.199 lyricmes{.} com GET /g2/?PRuLzd=5+TjCJMXgnBe6eyGBQcBN/C4nN6rhQBNFVIhTZQ5ep/... HTTP/1.1 Continuation
  52. 50.63.202.60 eei{.} events GET /g2/?PRuLzd=yfvXzIQIQbHAZ196o7SMbkoSZwVS8akoH7hB6KMBpl... HTTP/1.1 Continuation
  53.  
  54. teamplus{.} cloud GET /g2/?cf=xrbHp0&xTF4=3ajSB4EqpyHKoMIyi/xby82oCcO+iX2HJLg... HTTP/1.1 Continuation
  55. tntrestuarantmarketing{.} com GET /g2/?xTF4=kwEpnkah6032lapaO+q/7mm7EQl4Xspy5J9vk... HTTP/1.1 Continuation
  56. selfhelpelderly{.} com GET /g2/?cf=xrbHp0&xTF4=aFdZcRNvtmRNuv2JE/8t1hNilKNznpftqW8... HTTP/1.1 Continuation
  57. nonxy{.} com GET /g2/?xTF4=QPRf3hc6291z8MikLetgS6hOMKycrV/8Ds8iQ3JQ6GGFw... HTTP/1.1 Continuation
  58. nfrastructures{.} cloud GET /g2/?cf=xrbHp0&xTF4=9ndMY6trpb87FJO/SblaSOCN+QQXjxqTpP/... HTTP/1.1 Continuation
  59. hiketodestination{.} com GET /g2/?xTF4=NFcGGNZRqOzVA0ZLnMyAKm/tMI4UhN1NS1rpoXK9NjB21... HTTP/1.1 Continuation
  60. sxww{.} info GET /g2/?cf=xrbHp0&xTF4=vfjYIF6MPowoFLyg8tYXGUduEyrv03S+VFk... HTTP/1.1 Continuation
  61. alanherbig{.} com GET /g2/?xTF4=jA9515VKFfcDPWuea/VJNvBiYe31D8IE+FwctdIoPYJLH... HTTP/1.1 Continuation
  62. portkennedypsychology{.} net GET /g2/?cf=xrbHp0&xTF4=4QvUFRaTSjAYqS71y3160CgpqQ5... HTTP/1.1 Continuation
  63.  
  64. POST /g2/ HTTP/1.1 (application/x-www-form-urlencoded) Mozilla/4.0
  65.  
  66. comp
  67. --------------
  68. EQNEDT32.EXE 2040 TCP 216.70.123.107 80 SYN_SENT
  69. [System] 0 TCP 216.70.123.107 80 TIME_WAIT
  70.  
  71. proc
  72. --------------
  73. "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
  74. C:\Windows\system32\svchost.exe -k DcomLaunch
  75. "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  76. C:\ProgramData\Ms_Office.exe
  77.  
  78. persist
  79. --------------
  80. n/a
  81.  
  82. drop
  83. --------------
  84. C:\ProgramData\Ms_Office.exe
  85.  
  86. # # #
  87. xls https://www.virustotal.com/#/file/4dfbc00e5551883e57f25f3b6f961c1f9ca97ece99a53adc4360cbee818a092c/details
  88.  
  89. exe https://www.virustotal.com/#/file/928e6a9e6fe5791f96fe551cc9925d36e078694780004b434f3d3bd6a48e03c7/details
  90. https://analyze.intezer.com/#/analyses/388fe1af-ac71-41e8-9858-62fed8a0ea0a
  91. https://analyze.intezer.com/#/analyses/4821a443-ebc5-429f-9272-bcf019317049
  92.  
  93. url https://urlhaus.abuse.ch/url/79518/
  94. https://urlscan.io/sha256/928e6a9e6fe5791f96fe551cc9925d36e078694780004b434f3d3bd6a48e03c7
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!