
#formbook_151118

VRad Nov 15th, 2018 (edited) 204 Never
#IOC #OptiData #VR #FormBook #RAR #EXE

https://pastebin.com/VFG89LnT

previous_contact:
14/11/18    https://pastebin.com/D6VPDyyz

FAQ:
https://www.bleepingcomputer.com/news/security/formbook-infostealer-sold-on-hacking-forums-is-becoming-quite-a-threat/
https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/
https://blog.talosintelligence.com/2018/06/my-little-formbook.html

attack_vector
--------------
email attach .7z (RAR) > exe > C2

email_headers
--------------
Received: from oceanicoilfield.ae ([37.49.225.69])
    by mail0.victim (8.15.2/8.15.2) with ESMTP id wAENwTUL097819
    for <user0@org.hq.victim>; Thu, 15 Nov 2018 01:58:30 +0200 (EET)
    (envelope-from aslam@oceanicoilfield.ae)
From: Muhamed Aslam - Oceanic <aslam@oceanicoilfield.ae>
To: <user0@org.hq.victim>
Subject: RFQ 3799
Date: Wed, 14 Nov 2018 15:58:23 -0800

files
--------------
SHA-256     4e72d3ed7d35d533cdbe8382c2f116a4bfbaf144fb32204bda85e0a5b6b2ff8d
File name   RFQ 3799,PDF.7z     (!) RAR archive data, v8a (despite the .7z extension)
File size   344.16 KB

SHA-256     fecd706889701fcffe2052a8581abe5ce557fa6732ef6841cf6c21e562d4d2f4
File name   RFQ 3799,PDF.exe
File size   664.5 KB

activity
**************

C2: h11p:\ www{.} gamer-cosmo{.} site/lo/?Mv18=QojiFkevncA7UP8PkLtuNgt5Wmw...

netwrk
--------------
www{.} gamer-cosmo{.} site  GET /lo/?Mv18=QojiFkevncA7UP8PkLtuNgt5Wmw...    HTTP/1.1 Continuation   no User Agent

comp
--------------
n/a

proc
--------------
"C:\Users\operator\Desktop\RFQ 3799,PDF.exe"
"C:\Users\operator\Desktop\RFQ 3799,PDF.exe"

persist
--------------
n/a

drop
--------------
C:\Users\operator\Desktop\RFQ 3799,PDF.exe

# # #
RAR https://www.virustotal.com/#/file/4e72d3ed7d35d533cdbe8382c2f116a4bfbaf144fb32204bda85e0a5b6b2ff8d/details
EXE https://www.virustotal.com/#/file/fecd706889701fcffe2052a8581abe5ce557fa6732ef6841cf6c21e562d4d2f4/details
    https://analyze.intezer.com/#/analyses/c1d8aeeb-7d9f-4f4f-a9a4-773941743367