- #IOC #OptiData #VR #FormBook #RAR #EXE
- https://pastebin.com/VFG89LnT
- previous_contact:
- 14/11/18 https://pastebin.com/D6VPDyyz
- FAQ:
- https://www.bleepingcomputer.com/news/security/formbook-infostealer-sold-on-hacking-forums-is-becoming-quite-a-threat/
- https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/
- https://blog.talosintelligence.com/2018/06/my-little-formbook.html
- attack_vector
- --------------
- email attach .7z (RAR) > exe > C2
- email_headers
- --------------
- Received: from oceanicoilfield.ae ([37.49.225.69])
- by mail0.victim (8.15.2/8.15.2) with ESMTP id wAENwTUL097819
- for <user0@org.hq.victim>; Thu, 15 Nov 2018 01:58:30 +0200 (EET)
- (envelope-from aslam@oceanicoilfield.ae)
- From: Muhamed Aslam - Oceanic <aslam@oceanicoilfield.ae>
- To: <user0@org.hq.victim>
- Subject: RFQ 3799
- Date: Wed, 14 Nov 2018 15:58:23 -0800
- files
- --------------
- SHA-256 4e72d3ed7d35d533cdbe8382c2f116a4bfbaf144fb32204bda85e0a5b6b2ff8d
- File name RFQ 3799,PDF.7z (!) named as .7z but the file magic identifies it as RAR archive data, v8a,
- File size 344.16 KB
- SHA-256 fecd706889701fcffe2052a8581abe5ce557fa6732ef6841cf6c21e562d4d2f4
- File name RFQ 3799,PDF.exe
- File size 664.5 KB
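The archive above is named .7z but is really a RAR file, and the payload inside carries a "PDF" decoy in its name while being a PE executable. The following triage helper is an added example and not part of the original paste: it identifies the real container from the leading magic bytes, flags a mismatch against the claimed extension, flags a document-sounding name on an executable, and checks the SHA-256 against the two IOC hashes listed here. The sample bytes at the bottom are constructed stand-ins (just a valid signature plus padding), so their hashes will not match the IOCs; the IOC lookup is exercised with the digest from the paste itself.

```python
import hashlib
import os

# SHA-256 values copied from this paste.
IOC_SHA256 = {
    "4e72d3ed7d35d533cdbe8382c2f116a4bfbaf144fb32204bda85e0a5b6b2ff8d": "RFQ 3799,PDF.7z (RAR archive)",
    "fecd706889701fcffe2052a8581abe5ce557fa6732ef6841cf6c21e562d4d2f4": "RFQ 3799,PDF.exe",
}

# Leading bytes of the container formats involved in this chain.
MAGIC = {
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),  # RAR 1.5-4.x, RAR 5.x
    "7z": (b"7z\xbc\xaf\x27\x1c",),
    "exe": (b"MZ",),
}


def identify(data: bytes) -> str:
    """Return the real format based on magic bytes, or 'unknown'."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return "unknown"


def lookup_hash(hexdigest: str):
    """Return the IOC label for a SHA-256 hex digest, or None."""
    return IOC_SHA256.get(hexdigest.lower())


def triage(filename: str, data: bytes) -> dict:
    """Findings for one attachment: real type, extension mismatch, decoy name, IOC hit."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    real = identify(data)
    digest = hashlib.sha256(data).hexdigest()
    return {
        "name": filename,
        "claimed": ext,
        "real": real,
        # A .7z name wrapping a RAR body is the trick in this campaign; any
        # disagreement between the claimed and real container is worth a look.
        "extension_mismatch": real != "unknown" and ext != real,
        # "PDF" in the name of a PE file is the lure shape used here.
        "decoy_doc_name": real == "exe" and "pdf" in filename.lower(),
        "sha256": digest,
        "ioc_hit": lookup_hash(digest),
    }


# Constructed sample inputs: signature bytes plus padding, not the real samples.
SAMPLES = {
    "RFQ 3799,PDF.7z": b"Rar!\x1a\x07\x00" + b"\x00" * 32,
    "RFQ 3799,PDF.exe": b"MZ" + b"\x00" * 64,
    "good.7z": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 8,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(triage(name, blob))
```

The magic check runs before any archive library touches the file, so it is safe to apply to untrusted attachments at the mail gateway; the hash lookup is only useful against the exact samples listed here and should be treated as a supplement to the structural checks, not a replacement for them.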
- activity
- **************
- C2: h11p:\ www{.} gamer-cosmo{.} site/lo/?Mv18=QojiFkevncA7UP8PkLtuNgt5Wmw...
- netwrk
- --------------
- www{.} gamer-cosmo{.} site GET /lo/?Mv18=QojiFkevncA7UP8PkLtuNgt5Wmw... HTTP/1.1 Continuation (request carries no User-Agent header)
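The beacon above has a recognisable shape: a GET to a short directory, a single short query key, a long opaque value, and no User-Agent header. The scanner below is an added example, not part of the original paste, that applies that shape plus the IOC domain to proxy log lines. The tab-separated log format (timestamp, client, host, method, path, user-agent) is an assumption chosen for the example, and the sample lines are constructed; the first one reproduces only the portion of the query string visible in this paste.

```python
import re
from dataclasses import dataclass, field

# Defanged in the paste as www{.} gamer-cosmo{.} site.
IOC_DOMAINS = {"www.gamer-cosmo.site"}

# Shape of the beacon in this paste: /<short dir>/?<short key>=<long opaque blob>
C2_PATH = re.compile(r"^/[A-Za-z0-9]{2,4}/\?[A-Za-z0-9]{2,6}=[A-Za-z0-9+/_=-]{16,}$")


@dataclass
class Hit:
    line_no: int
    host: str
    path: str
    reasons: list = field(default_factory=list)


def parse(line: str):
    """Parse one assumed tab-separated proxy record; return None if malformed."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        return None
    ts, client, host, method, path, ua = fields
    return {"ts": ts, "client": client, "host": host.lower(),
            "method": method.upper(), "path": path, "ua": ua.strip()}


def scan(lines):
    """Return a Hit for every record matching the IOC domain or the beacon shape."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            continue
        reasons = []
        if rec["host"] in IOC_DOMAINS:
            reasons.append("ioc domain")
        if rec["method"] == "GET" and C2_PATH.match(rec["path"]):
            reasons.append("formbook-style uri")
            # Browsers always send a User-Agent; an empty or "-" value on a
            # request of this shape is the second half of the signal.
            if rec["ua"] in ("", "-"):
                reasons.append("no user-agent")
        if reasons:
            hits.append(Hit(n, rec["host"], rec["path"], reasons))
    return hits


# Constructed sample log; line 1 uses only the query prefix visible in the paste.
SAMPLE_LOG = [
    "2018-11-15T00:03:11Z\t10.0.0.21\twww.gamer-cosmo.site\tGET\t/lo/?Mv18=QojiFkevncA7UP8PkLtuNgt5Wmw\t-",
    "2018-11-15T00:03:12Z\t10.0.0.21\tcdn.example.com\tGET\t/static/app.js\tMozilla/5.0",
    "2018-11-15T00:04:00Z\t10.0.0.33\twww.example.org\tGET\t/ab/?Ab12=deadbeefdeadbeefdeadbeefdeadbeef\t-",
    "malformed line without tabs",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h)
```

The URI shape alone is a weak signal (some legitimate trackers look similar), so treat "formbook-style uri" without "no user-agent" as a hunt lead rather than an alert, and keep the domain match as the high-confidence rule.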
- comp
- --------------
- n/a
- proc
- --------------
- "C:\Users\operator\Desktop\RFQ 3799,PDF.exe"
- "C:\Users\operator\Desktop\RFQ 3799,PDF.exe"
- persist
- --------------
- n/a
- drop
- --------------
- C:\Users\operator\Desktop\RFQ 3799,PDF.exe
- # # #
- RAR https://www.virustotal.com/#/file/4e72d3ed7d35d533cdbe8382c2f116a4bfbaf144fb32204bda85e0a5b6b2ff8d/details
- EXE https://www.virustotal.com/#/file/fecd706889701fcffe2052a8581abe5ce557fa6732ef6841cf6c21e562d4d2f4/details
- https://analyze.intezer.com/#/analyses/c1d8aeeb-7d9f-4f4f-a9a4-773941743367