#formbook_151118

#IOC #OptiData #VR #FormBook #RAR #EXE

https://pastebin.com/VFG89LnT

previous_contact:
14/11/18	https://pastebin.com/D6VPDyyz

FAQ:
https://www.bleepingcomputer.com/news/security/formbook-infostealer-sold-on-hacking-forums-is-becoming-quite-a-threat/
https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/
https://blog.talosintelligence.com/2018/06/my-little-formbook.html

attack_vector
--------------
email attach .7z (RAR) > exe > C2

email_headers
--------------
Received: from oceanicoilfield.ae ([37.49.225.69])
	by mail0.victim (8.15.2/8.15.2) with ESMTP id wAENwTUL097819
	for <user0@org.hq.victim>; Thu, 15 Nov 2018 01:58:30 +0200 (EET)
	(envelope-from aslam@oceanicoilfield.ae)
From: Muhamed Aslam - Oceanic <aslam@oceanicoilfield.ae>
To: <user0@org.hq.victim>
Subject: RFQ 3799
Date: Wed, 14 Nov 2018 15:58:23 -0800

files
--------------
SHA-256	4e72d3ed7d35d533cdbe8382c2f116a4bfbaf144fb32204bda85e0a5b6b2ff8d
File name	RFQ 3799,PDF.7z		(!) RAR archive data, v8a,
File size	344.16 KB

SHA-256	fecd706889701fcffe2052a8581abe5ce557fa6732ef6841cf6c21e562d4d2f4
File name	RFQ 3799,PDF.exe
File size	664.5 KB

activity
**************

C2:	h11p:\ www{.} gamer-cosmo{.} site/lo/?Mv18=QojiFkevncA7UP8PkLtuNgt5Wmw...

netwrk
--------------
www{.} gamer-cosmo{.} site	GET /lo/?Mv18=QojiFkevncA7UP8PkLtuNgt5Wmw...	HTTP/1.1 Continuation	no User Agent

comp
--------------
n/a

proc
--------------
"C:\Users\operator\Desktop\RFQ 3799,PDF.exe"
"C:\Users\operator\Desktop\RFQ 3799,PDF.exe"

persist
--------------
n/a

drop
--------------
C:\Users\operator\Desktop\RFQ 3799,PDF.exe

# # #
RAR	https://www.virustotal.com/#/file/4e72d3ed7d35d533cdbe8382c2f116a4bfbaf144fb32204bda85e0a5b6b2ff8d/details
EXE	https://www.virustotal.com/#/file/fecd706889701fcffe2052a8581abe5ce557fa6732ef6841cf6c21e562d4d2f4/details
	https://analyze.intezer.com/#/analyses/c1d8aeeb-7d9f-4f4f-a9a4-773941743367