#IOC #OptiData #VR #formbook #opendir #2stage #xmlrels #11882
https://pastebin.com/yLu1cL9K
previous_contact:
15/11/18 https://pastebin.com/VFG89LnT
14/11/18 https://pastebin.com/D6VPDyyz
FAQ:
https://www.bleepingcomputer.com/news/security/formbook-infostealer-sold-on-hacking-forums-is-becoming-quite-a-threat/
https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/
https://blog.talosintelligence.com/2018/06/my-little-formbook.html
attack_vector
--------------
email attach doc1 > xml.rels > GET1 > doc2 > 11882 > GET2 > \Public\vbc.exe
email_headers
--------------
Return-Path: <diego@greenenergyac.com>
Received: from greenenergyac.com ([194.110.85.183])
From: "Diego Restivo" <diego@greenenergyac.com>
To: user00@victim0.com
Subject: Order 142
Date: 26 Feb 2019 03:13:30 -0500
files
--------------
SHA-256 34878815d23e065fdc7c3b190b3530494717795549b0c94257ebb9d9a285a9f4
File name Purchase Order 142.docx [Microsoft Word 2007+] > footer2.xml.rels > Target= http://gg{.} gg/d8ddd
File size 31.78 KB
SHA-256 7e928ca90c533761e251005d3620ba12099b5ec81149ae5efcf78d9421e973b9
File name document.docx [Microsoft Word 2007+] > oleObject1.bin > EquAtIOn NATivE http://gg{.} gg/d8dat
File size 19.34 KB
SHA-256 77415339963c31d05e1a1a1729692d0a57120443832c2400f3f9263bb338ff49
File name vbc.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.22 MB
SHA-256 f39991bf62216733c2a6e0c152fe6be16e20e7758d1f59c2d48d5d8d27cbd90a
File name RuntimeBroker.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.22 MB
SHA-256 5e5af2601339ba6242ce7180020578610a7b81851094fc2ef449cca4e995e5bf
File name RuntimeBroker.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.22 MB
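Added defender-side example (not part of the paste): a small Python scanner for the two document stages listed above, an external relationship Target inside a *.rels part (footer2.xml.rels in doc1) and an embedded OLE object naming the Equation Native stream (doc2, where the paste shows it written in mixed case as "EquAtIOn NATivE", so the match is case-insensitive). The sample document and the gg.invalid URL are constructed here for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Targets that leave the package: http(s), file: and UNC paths.
REMOTE = re.compile(r"^(https?:|file:|\\\\)", re.I)


def scan_docx(blob):
    """Return external rels targets and OLE parts carrying an Equation Native stream."""
    findings = {"external_targets": [], "equation_objects": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.lower().endswith(".rels"):
                for rel in ET.fromstring(data).iter(REL_NS + "Relationship"):
                    target = rel.get("Target", "")
                    if rel.get("TargetMode") == "External" and REMOTE.match(target):
                        # Record the relationship type: plain hyperlinks are common and
                        # benign, oleObject/attachedTemplate targets deserve triage.
                        rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                        findings["external_targets"].append((name, rtype, target))
            elif name.lower().endswith(".bin"):
                # OLE/CFB stream names are stored as UTF-16LE; try both byte alignments
                # and a raw ASCII view, then compare case-insensitively.
                views = [data.decode("utf-16-le", "ignore"),
                         data[1:].decode("utf-16-le", "ignore"),
                         data.decode("latin-1")]
                if any("equation native" in v.lower() for v in views):
                    findings["equation_objects"].append(name)
    return findings


def build_sample():
    """Constructed docx-like zip mimicking the paste's footer2.xml.rels and oleObject1.bin."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
            'Target="http://gg.invalid/d8ddd" TargetMode="External"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
            'Target="media/image1.png"/></Relationships>')
    ole = b"\xd0\xcf\x11\xe0" + b"\x00" * 16 + "EquAtIOn NATivE".encode("utf-16-le") + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/_rels/footer2.xml.rels", rels)
        zf.writestr("word/embeddings/oleObject1.bin", ole)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_docx(build_sample()))
```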
activity
**************
PL_SRC:
gg{.} gg:80//d8ddd
http://watchdogdns{.} duckdns{.} org/jae/document.docx
gg{.} gg:80//d8dat
http://watchdogdns{.} duckdns{.} org/jae/vbc.exe
C2:
http://www.tv-cable{.} com/jw/?Cj=id....
netwrk
--------------
91.224.140.71 gg{.} gg OPTIONS / HTTP/1.1 Microsoft-WebDAV-MiniRedir/6.1.7601
91.224.140.71 gg{.} gg OPTIONS / HTTP/1.1 Microsoft Office Protocol Discovery
91.224.140.71 gg{.} gg PROPFIND / HTTP/1.1 Microsoft-WebDAV-MiniRedir/6.1.7601
91.224.140.71 gg{.} gg GET /d8ddd HTTP/1.1 Mozilla/4.0
23.249.166.156 watchdogdns{.} duckdns{.} org GET /jae/document.docx HTTP/1.1 Mozilla/4.0
91.224.140.71 gg{.} gg HEAD /d8ddd HTTP/1.1 Microsoft Office Existence Discovery
23.249.166.156 watchdogdns{.} duckdns{.} org HEAD /jae/document.docx HTTP/1.1 Microsoft Office Existence Discovery
91.224.140.71 gg{.} gg GET /d8dat HTTP/1.1 no User Agent
23.249.166.156 watchdogdns{.} duckdns{.} org GET /jae/vbc.exe HTTP/1.1 no User Agent
23.20.239.12 tv-cable.com GET /jw/?Cj=id... HTTP/1.1 no User Agent
comp
--------------
svchost.exe 840 TCP localhost 49786 91.224.140.71 80 SYN_SENT
WINWORD.EXE 2192 TCP localhost 49791 23.249.166.156 80 SYN_SENT
EQNEDT32.EXE 2230 TCP localhost 49797 91.224.140.71 80 SYN_SENT
EQNEDT32.EXE 2230 TCP localhost 49799 23.249.166.156 80 SYN_SENT
proc
--------------
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Users\Public\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn desktopimgdownldr /tr "C:\Users\operator\AppData\Roaming\sdbinst\RuntimeBroker.exe" /sc minute /mo 1 /F
C:\Windows\system32\taskeng.exe {AC685A2D-7E0C-4FC7-80E7-7C734BCC4A28} S-1-5-21-136527031-2493574210-1221074019-1000:APM11\operator:Interactive:[1]
C:\Users\operator\AppData\Roaming\sdbinst\RuntimeBroker.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn desktopimgdownldr /tr "C:\Users\operator\AppData\Roaming\sdbinst\RuntimeBroker.exe" /sc minute /mo 1 /F
C:\Windows\system32\taskeng.exe
C:\Users\operator\AppData\Roaming\sdbinst\RuntimeBroker.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
C:\Windows\SysWOW64\schtasks.exe /create /tn desktopimgdownldr /tr "C:\Users\operator\AppData\Roaming\sdbinst\RuntimeBroker.exe" /sc minute /mo 1 /F
persist
--------------
Task Scheduler
\desktopimgdownldr
c:\users\operator\appdata\roaming\sdbinst\runtimebroker.exe 25.02.2019 12:46
drop
--------------
C:\Users\operator\AppData\Roaming\sdbinst\RuntimeBroker.exe
C:\Users\Public\vbc.exe
# # #
https://www.virustotal.com/#/file/34878815d23e065fdc7c3b190b3530494717795549b0c94257ebb9d9a285a9f4/details
https://www.virustotal.com/#/file/7e928ca90c533761e251005d3620ba12099b5ec81149ae5efcf78d9421e973b9/details
https://www.virustotal.com/#/file/77415339963c31d05e1a1a1729692d0a57120443832c2400f3f9263bb338ff49/details
https://www.virustotal.com/#/file/f39991bf62216733c2a6e0c152fe6be16e20e7758d1f59c2d48d5d8d27cbd90a/details
https://analyze.intezer.com/#/analyses/e3c3c705-31d7-425e-83f3-bf7ff4adcdd8
https://analyze.intezer.com/#/analyses/5222cd52-f5ea-47ed-bc97-c2656016cb46
VR
@