#formbook_260219

1. #IOC #OptiData #VR #formbook #opendir #2stage #xmlrels #11882
2.  
3. https://pastebin.com/yLu1cL9K
4.  
5. previous_contact:
6. 15/11/18 https://pastebin.com/VFG89LnT
7. 14/11/18 https://pastebin.com/D6VPDyyz
8.  
9. FAQ:
10. https://www.bleepingcomputer.com/news/security/formbook-infostealer-sold-on-hacking-forums-is-becoming-quite-a-threat/
11. https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/
12. https://blog.talosintelligence.com/2018/06/my-little-formbook.html
13.  
14. attack_vector
15. --------------
16. email attach doc1 > xml.rels > GET1 > doc2 > 11882 > GET2 > \Public\vbc.exe
17.  
18. email_headers
19. --------------
20. Return-Path: <diego@greenenergyac.com>
21. Received: from greenenergyac.com ([194.110.85.183])
22. From: "Diego Restivo" <diego@greenenergyac.com>
23. To: user00@victim0.com
24. Subject: Order 142
25. Date: 26 Feb 2019 03:13:30 -0500
26.  
27. files
28. --------------
29. SHA-256 34878815d23e065fdc7c3b190b3530494717795549b0c94257ebb9d9a285a9f4
30. File name Purchase Order 142.docx [Microsoft Word 2007+] > footer2.xml.rels > Target= http://gg{.} gg/d8ddd
31. File size 31.78 KB
32.  
33. SHA-256 7e928ca90c533761e251005d3620ba12099b5ec81149ae5efcf78d9421e973b9
34. File name document.docx [Microsoft Word 2007+] > oleObject1.bin > EquAtIOn NATivE http://gg{.} gg/d8dat
35. File size 19.34 KB
36.  
37. SHA-256 77415339963c31d05e1a1a1729692d0a57120443832c2400f3f9263bb338ff49
38. File name vbc.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
39. File size 1.22 MB
40.  
41. SHA-256 f39991bf62216733c2a6e0c152fe6be16e20e7758d1f59c2d48d5d8d27cbd90a
42. File name RuntimeBroker.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
43. File size 1.22 MB
44.  
45. SHA-256 5e5af2601339ba6242ce7180020578610a7b81851094fc2ef449cca4e995e5bf
46. File name RuntimeBroker.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
47. File size 1.22 MB
48.  
49. activity
50. **************
51. PL_SRC:
52.  
53. gg{.} gg:80//d8ddd
54.  
55. http://watchdogdns{.} duckdns{.} org/jae/document.docx
56.  
57. gg{.} gg:80//d8dat
58.  
59. http://watchdogdns{.} duckdns{.} org/jae/vbc.exe
60.  
61. C2:
62.  
63. http://www.tv-cable{.} com/jw/?Cj=id....
64.  
65. netwrk
66. --------------
67. 91.224.140.71 gg{.} gg OPTIONS / HTTP/1.1 Microsoft-WebDAV-MiniRedir/6.1.7601
68. 91.224.140.71 gg{.} gg OPTIONS / HTTP/1.1 Microsoft Office Protocol Discovery
69.  
70. 91.224.140.71 gg{.} gg PROPFIND / HTTP/1.1 Microsoft-WebDAV-MiniRedir/6.1.7601
71. 91.224.140.71 gg{.} gg GET /d8ddd HTTP/1.1 Mozilla/4.0
72.  
73. 23.249.166.156 watchdogdns{.} duckdns{.} org GET /jae/document.docx HTTP/1.1 Mozilla/4.0
74.  
75. 91.224.140.71 gg{.} gg HEAD /d8ddd HTTP/1.1 Microsoft Office Existence Discovery
76. 23.249.166.156 watchdogdns{.} duckdns{.} org HEAD /jae/document.docx HTTP/1.1 Microsoft Office Existence Discovery
77.  
78. 91.224.140.71 gg{.} gg GET /d8dat HTTP/1.1 no User Agent
79.  
80. 23.249.166.156 watchdogdns{.} duckdns{.} org GET /jae/vbc.exe HTTP/1.1 no User Agent
81.  
82. 23.20.239.12 tv-cable.com GET /jw/?Cj=id... HTTP/1.1 no User Agent
83.  
84.  
85. comp
86. --------------
87. svchost.exe 840 TCP localhost 49786 91.224.140.71 80 SYN_SENT
88. WINWORD.EXE 2192 TCP localhost 49791 23.249.166.156 80 SYN_SENT
89.  
90. EQNEDT32.EXE 2230 TCP localhost 49797 91.224.140.71 80 SYN_SENT
91. EQNEDT32.EXE 2230 TCP localhost 49799 23.249.166.156 80 SYN_SENT
92.  
93. proc
94. --------------
95. "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
96. C:\Users\Public\vbc.exe
97. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
98. "C:\Windows\SysWOW64\schtasks.exe" /create /tn desktopimgdownldr /tr "C:\Users\operator\AppData\Roaming\sdbinst\RuntimeBroker.exe" /sc minute /mo 1 /F
99.  
100. C:\Windows\system32\taskeng.exe {AC685A2D-7E0C-4FC7-80E7-7C734BCC4A28} S-1-5-21-136527031-2493574210-1221074019-1000:APM11\operator:Interactive:[1]
101. C:\Users\operator\AppData\Roaming\sdbinst\RuntimeBroker.exe
102. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
103. "C:\Windows\SysWOW64\schtasks.exe" /create /tn desktopimgdownldr /tr "C:\Users\operator\AppData\Roaming\sdbinst\RuntimeBroker.exe" /sc minute /mo 1 /F
104.  
105. C:\Windows\system32\taskeng.exe
106. C:\Users\operator\AppData\Roaming\sdbinst\RuntimeBroker.exe
107. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
108. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
109. C:\Windows\SysWOW64\schtasks.exe /create /tn desktopimgdownldr /tr "C:\Users\operator\AppData\Roaming\sdbinst\RuntimeBroker.exe" /sc minute /mo 1 /F
110.  
111. persist
112. --------------
113. Task Scheduler
114. \desktopimgdownldr
115. c:\users\operator\appdata\roaming\sdbinst\runtimebroker.exe 25.02.2019 12:46
116.  
117. drop
118. --------------
119. C:\Users\operator\AppData\Roaming\sdbinst\RuntimeBroker.exe
120.  
121. C:\Users\Public\vbc.exe
122.  
123. # # #
124. https://www.virustotal.com/#/file/34878815d23e065fdc7c3b190b3530494717795549b0c94257ebb9d9a285a9f4/details
125. https://www.virustotal.com/#/file/7e928ca90c533761e251005d3620ba12099b5ec81149ae5efcf78d9421e973b9/details
126. https://www.virustotal.com/#/file/77415339963c31d05e1a1a1729692d0a57120443832c2400f3f9263bb338ff49/details
127. https://www.virustotal.com/#/file/f39991bf62216733c2a6e0c152fe6be16e20e7758d1f59c2d48d5d8d27cbd90a/details
128. https://analyze.intezer.com/#/analyses/e3c3c705-31d7-425e-83f3-bf7ff4adcdd8
129. https://analyze.intezer.com/#/analyses/5222cd52-f5ea-47ed-bc97-c2656016cb46
130.  
131. VR
132.  
133. @