SHARE
TWEET

#formbook_260219

VRad Feb 26th, 2019 (edited) 224 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #IOC #OptiData #VR #formbook #opendir #2stage #xmlrels #11882
  2.  
  3. https://pastebin.com/yLu1cL9K
  4.  
  5. previous_contact:
  6. 15/11/18    https://pastebin.com/VFG89LnT
  7. 14/11/18    https://pastebin.com/D6VPDyyz
  8.  
  9. FAQ:
  10. https://www.bleepingcomputer.com/news/security/formbook-infostealer-sold-on-hacking-forums-is-becoming-quite-a-threat/
  11. https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/
  12. https://blog.talosintelligence.com/2018/06/my-little-formbook.html
  13.  
  14. attack_vector
  15. --------------
  16. email attach doc1 > xml.rels > GET1 > doc2 > 11882 > GET2 > \Public\vbc.exe
  17.  
  18. email_headers
  19. --------------
  20. Return-Path: <diego@greenenergyac.com>
  21. Received: from greenenergyac.com ([194.110.85.183])
  22. From: "Diego Restivo" <diego@greenenergyac.com>
  23. To: user00@victim0.com
  24. Subject: Order 142
  25. Date: 26 Feb 2019 03:13:30 -0500
  26.  
  27. files
  28. --------------
  29. SHA-256 34878815d23e065fdc7c3b190b3530494717795549b0c94257ebb9d9a285a9f4
  30. File name   Purchase Order 142.docx     [Microsoft Word 2007+]  > footer2.xml.rels > Target= http://gg{.} gg/d8ddd
  31. File size   31.78 KB
  32.  
  33. SHA-256 7e928ca90c533761e251005d3620ba12099b5ec81149ae5efcf78d9421e973b9
  34. File name   document.docx           [Microsoft Word 2007+]  > oleObject1.bin > EquAtIOn NATivE http://gg{.} gg/d8dat
  35. File size   19.34 KB
  36.  
  37. SHA-256 77415339963c31d05e1a1a1729692d0a57120443832c2400f3f9263bb338ff49
  38. File name   vbc.exe             [PE32 executable (GUI) Intel 80386, for MS Windows]
  39. File size   1.22 MB
  40.  
  41. SHA-256 f39991bf62216733c2a6e0c152fe6be16e20e7758d1f59c2d48d5d8d27cbd90a
  42. File name   RuntimeBroker.exe       [PE32 executable (GUI) Intel 80386, for MS Windows]
  43. File size   1.22 MB
  44.  
  45. SHA-256 5e5af2601339ba6242ce7180020578610a7b81851094fc2ef449cca4e995e5bf
  46. File name   RuntimeBroker.exe       [PE32 executable (GUI) Intel 80386, for MS Windows]
  47. File size   1.22 MB
  48.  
  49. activity
  50. **************
  51. PL_SRC:
  52.  
  53. gg{.} gg:80//d8ddd
  54.  
  55. http://watchdogdns{.} duckdns{.} org/jae/document.docx
  56.  
  57. gg{.} gg:80//d8dat
  58.  
  59. http://watchdogdns{.} duckdns{.} org/jae/vbc.exe
  60.  
  61. C2:
  62.  
  63. http://www.tv-cable{.} com/jw/?Cj=id....
  64.  
  65. netwrk
  66. --------------
  67. 91.224.140.71       gg{.} gg            OPTIONS /       HTTP/1.1    Microsoft-WebDAV-MiniRedir/6.1.7601
  68. 91.224.140.71       gg{.} gg            OPTIONS /       HTTP/1.1    Microsoft Office Protocol Discovery
  69.  
  70. 91.224.140.71       gg{.} gg            PROPFIND /      HTTP/1.1    Microsoft-WebDAV-MiniRedir/6.1.7601
  71. 91.224.140.71       gg{.} gg            GET /d8ddd      HTTP/1.1    Mozilla/4.0
  72.  
  73. 23.249.166.156      watchdogdns{.} duckdns{.} org   GET /jae/document.docx  HTTP/1.1    Mozilla/4.0
  74.  
  75. 91.224.140.71       gg{.} gg            HEAD /d8ddd         HTTP/1.1    Microsoft Office Existence Discovery
  76. 23.249.166.156      watchdogdns{.} duckdns{.} org   HEAD /jae/document.docx HTTP/1.1    Microsoft Office Existence Discovery
  77.  
  78. 91.224.140.71       gg{.} gg            GET /d8dat      HTTP/1.1    no User Agent  
  79.  
  80. 23.249.166.156      watchdogdns{.} duckdns{.} org   GET /jae/vbc.exe    HTTP/1.1    no User Agent
  81.  
  82. 23.20.239.12        tv-cable.com            GET /jw/?Cj=id...   HTTP/1.1    no User Agent
  83.  
  84.  
  85. comp
  86. --------------
  87. svchost.exe 840 TCP localhost   49786   91.224.140.71   80  SYN_SENT
  88. WINWORD.EXE 2192    TCP localhost   49791   23.249.166.156  80  SYN_SENT
  89.  
  90. EQNEDT32.EXE    2230    TCP localhost   49797   91.224.140.71   80  SYN_SENT
  91. EQNEDT32.EXE    2230    TCP localhost   49799   23.249.166.156  80  SYN_SENT
  92.  
  93. proc
  94. --------------
  95. "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  96. C:\Users\Public\vbc.exe
  97. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  98. "C:\Windows\SysWOW64\schtasks.exe" /create /tn desktopimgdownldr /tr "C:\Users\operator\AppData\Roaming\sdbinst\RuntimeBroker.exe" /sc  minute /mo 1 /F
  99.  
  100. C:\Windows\system32\taskeng.exe {AC685A2D-7E0C-4FC7-80E7-7C734BCC4A28} S-1-5-21-136527031-2493574210-1221074019-1000:APM11\operator:Interactive:[1]
  101. C:\Users\operator\AppData\Roaming\sdbinst\RuntimeBroker.exe
  102. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  103. "C:\Windows\SysWOW64\schtasks.exe" /create /tn desktopimgdownldr /tr "C:\Users\operator\AppData\Roaming\sdbinst\RuntimeBroker.exe" /sc  minute /mo 1 /F
  104.  
  105. C:\Windows\system32\taskeng.exe
  106. C:\Users\operator\AppData\Roaming\sdbinst\RuntimeBroker.exe
  107. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  108. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  109. C:\Windows\SysWOW64\schtasks.exe /create /tn desktopimgdownldr /tr "C:\Users\operator\AppData\Roaming\sdbinst\RuntimeBroker.exe" /sc  minute /mo 1 /F
  110.  
  111. persist
  112. --------------
  113. Task Scheduler                 
  114. \desktopimgdownldr         
  115. c:\users\operator\appdata\roaming\sdbinst\runtimebroker.exe 25.02.2019 12:46   
  116.  
  117. drop
  118. --------------
  119. C:\Users\operator\AppData\Roaming\sdbinst\RuntimeBroker.exe
  120.  
  121. C:\Users\Public\vbc.exe
  122.  
  123. # # #
  124. https://www.virustotal.com/#/file/34878815d23e065fdc7c3b190b3530494717795549b0c94257ebb9d9a285a9f4/details
  125. https://www.virustotal.com/#/file/7e928ca90c533761e251005d3620ba12099b5ec81149ae5efcf78d9421e973b9/details
  126. https://www.virustotal.com/#/file/77415339963c31d05e1a1a1729692d0a57120443832c2400f3f9263bb338ff49/details
  127. https://www.virustotal.com/#/file/f39991bf62216733c2a6e0c152fe6be16e20e7758d1f59c2d48d5d8d27cbd90a/details
  128. https://analyze.intezer.com/#/analyses/e3c3c705-31d7-425e-83f3-bf7ff4adcdd8
  129. https://analyze.intezer.com/#/analyses/5222cd52-f5ea-47ed-bc97-c2656016cb46
  130.  
  131. VR
  132.  
  133. @
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top