2019-01-02 - MALWARE FROM MALSPAM PUSHING FORMBOOK

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2019-01-02-Formbook-infection-traffic.pcap.zip   2.5 MB (2,498,922 bytes)
• 2019-01-02-Formbook-malware.zip   606 kB (606,149 bytes)

NOTES:

• Unfortunately, I do not have any copies of the malspam for this blog post.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following partial URLs:

• hxxp[:]//www.freedomrings[.]info/hx310/
• hxxp[:]//www.wtzoo[.]win/hx310/
• hxxp[:]//www.internationalbankfund[.]com/hx310/
• hxxp[:]//www.yatai-garden[.]com/hx310/
• hxxp[:]//www.idalia-coiffure[.]com/hx310/
• hxxp[:]//www.sevilaykuaforguzellik[.]com/hx310/
• hxxp[:]//www.250483061[.]com/hx310/
• hxxp[:]//www.villasmarana[.]com/hx310/
• hxxp[:]//www.childrensincatthecastle[.]com/hx310/
• hxxp[:]//www.trendsgiant[.]com/hx310/
• hxxp[:]//www.thetransporterguys[.]com/hx310/
• hxxp[:]//www.wwwgemstra[.]com/hx310/
• hxxp[:]//www.tavewa[.]holiday/hx310/
• hxxp[:]//www.harveyfloodedmyhome[.]com/hx310/
• hxxp[:]//www.lianglinyiyou[.]com/hx310/
• hxxp[:]//www.foothillsoftware[.]info/hx310/

 

MALSPAM

DATA FROM THE MALSPAM:

• Received: from 94.177.236[.]105
• Date: Wednesday, 2019-01-02 as early as 02:28 UTC through at least 05:51 UTC
• Sending address (probably spoofed): grzesiekg@ilovepdf[.]com
• Subject: Re:Fw: Approved - INV-1221/P.I 1124

 

MALWARE

ATTACHMENT FROM THE MALSPAM:

• SHA256 hash:  7cbe6879c4bb39f394711d0deb8c42be8df74967d11ff9699d020540eb1fa098
• File size:  303,657 bytes
• File name:  Unknown, possibly P.I 1124_PDF.zip

WINDOWS EXECUTABLE EXTRACTED FROM THE ATTACHED ZIP ARCHIVE:

• SHA256 hash:  988b1b09c4737513e96477e55fe18599e8d714f226826a2b641681a45ef2e364
• File size:  677,784 bytes
• File name:  P.I 1124_PDF.exe
• File location after infection:  C:\Program Files (x86)\Y3f3\cd2l4nhr.exe   (random directory and file names)

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

• 198.105.244[.]228 port 80 - www.freedomrings[.]info - GET /hx310/?[long string of characters]
• 198.105.244[.]228 port 80 - www.wtzoo[.]win - GET /hx310/?[long string of characters]
• 198.105.244[.]228 port 80 - www.wtzoo[.]win - POST /hx310/
• 50.87.249[.]206 port 80 - www.internationalbankfund[.]com - GET /hx310/?[long string of characters]
• 50.87.249[.]206 port 80 - www.internationalbankfund[.]com - POST /hx310/
• unanswered DNS queries for www.yatai-garden[.]com
• 198.105.244[.]228 port 80 - www.idalia-coiffure[.]com - GET /hx310/?[long string of characters]
• 198.105.244[.]228 port 80 - www.idalia-coiffure[.]com - POST /hx310/
• 198.105.244[.]228 port 80 - www.sevilaykuaforguzellik[.]com - GET /hx310/?[long string of characters]
• 198.105.244[.]228 port 80 - www.sevilaykuaforguzellik[.]com - POST /hx310/
• 198.105.244[.]228 port 80 - www.250483061[.]com - GET /hx310/?[long string of characters]
• 198.105.244[.]228 port 80 - www.250483061[.]com - POST /hx310/
• 185.230.61[.]161 port 80 - www.villasmarana[.]com - GET /hx310/?[long string of characters]
• 185.230.61[.]161 port 80 - www.villasmarana[.]com - POST /hx310/
• 198.105.244[.]228 port 80 - www.childrensincatthecastle[.]com - GET /hx310/?[long string of characters]
• 198.105.244[.]228 port 80 - www.childrensincatthecastle[.]com - POST /hx310/
• 198.105.244[.]228 port 80 - www.trendsgiant[.]com - GET /hx310/?[long string of characters]
• 198.105.244[.]228 port 80 - www.trendsgiant[.]com - POST /hx310/
• 85.233.160[.]24 port 80 - www.thetransporterguys[.]com - GET /hx310/?[long string of characters]
• 85.233.160[.]24 port 80 - www.thetransporterguys[.]com - POST /hx310/
• 198.105.244[.]228 port 80 - www.wwwgemstra[.]com - GET /hx310/?[long string of characters]
• 198.105.244[.]228 port 80 - www.wwwgemstra[.]com - POST /hx310/
• 198.105.244[.]228 port 80 - www.tavewa[.]holiday - GET /hx310/?[long string of characters]
• 198.105.244[.]228 port 80 - www.tavewa[.]holiday - POST /hx310/
• 198.105.244[.]228 port 80 - www.harveyfloodedmyhome[.]com - GET /hx310/?[long string of characters]
• 198.105.244[.]228 port 80 - www.harveyfloodedmyhome[.]com - POST /hx310/
• 192.64.114[].25 port 80 - www.lianglinyiyou[.]com - GET /hx310/?[long string of characters]
• 192.64.114[.]25 port 80 - www.lianglinyiyou[.]com - POST /hx310/
• 198.105.244[.]228 port 80 - www.foothillsoftware[.]info - GET /hx310/?[long string of characters]
• 198.105.244[.]228 port 80 - www.foothillsoftware[.]info - POST /hx310/

 

IMAGES

Shown above:  Formbook persistent on an infected Windows host.  Each infection has a different directory name and file name for this file.

 

Shown above:  Screenshot and data exfiltrated from my infected Windows host.  Each infection has a different directory
name and file name for these files.

 

Click here to return to the main page.