2019-05-20 - MALSPAM PUSHES FORMBOOK

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Email:  2019-05-20-associated-malspam.zip   246 kB (245,879 bytes)

• 2019-05-19-malspam-pushing-Formbook-1807-UTC.eml   (323,861 bytes)

• Traffic:  2019-05-20-Formbook-infection-traffic.pcap.zip   1.7 MB (1,716,450 bytes)

• 2019-05-20-Formbook-infection-traffic.pcap   (2,416,560 bytes)

• Malware and artifacts:  2019-05-20-malware-and-artifacts-from-Formbook-infection.zip   480 kB (480,351 bytes)

• 2019-05-19-Formbook-malspam-email-attachment.rar   (235,629 bytes)
• 2019-05-19-Formbook-EXE-extracted-from-malspam-attachment.exe   (471,040 bytes)
• 2019-05-20-Windows-registry-update-to-keep-Formbook-persistent.txt   (578 bytes)

 

EMAIL

Shown above:  An example of Formbook malspam from Sunday, 2019-05-19.

 

TRAFFIC

 

Shown above:  Traffic from an infection filtered in Wireshark.

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

• 23.20.239[.]12 port 80 - www.idolapkr[.]com - GET /ha/?1b=[long string]
• 199.192.19[.]135 port 80 - www.tuemhrs[.]com - GET /ha/?1b=[long string]
• 199.192.19[.]135 port 80 - www.tuemhrs[.]com - POST /ha/
• 23.110.92[.]106 port 80 - www.advisemi[.]com - GET /ha/?1b=[long string]
• 23.110.92[.]106 port 80 - www.advisemi[.]com - POST /ha/
• 91.195.240[.]126 port 80 - www.aewsgbpu[.]com - GET /ha/?1b=[long string]
• 91.195.240[.]126 port 80 - www.aewsgbpu[.]com - POST /ha/
• 34.73.137[.]103 port 80 - www.sandboxtweets[.]com - GET /ha/?1b=[long string]
• 34.73.137[.]103 port 80 - www.sandboxtweets[.]com - POST /ha/
• 154.216.225[.]187 port 80 - www.027yunwu[.]com - GET /ha/?1b=[long string]
• 154.216.225[.]187 port 80 - www.027yunwu[.]com - POST /ha/
• 69.195.124[.]145 port 80 - www.tatareality[.]com - GET /ha/?1b=[long string]
• 69.195.124[.]145 port 80 - www.tatareality[.]com - POST /ha/
• 23.21.153[.]146 port 80 - www.firststeptowealth[.]com - GET /ha/?1b=[long string]
• 23.21.153[.]146 port 80 - www.firststeptowealth[.]com - POST /ha/
• 195.201.25[.]31 port 80 - www.tier1mail[.]com - GET /ha/?1b=[long string]
• 195.201.25[.]31 port 80 - www.tier1mail[.]com - POST /ha/
• 93.89.226[.]17 port 80 - www.kibristakumar[.]com - GET /ha/?1b=[long string]
• 93.89.226[.]17 port 80 - www.kibristakumar[.]com - POST /ha/
• DNS query for www.0l1zerothen[.]men - response: No such name
• DNS query for www.jz8066[.]com - response: No such name
• DNS query for www.walwarez[.]com - response: No such name
• DNS query for www.prcrim[.]com - response: Server failure
• DNS query for www.mywebgib[.]com - response: No such name

 

FILE HASHES

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:

• SHA256 hash:  7f335f990851510ab9654e9fc1add2acec2c38a64563b711031769c58ecd45c0
  File size:  235,629 bytes
  File name:  Purchase Order Details HTE1903-008.rar
  File description:  Rar archive attached to malspam

• SHA256 hash:  5a7042e698ce8e5cf6c4615e41a4205a52d9bb18a6ff214a967724c866cb72b4
  File size:  471,040 bytes
  File name:  purchase.exe
  File location after infection:  C:\Program Files (x86)\Fstqt\0tax3f9.exe
  File description:  Formbook malware EXE

 

IMAGES

Shown above:  Malware and artifacts from an infected Windows host.

 

Click here to return to the main page.