2024-08-12 (MONDAY): XLOADER/FORMBOOK INFECTION

NOTES:

 

ASSOCIATED FILES:

 

EMAIL

HEADER LINE INFORMATION FROM THE EMAIL:

  • Received: from inolab[.]com (unknown [185.222.58[.]57]) [information removed]; Mon, 12 Aug 2024 03:12:36 +0000 (UTC)
  • From: Minsun Kim <ventas@inolab[.]com>
  • Subject: RE: THEMETAL NEW ORDERFOB$ _KORIA PORT
  • Date: 12 Aug 2024 05:12:35 +0200
  • Message-ID: <20240812051235.02052A1977AA2791@inolab[.]com>
  • Attachment name: THEMETAL NEW ORDERFOB$ _KORIA PORT.rar

 

MALWARE

FILES FROM THE INFECTION:

 

INFECTION TRAFFIC

DOMAINS FROM THE INFECTION TRAFFIC:


 

IMAGES


Shown above:  Screenshot of the email in Thunderbird.

 


Shown above:  Email attachment (RAR archive) and extracted Windows EXE file for XLoader/Formbook.

 


Shown above:  Start of the infection traffic filtered in Wireshark.

 


Shown above:  TCP stream from one of the HTTP POST requests during the post-infection traffic.

 


Shown above:  Traffic later from the infection, after the HTTP POST requests had stopped.

 
