{
	"id": "a5bf8a9a-439e-4d8d-94f9-4a70ff43c1b5",
	"created_at": "2026-04-06T00:17:29.670613Z",
	"updated_at": "2026-04-10T03:20:44.900071Z",
	"deleted_at": null,
	"sha1_hash": "1410eba8386c22d6e655b939194ddd55fff55392",
	"title": "Malware-Traffic-Analysis.net - 30 days of Formbook: Day 1, Monday 2023-06-05",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 770767,
	"plain_text": "Malware-Traffic-Analysis.net - 30 days of Formbook: Day 1,\r\nMonday 2023-06-05\r\nArchived: 2026-04-05 21:02:42 UTC\r\nNOTICE:\r\nOf note, the zip archives on this page have been updated, and they now use the new password scheme.  For\r\nthe new password, see the \"about\" page of this website.\r\nNOTES:\r\nI'm gathering data on Formbook, so I plan to generate infection runs on new Formbook samples 30 times\r\nduring the next month or two.\r\nToday's sample is from a .rar archive submitted to VirusTotal on Sunday 2023-06-04.\r\nASSOCIATED FILES:\r\n2023-06-05-IOCs-for-Formbook-infection.txt.zip   2.5 kB   (2,535 bytes)\r\n2023-06-05-Formbook-infection.pcap.zip   3.9 MB   (3,898,132 bytes)\r\n2023-06-05-Formbook-malware-and-artifacts.zip   1.9 MB   (1,919,919 bytes)\r\nIMAGES\r\nhttps://www.malware-traffic-analysis.net/2023/06/05/index.html\r\nPage 1 of 6\n\nShown above:  Initial Formbook binary (Windows EXE file) submitted to VirusTotal.\r\nShown above:  Formbook persistent on the infected Windows host.\r\nShown above:  Stolen data temporarily stored to disk, which is deleted after data is accepted by a Formbook C2\r\nserver.\r\nShown above:  Traffic from the infection filtered in Wireshark.\r\n30 DAYS OF FORMBOOK: DAY 1, MONDAY 2023-06-05\r\nINFECTION CHAIN:\r\n- Unknown vector, possibly distributed as email attachment.\r\nFORMBOOK SAMPLE:\r\n- SHA256 hash: 4d86ca8f4deaffa4779027e6aa03ddd63b8b7b035e1344a609ea1fadbd1040bb\r\n- File size: 620,684 bytes\r\n- File name: Release_pending_bookings_now.rar\r\n- File type: RAR archive data, v4, os: Win32\r\n- File description: RAR archive containing Formbook EXE\r\n- Earliest Contents Modification: 2023-06-04 21:50:35 UTC\r\n- SHA256 hash: 041e8def9ed010055a5b366d501d80f49601e6c8650470c7163addb52a45e634\r\n- File size: 1,072,128 bytes\r\n- File name: Release pending bookings now.exe\r\n- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows\r\n- File description: Formbook EXE with Adobe PDF-style icon\r\n- Creation Time: 2023-06-04 20:50:35 UTC\r\n- SHA256 hash: 5a48b39e1031dc42091ea074e632b3e8cc22a887b16c909b2dcd66490a8cf377\r\n- File size: 1,072,128 bytes\r\n- File location: C:\\Program Files (x86)\\Mgvd0-6q\\hte5jd.exe\r\n- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows\r\n- File description: Formbook from the above sample, persistent on the infected Windows host\r\nFORMBOOK PERSISTENCE:\r\n- Windows Registry key: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\n- Value name: IVUDUFW0\r\n- Value type: REG_SZ\r\n- Value Data: C:\\Program Files (x86)\\Mgvd0-6q\\hte5jd.exe\r\nDATA STORED FOR EXFILTRATION TO FORMBOOK C2 SERVER:\r\n- C:\\Users\\[username]\\AppData\\Roaming\\KM1A2CD2\\KM1log.ini - 0 bytes\r\n- C:\\Users\\[username]\\AppData\\Roaming\\KM1A2CD2\\KM1logim.jpeg - 137 kB (screenshot of desktop)\r\n- C:\\Users\\[username]\\AppData\\Roaming\\KM1A2CD2\\KM1logrc.ini - 2 kB (Outlook Recovery)\r\n- C:\\Users\\[username]\\AppData\\Roaming\\KM1A2CD2\\KM1logri.ini - 1 kB (Iexplore Recovery)\r\n- C:\\Users\\[username]\\AppData\\Roaming\\KM1A2CD2\\KM1logrv.ini - 1 kB (__Vault Recovery)\r\n- Note: All the above files were deleted after data exfiltration, except for first file at 0 bytes nam\r\nFORMBOOK HTTP GET AND POST REQUESTS:\r\n- GET /he2a/?[string of alphanumeric characters with the following mixed in: = _ + and /]\r\n- POST /he2a/\r\nFORMBOOK DOMAINS THAT DID NOT RESOLVE:\r\n- DNS query for www.24eu-ru-startup[.]xyz - No such name\r\n- DNS query for www.b-store[.]shop - No such name\r\n- DNS query for www.bavrnimn[.]site - No such name\r\n- DNS query for www.connectioncompass[.]store - No such name\r\n- DNS query for www.hfaer4[.]xyz - No such name\r\n- DNS query for www.lb92[.]tech - No such name\r\n- DNS query for www.meet-friends[.]online - No such name\r\n- DNS query for www.myjbtest[.]net - No such name\r\n- DNS query for www.narcisme[.]coach - No such name\r\n- DNS query for www.pagosmultired[.]online - no response from DNS\r\n- DNS query for www.redtopassociates[.]com - No such name\r\n- DNS query for www.smokintires[.]net - No such name\r\n- DNS query for www.wealthjigsaw[.]xyz - No such name\r\nFORMBOOK DOMAINS THAT RESOLVED, BUT NO CONNECTION TO SERVER:\r\n- 156.239.77[.]249 port 80 - www.paintellensburg[.]com - TCP SYN segments only, no response or RST f\r\n- 3.36.26[.]167 port 80 - www.6o20r[.]beauty - TCP SYN segments only, no response or RST from server\r\nFORMBOOK GET URLS ONLY:\r\n- Note: Most of these are parked domain pages, although some appear to be legitimate websites.\r\n- 13.248.243[.]5 port 80 - www.4tvaccounting[.]com\r\n- 115.126.35[.]194 port 80 - www.678ap[.]com\r\n- 217.70.184[.]50 port 80 - www.adept-expert-comptable[.]net\r\n- 50.87.146[.]73 port 80 - www.arsajib[.]com\r\n- 34.102.136[.]180 port 80 - www.avaturre[.]biz\r\n- 198.54.117[.]216 port 80 - www.botfolk[.]com\r\n- 154.219.175[.]99 port 80 - www.cpohlelaw[.]com\r\n- 154.197.7[.]82 port 80 - www.cyg8wm3zfb[.]xyz\r\n- 75.2.115[.]196 port 80 - www.dp77[.]shop\r\n- 72.167.69[.]17 port 80 - www.dtslogs[.]com\r\n- 103.224.182[.]210 port 80 - www.eletrobrasilvendas[.]com\r\n- 169.239.218[.]55 port 80 - www.epeople[.]store\r\n- 198.54.117[.]215 or 198.54.117[.]218 port 80 - www.guninfo[.]guru\r\n- 104.194.229[.]208 port 80 - www.hg08139[.]com\r\n- 34.102.136[.]180 port 80 - www.mamaeconomics[.]net\r\n- 172.67.160[.]165 port 80 - www.mathews[.]buzz\r\n- 172.67.147[.]23 port 80 - www.mimi2023[.]monster\r\n- 154.31.55[.]249 port 80 - www.mybet668[.]com\r\n- 34.69.160[.]147 port 80 - www.pf326[.]com\r\n- 103.181.194[.]5 port 80 - www.pittalam[.]com\r\n- 204.188.203[.]154 port 80 - www.saledotfate[.]live\r\n- 198.185.159[.]144 port 80 - www.theoregondog[.]com\r\n- 91.238.163[.]179 port 80 - www.totneshotdesk[.]com\r\n- 217.70.184[.]50 port 80 - www.xn--groupe-gorg-lbb[.]com\r\n- 107.148.151[.]12 port 80 - www.yuwangjing[.]com\r\n- 172.67.147[.]73 port 80 - www.zamupoi[.]fun\r\n- 104.21.75[.]135 port 80 - www.zekicharge[.]com\r\nDOMAINS USING FORMBOOK GET AND POST URLS:\r\n- Note: These appear to be legitimate websites or parked domain pages.\r\n- 76.223.105[.]230 port 80 - www.4tvaccounting[.]com\r\n- 15.197.142[.]173 port 80 - www.cyberlegion[.]group\r\n- 34.117.168[.]233 port 80 - www.dcmdot[.]com **\r\n- 15.197.142[.]173 port 80 - www.emsculptcenterofne[.]com\r\n- 91.195.240[.]94 port 80 - www.giuila[.]online\r\n- 34.102.136[.]180 port 80 - www.matrix-promotions[.]com\r\n- 104.21.28[.]185 port 80 - www.mimi2023[.]monster **\r\n- 34.102.136[.]180 port 80 - www.misstamar[.]mobi **\r\n- 67.223.117[.]3 port 80 - www.notbokin[.]online **\r\n- 68.65.122[.]50 port 80 - www.qfs-capital[.]com !!\r\n- 64.98.135[.]49 port 80 - www.taylorranchtrail[.]com **\r\n- 202.124.241[.]178 port 80 - www.theaustralianbrisketboard[.]com\r\n ** - Full stolen data (encoded) sent through HTTP POST request.\r\n !! - Domain www.qfs-capital[.]com appears to be a legitimate site, but response headers from the PO\r\n it accepted the stolen data.\r\nSource: https://www.malware-traffic-analysis.net/2023/06/05/index.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.malware-traffic-analysis.net/2023/06/05/index.html"
	],
	"report_names": [
		"index.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434649,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1410eba8386c22d6e655b939194ddd55fff55392.pdf",
		"text": "https://archive.orkl.eu/1410eba8386c22d6e655b939194ddd55fff55392.txt",
		"img": "https://archive.orkl.eu/1410eba8386c22d6e655b939194ddd55fff55392.jpg"
	}
}