formbook | 0c33fe39195569a868cf9f87d3aff16e72f5a54c4e52a852b8f986d121fa47e8

General

Target

dllhost.exe
Size

485KB
MD5

1fe73fe4d37cae6a02262b5164f3def0
SHA1

80b03eb27651723bded1fd1425f489225b3bba3b
SHA256

0c33fe39195569a868cf9f87d3aff16e72f5a54c4e52a852b8f986d121fa47e8
SHA512

7416dadb6e85cc43000bba33f47797cf7e5fe5ee0c9f8639685130264a867b6048839d2b74ca3e00b00caf8a1dcf83d08f01901c56ab9343888d62501c48d2b6

Score

10^/10

formbook kzk9 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kzk9

C2

http://www.yourmajordomo.com/kzk9/

Decoy

tianconghuo.club

1996-page.com

ourtownmax.net

conservativetreehose.com

synth.repair

donnachicacreperia.com

tentfull.com

weapp.download

surfersink.com

gattlebusinessservices.com

sebastian249.com

anhphuc.company

betternatureproducts.net

defroplate.com

seattlesquidsquad.com

polarjob.com

lendingadvantage.com

angelsondope.com

goportjitney.com

tiendagrupojagr.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1036-62-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1036-63-0x000000000041EB80-mapping.dmp	formbook
behavioral1/memory/1300-71-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1016 cmd.exe

pid	process
1016	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

dllhost.exedllhost.execolorcpl.exe

description	pid	process	target process
PID 1324 set thread context of 1036	1324	dllhost.exe	dllhost.exe
PID 1036 set thread context of 1244	1036	dllhost.exe	Explorer.EXE
PID 1300 set thread context of 1244	1300	colorcpl.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

dllhost.exedllhost.execolorcpl.exe

pid	process
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1036	dllhost.exe
1036	dllhost.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

dllhost.execolorcpl.exe

pid process

1036 dllhost.exe
1036 dllhost.exe
1036 dllhost.exe
1300 colorcpl.exe
1300 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

dllhost.exedllhost.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 1324 dllhost.exe
Token: SeDebugPrivilege 1036 dllhost.exe
Token: SeDebugPrivilege 1300 colorcpl.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE

pid	process
1036	dllhost.exe
1036	dllhost.exe
1036	dllhost.exe
1300	colorcpl.exe
1300	colorcpl.exe

description	pid	process
Token: SeDebugPrivilege	1324	dllhost.exe
Token: SeDebugPrivilege	1036	dllhost.exe
Token: SeDebugPrivilege	1300	colorcpl.exe

pid	process
1244	Explorer.EXE
1244	Explorer.EXE

pid	process
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

dllhost.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 1324 wrote to memory of 1036	1324	dllhost.exe	dllhost.exe
PID 1324 wrote to memory of 1036	1324	dllhost.exe	dllhost.exe
PID 1324 wrote to memory of 1036	1324	dllhost.exe	dllhost.exe
PID 1324 wrote to memory of 1036	1324	dllhost.exe	dllhost.exe
PID 1324 wrote to memory of 1036	1324	dllhost.exe	dllhost.exe
PID 1324 wrote to memory of 1036	1324	dllhost.exe	dllhost.exe
PID 1324 wrote to memory of 1036	1324	dllhost.exe	dllhost.exe
PID 1244 wrote to memory of 1300	1244	Explorer.EXE	colorcpl.exe
PID 1244 wrote to memory of 1300	1244	Explorer.EXE	colorcpl.exe
PID 1244 wrote to memory of 1300	1244	Explorer.EXE	colorcpl.exe
PID 1244 wrote to memory of 1300	1244	Explorer.EXE	colorcpl.exe
PID 1300 wrote to memory of 1016	1300	colorcpl.exe	cmd.exe
PID 1300 wrote to memory of 1016	1300	colorcpl.exe	cmd.exe
PID 1300 wrote to memory of 1016	1300	colorcpl.exe	cmd.exe
PID 1300 wrote to memory of 1016	1300	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
3⤵
- Deletes itself
PID:1016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1016-72-0x0000000000000000-mapping.dmp

Download
memory/1036-65-0x0000000000A70000-0x0000000000D73000-memory.dmp

Filesize
3.0MB

Download
memory/1036-66-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/1036-60-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1036-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1036-62-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1036-63-0x000000000041EB80-mapping.dmp

Download
memory/1244-75-0x00000000062B0000-0x00000000063D1000-memory.dmp

Filesize
1.1MB

Download
memory/1244-67-0x0000000004AB0000-0x0000000004B87000-memory.dmp

Filesize
860KB

Download
memory/1300-68-0x0000000000000000-mapping.dmp

Download
memory/1300-70-0x0000000000BA0000-0x0000000000BB8000-memory.dmp

Filesize
96KB

Download
memory/1300-71-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1300-73-0x0000000001FC0000-0x00000000022C3000-memory.dmp

Filesize
3.0MB

Download
memory/1300-74-0x0000000000890000-0x0000000000923000-memory.dmp

Filesize
588KB

Download
memory/1324-59-0x0000000004C00000-0x0000000004C50000-memory.dmp

Filesize
320KB

Download
memory/1324-58-0x0000000000440000-0x0000000000445000-memory.dmp

Filesize
20KB

Download
memory/1324-54-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1324-57-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/1324-56-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads