dllhost.exe

General

Target: dllhost.exe
Filesize: 485KB
Completed: 12-10-2021 10:48
Score: 10/10
MD5: 1fe73fe4d37cae6a02262b5164f3def0
SHA1: 80b03eb27651723bded1fd1425f489225b3bba3b
SHA256: 0c33fe39195569a868cf9f87d3aff16e72f5a54c4e52a852b8f986d121fa47e8

Malware Config

Extracted

Family: formbook
Version: 4.1
Campaign: kzk9
C2: http://www.yourmajordomo.com/kzk9/

Decoy: 50 decoy domains

Signatures (10)

  • Formbook

    Description

    Formbook is an information-stealing malware family.

  • Formbook Payload

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1036-62-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
    behavioral1/memory/1036-63-0x000000000041EB80-mapping.dmp | formbook
    behavioral1/memory/1300-71-0x0000000000080000-0x00000000000AE000-memory.dmp | formbook
  • Deletes itself
    cmd.exe

    Reported IOCs

    pid | process
    1016 | cmd.exe
  • Suspicious use of SetThreadContext
    dllhost.exe, dllhost.exe, colorcpl.exe

    Reported IOCs

    description | pid | process | target process
    PID 1324 set thread context of 1036 | 1324 | dllhost.exe | dllhost.exe
    PID 1036 set thread context of 1244 | 1036 | dllhost.exe | Explorer.EXE
    PID 1300 set thread context of 1244 | 1300 | colorcpl.exe | Explorer.EXE
  • Suspicious behavior: EnumeratesProcesses
    dllhost.exe, dllhost.exe, colorcpl.exe

    Reported IOCs

    pid | process | events
    1324 | dllhost.exe | 7
    1036 | dllhost.exe | 2
    1300 | colorcpl.exe | 19
  • Suspicious behavior: MapViewOfSection
    dllhost.exe, colorcpl.exe

    Reported IOCs

    pid | process | events
    1036 | dllhost.exe | 3
    1300 | colorcpl.exe | 2
  • Suspicious use of AdjustPrivilegeToken
    dllhost.exe, dllhost.exe, colorcpl.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1324 | dllhost.exe
    Token: SeDebugPrivilege | 1036 | dllhost.exe
    Token: SeDebugPrivilege | 1300 | colorcpl.exe
  • Suspicious use of FindShellTrayWindow
    Explorer.EXE

    Reported IOCs

    pid | process | events
    1244 | Explorer.EXE | 2
  • Suspicious use of SendNotifyMessage
    Explorer.EXE

    Reported IOCs

    pid | process | events
    1244 | Explorer.EXE | 2
  • Suspicious use of WriteProcessMemory
    dllhost.exe, Explorer.EXE, colorcpl.exe

    Reported IOCs

    description | pid | process | target process | events
    PID 1324 wrote to memory of 1036 | 1324 | dllhost.exe | dllhost.exe | 7
    PID 1244 wrote to memory of 1300 | 1244 | Explorer.EXE | colorcpl.exe | 4
    PID 1300 wrote to memory of 1016 | 1300 | colorcpl.exe | cmd.exe | 4
Processes (5)
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Users\Admin\AppData\Local\Temp\dllhost.exe
      "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Users\Admin\AppData\Local\Temp\dllhost.exe
        "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:1036
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
        Deletes itself
        PID:1016
Network
MITRE ATT&CK Matrix
Columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads: 19 memory dumps