dllhost.exe

max time kernel147s
max time network143s
platformwindows7_x64
resourcewin7-en-20210920
submitted12-10-2021 10:45

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

dllhost.exe

Filesize

485KB

Completed

12-10-2021 10:48

Score

10^/10

MD5

1fe73fe4d37cae6a02262b5164f3def0

SHA1

80b03eb27651723bded1fd1425f489225b3bba3b

SHA256

0c33fe39195569a868cf9f87d3aff16e72f5a54c4e52a852b8f986d121fa47e8

Extracted

Family	formbook
Version	4.1
Campaign	kzk9
C2	http://www.yourmajordomo.com/kzk9/ http://www.yourmajordomo.com/kzk9/
Decoy	tianconghuo.club 1996-page.com ourtownmax.net conservativetreehose.com synth.repair donnachicacreperia.com tentfull.com weapp.download surfersink.com gattlebusinessservices.com sebastian249.com anhphuc.company betternatureproducts.net defroplate.com seattlesquidsquad.com polarjob.com lendingadvantage.com angelsondope.com goportjitney.com tiendagrupojagr.com self-care360.com foreignexchage.com loan-stalemate.info hrsimrnsingh.com laserobsession.com primetimesmagazine.com teminyulon.xyz kanoondarab.com alpinefall.com tbmautosales.com 4g2020.com libertyquartermaster.com flavorfalafel.com generlitravel.com solvedfp.icu jamnvibez.com zmx258.com doudiangroup.com dancecenterwest.com ryantheeconomist.com beeofthehive.com bluelearn.world vivalasplantas.com yumiacraftlab.com shophere247365.com enjoybespokenwords.com windajol.com ctgbazar.xyz afcerd.com dateprotect.com northeastonmusic.com fourwaira.com forschungsraumtheater.com islameraloke.com mavericksone.com whguideinfrared.com akomandr.com experts-portail.com ambassadorworldnews.com case-kangaroo.com theglobalbusinessmentor.com igforoldpeople.com royalglossesbss.com merxeduct.com tianconghuo.club 1996-page.com ourtownmax.net conservativetreehose.com synth.repair donnachicacreperia.com tentfull.com weapp.download surfersink.com gattlebusinessservices.com sebastian249.com anhphuc.company betternatureproducts.net defroplate.com seattlesquidsquad.com polarjob.com lendingadvantage.com angelsondope.com goportjitney.com tiendagrupojagr.com self-care360.com foreignexchage.com loan-stalemate.info hrsimrnsingh.com laserobsession.com primetimesmagazine.com teminyulon.xyz kanoondarab.com alpinefall.com tbmautosales.com 4g2020.com libertyquartermaster.com flavorfalafel.com generlitravel.com solvedfp.icu jamnvibez.com zmx258.com doudiangroup.com dancecenterwest.com ryantheeconomist.com beeofthehive.com bluelearn.world vivalasplantas.com yumiacraftlab.com shophere247365.com enjoybespokenwords.com windajol.com ctgbazar.xyz afcerd.com dateprotect.com northeastonmusic.com fourwaira.com forschungsraumtheater.com islameraloke.com mavericksone.com whguideinfrared.com akomandr.com experts-portail.com ambassadorworldnews.com case-kangaroo.com theglobalbusinessmentor.com igforoldpeople.com royalglossesbss.com merxeduct.com

Formbook

Description

Formbook is a data stealing malware which is capable of stealing data.

Tags

trojan spyware stealer formbook

Formbook Payload

Reported IOCs

resource	yara_rule
behavioral1/memory/1036-62-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1036-63-0x000000000041EB80-mapping.dmp	formbook
behavioral1/memory/1300-71-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Deletes itself
cmd.exe

Reported IOCs

pid process

1016 cmd.exe

pid	process
1016	cmd.exe

Suspicious use of SetThreadContext

dllhost.exedllhost.execolorcpl.exe

Reported IOCs

description	pid	process	target process
PID 1324 set thread context of 1036	1324	dllhost.exe	dllhost.exe
PID 1036 set thread context of 1244	1036	dllhost.exe	Explorer.EXE
PID 1300 set thread context of 1244	1300	colorcpl.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses

dllhost.exedllhost.execolorcpl.exe

Reported IOCs

pid	process
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1324	dllhost.exe
1036	dllhost.exe
1036	dllhost.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe
1300	colorcpl.exe

Suspicious behavior: MapViewOfSection
dllhost.execolorcpl.exe

Reported IOCs

pid process

1036 dllhost.exe
1036 dllhost.exe
1036 dllhost.exe
1300 colorcpl.exe
1300 colorcpl.exe
Suspicious use of AdjustPrivilegeToken
dllhost.exedllhost.execolorcpl.exe

Reported IOCs

description pid process

Token: SeDebugPrivilege 1324 dllhost.exe
Token: SeDebugPrivilege 1036 dllhost.exe
Token: SeDebugPrivilege 1300 colorcpl.exe
Suspicious use of FindShellTrayWindow
Explorer.EXE

Reported IOCs

pid process

1244 Explorer.EXE
1244 Explorer.EXE
Suspicious use of SendNotifyMessage
Explorer.EXE

Reported IOCs

pid process

1244 Explorer.EXE
1244 Explorer.EXE

pid	process
1036	dllhost.exe
1036	dllhost.exe
1036	dllhost.exe
1300	colorcpl.exe
1300	colorcpl.exe

description	pid	process
Token: SeDebugPrivilege	1324	dllhost.exe
Token: SeDebugPrivilege	1036	dllhost.exe
Token: SeDebugPrivilege	1300	colorcpl.exe

pid	process
1244	Explorer.EXE
1244	Explorer.EXE

pid	process
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of WriteProcessMemory

dllhost.exeExplorer.EXEcolorcpl.exe

Reported IOCs

description	pid	process	target process
PID 1324 wrote to memory of 1036	1324	dllhost.exe	dllhost.exe
PID 1324 wrote to memory of 1036	1324	dllhost.exe	dllhost.exe
PID 1324 wrote to memory of 1036	1324	dllhost.exe	dllhost.exe
PID 1324 wrote to memory of 1036	1324	dllhost.exe	dllhost.exe
PID 1324 wrote to memory of 1036	1324	dllhost.exe	dllhost.exe
PID 1324 wrote to memory of 1036	1324	dllhost.exe	dllhost.exe
PID 1324 wrote to memory of 1036	1324	dllhost.exe	dllhost.exe
PID 1244 wrote to memory of 1300	1244	Explorer.EXE	colorcpl.exe
PID 1244 wrote to memory of 1300	1244	Explorer.EXE	colorcpl.exe
PID 1244 wrote to memory of 1300	1244	Explorer.EXE	colorcpl.exe
PID 1244 wrote to memory of 1300	1244	Explorer.EXE	colorcpl.exe
PID 1300 wrote to memory of 1016	1300	colorcpl.exe	cmd.exe
PID 1300 wrote to memory of 1016	1300	colorcpl.exe	cmd.exe
PID 1300 wrote to memory of 1016	1300	colorcpl.exe	cmd.exe
PID 1300 wrote to memory of 1016	1300	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory

PID:1244

C:\Users\Admin\AppData\Local\Temp\dllhost.exe

"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"

Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1324

C:\Users\Admin\AppData\Local\Temp\dllhost.exe

"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"

Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken

PID:1036

C:\Windows\SysWOW64\colorcpl.exe

"C:\Windows\SysWOW64\colorcpl.exe"

Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1300

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"

Deletes itself

PID:1016

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/1016-72-0x0000000000000000-mapping.dmp

Download
memory/1036-65-0x0000000000A70000-0x0000000000D73000-memory.dmp

Download
memory/1036-62-0x0000000000400000-0x000000000042E000-memory.dmp

Download
memory/1036-63-0x000000000041EB80-mapping.dmp

Download
memory/1036-66-0x00000000001D0000-0x00000000001E4000-memory.dmp

Download
memory/1036-60-0x0000000000400000-0x000000000042E000-memory.dmp

Download
memory/1036-61-0x0000000000400000-0x000000000042E000-memory.dmp

Download
memory/1244-75-0x00000000062B0000-0x00000000063D1000-memory.dmp

Download
memory/1244-67-0x0000000004AB0000-0x0000000004B87000-memory.dmp

Download
memory/1300-70-0x0000000000BA0000-0x0000000000BB8000-memory.dmp

Download
memory/1300-71-0x0000000000080000-0x00000000000AE000-memory.dmp

Download
memory/1300-73-0x0000000001FC0000-0x00000000022C3000-memory.dmp

Download
memory/1300-68-0x0000000000000000-mapping.dmp

Download
memory/1300-74-0x0000000000890000-0x0000000000923000-memory.dmp

Download
memory/1324-59-0x0000000004C00000-0x0000000004C50000-memory.dmp

Download
memory/1324-58-0x0000000000440000-0x0000000000445000-memory.dmp

Download
memory/1324-57-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Download
memory/1324-56-0x0000000075661000-0x0000000075663000-memory.dmp

Download
memory/1324-54-0x0000000000120000-0x0000000000121000-memory.dmp

Download

dllhost.exe

Extracted

Filter: none

Description

Tags

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title