6923309c1cf759930f67710ac9dfd328

General
Target

6923309c1cf759930f67710ac9dfd328.exe

Filesize

511KB

Completed

21-10-2021 18:48

Score
10/10
MD5

6923309c1cf759930f67710ac9dfd328

SHA1

e74291e311e8466dd7222a2eb3779848385dd3fa

SHA256

3c4aa39e200cb4303a3e5970bbedb5a1bb1baa656c3fc2286f82392a91e4a4ea

Malware Config

Extracted

Family formbook
Version 4.1
Campaign kzk9
C2

http://www.yourmajordomo.com/kzk9/

Decoy

tianconghuo.club

1996-page.com

ourtownmax.net

conservativetreehose.com

synth.repair

donnachicacreperia.com

tentfull.com

weapp.download

surfersink.com

gattlebusinessservices.com

sebastian249.com

anhphuc.company

betternatureproducts.net

defroplate.com

seattlesquidsquad.com

polarjob.com

lendingadvantage.com

angelsondope.com

goportjitney.com

tiendagrupojagr.com

self-care360.com

foreignexchage.com

loan-stalemate.info

hrsimrnsingh.com

laserobsession.com

primetimesmagazine.com

teminyulon.xyz

kanoondarab.com

alpinefall.com

tbmautosales.com

4g2020.com

libertyquartermaster.com

flavorfalafel.com

generlitravel.com

solvedfp.icu

jamnvibez.com

zmx258.com

doudiangroup.com

dancecenterwest.com

ryantheeconomist.com

beeofthehive.com

bluelearn.world

vivalasplantas.com

yumiacraftlab.com

shophere247365.com

enjoybespokenwords.com

windajol.com

ctgbazar.xyz

afcerd.com

dateprotect.com

Signatures 6

Filter: none

  • Formbook

    Description

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook Payload

    Tags

    Reported IOCs

    resourceyara_rule
    behavioral2/memory/4416-124-0x0000000000400000-0x000000000042E000-memory.dmpformbook
    behavioral2/memory/4416-125-0x000000000041EB80-mapping.dmpformbook
  • Suspicious use of SetThreadContext
    6923309c1cf759930f67710ac9dfd328.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 3556 set thread context of 441635566923309c1cf759930f67710ac9dfd328.exe6923309c1cf759930f67710ac9dfd328.exe
  • Suspicious behavior: EnumeratesProcesses
    6923309c1cf759930f67710ac9dfd328.exe6923309c1cf759930f67710ac9dfd328.exe

    Reported IOCs

    pidprocess
    35566923309c1cf759930f67710ac9dfd328.exe
    35566923309c1cf759930f67710ac9dfd328.exe
    35566923309c1cf759930f67710ac9dfd328.exe
    35566923309c1cf759930f67710ac9dfd328.exe
    35566923309c1cf759930f67710ac9dfd328.exe
    35566923309c1cf759930f67710ac9dfd328.exe
    44166923309c1cf759930f67710ac9dfd328.exe
    44166923309c1cf759930f67710ac9dfd328.exe
  • Suspicious use of AdjustPrivilegeToken
    6923309c1cf759930f67710ac9dfd328.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege35566923309c1cf759930f67710ac9dfd328.exe
  • Suspicious use of WriteProcessMemory
    6923309c1cf759930f67710ac9dfd328.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 3556 wrote to memory of 441635566923309c1cf759930f67710ac9dfd328.exe6923309c1cf759930f67710ac9dfd328.exe
    PID 3556 wrote to memory of 441635566923309c1cf759930f67710ac9dfd328.exe6923309c1cf759930f67710ac9dfd328.exe
    PID 3556 wrote to memory of 441635566923309c1cf759930f67710ac9dfd328.exe6923309c1cf759930f67710ac9dfd328.exe
    PID 3556 wrote to memory of 441635566923309c1cf759930f67710ac9dfd328.exe6923309c1cf759930f67710ac9dfd328.exe
    PID 3556 wrote to memory of 441635566923309c1cf759930f67710ac9dfd328.exe6923309c1cf759930f67710ac9dfd328.exe
    PID 3556 wrote to memory of 441635566923309c1cf759930f67710ac9dfd328.exe6923309c1cf759930f67710ac9dfd328.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\6923309c1cf759930f67710ac9dfd328.exe
    "C:\Users\Admin\AppData\Local\Temp\6923309c1cf759930f67710ac9dfd328.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3556
    • C:\Users\Admin\AppData\Local\Temp\6923309c1cf759930f67710ac9dfd328.exe
      "C:\Users\Admin\AppData\Local\Temp\6923309c1cf759930f67710ac9dfd328.exe"
      Suspicious behavior: EnumeratesProcesses
      PID:4416
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads
                          • memory/3556-115-0x0000000000170000-0x0000000000171000-memory.dmp

                          • memory/3556-117-0x00000000073D0000-0x00000000073D1000-memory.dmp

                          • memory/3556-118-0x0000000006F70000-0x0000000006F71000-memory.dmp

                          • memory/3556-119-0x0000000006ED0000-0x00000000073CE000-memory.dmp

                          • memory/3556-120-0x0000000006F00000-0x0000000006F01000-memory.dmp

                          • memory/3556-121-0x0000000007170000-0x0000000007177000-memory.dmp

                          • memory/3556-122-0x0000000007B70000-0x0000000007B71000-memory.dmp

                          • memory/3556-123-0x0000000007B20000-0x0000000007B6F000-memory.dmp

                          • memory/4416-124-0x0000000000400000-0x000000000042E000-memory.dmp

                          • memory/4416-125-0x000000000041EB80-mapping.dmp

                          • memory/4416-126-0x0000000001430000-0x0000000001750000-memory.dmp