Behavioral Report

General

Target

2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
Size

519KB
MD5

8841b1ae5968f38059f8acc8e53c982a
SHA1

8aca7316435c75b0e8e5f453f9b93572afe64b6b
SHA256

2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88
SHA512

994fee7c54b995caf22dfae31f3b6102077e59c49929a426f0b604f55d62c727b01c7c9c8bf8cf53cbcbf9239401554b39665cf8e8868fb57f44ffbe8aa96953

Score

10^/10

formbook kzk9 rat spyware stealer trojan

Malware Config

Extracted

Family	formbook
Version	4.1
Campaign	kzk9
C2	http://www.yourmajordomo.com/kzk9/ http://www.yourmajordomo.com/kzk9/
Decoy	tianconghuo.club 1996-page.com ourtownmax.net conservativetreehose.com synth.repair donnachicacreperia.com tentfull.com weapp.download surfersink.com gattlebusinessservices.com sebastian249.com anhphuc.company betternatureproducts.net defroplate.com seattlesquidsquad.com polarjob.com lendingadvantage.com angelsondope.com goportjitney.com tiendagrupojagr.com self-care360.com foreignexchage.com loan-stalemate.info hrsimrnsingh.com laserobsession.com primetimesmagazine.com teminyulon.xyz kanoondarab.com alpinefall.com tbmautosales.com 4g2020.com libertyquartermaster.com flavorfalafel.com generlitravel.com solvedfp.icu jamnvibez.com zmx258.com doudiangroup.com dancecenterwest.com ryantheeconomist.com beeofthehive.com bluelearn.world vivalasplantas.com yumiacraftlab.com shophere247365.com enjoybespokenwords.com windajol.com ctgbazar.xyz afcerd.com dateprotect.com northeastonmusic.com fourwaira.com forschungsraumtheater.com islameraloke.com mavericksone.com whguideinfrared.com akomandr.com experts-portail.com ambassadorworldnews.com case-kangaroo.com theglobalbusinessmentor.com igforoldpeople.com royalglossesbss.com merxeduct.com tianconghuo.club 1996-page.com ourtownmax.net conservativetreehose.com synth.repair donnachicacreperia.com tentfull.com weapp.download surfersink.com gattlebusinessservices.com sebastian249.com anhphuc.company betternatureproducts.net defroplate.com seattlesquidsquad.com polarjob.com lendingadvantage.com angelsondope.com goportjitney.com tiendagrupojagr.com self-care360.com foreignexchage.com loan-stalemate.info hrsimrnsingh.com laserobsession.com primetimesmagazine.com teminyulon.xyz kanoondarab.com alpinefall.com tbmautosales.com 4g2020.com libertyquartermaster.com flavorfalafel.com generlitravel.com solvedfp.icu jamnvibez.com zmx258.com doudiangroup.com dancecenterwest.com ryantheeconomist.com beeofthehive.com bluelearn.world vivalasplantas.com yumiacraftlab.com shophere247365.com enjoybespokenwords.com windajol.com ctgbazar.xyz afcerd.com dateprotect.com northeastonmusic.com fourwaira.com forschungsraumtheater.com islameraloke.com mavericksone.com whguideinfrared.com akomandr.com experts-portail.com ambassadorworldnews.com case-kangaroo.com theglobalbusinessmentor.com igforoldpeople.com royalglossesbss.com merxeduct.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload ⋅ 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3864-124-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/3864-125-0x000000000041EB80-mapping.dmp	formbook

Suspicious use of SetThreadContext ⋅ 1 IoCs

Processes:

2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe

description	pid	process	target process
PID 4332 set thread context of 3864	4332	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe

Suspicious behavior: EnumeratesProcesses ⋅ 8 IoCs

Processes:

2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe

pid	process
4332	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
4332	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
4332	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
4332	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
4332	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
4332	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
3864	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
3864	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe

Suspicious use of AdjustPrivilegeToken ⋅ 1 IoCs

Processes:

2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe

description pid process

Token: SeDebugPrivilege 4332 2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe

description	pid	process
Token: SeDebugPrivilege	4332	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe

Suspicious use of WriteProcessMemory ⋅ 6 IoCs

Processes:

2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe

description	pid	process	target process
PID 4332 wrote to memory of 3864	4332	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
PID 4332 wrote to memory of 3864	4332	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
PID 4332 wrote to memory of 3864	4332	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
PID 4332 wrote to memory of 3864	4332	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
PID 4332 wrote to memory of 3864	4332	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
PID 4332 wrote to memory of 3864	4332	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe	2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe

C:\Users\Admin\AppData\Local\Temp\2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe

"C:\Users\Admin\AppData\Local\Temp\2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe"

Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:4332

C:\Users\Admin\AppData\Local\Temp\2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe

"C:\Users\Admin\AppData\Local\Temp\2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe"

Suspicious behavior: EnumeratesProcesses

PID:3864

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

memory/3864-124-0x0000000000400000-0x000000000042E000-memory.dmp

Download
memory/3864-125-0x000000000041EB80-mapping.dmp

Download
memory/3864-126-0x0000000001490000-0x00000000017B0000-memory.dmp

Download
memory/4332-115-0x0000000000D80000-0x0000000000D81000-memory.dmp

Download
memory/4332-117-0x0000000005A40000-0x0000000005A41000-memory.dmp

Download
memory/4332-118-0x0000000005640000-0x0000000005641000-memory.dmp

Download
memory/4332-119-0x00000000056F0000-0x00000000056F1000-memory.dmp

Download
memory/4332-120-0x0000000005540000-0x0000000005A3E000-memory.dmp

Download
memory/4332-121-0x0000000006430000-0x0000000006437000-memory.dmp

Download
memory/4332-122-0x0000000009360000-0x0000000009361000-memory.dmp

Download
memory/4332-123-0x0000000009310000-0x000000000935F000-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Downloads