2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88

General
Target

2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe

Filesize

519KB

Completed

22-10-2021 02:53

Score
10/10
MD5

8841b1ae5968f38059f8acc8e53c982a

SHA1

8aca7316435c75b0e8e5f453f9b93572afe64b6b

SHA256

2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88

Malware Config

Extracted

Family formbook
Version 4.1
Campaign kzk9
C2

http://www.yourmajordomo.com/kzk9/
Decoy

tianconghuo.club

1996-page.com

ourtownmax.net

conservativetreehose.com

synth.repair

donnachicacreperia.com

tentfull.com

weapp.download

surfersink.com

gattlebusinessservices.com

sebastian249.com

anhphuc.company

betternatureproducts.net

defroplate.com

seattlesquidsquad.com

polarjob.com

lendingadvantage.com

angelsondope.com

goportjitney.com

tiendagrupojagr.com

self-care360.com

foreignexchage.com

loan-stalemate.info

hrsimrnsingh.com

laserobsession.com

primetimesmagazine.com

teminyulon.xyz

kanoondarab.com

alpinefall.com

tbmautosales.com

4g2020.com

libertyquartermaster.com

flavorfalafel.com

generlitravel.com

solvedfp.icu

jamnvibez.com

zmx258.com

doudiangroup.com

dancecenterwest.com

ryantheeconomist.com

beeofthehive.com

bluelearn.world

vivalasplantas.com

yumiacraftlab.com

shophere247365.com

enjoybespokenwords.com

windajol.com

ctgbazar.xyz

afcerd.com

dateprotect.com
Signatures 6

Filter: none

  • Formbook

    Description

    Formbook is a data stealing malware which is capable of stealing data.

    Tags

  • Formbook Payload

    Tags

    Reported IOCs

    resourceyara_rule
    behavioral1/memory/3864-124-0x0000000000400000-0x000000000042E000-memory.dmpformbook
    behavioral1/memory/3864-125-0x000000000041EB80-mapping.dmpformbook
  • Suspicious use of SetThreadContext
    2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 4332 set thread context of 386443322d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
  • Suspicious behavior: EnumeratesProcesses
    2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe

    Reported IOCs

    pidprocess
    43322d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
    43322d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
    43322d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
    43322d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
    43322d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
    43322d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
    38642d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
    38642d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
  • Suspicious use of AdjustPrivilegeToken
    2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege43322d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
  • Suspicious use of WriteProcessMemory
    2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 4332 wrote to memory of 386443322d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
    PID 4332 wrote to memory of 386443322d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
    PID 4332 wrote to memory of 386443322d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
    PID 4332 wrote to memory of 386443322d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
    PID 4332 wrote to memory of 386443322d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
    PID 4332 wrote to memory of 386443322d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
    "C:\Users\Admin\AppData\Local\Temp\2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:4332
    • C:\Users\Admin\AppData\Local\Temp\2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe
      "C:\Users\Admin\AppData\Local\Temp\2d21e970df7a629322de2c466d276d3a36f5bc742800459a76a12a7d71575f88.exe"
      Suspicious behavior: EnumeratesProcesses
      PID:3864
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads

                          • memory/3864-124-0x0000000000400000-0x000000000042E000-memory.dmp

                            Download

                          • memory/3864-125-0x000000000041EB80-mapping.dmp

                            Download

                          • memory/3864-126-0x0000000001490000-0x00000000017B0000-memory.dmp

                            Download

                          • memory/4332-115-0x0000000000D80000-0x0000000000D81000-memory.dmp

                            Download

                          • memory/4332-117-0x0000000005A40000-0x0000000005A41000-memory.dmp

                            Download

                          • memory/4332-121-0x0000000006430000-0x0000000006437000-memory.dmp

                            Download

                          • memory/4332-122-0x0000000009360000-0x0000000009361000-memory.dmp

                            Download

                          • memory/4332-123-0x0000000009310000-0x000000000935F000-memory.dmp

                            Download

                          • memory/4332-118-0x0000000005640000-0x0000000005641000-memory.dmp

                            Download

                          • memory/4332-119-0x00000000056F0000-0x00000000056F1000-memory.dmp

                            Download

                          • memory/4332-120-0x0000000005540000-0x0000000005A3E000-memory.dmp

                            Download