d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302

General
Target

d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe

Filesize

697KB

Completed

22-10-2021 15:58

Score
10/10
MD5

f94dd54fedbdf4f0f6992c781476e4a4

SHA1

93fb57ab3c31b5fa13827670a003ea203ff904d5

SHA256

d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302

Malware Config

Extracted

Family formbook
Version 4.1
Campaign kzk9
C2

http://www.yourmajordomo.com/kzk9/
Decoy

tianconghuo.club

1996-page.com

ourtownmax.net

conservativetreehose.com

synth.repair

donnachicacreperia.com

tentfull.com

weapp.download

surfersink.com

gattlebusinessservices.com

sebastian249.com

anhphuc.company

betternatureproducts.net

defroplate.com

seattlesquidsquad.com

polarjob.com

lendingadvantage.com

angelsondope.com

goportjitney.com

tiendagrupojagr.com

self-care360.com

foreignexchage.com

loan-stalemate.info

hrsimrnsingh.com

laserobsession.com

primetimesmagazine.com

teminyulon.xyz

kanoondarab.com

alpinefall.com

tbmautosales.com

4g2020.com

libertyquartermaster.com

flavorfalafel.com

generlitravel.com

solvedfp.icu

jamnvibez.com

zmx258.com

doudiangroup.com

dancecenterwest.com

ryantheeconomist.com

beeofthehive.com

bluelearn.world

vivalasplantas.com

yumiacraftlab.com

shophere247365.com

enjoybespokenwords.com

windajol.com

ctgbazar.xyz

afcerd.com

dateprotect.com
Signatures 6

Filter: none

  • Formbook

    Description

    Formbook is a data stealing malware which is capable of stealing data.

    Tags

  • Formbook Payload

    Tags

    Reported IOCs

    resourceyara_rule
    behavioral1/memory/3796-124-0x0000000000400000-0x000000000042E000-memory.dmpformbook
    behavioral1/memory/3796-125-0x000000000041EB80-mapping.dmpformbook
  • Suspicious use of SetThreadContext
    d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2744 set thread context of 37962744d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exed9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe
  • Suspicious behavior: EnumeratesProcesses
    d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exed9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe

    Reported IOCs

    pidprocess
    2744d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe
    2744d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe
    2744d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe
    2744d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe
    2744d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe
    2744d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe
    3796d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe
    3796d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe
  • Suspicious use of AdjustPrivilegeToken
    d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege2744d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe
  • Suspicious use of WriteProcessMemory
    d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2744 wrote to memory of 37962744d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exed9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe
    PID 2744 wrote to memory of 37962744d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exed9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe
    PID 2744 wrote to memory of 37962744d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exed9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe
    PID 2744 wrote to memory of 37962744d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exed9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe
    PID 2744 wrote to memory of 37962744d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exed9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe
    PID 2744 wrote to memory of 37962744d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exed9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe
    "C:\Users\Admin\AppData\Local\Temp\d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Users\Admin\AppData\Local\Temp\d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe
      "C:\Users\Admin\AppData\Local\Temp\d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302.exe"
      Suspicious behavior: EnumeratesProcesses
      PID:3796
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads

                          • memory/2744-115-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

                            Download

                          • memory/2744-117-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

                            Download

                          • memory/2744-118-0x0000000007AD0000-0x0000000007AD1000-memory.dmp

                            Download

                          • memory/2744-119-0x00000000079F0000-0x0000000007EEE000-memory.dmp

                            Download

                          • memory/2744-120-0x0000000007A60000-0x0000000007A61000-memory.dmp

                            Download

                          • memory/2744-121-0x0000000007D60000-0x0000000007D67000-memory.dmp

                            Download

                          • memory/2744-122-0x000000000A2F0000-0x000000000A2F1000-memory.dmp

                            Download

                          • memory/2744-123-0x0000000008D80000-0x0000000008DCF000-memory.dmp

                            Download

                          • memory/3796-124-0x0000000000400000-0x000000000042E000-memory.dmp

                            Download

                          • memory/3796-125-0x000000000041EB80-mapping.dmp

                            Download

                          • memory/3796-126-0x0000000001A10000-0x0000000001D30000-memory.dmp

                            Download