fdebcac35105439faeecb9658e617a8c

General
Target

fdebcac35105439faeecb9658e617a8c.exe

Filesize

393KB

Completed

28-10-2021 11:42

Score
10/10
MD5

fdebcac35105439faeecb9658e617a8c

SHA1

2ab30ddc845cf8664fbc96f82263f89fca255cec

SHA256

3f8d5d1f035d14a94abe8191fb35dd70961af3590ec61a0e90afdb322cd5e18b

Malware Config

Extracted

Family formbook
Version 4.1
Campaign kzk9
C2

http://www.yourmajordomo.com/kzk9/

Decoy

tianconghuo.club

1996-page.com

ourtownmax.net

conservativetreehose.com

synth.repair

donnachicacreperia.com

tentfull.com

weapp.download

surfersink.com

gattlebusinessservices.com

sebastian249.com

anhphuc.company

betternatureproducts.net

defroplate.com

seattlesquidsquad.com

polarjob.com

lendingadvantage.com

angelsondope.com

goportjitney.com

tiendagrupojagr.com

self-care360.com

foreignexchage.com

loan-stalemate.info

hrsimrnsingh.com

laserobsession.com

primetimesmagazine.com

teminyulon.xyz

kanoondarab.com

alpinefall.com

tbmautosales.com

4g2020.com

libertyquartermaster.com

flavorfalafel.com

generlitravel.com

solvedfp.icu

jamnvibez.com

zmx258.com

doudiangroup.com

dancecenterwest.com

ryantheeconomist.com

beeofthehive.com

bluelearn.world

vivalasplantas.com

yumiacraftlab.com

shophere247365.com

enjoybespokenwords.com

windajol.com

ctgbazar.xyz

afcerd.com

dateprotect.com

Signatures 6

Filter: none

  • Formbook

    Description

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook Payload

    Tags

    Reported IOCs

    resourceyara_rule
    behavioral2/memory/852-125-0x0000000000400000-0x000000000042E000-memory.dmpformbook
    behavioral2/memory/852-126-0x000000000041EB80-mapping.dmpformbook
  • Suspicious use of SetThreadContext
    fdebcac35105439faeecb9658e617a8c.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 3780 set thread context of 8523780fdebcac35105439faeecb9658e617a8c.exefdebcac35105439faeecb9658e617a8c.exe
  • Suspicious behavior: EnumeratesProcesses
    fdebcac35105439faeecb9658e617a8c.exefdebcac35105439faeecb9658e617a8c.exe

    Reported IOCs

    pidprocess
    3780fdebcac35105439faeecb9658e617a8c.exe
    3780fdebcac35105439faeecb9658e617a8c.exe
    3780fdebcac35105439faeecb9658e617a8c.exe
    3780fdebcac35105439faeecb9658e617a8c.exe
    3780fdebcac35105439faeecb9658e617a8c.exe
    3780fdebcac35105439faeecb9658e617a8c.exe
    852fdebcac35105439faeecb9658e617a8c.exe
    852fdebcac35105439faeecb9658e617a8c.exe
  • Suspicious use of AdjustPrivilegeToken
    fdebcac35105439faeecb9658e617a8c.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege3780fdebcac35105439faeecb9658e617a8c.exe
  • Suspicious use of WriteProcessMemory
    fdebcac35105439faeecb9658e617a8c.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 3780 wrote to memory of 8523780fdebcac35105439faeecb9658e617a8c.exefdebcac35105439faeecb9658e617a8c.exe
    PID 3780 wrote to memory of 8523780fdebcac35105439faeecb9658e617a8c.exefdebcac35105439faeecb9658e617a8c.exe
    PID 3780 wrote to memory of 8523780fdebcac35105439faeecb9658e617a8c.exefdebcac35105439faeecb9658e617a8c.exe
    PID 3780 wrote to memory of 8523780fdebcac35105439faeecb9658e617a8c.exefdebcac35105439faeecb9658e617a8c.exe
    PID 3780 wrote to memory of 8523780fdebcac35105439faeecb9658e617a8c.exefdebcac35105439faeecb9658e617a8c.exe
    PID 3780 wrote to memory of 8523780fdebcac35105439faeecb9658e617a8c.exefdebcac35105439faeecb9658e617a8c.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\fdebcac35105439faeecb9658e617a8c.exe
    "C:\Users\Admin\AppData\Local\Temp\fdebcac35105439faeecb9658e617a8c.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3780
    • C:\Users\Admin\AppData\Local\Temp\fdebcac35105439faeecb9658e617a8c.exe
      "C:\Users\Admin\AppData\Local\Temp\fdebcac35105439faeecb9658e617a8c.exe"
      Suspicious behavior: EnumeratesProcesses
      PID:852
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads
                          • memory/852-125-0x0000000000400000-0x000000000042E000-memory.dmp

                          • memory/852-126-0x000000000041EB80-mapping.dmp

                          • memory/852-127-0x0000000001760000-0x0000000001A80000-memory.dmp

                          • memory/3780-116-0x0000000000670000-0x0000000000671000-memory.dmp

                          • memory/3780-118-0x0000000005450000-0x0000000005451000-memory.dmp

                          • memory/3780-122-0x0000000005180000-0x0000000005186000-memory.dmp

                          • memory/3780-123-0x0000000007650000-0x0000000007651000-memory.dmp

                          • memory/3780-124-0x0000000007600000-0x000000000764F000-memory.dmp

                          • memory/3780-119-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

                          • memory/3780-120-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

                          • memory/3780-121-0x0000000004F50000-0x000000000544E000-memory.dmp