1ad9efcddab819d24cca2f9323395f9e

General
Target

1ad9efcddab819d24cca2f9323395f9e.exe

Filesize

329KB

Completed

13-11-2021 10:57

Score
10/10
MD5

1ad9efcddab819d24cca2f9323395f9e

SHA1

1ffcdd188cb66666cdac14bb8d8b48902bd666e6

SHA256

8b249a16ea50d01651cf9c1f01c97deea48293f1b28735450d62bd0413b93653

Malware Config

Extracted

Family formbook
Version 4.1
Campaign kzk9
C2

http://www.yourmajordomo.com/kzk9/

Decoy

tianconghuo.club

1996-page.com

ourtownmax.net

conservativetreehose.com

synth.repair

donnachicacreperia.com

tentfull.com

weapp.download

surfersink.com

gattlebusinessservices.com

sebastian249.com

anhphuc.company

betternatureproducts.net

defroplate.com

seattlesquidsquad.com

polarjob.com

lendingadvantage.com

angelsondope.com

goportjitney.com

tiendagrupojagr.com

self-care360.com

foreignexchage.com

loan-stalemate.info

hrsimrnsingh.com

laserobsession.com

primetimesmagazine.com

teminyulon.xyz

kanoondarab.com

alpinefall.com

tbmautosales.com

4g2020.com

libertyquartermaster.com

flavorfalafel.com

generlitravel.com

solvedfp.icu

jamnvibez.com

zmx258.com

doudiangroup.com

dancecenterwest.com

ryantheeconomist.com

beeofthehive.com

bluelearn.world

vivalasplantas.com

yumiacraftlab.com

shophere247365.com

enjoybespokenwords.com

windajol.com

ctgbazar.xyz

afcerd.com

dateprotect.com

Signatures 6

Filter: none

  • Formbook

    Description

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook Payload

    Tags

    Reported IOCs

    resourceyara_rule
    behavioral2/memory/1012-124-0x0000000000400000-0x000000000042E000-memory.dmpformbook
    behavioral2/memory/1012-125-0x000000000041EB80-mapping.dmpformbook
  • Suspicious use of SetThreadContext
    1ad9efcddab819d24cca2f9323395f9e.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2680 set thread context of 101226801ad9efcddab819d24cca2f9323395f9e.exe1ad9efcddab819d24cca2f9323395f9e.exe
  • Suspicious behavior: EnumeratesProcesses
    1ad9efcddab819d24cca2f9323395f9e.exe1ad9efcddab819d24cca2f9323395f9e.exe

    Reported IOCs

    pidprocess
    26801ad9efcddab819d24cca2f9323395f9e.exe
    26801ad9efcddab819d24cca2f9323395f9e.exe
    26801ad9efcddab819d24cca2f9323395f9e.exe
    26801ad9efcddab819d24cca2f9323395f9e.exe
    26801ad9efcddab819d24cca2f9323395f9e.exe
    26801ad9efcddab819d24cca2f9323395f9e.exe
    10121ad9efcddab819d24cca2f9323395f9e.exe
    10121ad9efcddab819d24cca2f9323395f9e.exe
  • Suspicious use of AdjustPrivilegeToken
    1ad9efcddab819d24cca2f9323395f9e.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege26801ad9efcddab819d24cca2f9323395f9e.exe
  • Suspicious use of WriteProcessMemory
    1ad9efcddab819d24cca2f9323395f9e.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2680 wrote to memory of 101226801ad9efcddab819d24cca2f9323395f9e.exe1ad9efcddab819d24cca2f9323395f9e.exe
    PID 2680 wrote to memory of 101226801ad9efcddab819d24cca2f9323395f9e.exe1ad9efcddab819d24cca2f9323395f9e.exe
    PID 2680 wrote to memory of 101226801ad9efcddab819d24cca2f9323395f9e.exe1ad9efcddab819d24cca2f9323395f9e.exe
    PID 2680 wrote to memory of 101226801ad9efcddab819d24cca2f9323395f9e.exe1ad9efcddab819d24cca2f9323395f9e.exe
    PID 2680 wrote to memory of 101226801ad9efcddab819d24cca2f9323395f9e.exe1ad9efcddab819d24cca2f9323395f9e.exe
    PID 2680 wrote to memory of 101226801ad9efcddab819d24cca2f9323395f9e.exe1ad9efcddab819d24cca2f9323395f9e.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\1ad9efcddab819d24cca2f9323395f9e.exe
    "C:\Users\Admin\AppData\Local\Temp\1ad9efcddab819d24cca2f9323395f9e.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Users\Admin\AppData\Local\Temp\1ad9efcddab819d24cca2f9323395f9e.exe
      "C:\Users\Admin\AppData\Local\Temp\1ad9efcddab819d24cca2f9323395f9e.exe"
      Suspicious behavior: EnumeratesProcesses
      PID:1012
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads
                          • memory/1012-124-0x0000000000400000-0x000000000042E000-memory.dmp

                          • memory/1012-125-0x000000000041EB80-mapping.dmp

                          • memory/1012-126-0x00000000012C0000-0x00000000015E0000-memory.dmp

                          • memory/2680-115-0x0000000000210000-0x0000000000211000-memory.dmp

                          • memory/2680-117-0x00000000051E0000-0x00000000051E1000-memory.dmp

                          • memory/2680-121-0x0000000004F90000-0x0000000004F97000-memory.dmp

                          • memory/2680-122-0x0000000007380000-0x0000000007381000-memory.dmp

                          • memory/2680-123-0x0000000007420000-0x000000000746B000-memory.dmp

                          • memory/2680-118-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

                          • memory/2680-119-0x0000000004CE0000-0x00000000051DE000-memory.dmp

                          • memory/2680-120-0x0000000004C70000-0x0000000004C71000-memory.dmp