Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    165s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    14-09-2021 21:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8d239a08e27c28f5a5dea56ab895274476ae7360d5d456d89b58d33a392d49c.exe

  • Size

    500KB

  • MD5

    f0f4b5aa6183bbc5265f26e47aaeb579

  • SHA1

    81f06990ec9c83d755d5023f95af114d92e68d45

  • SHA256

    f8d239a08e27c28f5a5dea56ab895274476ae7360d5d456d89b58d33a392d49c

  • SHA512

    3bc8bb2ac4dc15c484aac016b5c09ff55c45f7db2127a10ba5621711d66dc6287ad109906a1707dcbf0f6c8ba0078b8f6b4603e4a6365726ef419aabe7cf02e6

Score
10/10
formbookm8g0ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m8g0

C2

http://www.corbvalperu.com/m8g0/

Decoy

exclusivecan.com

junzhesuji.com

acces-credit-mutuel.com

iknitvintage.com

solonmodelun.com

debekia.com

peanutskitchen.com

kamanantzin.com

personalmodeststyle.com

qo49.com

googman.site

maisonshahnaz.com

annaalexandrovich.com

californiacashcars.com

ncafashionboutique.com

nsu0.com

cloudfirstlender.com

allforchildren.net

vn80000.com

restroon.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8d239a08e27c28f5a5dea56ab895274476ae7360d5d456d89b58d33a392d49c.exe
    "C:\Users\Admin\AppData\Local\Temp\f8d239a08e27c28f5a5dea56ab895274476ae7360d5d456d89b58d33a392d49c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3972
    • C:\Users\Admin\AppData\Local\Temp\f8d239a08e27c28f5a5dea56ab895274476ae7360d5d456d89b58d33a392d49c.exe
      "C:\Users\Admin\AppData\Local\Temp\f8d239a08e27c28f5a5dea56ab895274476ae7360d5d456d89b58d33a392d49c.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1304-126-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1304-128-0x0000000001510000-0x0000000001830000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/1304-127-0x000000000041EB70-mapping.dmp
    Download
  • memory/3972-122-0x00000000088C0000-0x00000000088C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3972-120-0x0000000005210000-0x0000000005211000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3972-121-0x0000000004ED0000-0x00000000053CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3972-115-0x00000000005D0000-0x00000000005D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3972-123-0x0000000008830000-0x0000000008837000-memory.dmp
    Filesize

    28KB

    Download
  • memory/3972-124-0x0000000008E30000-0x0000000008E99000-memory.dmp
    Filesize

    420KB

    Download
  • memory/3972-125-0x000000000B610000-0x000000000B643000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3972-119-0x00000000058D0000-0x00000000058D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3972-118-0x0000000004F70000-0x0000000004F71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3972-117-0x00000000053D0000-0x00000000053D1000-memory.dmp
    Filesize

    4KB

    Download