General

  • Target

    4ce42b0b74090b13a3a1692caeabfd4df748e8fa0220ba1342765fe56b399348

  • Size

    684KB

  • Sample

    211015-q7et2abgar

  • MD5

    f1d94fcc611053cd5162e70dc36fddfa

  • SHA1

    52ecf628c9fe25f2eedca8da56aa0785958e2638

  • SHA256

    4ce42b0b74090b13a3a1692caeabfd4df748e8fa0220ba1342765fe56b399348

  • SHA512

    f422f6332bb00eabec395ce4154c940632feafba67a2206cbfa5700114dee0bc38b394febe09aecdf4cae6f9bdfd232491c1f8a179813c52c763ce3b7bbd87f7

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hs3h

C2

http://www.alefisrael.com/hs3h/

Decoy (the bot sends the same campaign beacons to these hosts as to the C2 so that the real server does not stand out in traffic; treat them as cover traffic and an indicator of this campaign, not as C2 infrastructure)

slairt.com

teresasellsflorida.com

resouthcarolina.com

npccfbf.com

hutshed.com

westatesmarking.com

rustmonkeys.com

kagawa-rentacar.com

easyvoip-system.com

admorinsulation.com

ericaleighjensen.com

zhonghaojiaju.net

apple-iphone.xyz

b0t.info

torgetmc.xyz

lawrencemargarse.com

6123655.com

macdonalds-delivery.com

cvpfl.com

ayudaparaturent.com
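Because Formbook beacons to the decoy hosts with the same URI path it uses for the real C2, a detection keyed only on the C2 hostname misses most of the traffic, and a detection keyed only on the decoy hostnames generates alerts on legitimate sites. The classifier below is an added example (not part of the report or of any sandbox's code) that uses the config values above: it keys on the campaign path `/hs3h/` and on a single client fanning that path out to several hosts. The proxy log lines and their format (`timestamp client method url`) are constructed for the example; the observation that the bot prefixes `www.` to each configured domain is why hostnames are normalised before matching.

```python
"""Classify HTTP requests against the Formbook config extracted above.
Added example; the log lines are constructed, not taken from the sandbox run."""
from collections import Counter
from typing import Dict, Set
from urllib.parse import urlsplit

# Values copied from the "Malware Config" section of this report.
C2_URL = "http://www.alefisrael.com/hs3h/"
CAMPAIGN = "hs3h"
DECOYS = {
    "slairt.com", "teresasellsflorida.com", "resouthcarolina.com", "npccfbf.com",
    "hutshed.com", "westatesmarking.com", "rustmonkeys.com", "kagawa-rentacar.com",
    "easyvoip-system.com", "admorinsulation.com", "ericaleighjensen.com",
    "zhonghaojiaju.net", "apple-iphone.xyz", "b0t.info", "torgetmc.xyz",
    "lawrencemargarse.com", "6123655.com", "macdonalds-delivery.com", "cvpfl.com",
    "ayudaparaturent.com",
}


def _host(url: str) -> str:
    """Hostname with the leading 'www.' removed; the bot adds that prefix itself,
    while the config lists bare decoy domains."""
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


C2_HOST = _host(C2_URL)
CAMPAIGN_PATH = "/" + CAMPAIGN + "/"


def classify(url: str) -> str:
    """Return one of: c2, decoy, unlisted-campaign-path, other.

    The path is the primary key: a request to /hs3h/ on a host that is in
    neither list is still worth a look, since configs extracted from other
    samples of the same campaign may list additional hosts."""
    if urlsplit(url).path != CAMPAIGN_PATH:
        return "other"
    host = _host(url)
    if host == C2_HOST:
        return "c2"
    if host in DECOYS:
        return "decoy"
    return "unlisted-campaign-path"


# Constructed proxy log, one request per line: "<timestamp> <client> <method> <url>"
SAMPLE_LOG = """\
2021-10-15T09:41:02Z 10.0.0.7 GET http://www.alefisrael.com/hs3h/?ab=cd
2021-10-15T09:41:03Z 10.0.0.7 GET http://www.slairt.com/hs3h/?ab=cd
2021-10-15T09:41:03Z 10.0.0.7 POST http://www.b0t.info/hs3h/
2021-10-15T09:41:05Z 10.0.0.7 GET http://www.example.net/hs3h/
2021-10-15T09:41:09Z 10.0.0.7 GET http://www.example.org/index.html
2021-10-15T09:42:00Z 10.0.0.9 GET http://www.slairt.com/
"""


def triage(log_text: str) -> Dict[str, object]:
    """Count verdicts and flag clients that sent the campaign path to two or
    more distinct hosts, which is the fan-out pattern the decoy list produces."""
    verdicts: Counter = Counter()
    fanout: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url = line.split(maxsplit=3)
        verdict = classify(url)
        verdicts[verdict] += 1
        if verdict != "other":
            fanout.setdefault(client, set()).add(_host(url))
    suspects = sorted(c for c, hosts in fanout.items() if len(hosts) >= 2)
    return {"verdicts": dict(verdicts), "fanout_clients": suspects}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the constructed log the client 10.0.0.7 is flagged because it sent `/hs3h/` to four different hosts, including one that appears in neither list; 10.0.0.9 only fetched the root of a decoy domain and is not flagged, which is the behaviour you want for a legitimate visit to one of those sites.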

Targets

    • Target

      4ce42b0b74090b13a3a1692caeabfd4df748e8fa0220ba1342765fe56b399348


    • Formbook

      Formbook is an information-stealing malware family: it harvests credentials and form data from browsers and other applications, logs keystrokes and clipboard contents, takes screenshots, and can fetch and execute additional payloads from its C2.

    • Formbook Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

      SetThreadContext on a thread of another process is commonly used to redirect a suspended thread into injected code (process hollowing or a similar injection technique).
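The four registry signatures above correspond to a handful of well-known HKLM locations that VM-aware malware reads before deciding whether to run. The script below is an added example (not the sandbox's signature logic and not code from the sample) that probes those locations on an analysis host so you can tell in advance whether this sample would fingerprint it. The mapping of keys and value names to the signature names, and the marker strings, are this example's own choices; the in-memory hives for a VirtualBox guest and for bare metal are constructed so the script also runs off Windows.

```python
"""Probe the registry locations behind the VM-detection signatures listed above.
Added example: the key-to-signature mapping and marker strings are this
example's own choices, not the sandbox's exact signature logic."""
from typing import Callable, List, Optional, Tuple

# (signature name, HKLM subkey, value name, markers).
# A None value name means the key's existence is itself the tell.
CHECKS: List[Tuple[str, str, Optional[str], Tuple[str, ...]]] = [
    ("Looks for VirtualBox Guest Additions in registry",
     r"SOFTWARE\Oracle\VirtualBox Guest Additions", None, ()),
    ("Looks for VMWare Tools registry key",
     r"SOFTWARE\VMware, Inc.\VMware Tools", None, ()),
    ("Checks BIOS information in registry",
     r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion",
     ("vbox", "virtualbox", "vmware", "qemu", "bochs", "virtual")),
    ("Checks BIOS information in registry",
     r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion",
     ("vbox", "virtualbox", "vmware", "qemu", "bochs", "virtual")),
    ("Maps connected drives based on registry",
     r"SYSTEM\CurrentControlSet\Services\Disk\Enum", "0",
     ("vbox", "vmware", "qemu", "virtual")),
]

Reader = Callable[[str, Optional[str]], Optional[str]]


def winreg_reader(subkey: str, value: Optional[str]) -> Optional[str]:
    """Read the live HKLM hive (Windows only). Returns None when the key or
    value is absent and "" when only key existence was asked for.
    Caveat: a 32-bit Python on 64-bit Windows sees the WOW64 view of
    SOFTWARE, as the 32-bit sample itself would."""
    import winreg  # stdlib on Windows builds of CPython
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            if value is None:
                return ""
            data, _ = winreg.QueryValueEx(key, value)
    except OSError:
        return None
    if isinstance(data, (list, tuple)):  # REG_MULTI_SZ comes back as a list
        return " ".join(map(str, data))
    return str(data)


def fingerprint(reader: Reader = winreg_reader) -> List[str]:
    """Return the signature names this host would trigger, in CHECKS order."""
    hits: List[str] = []
    for name, subkey, value, markers in CHECKS:
        data = reader(subkey, value)
        if data is None:
            continue
        if value is None or any(m in data.lower() for m in markers):
            if name not in hits:
                hits.append(name)
    return hits


def dict_reader(hive: dict) -> Reader:
    """Reader over an in-memory {subkey: {value: data}} stand-in for a hive."""
    def read(subkey: str, value: Optional[str]) -> Optional[str]:
        if subkey not in hive:
            return None
        if value is None:
            return ""
        return hive[subkey].get(value)
    return read


# Constructed stand-in for a default VirtualBox guest (values are illustrative).
VBOX_GUEST = {
    r"SOFTWARE\Oracle\VirtualBox Guest Additions": {"Version": "6.1.26"},
    r"HARDWARE\DESCRIPTION\System": {
        "SystemBiosVersion": "VBOX   - 1",
        "VideoBiosVersion": "Oracle VM VirtualBox Version 6.1.26 VBE Adapter"},
    r"SYSTEM\CurrentControlSet\Services\Disk\Enum": {
        "0": r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&1f7e4b2&0&0.0.0"},
}
# Constructed stand-in for a physical laptop.
BARE_METAL = {
    r"HARDWARE\DESCRIPTION\System": {
        "SystemBiosVersion": "LENOVO - 1",
        "VideoBiosVersion": "Intel Video BIOS"},
    r"SYSTEM\CurrentControlSet\Services\Disk\Enum": {
        "0": r"SCSI\Disk&Ven_NVMe&Prod_Samsung_SSD_970\4&2b1a3c9&0&000000"},
}

if __name__ == "__main__":
    import sys
    reader = winreg_reader if sys.platform == "win32" else dict_reader(VBOX_GUEST)
    for hit in fingerprint(reader):
        print("would trigger:", hit)
```

Run it on the analysis VM itself: every line it prints is a signature this sample would match before reaching its payload, and therefore a key or value to rename, remove or mask in the VM image. Note that the BIOS strings are read by plenty of benign software as well, so on their own they are a weak indicator; it is the combination with the vendor-specific keys that makes the signature set meaningful.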

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                        Count  ID
  Execution             Scheduled Task                   1      T1053
  Persistence           Scheduled Task                   1      T1053
  Privilege Escalation  Scheduled Task                   1      T1053
  Defense Evasion       Virtualization/Sandbox Evasion   2      T1497
  Discovery             Query Registry                   4      T1012
  Discovery             Virtualization/Sandbox Evasion   2      T1497
  Discovery             System Information Discovery     3      T1082
  Discovery             Peripheral Device Discovery      1      T1120

  Count is the number of matched signatures mapped to that technique. The same technique is listed under every tactic it belongs to in ATT&CK v6, which is why Scheduled Task and Virtualization/Sandbox Evasion appear more than once.
