Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    110s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    01-11-2021 01:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0c20d42cbdc31d5b40846425b381c84761898abe3659ba221d2b8e9e213964a2.exe

  • Size

    560KB

  • MD5

    9536e16deb13831cf97edebfc43c3794

  • SHA1

    1664b14b033e31e03b94ce4b3d89d883a39a6222

  • SHA256

    0c20d42cbdc31d5b40846425b381c84761898abe3659ba221d2b8e9e213964a2

  • SHA512

    825b989b036fc8a6f07f7664eae5ff18c47c0e0623003f6e1fe4454dabfd334bc9ee2825e65d270598dfd0cee79fe4ede4e2e0e2813980a4e04f26459365e6bd

Score
10/10
formbookmxwfratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mxwf

C2

http://www.zahnimplantatangebotede.com/mxwf/

Decoy

orders-cialis.info

auctionorbuy.com

meanmugsamore.com

yachtcrewmark.com

sacredkashilifestudio.net

themintyard.com

bragafoods.com

sierp.com

hausofdeme.com

anthonyjames915.com

bajardepesoencasa.com

marciaroyal.com

earringlifter.com

dsdjfhd9ddksa1as.info

bmzproekt.com

employmentbc.com

ptsdtreatment.space

vrchance.com

cnrongding.com

welovelit.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c20d42cbdc31d5b40846425b381c84761898abe3659ba221d2b8e9e213964a2.exe
    "C:\Users\Admin\AppData\Local\Temp\0c20d42cbdc31d5b40846425b381c84761898abe3659ba221d2b8e9e213964a2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Users\Admin\AppData\Local\Temp\0c20d42cbdc31d5b40846425b381c84761898abe3659ba221d2b8e9e213964a2.exe
      "C:\Users\Admin\AppData\Local\Temp\0c20d42cbdc31d5b40846425b381c84761898abe3659ba221d2b8e9e213964a2.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/700-124-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/700-125-0x000000000041EBA0-mapping.dmp
    Download
  • memory/700-126-0x0000000001600000-0x0000000001920000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/2192-115-0x00000000003D0000-0x00000000003D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2192-117-0x00000000052B0000-0x00000000052B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2192-118-0x0000000004CC0000-0x0000000004CC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2192-119-0x0000000004C20000-0x0000000004CB2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2192-120-0x0000000004D60000-0x0000000004D61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2192-121-0x0000000005150000-0x0000000005157000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2192-122-0x0000000008350000-0x0000000008351000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2192-123-0x0000000006B90000-0x0000000006BE1000-memory.dmp
    Filesize

    324KB

    Download