Overview

overview

10

Static

static

1

dridex

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    127s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    10-12-2021 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6ec336ad7902fc73ca6256fc549d449e8a59daec2ece6053f68cdca3fc09011.exe

  • Size

    271KB

  • MD5

    7b36ace1c180faa31de8b7390b166f7b

  • SHA1

    dbec78f06cacd2fb4083b2fc4280aecc5128953f

  • SHA256

    f6ec336ad7902fc73ca6256fc549d449e8a59daec2ece6053f68cdca3fc09011

  • SHA512

    b3a7c4f92f8fa56cd61e9f8a3dd19c7bae2af505bda4d74f778ce7e1e8d452b708dc6a98e43dc726ea54d2a8275e6fae69228dbf74d6e03312958e06bee35dc9

Score
10/10
formbookh4d0ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h4d0

C2

http://www.voxelsoxx.xyz/h4d0/

Decoy

onlinefinejewelry.com

samstringermusic.com

beam-lettings.info

optimumcoin.xyz

fasa.xyz

creativedime.com

eihncuz.online

griffin2008.top

europcarlive.com

jxhcar.com

museumsshop.international

bonolaboral-lnterbank.com

kelebandis.xyz

hiddenlakeranch.net

carelessyouth.com

jfkilfoil.store

potok-it-ua.site

magdulemediation.com

shakadal.xyz

coastconstructionfl.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6ec336ad7902fc73ca6256fc549d449e8a59daec2ece6053f68cdca3fc09011.exe
    "C:\Users\Admin\AppData\Local\Temp\f6ec336ad7902fc73ca6256fc549d449e8a59daec2ece6053f68cdca3fc09011.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3792
    • C:\Users\Admin\AppData\Local\Temp\f6ec336ad7902fc73ca6256fc549d449e8a59daec2ece6053f68cdca3fc09011.exe
      "C:\Users\Admin\AppData\Local\Temp\f6ec336ad7902fc73ca6256fc549d449e8a59daec2ece6053f68cdca3fc09011.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsiA579.tmp\fxzwpczmg.dll
    MD5

    98f06e6592cb90006b67b41115dd5d46

    SHA1

    a56cd9f81f6c7e633b4980f25a3421e5b10411fb

    SHA256

    dc01f5aeeceed8d2b59729813ab4ef2b2d0b453ecde4b3575148c0346f9d5004

    SHA512

    c475351e55654b64aa370855c108daf143316c3bb54f0c1ee04c8686c412b0b07796d6621ce8ef9a62e3c98f8d56bdff1648131734a2c34c115b789022e72084

    Download Submit
  • memory/672-116-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/672-117-0x000000000041F130-mapping.dmp
    Download
  • memory/672-118-0x00000000009D0000-0x0000000000CF0000-memory.dmp
    Filesize

    3.1MB

    Download