Analysis

  • max time kernel
    130s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    31-01-2022 08:04

General

  • Target

    b45a38f7012d02b12d3613d25450847d87c14c9b3207380594fc5e1f1b1728d9.exe

  • Size

    510KB

  • MD5

    9e50ed09439b4f2206f6cee1b233677c

  • SHA1

    719705903de481a3c680db18f8cef892efef3dc7

  • SHA256

    b45a38f7012d02b12d3613d25450847d87c14c9b3207380594fc5e1f1b1728d9

  • SHA512

    927789d6fca24317b1cc41825485cf06cf337204d8007b32220ef2fb28ee48275102a9148682336f76e7586e5ed714d1de2098c08886ea1b76007880a5c45d80

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bt33

Decoy

mbaonlinefreedegress.info

myforevermaid.com

daoyi365.com

weientm.com

legal-mx.com

formationrigging.com

heidiet.xyz

school-prosto.store

healthvitaminnutrition.com

digitalsolutionusa.com

little-bazar.com

jnbeautycanada.com

optoelek.com

learntoairmail.com

hawkminer.com

kingofearth.love

ktnstay.xyz

zouxin.love

mainlandpr.com

mamm-hummel.com

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook Payload 1 IoCs
  • Sets service image path in registry 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b45a38f7012d02b12d3613d25450847d87c14c9b3207380594fc5e1f1b1728d9.exe
    "C:\Users\Admin\AppData\Local\Temp\b45a38f7012d02b12d3613d25450847d87c14c9b3207380594fc5e1f1b1728d9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Users\Admin\AppData\Local\Temp\b45a38f7012d02b12d3613d25450847d87c14c9b3207380594fc5e1f1b1728d9.exe
      "C:\Users\Admin\AppData\Local\Temp\b45a38f7012d02b12d3613d25450847d87c14c9b3207380594fc5e1f1b1728d9.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3240
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 28d0bc1d5816cbad20acf6bdf648b01d rEcNAZsAOEW++cZOK4xq1g.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:1940
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
    1⤵
    PID:3972

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder
    1
    T1060
  • Defense Evasion
    Modify Registry
    1
    T1112

Downloads

  • memory/1868-130-0x00000000001C0000-0x0000000000246000-memory.dmp
    Filesize: 536KB
  • memory/1868-131-0x0000000004D80000-0x0000000004D81000-memory.dmp
    Filesize: 4KB
  • memory/1868-132-0x0000000004E30000-0x0000000004EC2000-memory.dmp
    Filesize: 584KB
  • memory/1868-133-0x00000000009A0000-0x0000000000A3C000-memory.dmp
    Filesize: 624KB
  • memory/1868-134-0x0000000005830000-0x0000000005DD4000-memory.dmp
    Filesize: 5.6MB
  • memory/3240-135-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize: 188KB
  • memory/3240-136-0x0000000000FC0000-0x000000000176A000-memory.dmp
    Filesize: 7.7MB