Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/11/2022, 09:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    92def0a070b0a1a1aa3c2b1ae43b197906d69a87014636106f1614e496a45c37.exe

  • Size

    316KB

  • MD5

    3aa0e6e99975a48bcec1d2baf1f7bd36

  • SHA1

    5e49f0fc1f352b896305996dad3c05d8c2e69b21

  • SHA256

    92def0a070b0a1a1aa3c2b1ae43b197906d69a87014636106f1614e496a45c37

  • SHA512

    51cfb187147f55699e23e916c98a0bfe129e458ed275ca3ed90efee6bcf922c87d27ed7ed0fb23be7406a8a1a8efa872a1694c5cf379ac95138ff99306cedf20

  • SSDEEP

    6144:HT5V3EklozCalSsWJrzt8ZGEl9BzSPiQ9oRnmU+qJ8gCIMh:HT5V0XCtsyeZHh2PiQ9o/+qJ8gCIMh

Score
10/10
formbooktu7gratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

tu7g

Decoy

fbbktzFKN8MB1h8=

FPidEXGfkl0WqgXoVhHehw==

iHEjIL7XwJdpN6Er4Evhu03o

fHQTMsjqD3cPpQ==

VDXmCsr22oYhshz/Fg305nF21Q==

j4ZHfk5rRf6tVtwbMRU=

AORqAXKWy4R+//VwFdB6VVk=

9PW0Yw9RkIfer5+/bum7nlxwy1QfDQ==

ZU8mUjRgSOn3d0eFD3puQgVpnaAj

nlHgT2aJaMMB1h8=

+qc6XcgwdjVsEgKQ2zT+

/gCHJbBZrWjx1OZN40Hhu03o

48dX+WeLWAjFZMR2lItP8bJ87X4=

+N6H9VVzix7uogI=

Jf/NAPQe+8we7uftVhHehw==

YmANk8T+ix7uogI=

GTKxpLAYsJTl

pT8FM/QacYAV/+VInxn0

8JAnF9PnyZA29xH3Iw==

8ZdFPhCvGxYBxRCTqtB6VVk=

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Blocklisted process makes network request 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Users\Admin\AppData\Local\Temp\92def0a070b0a1a1aa3c2b1ae43b197906d69a87014636106f1614e496a45c37.exe
      "C:\Users\Admin\AppData\Local\Temp\92def0a070b0a1a1aa3c2b1ae43b197906d69a87014636106f1614e496a45c37.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4876
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:5116
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1248

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/780-141-0x0000000007E70000-0x0000000007F9F000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/780-151-0x00000000078C0000-0x000000000796D000-memory.dmp

      Filesize

      692KB

      Download

    • memory/780-149-0x00000000078C0000-0x000000000796D000-memory.dmp

      Filesize

      692KB

      Download

    • memory/4876-132-0x00000000007B0000-0x0000000000806000-memory.dmp

      Filesize

      344KB

      Download

    • memory/5064-145-0x0000000000860000-0x0000000000887000-memory.dmp

      Filesize

      156KB

      Download

    • memory/5064-146-0x00000000011B0000-0x00000000011DD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/5064-150-0x00000000011B0000-0x00000000011DD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/5064-148-0x0000000003090000-0x000000000311F000-memory.dmp

      Filesize

      572KB

      Download

    • memory/5064-147-0x0000000003270000-0x00000000035BA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5116-144-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/5116-139-0x0000000001350000-0x000000000169A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5116-136-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/5116-143-0x0000000000401000-0x000000000042F000-memory.dmp

      Filesize

      184KB

      Download

    • memory/5116-140-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5116-134-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/5116-137-0x0000000000401000-0x000000000042F000-memory.dmp

      Filesize

      184KB

      Download