General

  • Target

    c71e8cd3e58eaeab5de7d296fa62fd6fcad415facc687629d71b25bab56550eb

  • Size

    342KB

  • Sample

    221206-jggglsag5x

  • MD5

    cd0e4cab67b7fd76ef5d6bdcb7f25a21

  • SHA1

    a27ade3067d85e7ed462266b503caed5ef89d3dc

  • SHA256

    c71e8cd3e58eaeab5de7d296fa62fd6fcad415facc687629d71b25bab56550eb

  • SHA512

    c3ae7c68e14ddd2064c926d419ca88531d0344868792b81f8daab42c63aa28a096781fbb0cf38fd367cbf64d94ef073c17d17cef762b5e99bb110ebe00345195

  • SSDEEP

    6144:ZBnbr9ZL8bW6Bg1GzljLDEkYiDifeaOcpTlSxbJ3bzGUAR6ZTu:HfL8bQalnDlRexQxNSlR7

Malware Config

Extracted

  • Family

    formbook

  • Campaign

    f4ca

  • Decoy

Targets

    • Target

      c71e8cd3e58eaeab5de7d296fa62fd6fcad415facc687629d71b25bab56550eb

    • Formbook

      Formbook is data-stealing malware.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

Tasks