Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    24-09-2021 13:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe

  • Size

    421KB

  • MD5

    859a1a6574e4a09027f729908318b282

  • SHA1

    bf7c9e96ca263d7811f7357f8645af42b04c093b

  • SHA256

    d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7

  • SHA512

    4163390db6bf2d8f66e8575e8d116df222e8d72b97037eca614fdb2d94d8cd686c31eb4593ce1164dfc398fe03a7b3ac97bfee61fc2e3ddb27e566c39cb234ec

Score
10/10
xloaderaruploaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

arup

C2

http://www.sapphiretype.com/arup/

Decoy

mezonpezon.com

bellapbd.com

xn--2kr800ab2z.group

cupecoysuites.com

extractselect.com

cherrycooky.com

reshawna.com

bluewinetours.com

dez2fly.com

washedproductions.com

om-asahi-kasei-jp.com

talkingpoint.tours

avaspacecompany.com

fbtvmall.com

trocaoferta.com

mionegozio.com

reitschuetz.com

basepicks.com

networkagricity.com

kastore.club

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe
    "C:\Users\Admin\AppData\Local\Temp\d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Local\Temp\d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe
      "C:\Users\Admin\AppData\Local\Temp\d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1520-125-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1520-126-0x000000000041D4B0-mapping.dmp
    Download
  • memory/1520-127-0x00000000013D0000-0x00000000016F0000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/2372-115-0x00000000002E0000-0x00000000002E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2372-117-0x0000000005120000-0x0000000005121000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2372-118-0x0000000004B70000-0x0000000004B71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2372-119-0x0000000004C20000-0x000000000511E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2372-120-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2372-121-0x0000000006FC0000-0x0000000006FC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2372-122-0x0000000004EC0000-0x0000000004EC4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2372-123-0x0000000007440000-0x000000000749C000-memory.dmp
    Filesize

    368KB

    Download
  • memory/2372-124-0x00000000074A0000-0x00000000074CC000-memory.dmp
    Filesize

    176KB

    Download