Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    77s
  • max time network
    129s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    28-10-2021 11:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    92206b9fa1251b589ab6d14b4828cafe0ec9d9b44df469602b7d3d1ed16ae0e8.exe

  • Size

    414KB

  • MD5

    ff1c94584214d5eef525a0d3ff196a8b

  • SHA1

    64841f419c3d8bff98b1ada134ecb8d63be07ec4

  • SHA256

    92206b9fa1251b589ab6d14b4828cafe0ec9d9b44df469602b7d3d1ed16ae0e8

  • SHA512

    9070de7cca07bde86414050f16a73f51c8573e07dca0e8cbac09c870d6f902890d1282dc6f9b1702feb059ad96938ca05dc466bd2004b2c2f670e60ad32f6daa

Score
10/10
xloadermwevloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mwev

C2

http://www.scion-go-getter.com/mwev/

Decoy

9linefarms.com

meadow-spring.com

texascountrycharts.com

chinatowndeliver.com

grindsword.com

thegurusigavebirthto.com

rip-online.com

lm-safe-keepingtoyof6.xyz

plumbtechconsulting.com

jgoerlach.com

inbloomsolutions.com

foxandmew.com

tikomobile.store

waybunch.com

thepatriottutor.com

qask.top

pharmacylinked.com

ishii-miona.com

sugarandrocks.com

anabolenpower.net

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\92206b9fa1251b589ab6d14b4828cafe0ec9d9b44df469602b7d3d1ed16ae0e8.exe
    "C:\Users\Admin\AppData\Local\Temp\92206b9fa1251b589ab6d14b4828cafe0ec9d9b44df469602b7d3d1ed16ae0e8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3684
    • C:\Users\Admin\AppData\Local\Temp\92206b9fa1251b589ab6d14b4828cafe0ec9d9b44df469602b7d3d1ed16ae0e8.exe
      "C:\Users\Admin\AppData\Local\Temp\92206b9fa1251b589ab6d14b4828cafe0ec9d9b44df469602b7d3d1ed16ae0e8.exe"
      2⤵
        PID:616
      • C:\Users\Admin\AppData\Local\Temp\92206b9fa1251b589ab6d14b4828cafe0ec9d9b44df469602b7d3d1ed16ae0e8.exe
        "C:\Users\Admin\AppData\Local\Temp\92206b9fa1251b589ab6d14b4828cafe0ec9d9b44df469602b7d3d1ed16ae0e8.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:352

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/352-124-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/352-125-0x000000000041D480-mapping.dmp
      Download
    • memory/352-126-0x0000000001150000-0x0000000001470000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3684-115-0x0000000000FA0000-0x0000000000FA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3684-117-0x0000000005EF0000-0x0000000005EF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3684-118-0x00000000059F0000-0x00000000059F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3684-119-0x00000000059D0000-0x00000000059D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3684-120-0x0000000005B00000-0x0000000005B01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3684-121-0x0000000005CE0000-0x0000000005CE6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/3684-122-0x0000000008280000-0x0000000008281000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3684-123-0x0000000008230000-0x000000000827B000-memory.dmp
      Filesize

      300KB

      Download