Overview

overview

10

Static

static

10

dridex

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea

  • Size

    1023KB

  • Sample

    211103-kajttsaegm

  • MD5

    34c80f81e518370f859cc9f2454e6d83

  • SHA1

    dbb94e0f0a99558b8786a2c2ce3322ba281e7f9c

  • SHA256

    9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea

  • SHA512

    6d458b21e8beb210a3a385a56fba3c362e9e74d1005a59a2a735ab593c8a298559b7fc96c32dc6e4659a64c3010c19436af6f499ad5ced84322ecbfa17222a8c

Score
10/10
neshtaxloaderrqanloaderpersistenceratspywarestealersuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

rqan

C2

http://www.cardboutiqueapp.com/rqan/

Decoy

panda.wiki

gailkannamassage.com

ungravitystudio.com

coraggiomusicschool.com

51walkerstreetrippleside.com

infemax.store

mapara-foundation.net

elitespeedwaxs.com

manateeprint.com

thelocksmithtradeshow.com

phoenix-out-of-ashes.com

marionkgregory.store

abasketofwords.com

century21nokta.com

anthonyaarnold.com

forevermyanmar.com

ramashi.com

uniquecarbonbrush.com

packecco.com

appelnacrtl.quest

Targets

    • Target

      9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea

    • Size

      1023KB

    • MD5

      34c80f81e518370f859cc9f2454e6d83

    • SHA1

      dbb94e0f0a99558b8786a2c2ce3322ba281e7f9c

    • SHA256

      9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea

    • SHA512

      6d458b21e8beb210a3a385a56fba3c362e9e74d1005a59a2a735ab593c8a298559b7fc96c32dc6e4659a64c3010c19436af6f499ad5ced84322ecbfa17222a8c

    Score
    10/10
    neshtaxloaderrqanloaderpersistenceratspywarestealersuricata

    • Modifies system executable filetype association

      persistence

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1
T1042

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks