Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    110s
  • max time network
    121s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    13-11-2021 22:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e7cabf681ce8989913c4c78c8f539a791c852e0e637f359d2a399b91dc676506.exe

  • Size

    700KB

  • MD5

    abbd913fabcce80fe6c14f8103800378

  • SHA1

    bbfd5bd99597e246fe61dc8fa4cbaa99c1808b1b

  • SHA256

    e7cabf681ce8989913c4c78c8f539a791c852e0e637f359d2a399b91dc676506

  • SHA512

    7eb56ebeac274545ccbf91ed01e1290ccd168b5b506a027993745ad6d8255ed652d32c1570218aca10434c40c7218f5e088e8d2021b30f8eef674d22dcc64655

Score
10/10
xloadern58iloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

n58i

C2

http://www.makingitreignz.com/n58i/

Decoy

charlottebishop.com

afafshawwabibi.com

salomesac.com

albaelectric.info

ashcm.com

cxlgroups.com

kbittesting.com

stogelair.com

dgredg.com

smokersoutletinc.com

gdmo112.com

innovationmotive.xyz

outbarter.info

abevegege.online

peterjhill.com

fubosportsbetting.com

probristow.com

despirad.com

halloweengeneral.com

milesofsmileskinder.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7cabf681ce8989913c4c78c8f539a791c852e0e637f359d2a399b91dc676506.exe
    "C:\Users\Admin\AppData\Local\Temp\e7cabf681ce8989913c4c78c8f539a791c852e0e637f359d2a399b91dc676506.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Users\Admin\AppData\Local\Temp\e7cabf681ce8989913c4c78c8f539a791c852e0e637f359d2a399b91dc676506.exe
      "C:\Users\Admin\AppData\Local\Temp\e7cabf681ce8989913c4c78c8f539a791c852e0e637f359d2a399b91dc676506.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2568-118-0x0000000000280000-0x0000000000281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2568-120-0x0000000005430000-0x0000000005431000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2568-121-0x0000000004D60000-0x0000000004D61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2568-122-0x0000000004E00000-0x0000000004E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2568-123-0x0000000004D40000-0x0000000004D41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2568-124-0x0000000004F20000-0x0000000004F21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3084-125-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/3084-126-0x000000000041D470-mapping.dmp
    Download
  • memory/3084-127-0x0000000000E10000-0x0000000001130000-memory.dmp
    Filesize

    3.1MB

    Download