Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    25-11-2021 21:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a0cd1587a69eaf31f745c4f39b0bfbbfbf23f1d1b483b1448da6b90fdaf6caa.exe

  • Size

    575KB

  • MD5

    b7d948e18b116624ee4a0e2e4c6e21e9

  • SHA1

    d0ccf7375cdf29e0071dce6fe8405d0007f51e94

  • SHA256

    7a0cd1587a69eaf31f745c4f39b0bfbbfbf23f1d1b483b1448da6b90fdaf6caa

  • SHA512

    553a9a44a6123705d91eae9d593d2a494b85dc527ab4aec7c964dc657486091143b2ddc15e5c209e27d88deaa5683096131018cc4d6d715085caf2fb6080cc70

Score
10/10
xloadermwevloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mwev

C2

http://www.scion-go-getter.com/mwev/

Decoy

9linefarms.com

meadow-spring.com

texascountrycharts.com

chinatowndeliver.com

grindsword.com

thegurusigavebirthto.com

rip-online.com

lm-safe-keepingtoyof6.xyz

plumbtechconsulting.com

jgoerlach.com

inbloomsolutions.com

foxandmew.com

tikomobile.store

waybunch.com

thepatriottutor.com

qask.top

pharmacylinked.com

ishii-miona.com

sugarandrocks.com

anabolenpower.net

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a0cd1587a69eaf31f745c4f39b0bfbbfbf23f1d1b483b1448da6b90fdaf6caa.exe
    "C:\Users\Admin\AppData\Local\Temp\7a0cd1587a69eaf31f745c4f39b0bfbbfbf23f1d1b483b1448da6b90fdaf6caa.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Users\Admin\AppData\Local\Temp\7a0cd1587a69eaf31f745c4f39b0bfbbfbf23f1d1b483b1448da6b90fdaf6caa.exe
      "C:\Users\Admin\AppData\Local\Temp\7a0cd1587a69eaf31f745c4f39b0bfbbfbf23f1d1b483b1448da6b90fdaf6caa.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2196-115-0x00000000007D0000-0x00000000007D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2196-117-0x00000000057B0000-0x00000000057B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2196-118-0x00000000051D0000-0x00000000051D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2196-119-0x00000000052B0000-0x00000000057AE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2196-120-0x0000000005270000-0x0000000005271000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2196-121-0x0000000005390000-0x0000000005396000-memory.dmp
    Filesize

    24KB

    Download
  • memory/2196-122-0x0000000008A90000-0x0000000008A91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2196-123-0x0000000008A00000-0x0000000008A01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2196-124-0x0000000008C90000-0x0000000008CE9000-memory.dmp
    Filesize

    356KB

    Download
  • memory/2400-125-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/2400-126-0x000000000041D480-mapping.dmp
    Download
  • memory/2400-127-0x0000000001870000-0x0000000001B90000-memory.dmp
    Filesize

    3.1MB

    Download