Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    25-01-2022 10:13

General

  • Target

    a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe

  • Size

    245KB

  • MD5

    de0aa0304f6880c7263d35fc7d487278

  • SHA1

    e392b2e0163130093d1b4afddbd318266a02a386

  • SHA256

    a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a

  • SHA512

    f8f8b94e4dc99524210487daf9a273a9ce44328a249afd372c72b360bfc3905cf034c713fb1052e9a3e51e58ad844fa18dd7ac12cbe183c1c998dfd5b4376d6e

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

jdo2

Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe
    "C:\Users\Admin\AppData\Local\Temp\a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Users\Admin\AppData\Local\Temp\a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe
      "C:\Users\Admin\AppData\Local\Temp\a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3556

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery: System Information Discovery (T1082), 1

Downloads

  • \Users\Admin\AppData\Local\Temp\nsk4F76.tmp\esuhbnkmi.dll
    MD5

    0b413fd318116a350c284756fd075656

    SHA1

    e89886c492c5183a9e1fa5e5af0ce08c5b6b0f2f

    SHA256

    5db476cb59fd2f92f113ee07523cf1f9dd620e2f17557ac6914a58cab23e9d07

    SHA512

    566ae6e7b8a0882954f801028614d741aec451aa9477132528b016cc0e7581090aa3d575b4c7eda0c1ca54a7f8cbd0717df800fabef3a64675ca4a38d23e1299

  • memory/3556-116-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

  • memory/3556-117-0x00000000009B0000-0x0000000000CD0000-memory.dmp
    Filesize

    3.1MB