General

  • Target

    ae89b5ad57da10b0c320c7ec489f66cd5e5888458d9dd8430d438df4a68456af

  • Size

    381KB

  • Sample

    220127-qs383sddgk

  • MD5

    45e5dea524b2d42e2f1fd24ee1bd18de

  • SHA1

    35041d4b682b60813c07ec4a1551a51090d075aa

  • SHA256

    ae89b5ad57da10b0c320c7ec489f66cd5e5888458d9dd8430d438df4a68456af

  • SHA512

    2291aaf9080b2ebf668eab6cec31b0b79ec0a73099d58776dca5110585b666c39003f387a525ac4861a047d733d22f6e8c0d33d6344c3b5b372ad32669a7eb2c

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    nt3f

  • Decoy

    tricyclee.com
    kxsw999.com
    wisteria-pavilion.com
    bellaclancy.com
    promissioskincare.com
    hzy001.xyz
    checkouthomehd.com
    soladere.com
    point4sales.com
    socalmafia.com
    libertadysarmiento.online
    nftthirty.com
    digitalgoldcryptostock.net
    tulekiloscaird.com
    austinfishandchicken.com
    wlxxch.com
    mgav51.xyz
    landbanking.global
    saprove.com
    babyfaces.skin

Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                            Count  ID
  Execution              Scheduled Task                       1      T1053
  Persistence            Registry Run Keys / Startup Folder   1      T1060
  Persistence            Scheduled Task                       1      T1053
  Privilege Escalation   Scheduled Task                       1      T1053
  Defense Evasion        Modify Registry                      1      T1112
  Discovery              Query Registry                       1      T1012
  Discovery              System Information Discovery         2      T1082