Analysis

  • max time kernel
    163s
  • max time network
    172s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    30-01-2022 21:10

General

  • Target

    89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a.exe

  • Size

    250KB

  • MD5

    fe1b3c933234d3a68d7b0722a177ba07

  • SHA1

    7a2c6caf667483e57b9c183935e83c435ff5efd4

  • SHA256

    89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a

  • SHA512

    6c348997afe6d4a559a49a93eb7e9d1d27c6b81d48ada5113f6a59ad6f7df69bb69cdc6a65e9e2a86e26b640efb39d73582a92dc43c414e06b341be7e680e22d

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ndf8

Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a.exe
    "C:\Users\Admin\AppData\Local\Temp\89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Users\Admin\AppData\Local\Temp\89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a.exe
      "C:\Users\Admin\AppData\Local\Temp\89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3048

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    System Information Discovery (T1082): 1

Downloads

  • \Users\Admin\AppData\Local\Temp\nskF550.tmp\pmtkix.dll
    MD5

    ce596d4e7b4b245db309b1b623224007

    SHA1

    43be7a62ec59a3840e068804b586a8a4e120eb45

    SHA256

    c8ea1dec9c0638bc133a1958552a697d6f420ccf7bde149722a01fe718926c37

    SHA512

    723625756169a56c43ddf465ad4f064684997b8a2f771979b697c717e998522553109159090d34c26ac7b202ac53128e2a177b7a55f471803e9f0cb6370e6534

  • memory/1892-118-0x0000000002380000-0x00000000023A3000-memory.dmp
    Filesize

    140KB

  • memory/3048-116-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

  • memory/3048-117-0x00000000009A0000-0x0000000000CC0000-memory.dmp
    Filesize

    3.1MB