Analysis

  • max time kernel
    128s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    31-01-2022 00:18

General

  • Target

    fc35540b602ba860b10c2b43261657a7e2b9fc1d3aa8104272f2255a664fabd7.exe

  • Size

    246KB

  • MD5

    0e738f5922ef1bed63478ca5ccbe4ab5

  • SHA1

    3518eb79082655a27598a1025d581ffdba11fb6c

  • SHA256

    fc35540b602ba860b10c2b43261657a7e2b9fc1d3aa8104272f2255a664fabd7

  • SHA512

    1d5038223c9e5b426ed4f8cafeefa4ec919588f6819fd3b82773c97efdf6848f45c0b05e94ee16eb27f7df23b0f4e760b05e002f54d2c591956daf06cc3b58e5

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b80i

Decoy

Domains from the extracted config. Xloader (Formbook) mixes beacons to its real C2 with traffic to decoy domains, so treat these as hunting indicators rather than confirmed C2 hosts.

yixuan5.com

jiazheng369.com

danielleefelipe.net

micorgas.com

uvywah.com

nbjcgl.com

streets4suites.com

hempgotas.com

postmoon.xyz

gaboshoes.com

pastodwes.com

libes.asia

damusalama.com

youngliving1.com

mollyagee.com

branchwallet.com

seebuehnegoerlitz.com

inventors.community

teentykarm.quest

927291.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 1 IoCs
  • Loads dropped DLL 1 IoCs (the DLL is dropped into an ns*.tmp directory under %TEMP%, the layout NSIS installers use for their plugin directory, so the outer executable is an NSIS-packaged loader)
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). This is a generic heuristic that the sandbox also associates with ransomware; for an Xloader (Formbook) infostealer sample it is consistent with environment and drive enumeration, not file encryption.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc35540b602ba860b10c2b43261657a7e2b9fc1d3aa8104272f2255a664fabd7.exe
    "C:\Users\Admin\AppData\Local\Temp\fc35540b602ba860b10c2b43261657a7e2b9fc1d3aa8104272f2255a664fabd7.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2564
    • C:\Users\Admin\AppData\Local\Temp\fc35540b602ba860b10c2b43261657a7e2b9fc1d3aa8104272f2255a664fabd7.exe
      "C:\Users\Admin\AppData\Local\Temp\fc35540b602ba860b10c2b43261657a7e2b9fc1d3aa8104272f2255a664fabd7.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1804
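
The process tree above shows the sample spawning a second copy of itself while the parent uses SetThreadContext and WriteProcessMemory, the sequence of process hollowing. As an added example (not part of the sandbox report), the following Python encodes that pattern as a detection rule, runs it over a constructed copy of the report's process and memory-dump data, and pairs each hit with the dumped regions of the hollowed child. The two cmd.exe entries are an assumed benign self-spawn used as a control and do not appear in the report.

```python
"""Detection for the self-injection pattern in the process tree above.

Rule: a process spawns a child with the same image path and the parent is
seen calling SetThreadContext and WriteProcessMemory. That combination is the
classic process-hollowing sequence (spawn a suspended copy of self, overwrite
its image, fix up the thread context, resume). The dumped region at the
default EXE base 0x400000 inside the child is where the replaced image lands.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Proc:
    pid: int
    image: str
    ppid: Optional[int]
    behaviours: Set[str] = field(default_factory=set)


SAMPLE_EXE = (
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
    "fc35540b602ba860b10c2b43261657a7e2b9fc1d3aa8104272f2255a664fabd7.exe"
)

# Constructed from the report's process tree (PIDs 2564 -> 1804). The two
# cmd.exe entries are an assumed benign self-spawn used as a control.
PROCS = [
    Proc(2564, SAMPLE_EXE, None, {
        "Loads dropped DLL",
        "Suspicious use of SetThreadContext",
        "Suspicious use of WriteProcessMemory",
    }),
    Proc(1804, SAMPLE_EXE, 2564, {"Suspicious behavior: EnumeratesProcesses"}),
    Proc(4000, "C:\\Windows\\System32\\cmd.exe", None, set()),
    Proc(4012, "C:\\Windows\\System32\\cmd.exe", 4000, set()),
]

# Dump file names as listed under Downloads in the report.
DUMPS = [
    "memory/1804-119-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/1804-121-0x0000000000AB0000-0x0000000000DD0000-memory.dmp",
    "memory/2564-120-0x00000000021A0000-0x00000000021C3000-memory.dmp",
]

HOLLOWING_APIS = {
    "Suspicious use of SetThreadContext",
    "Suspicious use of WriteProcessMemory",
}
DEFAULT_IMAGE_BASE = 0x400000  # conventional base of a non-relocated 32-bit EXE

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<base>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def find_self_injection(procs: List[Proc]) -> List[Dict[str, object]]:
    """Return (parent, child) pairs where the parent hollows a copy of itself."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        parent = by_pid.get(child.ppid) if child.ppid is not None else None
        if parent is None:
            continue
        same_image = parent.image.lower() == child.image.lower()
        if same_image and HOLLOWING_APIS <= parent.behaviours:
            hits.append({"parent_pid": parent.pid, "child_pid": child.pid,
                         "image": child.image})
    return hits


def parse_dump_name(name: str) -> Dict[str, int]:
    """Extract PID, base address and size from a sandbox memory-dump name."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    base, end = int(m["base"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "base": base, "size": end - base}


def injected_regions(hits, dump_names: List[str]) -> List[Dict[str, object]]:
    """For each hit, list dumped regions of the hollowed child and mark the
    one at the default image base as the most likely replaced PE image."""
    out = []
    parsed = [parse_dump_name(n) for n in dump_names]
    for h in hits:
        for r in parsed:
            if r["pid"] != h["child_pid"]:
                continue
            out.append({
                "child_pid": r["pid"],
                "base": r["base"],
                "size_kb": r["size"] // 1024,
                "likely_image": r["base"] == DEFAULT_IMAGE_BASE,
            })
    return out


if __name__ == "__main__":
    found = find_self_injection(PROCS)
    for h in found:
        print(f"self-injection: {h['parent_pid']} -> {h['child_pid']} ({h['image']})")
    for r in injected_regions(found, DUMPS):
        tag = "  <- unpack this first" if r["likely_image"] else ""
        print(f"  pid {r['child_pid']} 0x{r['base']:X} {r['size_kb']} KB{tag}")
```

The rule fires only on the sample's own tree: the parent 2564 carries both API tags and its child 1804 runs from the same path, while the cmd.exe control pair does not match. The 164 KB region at 0x400000 in PID 1804 is the injected image; the 3.1 MB region is heap-sized and is the second candidate for the unpacked payload.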

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    System Information Discovery (T1082), 1 technique

Downloads

  • \Users\Admin\AppData\Local\Temp\nsmEF06.tmp\vjajvyqaen.dll
    MD5

    7529eb937b2b5aed57e2080060610f15

    SHA1

    491873f93d62e1105d65c5c045d5d64053cc248d

    SHA256

    1fd1c12a1ee7c824471fba69a0d9e5aaf62003605a3569567a302b3df714f85a

    SHA512

    998c2aa8bb2374e121a82d5be63063d8fea379b77c9b2aa0142bedc04504ae6187563ef05602696fdc8cf2fdc9fee7c4468b5a9fe80b029ccf47d8688cefdd92

  • memory/1804-119-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

  • memory/1804-121-0x0000000000AB0000-0x0000000000DD0000-memory.dmp
    Filesize

    3.1MB

  • memory/2564-120-0x00000000021A0000-0x00000000021C3000-memory.dmp
    Filesize

    140KB