Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    55s
  • max time network
    50s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-02-2022 09:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60b97b4d45e3850d57a661bf37987909c1f99096384123594cc1b79d5449348f.exe

  • Size

    1.0MB

  • MD5

    5d6dba1a42b0579aea51e3875bd171c4

  • SHA1

    bacbe628d565ede6c15550469e912a1c6bba16ee

  • SHA256

    60b97b4d45e3850d57a661bf37987909c1f99096384123594cc1b79d5449348f

  • SHA512

    20ba7979b210768c4cb83f1849e240b28389a946d2ac12986bffb1a8309ddbcb33ac0235b30a821fdccbe0c11aa19de61037f92dcb8b1d0e1d5a0243ed540b0f

Score
10/10
xloadermc3wloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mc3w

Decoy

pegasusworlddigital.com

lumbungpanganreborn.com

familyresourcesystems.com

smallbusniessbenefits.com

strategia-firm.xyz

rokkos.club

geo1.tirol

dreamnft.xyz

yourprofits6.com

plshi.top

atmosferas.net

appcast-76.com

lilufigu.digital

jobby.guide

bregnic.art

stooshbotanicals.com

tiktok-lifts.com

dozercafe.com

parmarthmissionhospital.com

yufude.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60b97b4d45e3850d57a661bf37987909c1f99096384123594cc1b79d5449348f.exe
    "C:\Users\Admin\AppData\Local\Temp\60b97b4d45e3850d57a661bf37987909c1f99096384123594cc1b79d5449348f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\Local\Temp\60b97b4d45e3850d57a661bf37987909c1f99096384123594cc1b79d5449348f.exe
      "C:\Users\Admin\AppData\Local\Temp\60b97b4d45e3850d57a661bf37987909c1f99096384123594cc1b79d5449348f.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2056-125-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2056-126-0x0000000001010000-0x0000000001330000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3016-115-0x000000007335E000-0x000000007335F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3016-116-0x0000000000610000-0x0000000000722000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3016-117-0x00000000055B0000-0x0000000005AAE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3016-118-0x0000000004FD0000-0x0000000005062000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3016-119-0x0000000004F60000-0x0000000004F6A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3016-120-0x0000000005260000-0x0000000005261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3016-121-0x0000000005210000-0x0000000005220000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3016-122-0x0000000008920000-0x00000000089BC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3016-123-0x0000000008B30000-0x0000000008BF4000-memory.dmp

    Filesize

    784KB

    Download

  • memory/3016-124-0x0000000008890000-0x00000000088D4000-memory.dmp

    Filesize

    272KB

    Download