Overview

overview

10

Static

static

1

dridex

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f1b06407f8fe5e17a2bca06f7c7d54711f41df69163f3e9027c7521c0b17a864

  • Size

    337KB

  • Sample

    220302-x2yhhsgae4

  • MD5

    d6cb6f4304865dcfc312a32d1f2e7880

  • SHA1

    e96f64cec39d44a820d637bdd522d3a8e71d854f

  • SHA256

    f1b06407f8fe5e17a2bca06f7c7d54711f41df69163f3e9027c7521c0b17a864

  • SHA512

    948569df69e08ab6cc8e01dcb0301aa40a9832d96b350d13e2bfd84ec56f66f401ce902f7c3774bee0b371a345804b3607eea6047d53ffd979a448acd4a1730c

Score
10/10
formbookxloaderp2a5loaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

p2a5

Decoy

gorillaslovebananas.com

zonaextasis.com

digitalpravin.online

memorialdoors.com

departmenteindhoven.com

vipulb.com

ruyibao365.com

ynpzz.com

matthewandjessica.com

winfrey2024.com

janetride.com

arairazur.xyz

alltheheads.com

amayawebdesigns.com

califunder.com

blacksource.xyz

farmasi.agency

ilmkibahar.com

thinkcentury.net

eskortclub.com

Targets

    • Target

      f1b06407f8fe5e17a2bca06f7c7d54711f41df69163f3e9027c7521c0b17a864

    • Size

      337KB

    • MD5

      d6cb6f4304865dcfc312a32d1f2e7880

    • SHA1

      e96f64cec39d44a820d637bdd522d3a8e71d854f

    • SHA256

      f1b06407f8fe5e17a2bca06f7c7d54711f41df69163f3e9027c7521c0b17a864

    • SHA512

      948569df69e08ab6cc8e01dcb0301aa40a9832d96b350d13e2bfd84ec56f66f401ce902f7c3774bee0b371a345804b3607eea6047d53ffd979a448acd4a1730c

    Score
    10/10
    formbookxloaderp2a5loaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks