Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    53s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10-20220223-en
  • submitted
    03-03-2022 23:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c7ceb2adec0ec0d5d01cbbc2753f0c2ddfc149c2e4daa47a519f44604ea5e557.exe

  • Size

    15KB

  • MD5

    40674110ecc6a402569f906e115d3d8b

  • SHA1

    6771637dd6d3d89a9fd630f7b179d379b558bf77

  • SHA256

    c7ceb2adec0ec0d5d01cbbc2753f0c2ddfc149c2e4daa47a519f44604ea5e557

  • SHA512

    809c144a8418c0cd06ff365f51602000b2cc836d9cf49e8c9b2c394e1de9a61941cf461beec169d6837a2b29ad7aa70a936ddc59b9c1ea99e24efeae76bab018

Score
10/10
xloaderahc8loaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 1 IoCs
    rat
  • Downloads MZ/PE file
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7ceb2adec0ec0d5d01cbbc2753f0c2ddfc149c2e4daa47a519f44604ea5e557.exe
    "C:\Users\Admin\AppData\Local\Temp\c7ceb2adec0ec0d5d01cbbc2753f0c2ddfc149c2e4daa47a519f44604ea5e557.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Local\Temp\c7ceb2adec0ec0d5d01cbbc2753f0c2ddfc149c2e4daa47a519f44604ea5e557.exe
      "C:\Users\Admin\AppData\Local\Temp\c7ceb2adec0ec0d5d01cbbc2753f0c2ddfc149c2e4daa47a519f44604ea5e557.exe"
      2⤵
        PID:3280
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 188
          3⤵
          • Program crash
          PID:2440

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2024-114-0x0000000000700000-0x000000000070A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2024-115-0x00000000055F0000-0x0000000005AEE000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/2024-116-0x0000000004F90000-0x0000000005022000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2024-117-0x0000000073700000-0x0000000073DEE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2024-118-0x0000000004F30000-0x0000000004F3A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2024-119-0x0000000004EF0000-0x0000000004F82000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2024-120-0x0000000004F70000-0x0000000004F8E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2024-121-0x00000000060F0000-0x000000000618C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3280-123-0x0000000000500000-0x0000000000529000-memory.dmp
      Filesize

      164KB

      Download