General

  • Target: 98c9c20fcffa6fe99c0841a33f4a9283552b9393d958818b9b2b610d5467822e
  • Size: 757KB
  • Sample: 220308-warp8acgfm
  • MD5: 5c4dd55a06141f850ddcedb9253ed84c
  • SHA1: cf217d41e06f4c35eb00e8ad95bbfcd419a75424
  • SHA256: 98c9c20fcffa6fe99c0841a33f4a9283552b9393d958818b9b2b610d5467822e
  • SHA512: f74078346a44c1902ff2a4bb53ba3cd7dda8a957d8a7ee7033a1739c48f33df363efce6235195dbb46ef3ec4814922bfc08c53750a0300fe1085f7d4d9e33232

Malware Config (extracted)

  • Family: xloader
  • Version: 2.5
  • Campaign: p2a5
  • Decoy


Targets

    • Xloader
      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Looks for VirtualBox Guest Additions in registry

    • Xloader Payload

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry
      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                        Count  ID
  Defense Evasion  Virtualization/Sandbox Evasion   2      T1497
  Discovery        Query Registry                   4      T1012
  Discovery        Virtualization/Sandbox Evasion   2      T1497
  Discovery        System Information Discovery     2      T1082
  Discovery        Peripheral Device Discovery      1      T1120
