xloader | 559e207d1e3a1217b69796fc762cb2eb9db98717b983b789097faf774985bb6c

General

Target

RFQ8943.pdf.exe
Size

276KB
MD5

89e074f1f6ffd1421078fdab1a00ab5d
SHA1

a5c4d75dbbe10ed36f1ffaba930456592e268169
SHA256

559e207d1e3a1217b69796fc762cb2eb9db98717b983b789097faf774985bb6c
SHA512

2992a62c4d11a605429dea066336141701852d3866c9f6ba034f753e76714deaafd0a4a51108f0bca34ca561707a47abb28870048a27efd63344249cf0b1f3c1

Score

10^/10

xloader dhua loader persistence rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dhua

C2

http://www.segurosramosroman.com/dhua/

Decoy

ketostar.club

icanmakeyoufamous.com

claimygdejection.com

garlicinterestedparent.xyz

bits-clicks.com

030atk.xyz

ballwiegand.com

logs-illumidesk.com

785686.com

flnewsfeed.com

transporteshrj.net

agenciamundodigital.online

bowersllc.com

urchncenw.com

wuauwuaumx.com

littlesportsacademy.com

xn--m3chb3ax0abdta3fwhk.com

prmarketings.com

jiaozhanlianmeng.com

whenisthestore.space

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1572-56-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1000-65-0x0000000000110000-0x0000000000139000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

help.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	help.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XXWT4RBPT = "C:\\Program Files (x86)\\Twptlwb\\systraynpe0p08h.exe"	help.exe

Executes dropped EXE 2 IoCs

Processes:

systraynpe0p08h.exesystraynpe0p08h.exe

pid process

1464 systraynpe0p08h.exe
1764 systraynpe0p08h.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1724 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

RFQ8943.pdf.exesystraynpe0p08h.exe

pid process

1464 RFQ8943.pdf.exe
1464 systraynpe0p08h.exe

pid	process
1464	systraynpe0p08h.exe
1764	systraynpe0p08h.exe

pid	process
1724	cmd.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

RFQ8943.pdf.exeRFQ8943.pdf.exehelp.exesystraynpe0p08h.exe

description	pid	process	target process
PID 1464 set thread context of 1572	1464	RFQ8943.pdf.exe	RFQ8943.pdf.exe
PID 1572 set thread context of 1388	1572	RFQ8943.pdf.exe	Explorer.EXE
PID 1572 set thread context of 1388	1572	RFQ8943.pdf.exe	Explorer.EXE
PID 1000 set thread context of 1388	1000	help.exe	Explorer.EXE
PID 1464 set thread context of 1764	1464	systraynpe0p08h.exe	systraynpe0p08h.exe

Drops file in Program Files directory 2 IoCs

Processes:

help.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Twptlwb\systraynpe0p08h.exe	help.exe
File created	C:\Program Files (x86)\Twptlwb\systraynpe0p08h.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Twptlwb\systraynpe0p08h.exe	nsis_installer_1
C:\Program Files (x86)\Twptlwb\systraynpe0p08h.exe	nsis_installer_2
C:\Program Files (x86)\Twptlwb\systraynpe0p08h.exe	nsis_installer_1
C:\Program Files (x86)\Twptlwb\systraynpe0p08h.exe	nsis_installer_2
C:\Program Files (x86)\Twptlwb\systraynpe0p08h.exe	nsis_installer_1
C:\Program Files (x86)\Twptlwb\systraynpe0p08h.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

help.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	help.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

RFQ8943.pdf.exehelp.exesystraynpe0p08h.exe

pid	process
1572	RFQ8943.pdf.exe
1572	RFQ8943.pdf.exe
1572	RFQ8943.pdf.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1764	systraynpe0p08h.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe
1000	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1388 Explorer.EXE

Suspicious behavior: MapViewOfSection 10 IoCs

Processes:

RFQ8943.pdf.exeRFQ8943.pdf.exehelp.exesystraynpe0p08h.exe

pid	process
1464	RFQ8943.pdf.exe
1572	RFQ8943.pdf.exe
1572	RFQ8943.pdf.exe
1572	RFQ8943.pdf.exe
1572	RFQ8943.pdf.exe
1000	help.exe
1000	help.exe
1000	help.exe
1464	systraynpe0p08h.exe
1000	help.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RFQ8943.pdf.exehelp.exeExplorer.EXEsystraynpe0p08h.exe

description	pid	process
Token: SeDebugPrivilege	1572	RFQ8943.pdf.exe
Token: SeDebugPrivilege	1000	help.exe
Token: SeShutdownPrivilege	1388	Explorer.EXE
Token: SeDebugPrivilege	1764	systraynpe0p08h.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Explorer.EXE

pid process

1388 Explorer.EXE
1388 Explorer.EXE
1388 Explorer.EXE
1388 Explorer.EXE
1388 Explorer.EXE
1388 Explorer.EXE

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

Explorer.EXE

pid	process
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

RFQ8943.pdf.exeRFQ8943.pdf.exehelp.exeExplorer.EXEsystraynpe0p08h.exe

description	pid	process	target process
PID 1464 wrote to memory of 1572	1464	RFQ8943.pdf.exe	RFQ8943.pdf.exe
PID 1464 wrote to memory of 1572	1464	RFQ8943.pdf.exe	RFQ8943.pdf.exe
PID 1464 wrote to memory of 1572	1464	RFQ8943.pdf.exe	RFQ8943.pdf.exe
PID 1464 wrote to memory of 1572	1464	RFQ8943.pdf.exe	RFQ8943.pdf.exe
PID 1464 wrote to memory of 1572	1464	RFQ8943.pdf.exe	RFQ8943.pdf.exe
PID 1572 wrote to memory of 1000	1572	RFQ8943.pdf.exe	help.exe
PID 1572 wrote to memory of 1000	1572	RFQ8943.pdf.exe	help.exe
PID 1572 wrote to memory of 1000	1572	RFQ8943.pdf.exe	help.exe
PID 1572 wrote to memory of 1000	1572	RFQ8943.pdf.exe	help.exe
PID 1000 wrote to memory of 1724	1000	help.exe	cmd.exe
PID 1000 wrote to memory of 1724	1000	help.exe	cmd.exe
PID 1000 wrote to memory of 1724	1000	help.exe	cmd.exe
PID 1000 wrote to memory of 1724	1000	help.exe	cmd.exe
PID 1000 wrote to memory of 1760	1000	help.exe	Firefox.exe
PID 1000 wrote to memory of 1760	1000	help.exe	Firefox.exe
PID 1000 wrote to memory of 1760	1000	help.exe	Firefox.exe
PID 1000 wrote to memory of 1760	1000	help.exe	Firefox.exe
PID 1388 wrote to memory of 1464	1388	Explorer.EXE	systraynpe0p08h.exe
PID 1388 wrote to memory of 1464	1388	Explorer.EXE	systraynpe0p08h.exe
PID 1388 wrote to memory of 1464	1388	Explorer.EXE	systraynpe0p08h.exe
PID 1388 wrote to memory of 1464	1388	Explorer.EXE	systraynpe0p08h.exe
PID 1464 wrote to memory of 1764	1464	systraynpe0p08h.exe	systraynpe0p08h.exe
PID 1464 wrote to memory of 1764	1464	systraynpe0p08h.exe	systraynpe0p08h.exe
PID 1464 wrote to memory of 1764	1464	systraynpe0p08h.exe	systraynpe0p08h.exe
PID 1464 wrote to memory of 1764	1464	systraynpe0p08h.exe	systraynpe0p08h.exe
PID 1464 wrote to memory of 1764	1464	systraynpe0p08h.exe	systraynpe0p08h.exe
PID 1000 wrote to memory of 1760	1000	help.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\RFQ8943.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ8943.pdf.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\RFQ8943.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ8943.pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
4⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RFQ8943.pdf.exe"
5⤵
- Deletes itself
PID:1724

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
5⤵
PID:1760

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:980

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:544

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1764

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1508

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1384

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1516

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1920

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1788

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:804

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1140

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:524

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:596

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:332

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:792

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:708

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1292

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:896

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:580

C:\Program Files (x86)\Twptlwb\systraynpe0p08h.exe
"C:\Program Files (x86)\Twptlwb\systraynpe0p08h.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1464

C:\Program Files (x86)\Twptlwb\systraynpe0p08h.exe
"C:\Program Files (x86)\Twptlwb\systraynpe0p08h.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Twptlwb\systraynpe0p08h.exe
MD5
89e074f1f6ffd1421078fdab1a00ab5d

SHA1
a5c4d75dbbe10ed36f1ffaba930456592e268169

SHA256
559e207d1e3a1217b69796fc762cb2eb9db98717b983b789097faf774985bb6c

SHA512
2992a62c4d11a605429dea066336141701852d3866c9f6ba034f753e76714deaafd0a4a51108f0bca34ca561707a47abb28870048a27efd63344249cf0b1f3c1

Download Submit
C:\Program Files (x86)\Twptlwb\systraynpe0p08h.exe
MD5
89e074f1f6ffd1421078fdab1a00ab5d

SHA1
a5c4d75dbbe10ed36f1ffaba930456592e268169

SHA256
559e207d1e3a1217b69796fc762cb2eb9db98717b983b789097faf774985bb6c

SHA512
2992a62c4d11a605429dea066336141701852d3866c9f6ba034f753e76714deaafd0a4a51108f0bca34ca561707a47abb28870048a27efd63344249cf0b1f3c1

Download Submit
C:\Program Files (x86)\Twptlwb\systraynpe0p08h.exe
MD5
89e074f1f6ffd1421078fdab1a00ab5d

SHA1
a5c4d75dbbe10ed36f1ffaba930456592e268169

SHA256
559e207d1e3a1217b69796fc762cb2eb9db98717b983b789097faf774985bb6c

SHA512
2992a62c4d11a605429dea066336141701852d3866c9f6ba034f753e76714deaafd0a4a51108f0bca34ca561707a47abb28870048a27efd63344249cf0b1f3c1

Download Submit
\Users\Admin\AppData\Local\Temp\nsbAF23.tmp\qrtethbaa.dll
MD5
15f7482c81007eff5abdca2a8fcf93b9

SHA1
c6aad787f62ee9e6421cd8d7bcce78cdd812df4e

SHA256
acc5d7029dd7c89f300f07f3743772417081e3acc13e054f4dbfb8bf84796569

SHA512
ab6e6d602d156dc408275e03043a6f5096c31b9f9668adfe5b62335fefe43637a4a10941b011a88ac6cbbf2e0ec50ddf21c4b835a275a80cfdc9bc86d526fcf5

Download Submit
\Users\Admin\AppData\Local\Temp\nsiBD47.tmp\qrtethbaa.dll
MD5
15f7482c81007eff5abdca2a8fcf93b9

SHA1
c6aad787f62ee9e6421cd8d7bcce78cdd812df4e

SHA256
acc5d7029dd7c89f300f07f3743772417081e3acc13e054f4dbfb8bf84796569

SHA512
ab6e6d602d156dc408275e03043a6f5096c31b9f9668adfe5b62335fefe43637a4a10941b011a88ac6cbbf2e0ec50ddf21c4b835a275a80cfdc9bc86d526fcf5

Download Submit
memory/1000-65-0x0000000000110000-0x0000000000139000-memory.dmp

Filesize
164KB

Download
memory/1000-62-0x0000000000000000-mapping.dmp

Download
memory/1000-64-0x0000000000690000-0x0000000000696000-memory.dmp

Filesize
24KB

Download
memory/1000-66-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/1000-67-0x0000000000420000-0x00000000004B0000-memory.dmp

Filesize
576KB

Download
memory/1388-68-0x0000000008810000-0x0000000008942000-memory.dmp

Filesize
1.2MB

Download
memory/1388-61-0x00000000069A0000-0x0000000006AA1000-memory.dmp

Filesize
1.0MB

Download
memory/1388-59-0x0000000004320000-0x0000000004430000-memory.dmp

Filesize
1.1MB

Download
memory/1464-70-0x0000000000000000-mapping.dmp

Download
memory/1464-53-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1572-57-0x0000000000860000-0x0000000000B63000-memory.dmp

Filesize
3.0MB

Download
memory/1572-60-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/1572-58-0x00000000002E0000-0x00000000002F1000-memory.dmp

Filesize
68KB

Download
memory/1572-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1572-55-0x000000000041D4E0-mapping.dmp

Download
memory/1724-63-0x0000000000000000-mapping.dmp

Download
memory/1760-78-0x0000000000000000-mapping.dmp

Download
memory/1760-79-0x000000013F410000-0x000000013F4A3000-memory.dmp

Filesize
588KB

Download
memory/1760-80-0x00000000023D0000-0x00000000024BB000-memory.dmp

Filesize
940KB

Download
memory/1764-75-0x000000000041D4E0-mapping.dmp

Download
memory/1764-77-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads