xloader | fa76022bffd0d6d87ad3baab7b9839f0b172ce1ccd264759d88e9df1a77291f1

General

Target

HSBC94302,pdf.exe
Size

255KB
MD5

f074678a2c588e8741918098804e2a54
SHA1

8f6ece4353671a76abea3621a1ae05886bfd181c
SHA256

fa76022bffd0d6d87ad3baab7b9839f0b172ce1ccd264759d88e9df1a77291f1
SHA512

21092cf587641e2f00758b98629c086f3d04aa9ef1da4b095c5d98764d57e8ed90ec947e9787fad7dce2a2dddd0444cb3def5c5ea500e43ad081c764f5e888f2

Score

10^/10

xloader dhua loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dhua

C2

http://www.segurosramosroman.com/dhua/

Decoy

ketostar.club

icanmakeyoufamous.com

claimygdejection.com

garlicinterestedparent.xyz

bits-clicks.com

030atk.xyz

ballwiegand.com

logs-illumidesk.com

785686.com

flnewsfeed.com

transporteshrj.net

agenciamundodigital.online

bowersllc.com

urchncenw.com

wuauwuaumx.com

littlesportsacademy.com

xn--m3chb3ax0abdta3fwhk.com

prmarketings.com

jiaozhanlianmeng.com

whenisthestore.space

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4176-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4176-117-0x000000000041D4E0-mapping.dmp	xloader
behavioral2/memory/8-123-0x0000000000500000-0x0000000000529000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

HSBC94302,pdf.exe

pid process

3704 HSBC94302,pdf.exe

pid	process
3704	HSBC94302,pdf.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

HSBC94302,pdf.exeHSBC94302,pdf.execmd.exe

description	pid	process	target process
PID 3704 set thread context of 4176	3704	HSBC94302,pdf.exe	HSBC94302,pdf.exe
PID 4176 set thread context of 3048	4176	HSBC94302,pdf.exe	Explorer.EXE
PID 8 set thread context of 3048	8	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

HSBC94302,pdf.execmd.exe

pid	process
4176	HSBC94302,pdf.exe
4176	HSBC94302,pdf.exe
4176	HSBC94302,pdf.exe
4176	HSBC94302,pdf.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe
8	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3048 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

HSBC94302,pdf.execmd.exe

pid process

4176 HSBC94302,pdf.exe
4176 HSBC94302,pdf.exe
4176 HSBC94302,pdf.exe
8 cmd.exe
8 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HSBC94302,pdf.execmd.exe

description pid process

Token: SeDebugPrivilege 4176 HSBC94302,pdf.exe
Token: SeDebugPrivilege 8 cmd.exe

pid	process
3048	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4176	HSBC94302,pdf.exe
Token: SeDebugPrivilege	8	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

HSBC94302,pdf.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3704 wrote to memory of 4176	3704	HSBC94302,pdf.exe	HSBC94302,pdf.exe
PID 3704 wrote to memory of 4176	3704	HSBC94302,pdf.exe	HSBC94302,pdf.exe
PID 3704 wrote to memory of 4176	3704	HSBC94302,pdf.exe	HSBC94302,pdf.exe
PID 3704 wrote to memory of 4176	3704	HSBC94302,pdf.exe	HSBC94302,pdf.exe
PID 3704 wrote to memory of 4176	3704	HSBC94302,pdf.exe	HSBC94302,pdf.exe
PID 3704 wrote to memory of 4176	3704	HSBC94302,pdf.exe	HSBC94302,pdf.exe
PID 3048 wrote to memory of 8	3048	Explorer.EXE	cmd.exe
PID 3048 wrote to memory of 8	3048	Explorer.EXE	cmd.exe
PID 3048 wrote to memory of 8	3048	Explorer.EXE	cmd.exe
PID 8 wrote to memory of 2096	8	cmd.exe	cmd.exe
PID 8 wrote to memory of 2096	8	cmd.exe	cmd.exe
PID 8 wrote to memory of 2096	8	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3704

C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe"
3⤵
PID:2096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsl89D8.tmp\injpp.dll
MD5
52230408da822ac77450b0e11c41d28d

SHA1
7c5394bb747a4a6fea18955e1da878cd87a7e86a

SHA256
7318f7a1bb662ba2d27530ec87866144ac7a0532a642a27e1924987e498af153

SHA512
fae0a23cb2e3bcecaca88307c1584462645db1c7fab08fc9327419fdae533e213e5968604d7ea49b4705f62c29824e171bb004b9ae426bff3aa7ae0dd4079ef1

Download Submit
memory/8-121-0x0000000000000000-mapping.dmp

Download
memory/8-126-0x0000000000C60000-0x0000000000CF0000-memory.dmp

Filesize
576KB

Download
memory/8-125-0x0000000000D90000-0x00000000010B0000-memory.dmp

Filesize
3.1MB

Download
memory/8-123-0x0000000000500000-0x0000000000529000-memory.dmp

Filesize
164KB

Download
memory/8-122-0x00000000012A0000-0x00000000012F9000-memory.dmp

Filesize
356KB

Download
memory/2096-124-0x0000000000000000-mapping.dmp

Download
memory/3048-120-0x0000000002400000-0x00000000024D7000-memory.dmp

Filesize
860KB

Download
memory/3048-127-0x0000000005750000-0x00000000057EE000-memory.dmp

Filesize
632KB

Download
memory/4176-119-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/4176-118-0x0000000000A40000-0x0000000000D60000-memory.dmp

Filesize
3.1MB

Download
memory/4176-117-0x000000000041D4E0-mapping.dmp

Download
memory/4176-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads