xloader | 93400ffcff8607b9cb7642b7fe7f53d2e70e94bdf50f7aa8ca1696b28a93e80f

General

Target

BERN210819.exe
Size

284KB
MD5

b0f2fa7defaf207ebf652f84d9fc52ed
SHA1

9edb65c5fc90b3221ce5d291e7809aa328b80976
SHA256

93400ffcff8607b9cb7642b7fe7f53d2e70e94bdf50f7aa8ca1696b28a93e80f
SHA512

100426d03e8893de86bca50b3152913d1e198d41b5b1b4a2baec1b45cac98d280f8d300fb5d2c83b651604b84afc2086a62a51a2121fa6048a5c809d9277c108

Score

10^/10

xloader dhua loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dhua

C2

http://www.segurosramosroman.com/dhua/

Decoy

ketostar.club

icanmakeyoufamous.com

claimygdejection.com

garlicinterestedparent.xyz

bits-clicks.com

030atk.xyz

ballwiegand.com

logs-illumidesk.com

785686.com

flnewsfeed.com

transporteshrj.net

agenciamundodigital.online

bowersllc.com

urchncenw.com

wuauwuaumx.com

littlesportsacademy.com

xn--m3chb3ax0abdta3fwhk.com

prmarketings.com

jiaozhanlianmeng.com

whenisthestore.space

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1592-62-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1592-63-0x000000000041D4E0-mapping.dmp	xloader
behavioral1/memory/2044-73-0x0000000000090000-0x00000000000B9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1756 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

BERN210819.exe

pid process

1104 BERN210819.exe

pid	process
1756	cmd.exe

pid	process
1104	BERN210819.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

BERN210819.exeBERN210819.exerundll32.exe

description	pid	process	target process
PID 1104 set thread context of 1592	1104	BERN210819.exe	BERN210819.exe
PID 1592 set thread context of 1244	1592	BERN210819.exe	Explorer.EXE
PID 1592 set thread context of 1244	1592	BERN210819.exe	Explorer.EXE
PID 2044 set thread context of 1244	2044	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

BERN210819.exerundll32.exe

pid	process
1592	BERN210819.exe
1592	BERN210819.exe
1592	BERN210819.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

BERN210819.exerundll32.exe

pid process

1592 BERN210819.exe
1592 BERN210819.exe
1592 BERN210819.exe
1592 BERN210819.exe
2044 rundll32.exe
2044 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

BERN210819.exerundll32.exe

description pid process

Token: SeDebugPrivilege 1592 BERN210819.exe
Token: SeDebugPrivilege 2044 rundll32.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE

pid	process
1244	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1592	BERN210819.exe
Token: SeDebugPrivilege	2044	rundll32.exe

pid	process
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE

pid	process
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

BERN210819.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 1104 wrote to memory of 1592	1104	BERN210819.exe	BERN210819.exe
PID 1104 wrote to memory of 1592	1104	BERN210819.exe	BERN210819.exe
PID 1104 wrote to memory of 1592	1104	BERN210819.exe	BERN210819.exe
PID 1104 wrote to memory of 1592	1104	BERN210819.exe	BERN210819.exe
PID 1104 wrote to memory of 1592	1104	BERN210819.exe	BERN210819.exe
PID 1104 wrote to memory of 1592	1104	BERN210819.exe	BERN210819.exe
PID 1104 wrote to memory of 1592	1104	BERN210819.exe	BERN210819.exe
PID 1244 wrote to memory of 2044	1244	Explorer.EXE	rundll32.exe
PID 1244 wrote to memory of 2044	1244	Explorer.EXE	rundll32.exe
PID 1244 wrote to memory of 2044	1244	Explorer.EXE	rundll32.exe
PID 1244 wrote to memory of 2044	1244	Explorer.EXE	rundll32.exe
PID 1244 wrote to memory of 2044	1244	Explorer.EXE	rundll32.exe
PID 1244 wrote to memory of 2044	1244	Explorer.EXE	rundll32.exe
PID 1244 wrote to memory of 2044	1244	Explorer.EXE	rundll32.exe
PID 2044 wrote to memory of 1756	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1756	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1756	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1756	2044	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\BERN210819.exe
"C:\Users\Admin\AppData\Local\Temp\BERN210819.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\BERN210819.exe
"C:\Users\Admin\AppData\Local\Temp\BERN210819.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\BERN210819.exe"
3⤵
- Deletes itself
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsqCFCD.tmp\bzkahjp.dll
MD5
2c04f5d982279cac9278682eb2d948d5

SHA1
8e632d91fe7645c3f093587d4200d7b6e0d1726a

SHA256
41dca50a93e75e133a04b71bc3b274e68eff1e6355e0ccfd6b41388011144666

SHA512
a3758e250ec220298f2abd7365906258579f37c47ee7f8bf88474e1213335ffa357f2a6d37e482df72e3b1a976435b868bb6e498625e9c0e7e289267e6c483f9

Download Submit
memory/1104-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1244-66-0x0000000004E20000-0x0000000004F4B000-memory.dmp

Filesize
1.2MB

Download
memory/1244-77-0x0000000007200000-0x0000000007343000-memory.dmp

Filesize
1.3MB

Download
memory/1244-75-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/1244-68-0x0000000004F50000-0x00000000050E6000-memory.dmp

Filesize
1.6MB

Download
memory/1592-65-0x0000000000580000-0x0000000000591000-memory.dmp

Filesize
68KB

Download
memory/1592-67-0x00000000005C0000-0x00000000005D1000-memory.dmp

Filesize
68KB

Download
memory/1592-64-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/1592-63-0x000000000041D4E0-mapping.dmp

Download
memory/1592-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1756-74-0x0000000000000000-mapping.dmp

Download
memory/2044-69-0x0000000000000000-mapping.dmp

Download
memory/2044-71-0x0000000000D60000-0x0000000000D6E000-memory.dmp

Filesize
56KB

Download
memory/2044-72-0x0000000002170000-0x0000000002473000-memory.dmp

Filesize
3.0MB

Download
memory/2044-73-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2044-76-0x00000000009F0000-0x0000000000A80000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads