xloader | 93400ffcff8607b9cb7642b7fe7f53d2e70e94bdf50f7aa8ca1696b28a93e80f

General

Target

BERN210819.exe
Size

284KB
MD5

b0f2fa7defaf207ebf652f84d9fc52ed
SHA1

9edb65c5fc90b3221ce5d291e7809aa328b80976
SHA256

93400ffcff8607b9cb7642b7fe7f53d2e70e94bdf50f7aa8ca1696b28a93e80f
SHA512

100426d03e8893de86bca50b3152913d1e198d41b5b1b4a2baec1b45cac98d280f8d300fb5d2c83b651604b84afc2086a62a51a2121fa6048a5c809d9277c108

Score

10^/10

xloader dhua loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dhua

C2

http://www.segurosramosroman.com/dhua/

Decoy

ketostar.club

icanmakeyoufamous.com

claimygdejection.com

garlicinterestedparent.xyz

bits-clicks.com

030atk.xyz

ballwiegand.com

logs-illumidesk.com

785686.com

flnewsfeed.com

transporteshrj.net

agenciamundodigital.online

bowersllc.com

urchncenw.com

wuauwuaumx.com

littlesportsacademy.com

xn--m3chb3ax0abdta3fwhk.com

prmarketings.com

jiaozhanlianmeng.com

whenisthestore.space

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2596-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2596-117-0x000000000041D4E0-mapping.dmp	xloader
behavioral2/memory/2660-123-0x00000000027D0000-0x00000000027F9000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

BERN210819.exe

pid process

2384 BERN210819.exe

pid	process
2384	BERN210819.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

BERN210819.exeBERN210819.exesvchost.exe

description	pid	process	target process
PID 2384 set thread context of 2596	2384	BERN210819.exe	BERN210819.exe
PID 2596 set thread context of 1588	2596	BERN210819.exe	Explorer.EXE
PID 2660 set thread context of 1588	2660	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

BERN210819.exesvchost.exe

pid	process
2596	BERN210819.exe
2596	BERN210819.exe
2596	BERN210819.exe
2596	BERN210819.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1588 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

BERN210819.exesvchost.exe

pid process

2596 BERN210819.exe
2596 BERN210819.exe
2596 BERN210819.exe
2660 svchost.exe
2660 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

BERN210819.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2596 BERN210819.exe
Token: SeDebugPrivilege 2660 svchost.exe

pid	process
1588	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2596	BERN210819.exe
Token: SeDebugPrivilege	2660	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

BERN210819.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 2384 wrote to memory of 2596	2384	BERN210819.exe	BERN210819.exe
PID 2384 wrote to memory of 2596	2384	BERN210819.exe	BERN210819.exe
PID 2384 wrote to memory of 2596	2384	BERN210819.exe	BERN210819.exe
PID 2384 wrote to memory of 2596	2384	BERN210819.exe	BERN210819.exe
PID 2384 wrote to memory of 2596	2384	BERN210819.exe	BERN210819.exe
PID 2384 wrote to memory of 2596	2384	BERN210819.exe	BERN210819.exe
PID 1588 wrote to memory of 2660	1588	Explorer.EXE	svchost.exe
PID 1588 wrote to memory of 2660	1588	Explorer.EXE	svchost.exe
PID 1588 wrote to memory of 2660	1588	Explorer.EXE	svchost.exe
PID 2660 wrote to memory of 2720	2660	svchost.exe	cmd.exe
PID 2660 wrote to memory of 2720	2660	svchost.exe	cmd.exe
PID 2660 wrote to memory of 2720	2660	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\BERN210819.exe
"C:\Users\Admin\AppData\Local\Temp\BERN210819.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Local\Temp\BERN210819.exe
"C:\Users\Admin\AppData\Local\Temp\BERN210819.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\BERN210819.exe"
3⤵
PID:2720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsm8BAD.tmp\bzkahjp.dll
MD5
2c04f5d982279cac9278682eb2d948d5

SHA1
8e632d91fe7645c3f093587d4200d7b6e0d1726a

SHA256
41dca50a93e75e133a04b71bc3b274e68eff1e6355e0ccfd6b41388011144666

SHA512
a3758e250ec220298f2abd7365906258579f37c47ee7f8bf88474e1213335ffa357f2a6d37e482df72e3b1a976435b868bb6e498625e9c0e7e289267e6c483f9

Download Submit
memory/1588-127-0x0000000006760000-0x00000000068E5000-memory.dmp

Filesize
1.5MB

Download
memory/1588-120-0x0000000004FF0000-0x0000000005191000-memory.dmp

Filesize
1.6MB

Download
memory/2596-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2596-117-0x000000000041D4E0-mapping.dmp

Download
memory/2596-119-0x00000000005D0000-0x00000000005E1000-memory.dmp

Filesize
68KB

Download
memory/2596-118-0x0000000000A40000-0x0000000000D60000-memory.dmp

Filesize
3.1MB

Download
memory/2660-121-0x0000000000000000-mapping.dmp

Download
memory/2660-124-0x0000000003120000-0x0000000003440000-memory.dmp

Filesize
3.1MB

Download
memory/2660-122-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/2660-126-0x0000000002F90000-0x0000000003020000-memory.dmp

Filesize
576KB

Download
memory/2660-123-0x00000000027D0000-0x00000000027F9000-memory.dmp

Filesize
164KB

Download
memory/2720-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads