xloader | 6446736e3662120e1fe4c3518bc8e6d14553f6b0b27aaf1fc5676e1f73a50c33

General

Target

HTK TT600202109300860048866 Payment Proof.pdf.exe
Size

461KB
MD5

f12bf73a1cb81b5ddd8dd6ed66e610f1
SHA1

cb8b0497c95512bf9233823f7d20937424c87207
SHA256

6446736e3662120e1fe4c3518bc8e6d14553f6b0b27aaf1fc5676e1f73a50c33
SHA512

385c4de5deca014f7486f802efc9a305e2bd2c457a21b63f66bf6f3caef1acee6537f32c7cd4690ee0378939dfad4444abb832c31fb5b5cfcb5bf7ae86715bad

Score

10^/10

xloader euzn loader persistence rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

euzn

C2

http://www.heser.net/euzn/

Decoy

235296tyc.com

gold12guide.art

baibuaherb.com

weberwines.tax

chezvitoria.com

aidenb.tech

pitchdeckservice.com

surgeryforfdf.xyz

workunvaccinated.com

hrtaro.com

yourotcs.com

sonimultispecialityclinic.com

consultantadvisors.com

pentesting-consulting.com

dantechs.digital

longshifa.online

taweilai.net

imyusuke.com

cashndashfinancial.com

fasiglimt.quest

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/784-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/784-64-0x000000000041D420-mapping.dmp	xloader
behavioral1/memory/672-72-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader
behavioral1/memory/2012-89-0x000000000041D420-mapping.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

netsh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	netsh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XZWT4RBPT = "C:\\Program Files (x86)\\Cnng4x\\services7nmdpl.exe"	netsh.exe

Executes dropped EXE 3 IoCs

Processes:

services7nmdpl.exeservices7nmdpl.exeservices7nmdpl.exe

pid process

1948 services7nmdpl.exe
948 services7nmdpl.exe
2012 services7nmdpl.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

336 cmd.exe

pid	process
1948	services7nmdpl.exe
948	services7nmdpl.exe
2012	services7nmdpl.exe

pid	process
336	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

HTK TT600202109300860048866 Payment Proof.pdf.exeHTK TT600202109300860048866 Payment Proof.pdf.exenetsh.exeservices7nmdpl.exe

description	pid	process	target process
PID 1156 set thread context of 784	1156	HTK TT600202109300860048866 Payment Proof.pdf.exe	HTK TT600202109300860048866 Payment Proof.pdf.exe
PID 784 set thread context of 1420	784	HTK TT600202109300860048866 Payment Proof.pdf.exe	Explorer.EXE
PID 672 set thread context of 1420	672	netsh.exe	Explorer.EXE
PID 1948 set thread context of 2012	1948	services7nmdpl.exe	services7nmdpl.exe

Drops file in Program Files directory 2 IoCs

Processes:

netsh.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Cnng4x\services7nmdpl.exe	netsh.exe
File created	C:\Program Files (x86)\Cnng4x\services7nmdpl.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

netsh.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2955169046-2371869340-1800780948-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

HTK TT600202109300860048866 Payment Proof.pdf.exenetsh.exeservices7nmdpl.exeservices7nmdpl.exe

pid	process
784	HTK TT600202109300860048866 Payment Proof.pdf.exe
784	HTK TT600202109300860048866 Payment Proof.pdf.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
1948	services7nmdpl.exe
2012	services7nmdpl.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1420 Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

HTK TT600202109300860048866 Payment Proof.pdf.exenetsh.exe

pid	process
784	HTK TT600202109300860048866 Payment Proof.pdf.exe
784	HTK TT600202109300860048866 Payment Proof.pdf.exe
784	HTK TT600202109300860048866 Payment Proof.pdf.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe
672	netsh.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

HTK TT600202109300860048866 Payment Proof.pdf.exenetsh.exeservices7nmdpl.exeservices7nmdpl.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	784	HTK TT600202109300860048866 Payment Proof.pdf.exe
Token: SeDebugPrivilege	672	netsh.exe
Token: SeDebugPrivilege	1948	services7nmdpl.exe
Token: SeDebugPrivilege	2012	services7nmdpl.exe
Token: SeShutdownPrivilege	1420	Explorer.EXE
Token: SeShutdownPrivilege	1420	Explorer.EXE
Token: SeShutdownPrivilege	1420	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1420 Explorer.EXE
1420 Explorer.EXE
1420 Explorer.EXE
1420 Explorer.EXE

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

Explorer.EXE

pid	process
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

HTK TT600202109300860048866 Payment Proof.pdf.exeExplorer.EXEnetsh.exeservices7nmdpl.exetaskeng.exe

description	pid	process	target process
PID 1156 wrote to memory of 784	1156	HTK TT600202109300860048866 Payment Proof.pdf.exe	HTK TT600202109300860048866 Payment Proof.pdf.exe
PID 1156 wrote to memory of 784	1156	HTK TT600202109300860048866 Payment Proof.pdf.exe	HTK TT600202109300860048866 Payment Proof.pdf.exe
PID 1156 wrote to memory of 784	1156	HTK TT600202109300860048866 Payment Proof.pdf.exe	HTK TT600202109300860048866 Payment Proof.pdf.exe
PID 1156 wrote to memory of 784	1156	HTK TT600202109300860048866 Payment Proof.pdf.exe	HTK TT600202109300860048866 Payment Proof.pdf.exe
PID 1156 wrote to memory of 784	1156	HTK TT600202109300860048866 Payment Proof.pdf.exe	HTK TT600202109300860048866 Payment Proof.pdf.exe
PID 1156 wrote to memory of 784	1156	HTK TT600202109300860048866 Payment Proof.pdf.exe	HTK TT600202109300860048866 Payment Proof.pdf.exe
PID 1156 wrote to memory of 784	1156	HTK TT600202109300860048866 Payment Proof.pdf.exe	HTK TT600202109300860048866 Payment Proof.pdf.exe
PID 1420 wrote to memory of 672	1420	Explorer.EXE	netsh.exe
PID 1420 wrote to memory of 672	1420	Explorer.EXE	netsh.exe
PID 1420 wrote to memory of 672	1420	Explorer.EXE	netsh.exe
PID 1420 wrote to memory of 672	1420	Explorer.EXE	netsh.exe
PID 672 wrote to memory of 336	672	netsh.exe	cmd.exe
PID 672 wrote to memory of 336	672	netsh.exe	cmd.exe
PID 672 wrote to memory of 336	672	netsh.exe	cmd.exe
PID 672 wrote to memory of 336	672	netsh.exe	cmd.exe
PID 672 wrote to memory of 1908	672	netsh.exe	Firefox.exe
PID 672 wrote to memory of 1908	672	netsh.exe	Firefox.exe
PID 672 wrote to memory of 1908	672	netsh.exe	Firefox.exe
PID 672 wrote to memory of 1908	672	netsh.exe	Firefox.exe
PID 1420 wrote to memory of 1948	1420	Explorer.EXE	services7nmdpl.exe
PID 1420 wrote to memory of 1948	1420	Explorer.EXE	services7nmdpl.exe
PID 1420 wrote to memory of 1948	1420	Explorer.EXE	services7nmdpl.exe
PID 1420 wrote to memory of 1948	1420	Explorer.EXE	services7nmdpl.exe
PID 672 wrote to memory of 1908	672	netsh.exe	Firefox.exe
PID 1948 wrote to memory of 948	1948	services7nmdpl.exe	services7nmdpl.exe
PID 1948 wrote to memory of 948	1948	services7nmdpl.exe	services7nmdpl.exe
PID 1948 wrote to memory of 948	1948	services7nmdpl.exe	services7nmdpl.exe
PID 1948 wrote to memory of 948	1948	services7nmdpl.exe	services7nmdpl.exe
PID 1948 wrote to memory of 2012	1948	services7nmdpl.exe	services7nmdpl.exe
PID 1948 wrote to memory of 2012	1948	services7nmdpl.exe	services7nmdpl.exe
PID 1948 wrote to memory of 2012	1948	services7nmdpl.exe	services7nmdpl.exe
PID 1948 wrote to memory of 2012	1948	services7nmdpl.exe	services7nmdpl.exe
PID 1948 wrote to memory of 2012	1948	services7nmdpl.exe	services7nmdpl.exe
PID 1948 wrote to memory of 2012	1948	services7nmdpl.exe	services7nmdpl.exe
PID 1948 wrote to memory of 2012	1948	services7nmdpl.exe	services7nmdpl.exe
PID 1148 wrote to memory of 1540	1148	taskeng.exe	default-browser-agent.exe
PID 1148 wrote to memory of 1540	1148	taskeng.exe	default-browser-agent.exe
PID 1148 wrote to memory of 1540	1148	taskeng.exe	default-browser-agent.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\HTK TT600202109300860048866 Payment Proof.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\HTK TT600202109300860048866 Payment Proof.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\HTK TT600202109300860048866 Payment Proof.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\HTK TT600202109300860048866 Payment Proof.pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\HTK TT600202109300860048866 Payment Proof.pdf.exe"
3⤵
- Deletes itself
PID:336

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1908

C:\Program Files (x86)\Cnng4x\services7nmdpl.exe
"C:\Program Files (x86)\Cnng4x\services7nmdpl.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Program Files (x86)\Cnng4x\services7nmdpl.exe
"C:\Program Files (x86)\Cnng4x\services7nmdpl.exe"
3⤵
- Executes dropped EXE
PID:948

C:\Program Files (x86)\Cnng4x\services7nmdpl.exe
"C:\Program Files (x86)\Cnng4x\services7nmdpl.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\taskeng.exe
taskeng.exe {F37FA4C3-E7B7-442A-8A39-0EB1583E63BA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1784

C:\Windows\system32\taskeng.exe
taskeng.exe {37883A03-041F-48F6-A2AE-BC3A73BB5131} S-1-5-21-2955169046-2371869340-1800780948-1000:UKNHJUQT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Program Files\Mozilla Firefox\default-browser-agent.exe
"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
2⤵
PID:1540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Cnng4x\services7nmdpl.exe
MD5
f12bf73a1cb81b5ddd8dd6ed66e610f1

SHA1
cb8b0497c95512bf9233823f7d20937424c87207

SHA256
6446736e3662120e1fe4c3518bc8e6d14553f6b0b27aaf1fc5676e1f73a50c33

SHA512
385c4de5deca014f7486f802efc9a305e2bd2c457a21b63f66bf6f3caef1acee6537f32c7cd4690ee0378939dfad4444abb832c31fb5b5cfcb5bf7ae86715bad

Download Submit
C:\Program Files (x86)\Cnng4x\services7nmdpl.exe
MD5
f12bf73a1cb81b5ddd8dd6ed66e610f1

SHA1
cb8b0497c95512bf9233823f7d20937424c87207

SHA256
6446736e3662120e1fe4c3518bc8e6d14553f6b0b27aaf1fc5676e1f73a50c33

SHA512
385c4de5deca014f7486f802efc9a305e2bd2c457a21b63f66bf6f3caef1acee6537f32c7cd4690ee0378939dfad4444abb832c31fb5b5cfcb5bf7ae86715bad

Download Submit
C:\Program Files (x86)\Cnng4x\services7nmdpl.exe
MD5
f12bf73a1cb81b5ddd8dd6ed66e610f1

SHA1
cb8b0497c95512bf9233823f7d20937424c87207

SHA256
6446736e3662120e1fe4c3518bc8e6d14553f6b0b27aaf1fc5676e1f73a50c33

SHA512
385c4de5deca014f7486f802efc9a305e2bd2c457a21b63f66bf6f3caef1acee6537f32c7cd4690ee0378939dfad4444abb832c31fb5b5cfcb5bf7ae86715bad

Download Submit
C:\Program Files (x86)\Cnng4x\services7nmdpl.exe
MD5
f12bf73a1cb81b5ddd8dd6ed66e610f1

SHA1
cb8b0497c95512bf9233823f7d20937424c87207

SHA256
6446736e3662120e1fe4c3518bc8e6d14553f6b0b27aaf1fc5676e1f73a50c33

SHA512
385c4de5deca014f7486f802efc9a305e2bd2c457a21b63f66bf6f3caef1acee6537f32c7cd4690ee0378939dfad4444abb832c31fb5b5cfcb5bf7ae86715bad

Download Submit
memory/336-70-0x0000000000000000-mapping.dmp

Download
memory/672-71-0x0000000001770000-0x000000000178B000-memory.dmp

Filesize
108KB

Download
memory/672-69-0x0000000000000000-mapping.dmp

Download
memory/672-74-0x0000000000570000-0x0000000000600000-memory.dmp

Filesize
576KB

Download
memory/672-73-0x0000000000C90000-0x0000000000F93000-memory.dmp

Filesize
3.0MB

Download
memory/672-72-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/784-67-0x0000000000180000-0x0000000000191000-memory.dmp

Filesize
68KB

Download
memory/784-64-0x000000000041D420-mapping.dmp

Download
memory/784-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/784-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/784-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/784-65-0x0000000000B40000-0x0000000000E43000-memory.dmp

Filesize
3.0MB

Download
memory/1156-55-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/1156-58-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/1156-60-0x0000000004BF0000-0x0000000004C3B000-memory.dmp

Filesize
300KB

Download
memory/1156-59-0x0000000000630000-0x0000000000637000-memory.dmp

Filesize
28KB

Download
memory/1156-57-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1420-75-0x0000000006BF0000-0x0000000006D2B000-memory.dmp

Filesize
1.2MB

Download
memory/1420-68-0x0000000004310000-0x00000000043BD000-memory.dmp

Filesize
692KB

Download
memory/1540-92-0x0000000000000000-mapping.dmp

Download
memory/1948-77-0x0000000000000000-mapping.dmp

Download
memory/1948-83-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/1948-80-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2012-89-0x000000000041D420-mapping.dmp

Download
memory/2012-91-0x0000000000800000-0x0000000000B03000-memory.dmp

Filesize
3.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads