xloader | 4c382fc031bb1ca0e9e075fe60ec6ce335050799c3ebff9fea3bd1531f2aceae

General

Target

DH146890Y.exe
Size

256KB
MD5

acaef58b0bb5cb7965052d41570b5686
SHA1

1668c7470fe1c5d9330f66267d987b0e08b0f8ad
SHA256

4c382fc031bb1ca0e9e075fe60ec6ce335050799c3ebff9fea3bd1531f2aceae
SHA512

cf843e25a0c707bc0070913b2b240fb5818de2daefd1c76798b3538fbefb9da0b08bdbf58764c463385eb4876556b85c83b73643098bbffd32ac6b95bd8f4da6

Score

10^/10

xloader u5eh loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u5eh

C2

http://www.retonamoss.com/u5eh/

Decoy

tryafaq.com

bobcathntshop.com

oglead.com

026skz.xyz

brasbux.com

adna17.com

noveltyrofjiy.xyz

realestatecompanys.com

leman-web.com

df5686.com

jonathonhawkins.com

juliedominyfloralartistry.com

classyeventsco.com

aquaticatt.com

iotworld.xyz

hoc8.com

disposablediapers.store

peregovorim.online

advancebits.club

getaburialplan.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/644-56-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/644-57-0x000000000041D3E0-mapping.dmp	xloader
behavioral1/memory/644-62-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/620-67-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

340 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

DH146890Y.exe

pid process

1880 DH146890Y.exe

pid	process
340	cmd.exe

pid	process
1880	DH146890Y.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

DH146890Y.exeDH146890Y.exenetsh.exe

description	pid	process	target process
PID 1880 set thread context of 644	1880	DH146890Y.exe	DH146890Y.exe
PID 644 set thread context of 1356	644	DH146890Y.exe	Explorer.EXE
PID 644 set thread context of 1356	644	DH146890Y.exe	Explorer.EXE
PID 620 set thread context of 1356	620	netsh.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

DH146890Y.exenetsh.exe

pid	process
644	DH146890Y.exe
644	DH146890Y.exe
644	DH146890Y.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe
620	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1356 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

DH146890Y.exenetsh.exe

pid process

644 DH146890Y.exe
644 DH146890Y.exe
644 DH146890Y.exe
644 DH146890Y.exe
620 netsh.exe
620 netsh.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DH146890Y.exenetsh.exe

description pid process

Token: SeDebugPrivilege 644 DH146890Y.exe
Token: SeDebugPrivilege 620 netsh.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1356 Explorer.EXE
1356 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1356 Explorer.EXE
1356 Explorer.EXE

pid	process
1356	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	644	DH146890Y.exe
Token: SeDebugPrivilege	620	netsh.exe

pid	process
1356	Explorer.EXE
1356	Explorer.EXE

pid	process
1356	Explorer.EXE
1356	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

DH146890Y.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 1880 wrote to memory of 644	1880	DH146890Y.exe	DH146890Y.exe
PID 1880 wrote to memory of 644	1880	DH146890Y.exe	DH146890Y.exe
PID 1880 wrote to memory of 644	1880	DH146890Y.exe	DH146890Y.exe
PID 1880 wrote to memory of 644	1880	DH146890Y.exe	DH146890Y.exe
PID 1880 wrote to memory of 644	1880	DH146890Y.exe	DH146890Y.exe
PID 1880 wrote to memory of 644	1880	DH146890Y.exe	DH146890Y.exe
PID 1880 wrote to memory of 644	1880	DH146890Y.exe	DH146890Y.exe
PID 1356 wrote to memory of 620	1356	Explorer.EXE	netsh.exe
PID 1356 wrote to memory of 620	1356	Explorer.EXE	netsh.exe
PID 1356 wrote to memory of 620	1356	Explorer.EXE	netsh.exe
PID 1356 wrote to memory of 620	1356	Explorer.EXE	netsh.exe
PID 620 wrote to memory of 340	620	netsh.exe	cmd.exe
PID 620 wrote to memory of 340	620	netsh.exe	cmd.exe
PID 620 wrote to memory of 340	620	netsh.exe	cmd.exe
PID 620 wrote to memory of 340	620	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\DH146890Y.exe
"C:\Users\Admin\AppData\Local\Temp\DH146890Y.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\DH146890Y.exe
"C:\Users\Admin\AppData\Local\Temp\DH146890Y.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\DH146890Y.exe"
3⤵
- Deletes itself
PID:340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsnAC66.tmp\xemqunqqv.dll
MD5
e53cae86a6072f87b9b9c0aa93ba0957

SHA1
ff14dbb706f476863d9f15b9dfb79328c7ea688a

SHA256
c1331b89e53012ba8c4631c7a9bfe207dd65aa4fcefd063da72b86236e86e372

SHA512
8a171df40498daa5aa742812ca8a56d943e52877d9b2020dce53ef208da59a18adc1b9a8c576901c0b77064d236ae6783fccb1b22bf773ee9e03e19f361da9e4

Download Submit
memory/340-68-0x0000000000000000-mapping.dmp

Download
memory/620-65-0x0000000000000000-mapping.dmp

Download
memory/620-70-0x0000000000450000-0x00000000004E0000-memory.dmp

Filesize
576KB

Download
memory/620-69-0x0000000000CE0000-0x0000000000FE3000-memory.dmp

Filesize
3.0MB

Download
memory/620-67-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/620-66-0x0000000001310000-0x000000000132B000-memory.dmp

Filesize
108KB

Download
memory/644-60-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/644-63-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/644-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/644-59-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/644-57-0x000000000041D3E0-mapping.dmp

Download
memory/644-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1356-64-0x00000000071C0000-0x00000000072FF000-memory.dmp

Filesize
1.2MB

Download
memory/1356-61-0x00000000064C0000-0x00000000065DA000-memory.dmp

Filesize
1.1MB

Download
memory/1356-71-0x0000000008E60000-0x0000000008F65000-memory.dmp

Filesize
1.0MB

Download
memory/1880-54-0x00000000759B1000-0x00000000759B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads