xloader | 5111f4fa05b89a9d727c4686485acedc16553a7715fd36776c68972acf8e5382

General

Target

DHL_AWB# 9678547836.exe
Size

326KB
MD5

c8df5e6047cd338743e32c7e79067a45
SHA1

848cdb2e9b7415ca7689b74ffd076fb92a8637a4
SHA256

5111f4fa05b89a9d727c4686485acedc16553a7715fd36776c68972acf8e5382
SHA512

c18533cd152b2ea6c395d6224f0dcbc73f3583bb4b8b902cf967c906a5c5df634976741a9f90977fa05e487277d79c4ac7e85f5216921f4c78bde1abd7f36436

Score

10^/10

xloader dtt3 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dtt3

Decoy

edilononlineshop.com

cursosd.com

viellacharteredland.com

increasey0urenergylevels.codes

yjy-hotel.com

claym.xyz

reelsguide.com

gives-cardano.com

ashrafannuar.com

mammalians.com

rocketleaguedads.com

yubierp.com

minimi36.com

chn-chn.com

jagojp888.com

parsian-shetab.com

273351.com

mdtouhid.com

babedads.com

vallinam2.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2096-119-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2096-122-0x00000000009B0000-0x0000000000ED0000-memory.dmp	xloader
behavioral2/memory/3320-125-0x00000000027B0000-0x00000000027D9000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

DHL_AWB# 9678547836.exe

pid process

2684 DHL_AWB# 9678547836.exe

pid	process
2684	DHL_AWB# 9678547836.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

DHL_AWB# 9678547836.exeDHL_AWB# 9678547836.exeraserver.exe

description	pid	process	target process
PID 2684 set thread context of 2096	2684	DHL_AWB# 9678547836.exe	DHL_AWB# 9678547836.exe
PID 2096 set thread context of 3068	2096	DHL_AWB# 9678547836.exe	Explorer.EXE
PID 3320 set thread context of 3068	3320	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

DHL_AWB# 9678547836.exeraserver.exe

pid	process
2096	DHL_AWB# 9678547836.exe
2096	DHL_AWB# 9678547836.exe
2096	DHL_AWB# 9678547836.exe
2096	DHL_AWB# 9678547836.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe
3320	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3068 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

DHL_AWB# 9678547836.exeraserver.exe

pid process

2096 DHL_AWB# 9678547836.exe
2096 DHL_AWB# 9678547836.exe
2096 DHL_AWB# 9678547836.exe
3320 raserver.exe
3320 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DHL_AWB# 9678547836.exeraserver.exe

description pid process

Token: SeDebugPrivilege 2096 DHL_AWB# 9678547836.exe
Token: SeDebugPrivilege 3320 raserver.exe

pid	process
3068	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2096	DHL_AWB# 9678547836.exe
Token: SeDebugPrivilege	3320	raserver.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

DHL_AWB# 9678547836.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 2684 wrote to memory of 2096	2684	DHL_AWB# 9678547836.exe	DHL_AWB# 9678547836.exe
PID 2684 wrote to memory of 2096	2684	DHL_AWB# 9678547836.exe	DHL_AWB# 9678547836.exe
PID 2684 wrote to memory of 2096	2684	DHL_AWB# 9678547836.exe	DHL_AWB# 9678547836.exe
PID 2684 wrote to memory of 2096	2684	DHL_AWB# 9678547836.exe	DHL_AWB# 9678547836.exe
PID 2684 wrote to memory of 2096	2684	DHL_AWB# 9678547836.exe	DHL_AWB# 9678547836.exe
PID 2684 wrote to memory of 2096	2684	DHL_AWB# 9678547836.exe	DHL_AWB# 9678547836.exe
PID 3068 wrote to memory of 3320	3068	Explorer.EXE	raserver.exe
PID 3068 wrote to memory of 3320	3068	Explorer.EXE	raserver.exe
PID 3068 wrote to memory of 3320	3068	Explorer.EXE	raserver.exe
PID 3320 wrote to memory of 508	3320	raserver.exe	cmd.exe
PID 3320 wrote to memory of 508	3320	raserver.exe	cmd.exe
PID 3320 wrote to memory of 508	3320	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\DHL_AWB# 9678547836.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_AWB# 9678547836.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\DHL_AWB# 9678547836.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_AWB# 9678547836.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\DHL_AWB# 9678547836.exe"
3⤵
PID:508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsbD341.tmp\vbxaftxp.dll
MD5
b352c7e713aa81796cbdc8bf0827b5f0

SHA1
2e0a7c042322c8beb99ac7a9b66645e6f35b8c2a

SHA256
e096ec2151b53c081e3c7a6e712c04632dc6173f5d2f9a9ad3981da8ce718ef7

SHA512
22fc7ca17f8459a996823d8c37bf835927a58f564f0998aeeab77d7f1ee64484199f2be16c41c2b0ce021b4c1edda3c499b80ed1a757b957abb29d0cf3ab5e1f

Download Submit
memory/2096-119-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-121-0x00000000009B0000-0x0000000000CD0000-memory.dmp

Filesize
3.1MB

Download
memory/2096-122-0x00000000009B0000-0x0000000000ED0000-memory.dmp

Filesize
5.1MB

Download
memory/3068-123-0x0000000001100000-0x00000000011EE000-memory.dmp

Filesize
952KB

Download
memory/3068-128-0x0000000006870000-0x000000000698A000-memory.dmp

Filesize
1.1MB

Download
memory/3320-124-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/3320-125-0x00000000027B0000-0x00000000027D9000-memory.dmp

Filesize
164KB

Download
memory/3320-126-0x00000000047A0000-0x0000000004AC0000-memory.dmp

Filesize
3.1MB

Download
memory/3320-127-0x0000000004470000-0x00000000045FE000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads