Overview

overview

10

Static

static

DHL Shipment Doc.exe

windows7_x64

10

DHL Shipment Doc.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    26-01-2022 14:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL Shipment Doc.exe

  • Size

    817KB

  • MD5

    53af702f438bffc2adb85ae9f5b8c879

  • SHA1

    e6aae502e5ea273f1367efd874bf44745d409549

  • SHA256

    95ebd87f0d2e1ef1fdbf4e35290a0e9deb65b021acf657e396e960142e80eedb

  • SHA512

    4e67eaaff0c8c2297b2f31040debf32b74048aa7deb8bb9498368d19966108400c12592b55e0a29bd173271b6b8d120fac5b2d1096cf318cf7edcba1527e1283

Score
10/10
xloaderhow6loaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

how6

Decoy

wealthcabana.com

fourfortyfourcreations.com

cqqcsy.com

bhwzjd.com

niftyfashionrewards.com

andersongiftemporium.com

smarttradingcoin.com

ilarealty.com

sherrywine.net

fsecg.info

xoti.top

pirosconsulting.com

fundapie.com

bbgm4egda.xyz

legalfortmyers.com

improvizy.com

yxdyhs.com

lucky2balls.com

panelmall.com

davenportkartway.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Users\Admin\AppData\Local\Temp\DHL Shipment Doc.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Doc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Users\Admin\AppData\Local\Temp\DHL Shipment Doc.exe
        "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Doc.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:696
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:680
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Doc.exe"
        3⤵
        • Deletes itself
        PID:1488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/680-70-0x0000000000130000-0x0000000000144000-memory.dmp
    Filesize

    80KB

    Download
  • memory/680-73-0x0000000002350000-0x00000000023E0000-memory.dmp
    Filesize

    576KB

    Download
  • memory/680-71-0x0000000002040000-0x0000000002343000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/680-72-0x0000000000090000-0x00000000000B9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/696-67-0x0000000000390000-0x00000000003A1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/696-66-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/696-60-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/696-61-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/696-63-0x0000000000820000-0x0000000000B23000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/696-64-0x0000000000200000-0x0000000000211000-memory.dmp
    Filesize

    68KB

    Download
  • memory/696-59-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1408-65-0x0000000006A40000-0x0000000006B8A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1408-68-0x00000000072C0000-0x00000000073F4000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1408-74-0x0000000003B10000-0x0000000003BA3000-memory.dmp
    Filesize

    588KB

    Download
  • memory/1724-54-0x00000000011A0000-0x0000000001274000-memory.dmp
    Filesize

    848KB

    Download
  • memory/1724-58-0x0000000004950000-0x00000000049B2000-memory.dmp
    Filesize

    392KB

    Download
  • memory/1724-57-0x00000000003A0000-0x00000000003AC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1724-56-0x0000000004E90000-0x0000000004E91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1724-55-0x0000000076C91000-0x0000000076C93000-memory.dmp
    Filesize

    8KB

    Download