xloader | 392d53e0df22582568a42204601870498810ad743786731f45e7850f8761d6f7

General

Target

DHL Shipment Doc.exe
Size

817KB
MD5

53af702f438bffc2adb85ae9f5b8c879
SHA1

e6aae502e5ea273f1367efd874bf44745d409549
SHA256

95ebd87f0d2e1ef1fdbf4e35290a0e9deb65b021acf657e396e960142e80eedb
SHA512

4e67eaaff0c8c2297b2f31040debf32b74048aa7deb8bb9498368d19966108400c12592b55e0a29bd173271b6b8d120fac5b2d1096cf318cf7edcba1527e1283

Score

10^/10

xloader how6 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

how6

Decoy

wealthcabana.com

fourfortyfourcreations.com

cqqcsy.com

bhwzjd.com

niftyfashionrewards.com

andersongiftemporium.com

smarttradingcoin.com

ilarealty.com

sherrywine.net

fsecg.info

xoti.top

pirosconsulting.com

fundapie.com

bbgm4egda.xyz

legalfortmyers.com

improvizy.com

yxdyhs.com

lucky2balls.com

panelmall.com

davenportkartway.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4468-126-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4468-129-0x0000000001070000-0x000000000120B000-memory.dmp	xloader
behavioral2/memory/4364-132-0x0000000002C30000-0x0000000002C59000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

DHL Shipment Doc.exeDHL Shipment Doc.exeNETSTAT.EXE

description	pid	process	target process
PID 3668 set thread context of 4468	3668	DHL Shipment Doc.exe	DHL Shipment Doc.exe
PID 4468 set thread context of 372	4468	DHL Shipment Doc.exe	Explorer.EXE
PID 4364 set thread context of 372	4364	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

4364 NETSTAT.EXE

pid	process
4364	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

DHL Shipment Doc.exeNETSTAT.EXE

pid	process
4468	DHL Shipment Doc.exe
4468	DHL Shipment Doc.exe
4468	DHL Shipment Doc.exe
4468	DHL Shipment Doc.exe
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE
4364	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

372 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

DHL Shipment Doc.exeNETSTAT.EXE

pid process

4468 DHL Shipment Doc.exe
4468 DHL Shipment Doc.exe
4468 DHL Shipment Doc.exe
4364 NETSTAT.EXE
4364 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DHL Shipment Doc.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 4468 DHL Shipment Doc.exe
Token: SeDebugPrivilege 4364 NETSTAT.EXE

pid	process
372	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4468	DHL Shipment Doc.exe
Token: SeDebugPrivilege	4364	NETSTAT.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

DHL Shipment Doc.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 3668 wrote to memory of 4468	3668	DHL Shipment Doc.exe	DHL Shipment Doc.exe
PID 3668 wrote to memory of 4468	3668	DHL Shipment Doc.exe	DHL Shipment Doc.exe
PID 3668 wrote to memory of 4468	3668	DHL Shipment Doc.exe	DHL Shipment Doc.exe
PID 3668 wrote to memory of 4468	3668	DHL Shipment Doc.exe	DHL Shipment Doc.exe
PID 3668 wrote to memory of 4468	3668	DHL Shipment Doc.exe	DHL Shipment Doc.exe
PID 3668 wrote to memory of 4468	3668	DHL Shipment Doc.exe	DHL Shipment Doc.exe
PID 372 wrote to memory of 4364	372	Explorer.EXE	NETSTAT.EXE
PID 372 wrote to memory of 4364	372	Explorer.EXE	NETSTAT.EXE
PID 372 wrote to memory of 4364	372	Explorer.EXE	NETSTAT.EXE
PID 4364 wrote to memory of 736	4364	NETSTAT.EXE	cmd.exe
PID 4364 wrote to memory of 736	4364	NETSTAT.EXE	cmd.exe
PID 4364 wrote to memory of 736	4364	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:372

C:\Users\Admin\AppData\Local\Temp\DHL Shipment Doc.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment Doc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3668

C:\Users\Admin\AppData\Local\Temp\DHL Shipment Doc.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment Doc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4356

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Doc.exe"
3⤵
PID:736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/372-130-0x0000000005A10000-0x0000000005B42000-memory.dmp

Filesize
1.2MB

Download
memory/372-135-0x0000000005B50000-0x0000000005C59000-memory.dmp

Filesize
1.0MB

Download
memory/3668-119-0x0000000005760000-0x0000000005C5E000-memory.dmp

Filesize
5.0MB

Download
memory/3668-120-0x0000000005260000-0x00000000052F2000-memory.dmp

Filesize
584KB

Download
memory/3668-121-0x0000000005240000-0x000000000524A000-memory.dmp

Filesize
40KB

Download
memory/3668-122-0x0000000005260000-0x000000000575E000-memory.dmp

Filesize
5.0MB

Download
memory/3668-123-0x0000000005750000-0x000000000575C000-memory.dmp

Filesize
48KB

Download
memory/3668-124-0x0000000007A90000-0x0000000007B2C000-memory.dmp

Filesize
624KB

Download
memory/3668-125-0x0000000007B30000-0x0000000007B92000-memory.dmp

Filesize
392KB

Download
memory/3668-118-0x0000000000860000-0x0000000000934000-memory.dmp

Filesize
848KB

Download
memory/4364-131-0x0000000000C10000-0x0000000000C1B000-memory.dmp

Filesize
44KB

Download
memory/4364-132-0x0000000002C30000-0x0000000002C59000-memory.dmp

Filesize
164KB

Download
memory/4364-133-0x0000000003750000-0x0000000003A70000-memory.dmp

Filesize
3.1MB

Download
memory/4364-134-0x0000000003410000-0x00000000035A2000-memory.dmp

Filesize
1.6MB

Download
memory/4468-129-0x0000000001070000-0x000000000120B000-memory.dmp

Filesize
1.6MB

Download
memory/4468-128-0x00000000014B0000-0x00000000017D0000-memory.dmp

Filesize
3.1MB

Download
memory/4468-126-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads