Overview

overview

10

Static

static

1

DHL Express.exe

windows7_x64

10

DHL Express.exe

windows10_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    27-01-2022 13:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL Express.exe

  • Size

    248KB

  • MD5

    bba45c96ad4627c4c0b1f25fb7a23c7a

  • SHA1

    6f9c219a08aca7c57f6add9d8a730be6178713c6

  • SHA256

    d80690916721f1f23e0c913d3f6c71428464e8141a49763c75e450ef21d984e8

  • SHA512

    4b823ce229d01060b72ea7ace20d81c9be83462af38c29fad0de9ae493c4db18ae2dbaa53cbb32086082b83246d6467a4a7c81bebf016bdd00c303aaa44a0e31

Score
10/10
xloader3a4hloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

3a4h

Decoy

mohamedmansour.net

asap.green

influxair.com

45mpt.xyz

cablerailingdesign.com

salesdisrupter.com

cxfarms.com

enerconfederal.com

pl1x.top

nyoz.top

fitnesz.website

minimi36.com

borealiselectricalrepair.com

miskalqurashi.com

importacionesdelfuturo.com

cigfinanacial.com

luxamata.xyz

digicoin724.com

gozabank.com

tribal-treasures.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 2 IoCs
    rat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Users\Admin\AppData\Local\Temp\DHL Express.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL Express.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Users\Admin\AppData\Local\Temp\DHL Express.exe
        "C:\Users\Admin\AppData\Local\Temp\DHL Express.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1096
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:800
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\DHL Express.exe"
        3⤵
        • Deletes itself
        PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsdFC99.tmp\arsuqoaglot.dll
    MD5

    91a0e308489a8497f9fac56ae8b1d917

    SHA1

    f9b110e6440c47bc8173b9f841b70f7593d8b030

    SHA256

    89064afbf0ea46077e909aed5eed52181cf79e66c0390c256d769b4162fe4947

    SHA512

    df2b4a2a800d098313be1c75e83b0e46213fd269236ea4fc988d4262a5ecc575f7449c24d471f747f6ac0b3e28f0c48958de7629874dbbdce800f33badc1cf0f

    Download Submit
  • memory/800-61-0x00000000007C0000-0x00000000007C6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/800-62-0x0000000000080000-0x00000000000A9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/800-63-0x0000000000960000-0x0000000000C63000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/800-64-0x0000000000400000-0x0000000000951000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/1088-54-0x0000000075341000-0x0000000075343000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1096-56-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1096-58-0x0000000000930000-0x0000000000C33000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1096-59-0x0000000000370000-0x0000000000381000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1248-60-0x00000000061F0000-0x00000000062FB000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1248-65-0x00000000073D0000-0x00000000074DC000-memory.dmp
    Filesize

    1.0MB

    Download