xloader | b04aa6e695c5275ae754bd61c9f45bc3ebdfcc8aed769fae0d744284d072b15e

General

Target

DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
Size

17KB
MD5

aeaddb6a276a6dff4f24b8588c5e67f8
SHA1

00bb4c75c0227f965bc76bd2bef1a4aca9687d30
SHA256

b04aa6e695c5275ae754bd61c9f45bc3ebdfcc8aed769fae0d744284d072b15e
SHA512

47fefb178984e1eb736e17d78ee2ea1f269e7306f6c0b192b31748af3db33ef91d9d6213cfd96391fdaf71c00d9612a6d10012f4d2dc3f5707ca3de8eeb8fc01

Score

10^/10

xloader po6r loader persistence rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

po6r

Decoy

jnhuichuangxin.com

mubashir.art

extol.design

doyyindh.xyz

milanoautoexperts.com

4thefringe.com

453511.com

sellathonautocredit.com

velgian.com

6672pk.com

wodeluzhou.com

sumiyoshiku-hizaita.xyz

imoveldeprimeira.com

dgjssp.com

endokc.com

side-clicks.com

cashndashfinancial.com

vanhemelryck.info

agamitrading.com

woofgang.xyz

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\verify.exe\","	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1808-139-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1808-141-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2152-147-0x0000000000780000-0x00000000007A9000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exeDHL - OVERDUE ACCOUNT NOTICE - 1301474408.exeWWAHost.exe

description	pid	process	target process
PID 660 set thread context of 1808	660	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
PID 1808 set thread context of 992	1808	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe	Explorer.EXE
PID 2152 set thread context of 992	2152	WWAHost.exe	Explorer.EXE

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exeDHL - OVERDUE ACCOUNT NOTICE - 1301474408.exeWWAHost.exe

pid	process
660	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
660	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
660	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
660	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
660	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
660	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
1808	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
1808	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
1808	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
1808	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe
2152	WWAHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

992 Explorer.EXE

pid	process
992	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exeWWAHost.exe

pid	process
1808	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
1808	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
1808	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
2152	WWAHost.exe
2152	WWAHost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exesvchost.exeDHL - OVERDUE ACCOUNT NOTICE - 1301474408.exeWWAHost.exe

description	pid	process
Token: SeDebugPrivilege	660	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
Token: SeShutdownPrivilege	4052	svchost.exe
Token: SeCreatePagefilePrivilege	4052	svchost.exe
Token: SeShutdownPrivilege	4052	svchost.exe
Token: SeCreatePagefilePrivilege	4052	svchost.exe
Token: SeShutdownPrivilege	4052	svchost.exe
Token: SeCreatePagefilePrivilege	4052	svchost.exe
Token: SeDebugPrivilege	1808	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
Token: SeDebugPrivilege	2152	WWAHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exeExplorer.EXE

description	pid	process	target process
PID 660 wrote to memory of 2876	660	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
PID 660 wrote to memory of 2876	660	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
PID 660 wrote to memory of 2876	660	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
PID 660 wrote to memory of 1808	660	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
PID 660 wrote to memory of 1808	660	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
PID 660 wrote to memory of 1808	660	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
PID 660 wrote to memory of 1808	660	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
PID 660 wrote to memory of 1808	660	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
PID 660 wrote to memory of 1808	660	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
PID 992 wrote to memory of 2152	992	Explorer.EXE	WWAHost.exe
PID 992 wrote to memory of 2152	992	Explorer.EXE	WWAHost.exe
PID 992 wrote to memory of 2152	992	Explorer.EXE	WWAHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
"C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe"
2⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:660

C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
"C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe"
3⤵
PID:2876

C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
"C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/660-136-0x000000000C430000-0x000000000C480000-memory.dmp

Filesize
320KB

Download
memory/660-131-0x000000007444E000-0x000000007444F000-memory.dmp

Filesize
4KB

Download
memory/660-132-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/660-138-0x0000000006260000-0x00000000062F2000-memory.dmp

Filesize
584KB

Download
memory/660-130-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download
memory/660-137-0x000000000C540000-0x000000000C5F2000-memory.dmp

Filesize
712KB

Download
memory/992-150-0x0000000008390000-0x0000000008482000-memory.dmp

Filesize
968KB

Download
memory/992-144-0x0000000008260000-0x0000000008333000-memory.dmp

Filesize
844KB

Download
memory/1808-145-0x00000000013B0000-0x00000000013C1000-memory.dmp

Filesize
68KB

Download
memory/1808-143-0x0000000001690000-0x00000000019DA000-memory.dmp

Filesize
3.3MB

Download
memory/1808-139-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1808-141-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1808-142-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/2152-147-0x0000000000780000-0x00000000007A9000-memory.dmp

Filesize
164KB

Download
memory/2152-146-0x0000000000650000-0x000000000072C000-memory.dmp

Filesize
880KB

Download
memory/2152-148-0x0000000001610000-0x000000000195A000-memory.dmp

Filesize
3.3MB

Download
memory/2152-149-0x0000000001470000-0x0000000001500000-memory.dmp

Filesize
576KB

Download
memory/4052-135-0x000001E3505C0000-0x000001E3505C4000-memory.dmp

Filesize
16KB

Download
memory/4052-134-0x000001E34DF20000-0x000001E34DF30000-memory.dmp

Filesize
64KB

Download
memory/4052-133-0x000001E34D960000-0x000001E34D970000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads