xloader | 881a005a3684cd93dfc393b9fe95264cafbf8635680ea32b9b51d5b554bf0a95

General

Target

Shipping Document.exe
Size

601KB
MD5

ebd2b970f19465c6961cb4e7afa761fa
SHA1

ec75f0f121dc77f60ed6142d7fa898e578d2d7bb
SHA256

881a005a3684cd93dfc393b9fe95264cafbf8635680ea32b9b51d5b554bf0a95
SHA512

72e69b386619dbcf22e2561702f6d11f68ad90ba830802cae83a55aad57af41c9f95c168e1e6133f43573605201cfbdd5dd1c9db40ba2cf2fe6739545aa73611

Score

10^/10

xloader a8hq loader persistence rat suricata

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

a8hq

Decoy

veteransductcleaning.com

beajtjunkies.com

houseofascofi.com

scottsdalemediator.com

atelyadesign.com

profitcase.pro

imtokenio.club

qinglingpai.com

bigsmile-meal.net

daytonlivestream.com

aspiradores10.online

ytybs120.com

hdatelier.com

bearpierce.com

yeson28ca.com

booklearner.com

m8j9.club

mmophamthinhlegend.space

hq4a7o6zb.com

sophiadaki.online

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1680-75-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/1680-76-0x000000000041F2C0-mapping.dmp	xloader
behavioral1/memory/1680-86-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/1680-91-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/1352-95-0x00000000000E0000-0x000000000010B000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1152 cmd.exe

pid	process
1152	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wininit.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	wininit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ILR89RNH5F = "C:\\Program Files (x86)\\Jl4wtitix\\ThumbCachelpb.exe"	wininit.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Shipping Document.exeShipping Document.exewininit.exe

description	pid	process	target process
PID 1044 set thread context of 1680	1044	Shipping Document.exe	Shipping Document.exe
PID 1680 set thread context of 1232	1680	Shipping Document.exe	Explorer.EXE
PID 1680 set thread context of 1232	1680	Shipping Document.exe	Explorer.EXE
PID 1352 set thread context of 1232	1352	wininit.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

wininit.exe

description ioc process

File opened for modification C:\Program Files (x86)\Jl4wtitix\ThumbCachelpb.exe wininit.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Jl4wtitix\ThumbCachelpb.exe	wininit.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wininit.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wininit.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Shipping Document.exeShipping Document.exewininit.exe

pid	process
1044	Shipping Document.exe
1680	Shipping Document.exe
1680	Shipping Document.exe
1680	Shipping Document.exe
1352	wininit.exe
1352	wininit.exe
1352	wininit.exe
1352	wininit.exe
1352	wininit.exe
1352	wininit.exe
1352	wininit.exe
1352	wininit.exe
1352	wininit.exe
1352	wininit.exe
1352	wininit.exe
1352	wininit.exe
1352	wininit.exe
1352	wininit.exe
1352	wininit.exe
1352	wininit.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

Shipping Document.exewininit.exe

pid	process
1680	Shipping Document.exe
1680	Shipping Document.exe
1680	Shipping Document.exe
1680	Shipping Document.exe
1352	wininit.exe
1352	wininit.exe
1352	wininit.exe
1352	wininit.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Shipping Document.exeShipping Document.exewininit.exe

description	pid	process
Token: SeDebugPrivilege	1044	Shipping Document.exe
Token: SeDebugPrivilege	1680	Shipping Document.exe
Token: SeDebugPrivilege	1352	wininit.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Shipping Document.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 1044 wrote to memory of 1732	1044	Shipping Document.exe	Shipping Document.exe
PID 1044 wrote to memory of 1732	1044	Shipping Document.exe	Shipping Document.exe
PID 1044 wrote to memory of 1732	1044	Shipping Document.exe	Shipping Document.exe
PID 1044 wrote to memory of 1732	1044	Shipping Document.exe	Shipping Document.exe
PID 1044 wrote to memory of 1680	1044	Shipping Document.exe	Shipping Document.exe
PID 1044 wrote to memory of 1680	1044	Shipping Document.exe	Shipping Document.exe
PID 1044 wrote to memory of 1680	1044	Shipping Document.exe	Shipping Document.exe
PID 1044 wrote to memory of 1680	1044	Shipping Document.exe	Shipping Document.exe
PID 1044 wrote to memory of 1680	1044	Shipping Document.exe	Shipping Document.exe
PID 1044 wrote to memory of 1680	1044	Shipping Document.exe	Shipping Document.exe
PID 1044 wrote to memory of 1680	1044	Shipping Document.exe	Shipping Document.exe
PID 1232 wrote to memory of 1352	1232	Explorer.EXE	wininit.exe
PID 1232 wrote to memory of 1352	1232	Explorer.EXE	wininit.exe
PID 1232 wrote to memory of 1352	1232	Explorer.EXE	wininit.exe
PID 1232 wrote to memory of 1352	1232	Explorer.EXE	wininit.exe
PID 1352 wrote to memory of 1152	1352	wininit.exe	cmd.exe
PID 1352 wrote to memory of 1152	1352	wininit.exe	cmd.exe
PID 1352 wrote to memory of 1152	1352	wininit.exe	cmd.exe
PID 1352 wrote to memory of 1152	1352	wininit.exe	cmd.exe
PID 1352 wrote to memory of 1496	1352	wininit.exe	Firefox.exe
PID 1352 wrote to memory of 1496	1352	wininit.exe	Firefox.exe
PID 1352 wrote to memory of 1496	1352	wininit.exe	Firefox.exe
PID 1352 wrote to memory of 1496	1352	wininit.exe	Firefox.exe
PID 1352 wrote to memory of 1496	1352	wininit.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\Shipping Document.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Document.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\AppData\Local\Temp\Shipping Document.exe
"{path}"
3⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\Shipping Document.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Shipping Document.exe"
3⤵
- Deletes itself
PID:1152

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1044-70-0x0000000005230000-0x00000000052B4000-memory.dmp

Filesize
528KB

Download
memory/1044-61-0x0000000073F90000-0x000000007408C000-memory.dmp

Filesize
1008KB

Download
memory/1044-56-0x0000000074290000-0x0000000074424000-memory.dmp

Filesize
1.6MB

Download
memory/1044-82-0x0000000074290000-0x0000000074424000-memory.dmp

Filesize
1.6MB

Download
memory/1044-58-0x0000000070D60000-0x0000000071A7D000-memory.dmp

Filesize
13.1MB

Download
memory/1044-59-0x0000000070580000-0x0000000070D60000-memory.dmp

Filesize
7.9MB

Download
memory/1044-60-0x00000000740B0000-0x0000000074281000-memory.dmp

Filesize
1.8MB

Download
memory/1044-71-0x0000000000C00000-0x0000000000C32000-memory.dmp

Filesize
200KB

Download
memory/1044-62-0x0000000071A80000-0x0000000072490000-memory.dmp

Filesize
10.1MB

Download
memory/1044-63-0x000000006FE40000-0x000000007057E000-memory.dmp

Filesize
7.2MB

Download
memory/1044-64-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1044-65-0x0000000072490000-0x000000007381F000-memory.dmp

Filesize
19.6MB

Download
memory/1044-66-0x0000000074290000-0x0000000074424000-memory.dmp

Filesize
1.6MB

Download
memory/1044-81-0x0000000072490000-0x000000007381F000-memory.dmp

Filesize
19.6MB

Download
memory/1044-68-0x00000000740B0000-0x0000000074281000-memory.dmp

Filesize
1.8MB

Download
memory/1044-69-0x0000000071A80000-0x0000000072490000-memory.dmp

Filesize
10.1MB

Download
memory/1044-57-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1044-55-0x0000000072490000-0x000000007381F000-memory.dmp

Filesize
19.6MB

Download
memory/1044-67-0x0000000070D60000-0x0000000071A7D000-memory.dmp

Filesize
13.1MB

Download
memory/1044-79-0x00000000740B0000-0x0000000074281000-memory.dmp

Filesize
1.8MB

Download
memory/1044-54-0x0000000000F10000-0x0000000000FAC000-memory.dmp

Filesize
624KB

Download
memory/1044-78-0x0000000070D60000-0x0000000071A7D000-memory.dmp

Filesize
13.1MB

Download
memory/1044-77-0x0000000071A80000-0x0000000072490000-memory.dmp

Filesize
10.1MB

Download
memory/1152-92-0x0000000000000000-mapping.dmp

Download
memory/1232-97-0x0000000004B70000-0x0000000004C7B000-memory.dmp

Filesize
1.0MB

Download
memory/1232-98-0x0000000004B70000-0x0000000004C7B000-memory.dmp

Filesize
1.0MB

Download
memory/1232-85-0x00000000062B0000-0x000000000644B000-memory.dmp

Filesize
1.6MB

Download
memory/1232-89-0x0000000003EC0000-0x0000000003F73000-memory.dmp

Filesize
716KB

Download
memory/1352-96-0x0000000000950000-0x00000000009E0000-memory.dmp

Filesize
576KB

Download
memory/1352-90-0x0000000000000000-mapping.dmp

Download
memory/1352-95-0x00000000000E0000-0x000000000010B000-memory.dmp

Filesize
172KB

Download
memory/1352-94-0x0000000002080000-0x0000000002383000-memory.dmp

Filesize
3.0MB

Download
memory/1352-93-0x0000000000C60000-0x0000000000C7A000-memory.dmp

Filesize
104KB

Download
memory/1680-75-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1680-91-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1680-88-0x00000000004A0000-0x00000000004B1000-memory.dmp

Filesize
68KB

Download
memory/1680-86-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1680-83-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/1680-84-0x00000000002B0000-0x00000000002C1000-memory.dmp

Filesize
68KB

Download
memory/1680-76-0x000000000041F2C0-mapping.dmp

Download
memory/1680-73-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1680-72-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads