xloader | 73b3fa9d738ba7f1e520e06b4760b77d9b044a3f5e96c9e13227255875e43bfa

General

Target

Products.xlsx
Size

446KB
MD5

aae56ba84519c7b28bba6f8240f2d169
SHA1

a90d2dcf16df76c5db19d2c48cb7148b4b675d75
SHA256

73b3fa9d738ba7f1e520e06b4760b77d9b044a3f5e96c9e13227255875e43bfa
SHA512

114b77853961ff46c52af2d38f4216f570aa5bab1b65d7b973db3725d1cebe9a68fead9e31ac54df2b41d2d3681c12886d09708481a82b1bfc13b52fc1c3395c

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.paintersdistrictcouncil.com/vu9b/

Decoy

longdoggy.net

gylvs.com

evonnemccray.com

nicemoneymaker.com

baby-schutzen.com

xgahovzm.icu

psdcompany.com

makeupjunkiewholesale.com

vz357.com

carshownet.com

forneyus.com

nfoptic.com

lampacosmetiques.com

newmandu.com

localupdate.net

theartofmajur1.com

bancosecurity.website

cabinhealthy.com

tiprent.com

lloydwellsandassociates.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1692-22-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1692-23-0x000000000041D0A0-mapping.dmp	xloader
behavioral1/memory/1032-32-0x00000000000D0000-0x00000000000F9000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

5 1780 EQNEDT32.EXE
Executes dropped EXE 3 IoCs

Processes:

vbc.exevbc.exevbc.exe

pid process

620 vbc.exe
1784 vbc.exe
1692 vbc.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1780 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
5	1780	EQNEDT32.EXE

pid	process
620	vbc.exe
1784	vbc.exe
1692	vbc.exe

pid	process
1780	EQNEDT32.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.exemsiexec.exe

description	pid	process	target process
PID 620 set thread context of 1692	620	vbc.exe	vbc.exe
PID 1692 set thread context of 1200	1692	vbc.exe	Explorer.EXE
PID 1032 set thread context of 1200	1032	msiexec.exe	Explorer.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1780 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1780	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1752 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

vbc.exevbc.exemsiexec.exe

pid process

620 vbc.exe
620 vbc.exe
620 vbc.exe
620 vbc.exe
1692 vbc.exe
1692 vbc.exe
1032 msiexec.exe
1032 msiexec.exe
1032 msiexec.exe
1032 msiexec.exe
1032 msiexec.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exemsiexec.exe

pid process

1692 vbc.exe
1692 vbc.exe
1692 vbc.exe
1032 msiexec.exe
1032 msiexec.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc.exevbc.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 620 vbc.exe
Token: SeDebugPrivilege 1692 vbc.exe
Token: SeDebugPrivilege 1032 msiexec.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1752 EXCEL.EXE
1752 EXCEL.EXE
1752 EXCEL.EXE

pid	process
1752	EXCEL.EXE

pid	process
620	vbc.exe
620	vbc.exe
620	vbc.exe
620	vbc.exe
1692	vbc.exe
1692	vbc.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe

pid	process
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1032	msiexec.exe
1032	msiexec.exe

description	pid	process
Token: SeDebugPrivilege	620	vbc.exe
Token: SeDebugPrivilege	1692	vbc.exe
Token: SeDebugPrivilege	1032	msiexec.exe

pid	process
1752	EXCEL.EXE
1752	EXCEL.EXE
1752	EXCEL.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

EXCEL.EXEEQNEDT32.EXEvbc.exeExplorer.EXE

description	pid	process	target process
PID 1752 wrote to memory of 1988	1752	EXCEL.EXE	splwow64.exe
PID 1752 wrote to memory of 1988	1752	EXCEL.EXE	splwow64.exe
PID 1752 wrote to memory of 1988	1752	EXCEL.EXE	splwow64.exe
PID 1752 wrote to memory of 1988	1752	EXCEL.EXE	splwow64.exe
PID 1780 wrote to memory of 620	1780	EQNEDT32.EXE	vbc.exe
PID 1780 wrote to memory of 620	1780	EQNEDT32.EXE	vbc.exe
PID 1780 wrote to memory of 620	1780	EQNEDT32.EXE	vbc.exe
PID 1780 wrote to memory of 620	1780	EQNEDT32.EXE	vbc.exe
PID 620 wrote to memory of 1784	620	vbc.exe	vbc.exe
PID 620 wrote to memory of 1784	620	vbc.exe	vbc.exe
PID 620 wrote to memory of 1784	620	vbc.exe	vbc.exe
PID 620 wrote to memory of 1784	620	vbc.exe	vbc.exe
PID 620 wrote to memory of 1692	620	vbc.exe	vbc.exe
PID 620 wrote to memory of 1692	620	vbc.exe	vbc.exe
PID 620 wrote to memory of 1692	620	vbc.exe	vbc.exe
PID 620 wrote to memory of 1692	620	vbc.exe	vbc.exe
PID 620 wrote to memory of 1692	620	vbc.exe	vbc.exe
PID 620 wrote to memory of 1692	620	vbc.exe	vbc.exe
PID 620 wrote to memory of 1692	620	vbc.exe	vbc.exe
PID 1200 wrote to memory of 1032	1200	Explorer.EXE	msiexec.exe
PID 1200 wrote to memory of 1032	1200	Explorer.EXE	msiexec.exe
PID 1200 wrote to memory of 1032	1200	Explorer.EXE	msiexec.exe
PID 1200 wrote to memory of 1032	1200	Explorer.EXE	msiexec.exe
PID 1200 wrote to memory of 1032	1200	Explorer.EXE	msiexec.exe
PID 1200 wrote to memory of 1032	1200	Explorer.EXE	msiexec.exe
PID 1200 wrote to memory of 1032	1200	Explorer.EXE	msiexec.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Products.xlsx
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1988

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1784

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
d381b0a2268051aa83b031ddc87ee7df

SHA1
7c580bde96219de369ad1503d62703e77c4c3fa6

SHA256
da51c0642c1d22815991ec7f4da9f27206352ee2c5419d29af09cb69688b0b47

SHA512
d06241c1a89819b9961cdaf1be2f30af6e44cbca51d702d87a9c3d57453242d5f688119726a6d87e4ece8bff7e8eb91706a18181443a86665ddeb44323aaa4e5

Download Submit
C:\Users\Public\vbc.exe
MD5
d381b0a2268051aa83b031ddc87ee7df

SHA1
7c580bde96219de369ad1503d62703e77c4c3fa6

SHA256
da51c0642c1d22815991ec7f4da9f27206352ee2c5419d29af09cb69688b0b47

SHA512
d06241c1a89819b9961cdaf1be2f30af6e44cbca51d702d87a9c3d57453242d5f688119726a6d87e4ece8bff7e8eb91706a18181443a86665ddeb44323aaa4e5

Download Submit
C:\Users\Public\vbc.exe
MD5
d381b0a2268051aa83b031ddc87ee7df

SHA1
7c580bde96219de369ad1503d62703e77c4c3fa6

SHA256
da51c0642c1d22815991ec7f4da9f27206352ee2c5419d29af09cb69688b0b47

SHA512
d06241c1a89819b9961cdaf1be2f30af6e44cbca51d702d87a9c3d57453242d5f688119726a6d87e4ece8bff7e8eb91706a18181443a86665ddeb44323aaa4e5

Download Submit
C:\Users\Public\vbc.exe
MD5
d381b0a2268051aa83b031ddc87ee7df

SHA1
7c580bde96219de369ad1503d62703e77c4c3fa6

SHA256
da51c0642c1d22815991ec7f4da9f27206352ee2c5419d29af09cb69688b0b47

SHA512
d06241c1a89819b9961cdaf1be2f30af6e44cbca51d702d87a9c3d57453242d5f688119726a6d87e4ece8bff7e8eb91706a18181443a86665ddeb44323aaa4e5

Download Submit
\Users\Public\vbc.exe
MD5
d381b0a2268051aa83b031ddc87ee7df

SHA1
7c580bde96219de369ad1503d62703e77c4c3fa6

SHA256
da51c0642c1d22815991ec7f4da9f27206352ee2c5419d29af09cb69688b0b47

SHA512
d06241c1a89819b9961cdaf1be2f30af6e44cbca51d702d87a9c3d57453242d5f688119726a6d87e4ece8bff7e8eb91706a18181443a86665ddeb44323aaa4e5

Download Submit
memory/620-17-0x0000000000680000-0x0000000000684000-memory.dmp

Filesize
16KB

Download
memory/620-10-0x0000000000000000-mapping.dmp

Download
memory/620-13-0x000000006C130000-0x000000006C81E000-memory.dmp

Filesize
6.9MB

Download
memory/620-14-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/620-16-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/620-18-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/620-19-0x00000000053A0000-0x0000000005414000-memory.dmp

Filesize
464KB

Download
memory/620-20-0x00000000006B0000-0x00000000006DE000-memory.dmp

Filesize
184KB

Download
memory/1032-29-0x0000000000000000-mapping.dmp

Download
memory/1032-34-0x0000000001F20000-0x0000000001FB0000-memory.dmp

Filesize
576KB

Download
memory/1032-33-0x00000000021F0000-0x00000000024F3000-memory.dmp

Filesize
3.0MB

Download
memory/1032-31-0x0000000000570000-0x0000000000584000-memory.dmp

Filesize
80KB

Download
memory/1032-32-0x00000000000D0000-0x00000000000F9000-memory.dmp

Filesize
164KB

Download
memory/1200-28-0x0000000004ED0000-0x0000000005028000-memory.dmp

Filesize
1.3MB

Download
memory/1684-8-0x000007FEF7160000-0x000007FEF73DA000-memory.dmp

Filesize
2.5MB

Download
memory/1692-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1692-23-0x000000000041D0A0-mapping.dmp

Download
memory/1692-26-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/1692-27-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/1752-3-0x0000000071011000-0x0000000071013000-memory.dmp

Filesize
8KB

Download
memory/1752-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1752-2-0x000000002F0F1000-0x000000002F0F4000-memory.dmp

Filesize
12KB

Download
memory/1780-7-0x0000000075EB1000-0x0000000075EB3000-memory.dmp

Filesize
8KB

Download
memory/1988-5-0x0000000000000000-mapping.dmp

Download
memory/1988-6-0x000007FEFB811000-0x000007FEFB813000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads