xloader | 5e918aec8ebdbc9ca2fd81f3685740d087332635e9c78cbd3616c482469054d0

General

Target

d801e424_by_Libranalysis.doc
Size

10KB
MD5

d801e4244d30d948a98f68d37abbaed3
SHA1

0f82739fc9522c5b06f591df09755f98316fc7e4
SHA256

5e918aec8ebdbc9ca2fd81f3685740d087332635e9c78cbd3616c482469054d0
SHA512

187059596d5842fbf2db9ccc435964c554ffcf72b557815f39eed18ab5c37cab372e11cddae4b074744b9b97fca8e1325fb9d479330ee6a38923f14c74ef56d4

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.gailrichardson.com/qjnt/

Decoy

funeralinsurancetoppro.info

californiaredstate.com

xn--jpr220deud640b.com

playx.finance

siamfellow.com

tekirdagvethelp.com

forrealmodels.com

desenergie.info

whynotplus.com

graniteinaminute.com

satgurucolorlabs.com

potviper.com

racevx.xyz

thebluefishhotel.net

elletesla.com

4608capaydrive.com

buckhead-meat.com

garage-repair-near-me.com

ubique.works

markokuzmanovicpreduzetnik.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/280-72-0x000000000041D090-mapping.dmp	xloader
behavioral1/memory/280-71-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1608-84-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

13 1100 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

344 vbc.exe
280 vbc.exe

flow	pid	process
13	1100	EQNEDT32.EXE

pid	process
344	vbc.exe
280	vbc.exe

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Common\Offline\Files\https://cutt.ly/abfROoi	WINWORD.EXE

Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1100 EQNEDT32.EXE
1100 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1100	EQNEDT32.EXE
1100	EQNEDT32.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.exeipconfig.exe

description	pid	process	target process
PID 344 set thread context of 280	344	vbc.exe	vbc.exe
PID 280 set thread context of 1272	280	vbc.exe	Explorer.EXE
PID 1608 set thread context of 1272	1608	ipconfig.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1608 ipconfig.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1100 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1608	ipconfig.exe

pid	process
1100	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1824 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

vbc.exeipconfig.exe

pid	process
280	vbc.exe
280	vbc.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe
1608	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exeipconfig.exe

pid process

280 vbc.exe
280 vbc.exe
280 vbc.exe
1608 ipconfig.exe
1608 ipconfig.exe

pid	process
1272	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

vbc.exeExplorer.EXEipconfig.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	280	vbc.exe
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeDebugPrivilege	1608	ipconfig.exe
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1824	WINWORD.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE
1272 Explorer.EXE
1272 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE
1272 Explorer.EXE
1272 Explorer.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXEvbc.exe

pid	process
1824	WINWORD.EXE
1824	WINWORD.EXE
1824	WINWORD.EXE
1824	WINWORD.EXE
1824	WINWORD.EXE
1824	WINWORD.EXE
1824	WINWORD.EXE
1824	WINWORD.EXE
1824	WINWORD.EXE
1824	WINWORD.EXE
1824	WINWORD.EXE
1824	WINWORD.EXE
1824	WINWORD.EXE
1824	WINWORD.EXE
1824	WINWORD.EXE
1824	WINWORD.EXE
344	vbc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

EQNEDT32.EXEvbc.exeWINWORD.EXEExplorer.EXEipconfig.exe

description	pid	process	target process
PID 1100 wrote to memory of 344	1100	EQNEDT32.EXE	vbc.exe
PID 1100 wrote to memory of 344	1100	EQNEDT32.EXE	vbc.exe
PID 1100 wrote to memory of 344	1100	EQNEDT32.EXE	vbc.exe
PID 1100 wrote to memory of 344	1100	EQNEDT32.EXE	vbc.exe
PID 344 wrote to memory of 280	344	vbc.exe	vbc.exe
PID 344 wrote to memory of 280	344	vbc.exe	vbc.exe
PID 344 wrote to memory of 280	344	vbc.exe	vbc.exe
PID 344 wrote to memory of 280	344	vbc.exe	vbc.exe
PID 344 wrote to memory of 280	344	vbc.exe	vbc.exe
PID 344 wrote to memory of 280	344	vbc.exe	vbc.exe
PID 344 wrote to memory of 280	344	vbc.exe	vbc.exe
PID 1824 wrote to memory of 1988	1824	WINWORD.EXE	splwow64.exe
PID 1824 wrote to memory of 1988	1824	WINWORD.EXE	splwow64.exe
PID 1824 wrote to memory of 1988	1824	WINWORD.EXE	splwow64.exe
PID 1824 wrote to memory of 1988	1824	WINWORD.EXE	splwow64.exe
PID 1272 wrote to memory of 1608	1272	Explorer.EXE	ipconfig.exe
PID 1272 wrote to memory of 1608	1272	Explorer.EXE	ipconfig.exe
PID 1272 wrote to memory of 1608	1272	Explorer.EXE	ipconfig.exe
PID 1272 wrote to memory of 1608	1272	Explorer.EXE	ipconfig.exe
PID 1608 wrote to memory of 1100	1608	ipconfig.exe	cmd.exe
PID 1608 wrote to memory of 1100	1608	ipconfig.exe	cmd.exe
PID 1608 wrote to memory of 1100	1608	ipconfig.exe	cmd.exe
PID 1608 wrote to memory of 1100	1608	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d801e424_by_Libranalysis.doc"
2⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1988

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Public\vbc.exe"
3⤵
PID:1100

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:344

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Command-Line Interface

1

T1059

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
1d0d4b1031abf4a7e6da58d81bc98d6b

SHA1
65ffa307e1b9888f83cc554c818ad5e061963d0b

SHA256
ea55c997bae5ff028521b962c3077a56c962cf44b82686e549641ef7057d5852

SHA512
1e06e28f995469b7fd65f2c58d00b16e3f500cbd2abeaf97b419a08ee91df89b8bb0356581548897b1e2b7505f1db1995e5ef1eb568f134022bc789ee9248669

Download Submit
C:\Users\Public\vbc.exe
MD5
1d0d4b1031abf4a7e6da58d81bc98d6b

SHA1
65ffa307e1b9888f83cc554c818ad5e061963d0b

SHA256
ea55c997bae5ff028521b962c3077a56c962cf44b82686e549641ef7057d5852

SHA512
1e06e28f995469b7fd65f2c58d00b16e3f500cbd2abeaf97b419a08ee91df89b8bb0356581548897b1e2b7505f1db1995e5ef1eb568f134022bc789ee9248669

Download Submit
C:\Users\Public\vbc.exe
MD5
1d0d4b1031abf4a7e6da58d81bc98d6b

SHA1
65ffa307e1b9888f83cc554c818ad5e061963d0b

SHA256
ea55c997bae5ff028521b962c3077a56c962cf44b82686e549641ef7057d5852

SHA512
1e06e28f995469b7fd65f2c58d00b16e3f500cbd2abeaf97b419a08ee91df89b8bb0356581548897b1e2b7505f1db1995e5ef1eb568f134022bc789ee9248669

Download Submit
\Users\Public\vbc.exe
MD5
1d0d4b1031abf4a7e6da58d81bc98d6b

SHA1
65ffa307e1b9888f83cc554c818ad5e061963d0b

SHA256
ea55c997bae5ff028521b962c3077a56c962cf44b82686e549641ef7057d5852

SHA512
1e06e28f995469b7fd65f2c58d00b16e3f500cbd2abeaf97b419a08ee91df89b8bb0356581548897b1e2b7505f1db1995e5ef1eb568f134022bc789ee9248669

Download Submit
\Users\Public\vbc.exe
MD5
1d0d4b1031abf4a7e6da58d81bc98d6b

SHA1
65ffa307e1b9888f83cc554c818ad5e061963d0b

SHA256
ea55c997bae5ff028521b962c3077a56c962cf44b82686e549641ef7057d5852

SHA512
1e06e28f995469b7fd65f2c58d00b16e3f500cbd2abeaf97b419a08ee91df89b8bb0356581548897b1e2b7505f1db1995e5ef1eb568f134022bc789ee9248669

Download Submit
memory/280-71-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/280-78-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/280-77-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download
memory/280-72-0x000000000041D090-mapping.dmp

Download
memory/344-66-0x0000000000000000-mapping.dmp

Download
memory/1100-82-0x0000000000000000-mapping.dmp

Download
memory/1100-63-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1272-79-0x0000000006B50000-0x0000000006CB2000-memory.dmp

Filesize
1.4MB

Download
memory/1272-87-0x0000000004990000-0x0000000004A40000-memory.dmp

Filesize
704KB

Download
memory/1608-84-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1608-80-0x0000000000000000-mapping.dmp

Download
memory/1608-83-0x0000000000C50000-0x0000000000C5A000-memory.dmp

Filesize
40KB

Download
memory/1608-85-0x0000000002380000-0x0000000002683000-memory.dmp

Filesize
3.0MB

Download
memory/1608-86-0x00000000004A0000-0x0000000000530000-memory.dmp

Filesize
576KB

Download
memory/1824-61-0x0000000070261000-0x0000000070263000-memory.dmp

Filesize
8KB

Download
memory/1824-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1824-60-0x00000000727E1000-0x00000000727E4000-memory.dmp

Filesize
12KB

Download
memory/1824-88-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1988-75-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

Filesize
8KB

Download
memory/1988-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads