xloader | ab80b9b17c044eeed0605980caeaf6617c48f04d4f11a5f19d9a65256a940e95

General

Target

40HQ_of_CI_PL_SC_HR210503.docx
Size

10KB
MD5

78e85cb8cd9169dfe6fe6ddcf4090a97
SHA1

6ca04ffc772794b12f4b6c724387823c185cce6e
SHA256

ab80b9b17c044eeed0605980caeaf6617c48f04d4f11a5f19d9a65256a940e95
SHA512

d330a14930f4fe9e74a0973e261bd060844b62211fa00f316c4d8233907a7cd845b6782a2cb646c5eb33246cad65d9f41dc42c57d57401f5ec0425e686e3256d

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.stonescapes1.com/de92/

Decoy

zindaginews.com

tyelevator.com

schustermaninterests.com

algemixdelchef.com

doubscollectivites.com

e-butchery.com

hellbentmask.com

jumbpprivacy.com

teeniestiedye.com

playfulartwork.com

desertvacahs.com

w5470-hed.net

nepalearningpods.com

smoothandsleek.com

thecannaglow.com

torrentkittyla.com

industrytoyou.com

raquelvargas.net

rlc-nc.net

cryptoprises.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1104-75-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1072-85-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

8 800 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

824 vbc.exe
1104 vbc.exe

flow	pid	process
8	800	EQNEDT32.EXE

pid	process
824	vbc.exe
1104	vbc.exe

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Office\Common\Offline\Files\http://107.173.219.80/prf/regasm.dot	WINWORD.EXE

Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEvbc.exe

pid process

800 EQNEDT32.EXE
800 EQNEDT32.EXE
800 EQNEDT32.EXE
824 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
800	EQNEDT32.EXE
800	EQNEDT32.EXE
800	EQNEDT32.EXE
824	vbc.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

vbc.exevbc.exemsdt.exe

description	pid	process	target process
PID 824 set thread context of 1104	824	vbc.exe	vbc.exe
PID 1104 set thread context of 1292	1104	vbc.exe	Explorer.EXE
PID 1104 set thread context of 1292	1104	vbc.exe	Explorer.EXE
PID 1072 set thread context of 1292	1072	msdt.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

NSIS installer 12 IoCs

installer

Processes:

resource	yara_rule
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2

Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

800 EQNEDT32.EXE

pid	process
800	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1116 WINWORD.EXE

pid	process
1116	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

vbc.exemsdt.exe

pid	process
1104	vbc.exe
1104	vbc.exe
1104	vbc.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe
1072	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1292 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

vbc.exevbc.exemsdt.exe

pid process

824 vbc.exe
1104 vbc.exe
1104 vbc.exe
1104 vbc.exe
1104 vbc.exe
1072 msdt.exe
1072 msdt.exe

pid	process
1292	Explorer.EXE

pid	process
824	vbc.exe
1104	vbc.exe
1104	vbc.exe
1104	vbc.exe
1104	vbc.exe
1072	msdt.exe
1072	msdt.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

vbc.exeExplorer.EXEmsdt.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1104	vbc.exe
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeDebugPrivilege	1072	msdt.exe
Token: SeShutdownPrivilege	1116	WINWORD.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1292 Explorer.EXE
1292 Explorer.EXE
1292 Explorer.EXE
1292 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1292 Explorer.EXE
1292 Explorer.EXE
1292 Explorer.EXE
1292 Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1116 WINWORD.EXE
1116 WINWORD.EXE

pid	process
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE

pid	process
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE

pid	process
1116	WINWORD.EXE
1116	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 800 wrote to memory of 824	800	EQNEDT32.EXE	vbc.exe
PID 800 wrote to memory of 824	800	EQNEDT32.EXE	vbc.exe
PID 800 wrote to memory of 824	800	EQNEDT32.EXE	vbc.exe
PID 800 wrote to memory of 824	800	EQNEDT32.EXE	vbc.exe
PID 1116 wrote to memory of 656	1116	WINWORD.EXE	splwow64.exe
PID 1116 wrote to memory of 656	1116	WINWORD.EXE	splwow64.exe
PID 1116 wrote to memory of 656	1116	WINWORD.EXE	splwow64.exe
PID 1116 wrote to memory of 656	1116	WINWORD.EXE	splwow64.exe
PID 824 wrote to memory of 1104	824	vbc.exe	vbc.exe
PID 824 wrote to memory of 1104	824	vbc.exe	vbc.exe
PID 824 wrote to memory of 1104	824	vbc.exe	vbc.exe
PID 824 wrote to memory of 1104	824	vbc.exe	vbc.exe
PID 824 wrote to memory of 1104	824	vbc.exe	vbc.exe
PID 1292 wrote to memory of 1072	1292	Explorer.EXE	msdt.exe
PID 1292 wrote to memory of 1072	1292	Explorer.EXE	msdt.exe
PID 1292 wrote to memory of 1072	1292	Explorer.EXE	msdt.exe
PID 1292 wrote to memory of 1072	1292	Explorer.EXE	msdt.exe
PID 1072 wrote to memory of 772	1072	msdt.exe	cmd.exe
PID 1072 wrote to memory of 772	1072	msdt.exe	cmd.exe
PID 1072 wrote to memory of 772	1072	msdt.exe	cmd.exe
PID 1072 wrote to memory of 772	1072	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1292

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\40HQ_of_CI_PL_SC_HR210503.docx"
2⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:656

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Public\vbc.exe"
3⤵
PID:772

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:800

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:824

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
716f61cba6d08cd0c1904bcc827b56a0

SHA1
357a1acb28174392e191716972537555790ae792

SHA256
2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67

SHA512
6b392de718dca8d95b05f06a466b9e52ad0f757fef81a6237b541563f60cb2238ea5f451fe6ed4ca1edb9ba8af14318ea3c6d6708e456273544ddfdd5328d24e

Download Submit
C:\Users\Public\vbc.exe
MD5
716f61cba6d08cd0c1904bcc827b56a0

SHA1
357a1acb28174392e191716972537555790ae792

SHA256
2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67

SHA512
6b392de718dca8d95b05f06a466b9e52ad0f757fef81a6237b541563f60cb2238ea5f451fe6ed4ca1edb9ba8af14318ea3c6d6708e456273544ddfdd5328d24e

Download Submit
C:\Users\Public\vbc.exe
MD5
716f61cba6d08cd0c1904bcc827b56a0

SHA1
357a1acb28174392e191716972537555790ae792

SHA256
2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67

SHA512
6b392de718dca8d95b05f06a466b9e52ad0f757fef81a6237b541563f60cb2238ea5f451fe6ed4ca1edb9ba8af14318ea3c6d6708e456273544ddfdd5328d24e

Download Submit
\Users\Admin\AppData\Local\Temp\nsi2CFC.tmp\shsmack.dll
MD5
754f65f8025460256126f94d880be78e

SHA1
888427853b9b5d919423eaabe8be2fb126a80203

SHA256
4f70280ff2a0811ddcb7fee2893d432e78234f8121f83c8d51f4ad3f0caaa75d

SHA512
3a1079624bc0b56f14e9b991540d9f8e8ef8085d8b133eb340a0320f6db4a44ecbec778be29cf0bf175c9479b1c88dc0d30b8458750983fbe08229c89cbb197a

Download Submit
\Users\Public\vbc.exe
MD5
716f61cba6d08cd0c1904bcc827b56a0

SHA1
357a1acb28174392e191716972537555790ae792

SHA256
2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67

SHA512
6b392de718dca8d95b05f06a466b9e52ad0f757fef81a6237b541563f60cb2238ea5f451fe6ed4ca1edb9ba8af14318ea3c6d6708e456273544ddfdd5328d24e

Download Submit
\Users\Public\vbc.exe
MD5
716f61cba6d08cd0c1904bcc827b56a0

SHA1
357a1acb28174392e191716972537555790ae792

SHA256
2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67

SHA512
6b392de718dca8d95b05f06a466b9e52ad0f757fef81a6237b541563f60cb2238ea5f451fe6ed4ca1edb9ba8af14318ea3c6d6708e456273544ddfdd5328d24e

Download Submit
\Users\Public\vbc.exe
MD5
716f61cba6d08cd0c1904bcc827b56a0

SHA1
357a1acb28174392e191716972537555790ae792

SHA256
2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67

SHA512
6b392de718dca8d95b05f06a466b9e52ad0f757fef81a6237b541563f60cb2238ea5f451fe6ed4ca1edb9ba8af14318ea3c6d6708e456273544ddfdd5328d24e

Download Submit
memory/656-71-0x0000000000000000-mapping.dmp

Download
memory/656-76-0x000007FEFC301000-0x000007FEFC303000-memory.dmp

Filesize
8KB

Download
memory/772-86-0x0000000000000000-mapping.dmp

Download
memory/800-62-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/824-74-0x0000000001E00000-0x0000000001E02000-memory.dmp

Filesize
8KB

Download
memory/824-66-0x0000000000000000-mapping.dmp

Download
memory/1072-84-0x0000000000820000-0x0000000000914000-memory.dmp

Filesize
976KB

Download
memory/1072-88-0x0000000000730000-0x00000000007BF000-memory.dmp

Filesize
572KB

Download
memory/1072-87-0x0000000002280000-0x0000000002583000-memory.dmp

Filesize
3.0MB

Download
memory/1072-85-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1072-82-0x0000000000000000-mapping.dmp

Download
memory/1104-72-0x000000000041D010-mapping.dmp

Download
memory/1104-75-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1104-77-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/1104-78-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1104-80-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/1116-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1116-60-0x0000000070881000-0x0000000070883000-memory.dmp

Filesize
8KB

Download
memory/1116-59-0x0000000072E01000-0x0000000072E04000-memory.dmp

Filesize
12KB

Download
memory/1116-90-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1292-81-0x0000000006C20000-0x0000000006D2E000-memory.dmp

Filesize
1.1MB

Download
memory/1292-79-0x0000000004740000-0x00000000048AF000-memory.dmp

Filesize
1.4MB

Download
memory/1292-89-0x0000000006A00000-0x0000000006AA2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads