xloader | 7ee841fa5f82f3b229064a75f3454d595899132f93a5d77045cd4786d03615de

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7v20210408
submitted
04-05-2021 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payment-000598635.docx
Size

10KB
MD5

5c73df1769f5842ee5810e849f76479c
SHA1

72282281170957eebefe050b767e9d25b0263ca9
SHA256

7ee841fa5f82f3b229064a75f3454d595899132f93a5d77045cd4786d03615de
SHA512

67471217d91696acc7bd0a1245606f35ebb76df8f09dc17aaef854971df059b76abb6a8c4134ea7e7003dcdf3a3ba5657d3d645f4029e7c1bb18900adbc4e893

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

http://www.apluspro.online/bgnq/

Decoy

customsclearingagents.com

vsemasteraokon.online

seeheresthething.com

chozamtravel.com

cjkustom.com

djeffexla.com

survivingks.com

rokascapitalmanagement.net

tekdesignlimited.com

1499parkave.com

fontanerosboadilla.com

jesusencounterminisries.com

uouhodler.com

cordstraw.com

dab50074.com

sarahleinartstore.com

inawinnebago.com

wassersportzentrum.online

giselabustamante.com

gulaturun.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1232-83-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1232-84-0x000000000041D090-mapping.dmp	xloader
behavioral1/memory/1636-94-0x0000000000090000-0x00000000000B9000-memory.dmp	xloader

Blocklisted process makes network request 2 IoCs

Processes:

EQNEDT32.EXE

flow pid process

15 1680 EQNEDT32.EXE
16 1680 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1760 vbc.exe
1232 vbc.exe

flow	pid	process
15	1680	EQNEDT32.EXE
16	1680	EQNEDT32.EXE

pid	process
1760	vbc.exe
1232	vbc.exe

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Common\Offline\Files\https://is.gd/2x73Dx	WINWORD.EXE

Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

1680 EQNEDT32.EXE
1680 EQNEDT32.EXE
1680 EQNEDT32.EXE
1680 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1680	EQNEDT32.EXE
1680	EQNEDT32.EXE
1680	EQNEDT32.EXE
1680	EQNEDT32.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.exerundll32.exe

description	pid	process	target process
PID 1760 set thread context of 1232	1760	vbc.exe	vbc.exe
PID 1232 set thread context of 1268	1232	vbc.exe	Explorer.EXE
PID 1636 set thread context of 1268	1636	rundll32.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1680 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1680	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

784 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

vbc.exerundll32.exe

pid process

1232 vbc.exe
1232 vbc.exe
1636 rundll32.exe
1636 rundll32.exe
1636 rundll32.exe
1636 rundll32.exe
1636 rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exerundll32.exe

pid process

1232 vbc.exe
1232 vbc.exe
1232 vbc.exe
1636 rundll32.exe
1636 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WINWORD.EXEvbc.exerundll32.exe

description pid process

Token: SeShutdownPrivilege 784 WINWORD.EXE
Token: SeDebugPrivilege 1232 vbc.exe
Token: SeDebugPrivilege 1636 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

784 WINWORD.EXE
784 WINWORD.EXE

pid	process
784	WINWORD.EXE

pid	process
1232	vbc.exe
1232	vbc.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe

pid	process
1268	Explorer.EXE

pid	process
1232	vbc.exe
1232	vbc.exe
1232	vbc.exe
1636	rundll32.exe
1636	rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	784	WINWORD.EXE
Token: SeDebugPrivilege	1232	vbc.exe
Token: SeDebugPrivilege	1636	rundll32.exe

pid	process
784	WINWORD.EXE
784	WINWORD.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 1680 wrote to memory of 1760	1680	EQNEDT32.EXE	vbc.exe
PID 1680 wrote to memory of 1760	1680	EQNEDT32.EXE	vbc.exe
PID 1680 wrote to memory of 1760	1680	EQNEDT32.EXE	vbc.exe
PID 1680 wrote to memory of 1760	1680	EQNEDT32.EXE	vbc.exe
PID 784 wrote to memory of 1700	784	WINWORD.EXE	splwow64.exe
PID 784 wrote to memory of 1700	784	WINWORD.EXE	splwow64.exe
PID 784 wrote to memory of 1700	784	WINWORD.EXE	splwow64.exe
PID 784 wrote to memory of 1700	784	WINWORD.EXE	splwow64.exe
PID 1760 wrote to memory of 1232	1760	vbc.exe	vbc.exe
PID 1760 wrote to memory of 1232	1760	vbc.exe	vbc.exe
PID 1760 wrote to memory of 1232	1760	vbc.exe	vbc.exe
PID 1760 wrote to memory of 1232	1760	vbc.exe	vbc.exe
PID 1760 wrote to memory of 1232	1760	vbc.exe	vbc.exe
PID 1760 wrote to memory of 1232	1760	vbc.exe	vbc.exe
PID 1760 wrote to memory of 1232	1760	vbc.exe	vbc.exe
PID 1268 wrote to memory of 1636	1268	Explorer.EXE	rundll32.exe
PID 1268 wrote to memory of 1636	1268	Explorer.EXE	rundll32.exe
PID 1268 wrote to memory of 1636	1268	Explorer.EXE	rundll32.exe
PID 1268 wrote to memory of 1636	1268	Explorer.EXE	rundll32.exe
PID 1268 wrote to memory of 1636	1268	Explorer.EXE	rundll32.exe
PID 1268 wrote to memory of 1636	1268	Explorer.EXE	rundll32.exe
PID 1268 wrote to memory of 1636	1268	Explorer.EXE	rundll32.exe
PID 1636 wrote to memory of 1472	1636	rundll32.exe	cmd.exe
PID 1636 wrote to memory of 1472	1636	rundll32.exe	cmd.exe
PID 1636 wrote to memory of 1472	1636	rundll32.exe	cmd.exe
PID 1636 wrote to memory of 1472	1636	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1268

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\payment-000598635.docx"
2⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1700

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Public\vbc.exe"
3⤵
PID:1472

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
f0704d234d472b13e856f90d8649806d

SHA1
8b7a926407506c3c3741ca3ff709986d5f1a2387

SHA256
6c3cf8e4e67fb4ea86c48e918d6ebdecc2b4903553798d1e0e1fcb73376105dc

SHA512
a1cacc0dd2b0f4ffdf082980d288e98c493a6581f09265e13b9f94f9efcc7bb4300aa7346e533761315237038990646d267b0b43ca2e71fabd3c6a9d92ee93e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
dcf3106d96d2b26426e5bb52fae5b860

SHA1
fc3524f22fe9d490bb226551b609b0661467aebc

SHA256
eed6ae3690a68553bb2f6ff60513f5e61efc67c7371f24c4aec979e348a10425

SHA512
ce4ce21d0741cd71a3de83054934ff51b46225fe43eceeffdd844bd82d4d5c1f441cea687534cdf4b860fbe9b2f42131845819e0851b74da2962881aa28bbe2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
0efdfa7b0372c90ad14de334d2d6b7e9

SHA1
b8ff254645904ba4f667d0a428276eb9adf7f547

SHA256
f2edd8d8bc1ba12b68a99b938a6df7ed03299229faf6bc4af8ffdbbc445246df

SHA512
642f9720c9bf6cb264bdd795c45244d527bd679799728d3032c4fa4356e6ba9f2e393f0032562e09c447dcbcd2d0272513e5fee7cd12eb26e1c5df5800a92fb0

Download Submit
C:\Users\Public\vbc.exe
MD5
020adea3f32c15a0dc4a23522798c3f2

SHA1
88378c179cc71548d98eb0500829019be8f22dcb

SHA256
e3404e10a2f6b9abb35ab5869a8c78167c82b72815bc59983cd018170412d53d

SHA512
1a903bfebf8c75dd08e5907f3fcacfc44635df1a1563b2cbab704ee6d5370b350600c1d23921aac0d20b69a2033d4aad6131ec7e5971b46d7445dc93536370d8

Download Submit
C:\Users\Public\vbc.exe
MD5
020adea3f32c15a0dc4a23522798c3f2

SHA1
88378c179cc71548d98eb0500829019be8f22dcb

SHA256
e3404e10a2f6b9abb35ab5869a8c78167c82b72815bc59983cd018170412d53d

SHA512
1a903bfebf8c75dd08e5907f3fcacfc44635df1a1563b2cbab704ee6d5370b350600c1d23921aac0d20b69a2033d4aad6131ec7e5971b46d7445dc93536370d8

Download Submit
C:\Users\Public\vbc.exe
MD5
020adea3f32c15a0dc4a23522798c3f2

SHA1
88378c179cc71548d98eb0500829019be8f22dcb

SHA256
e3404e10a2f6b9abb35ab5869a8c78167c82b72815bc59983cd018170412d53d

SHA512
1a903bfebf8c75dd08e5907f3fcacfc44635df1a1563b2cbab704ee6d5370b350600c1d23921aac0d20b69a2033d4aad6131ec7e5971b46d7445dc93536370d8

Download Submit
\Users\Public\vbc.exe
MD5
020adea3f32c15a0dc4a23522798c3f2

SHA1
88378c179cc71548d98eb0500829019be8f22dcb

SHA256
e3404e10a2f6b9abb35ab5869a8c78167c82b72815bc59983cd018170412d53d

SHA512
1a903bfebf8c75dd08e5907f3fcacfc44635df1a1563b2cbab704ee6d5370b350600c1d23921aac0d20b69a2033d4aad6131ec7e5971b46d7445dc93536370d8

Download Submit
\Users\Public\vbc.exe
MD5
020adea3f32c15a0dc4a23522798c3f2

SHA1
88378c179cc71548d98eb0500829019be8f22dcb

SHA256
e3404e10a2f6b9abb35ab5869a8c78167c82b72815bc59983cd018170412d53d

SHA512
1a903bfebf8c75dd08e5907f3fcacfc44635df1a1563b2cbab704ee6d5370b350600c1d23921aac0d20b69a2033d4aad6131ec7e5971b46d7445dc93536370d8

Download Submit
\Users\Public\vbc.exe
MD5
020adea3f32c15a0dc4a23522798c3f2

SHA1
88378c179cc71548d98eb0500829019be8f22dcb

SHA256
e3404e10a2f6b9abb35ab5869a8c78167c82b72815bc59983cd018170412d53d

SHA512
1a903bfebf8c75dd08e5907f3fcacfc44635df1a1563b2cbab704ee6d5370b350600c1d23921aac0d20b69a2033d4aad6131ec7e5971b46d7445dc93536370d8

Download Submit
\Users\Public\vbc.exe
MD5
020adea3f32c15a0dc4a23522798c3f2

SHA1
88378c179cc71548d98eb0500829019be8f22dcb

SHA256
e3404e10a2f6b9abb35ab5869a8c78167c82b72815bc59983cd018170412d53d

SHA512
1a903bfebf8c75dd08e5907f3fcacfc44635df1a1563b2cbab704ee6d5370b350600c1d23921aac0d20b69a2033d4aad6131ec7e5971b46d7445dc93536370d8

Download Submit
memory/784-60-0x0000000072391000-0x0000000072394000-memory.dmp

Filesize
12KB

Download
memory/784-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/784-61-0x000000006FE11000-0x000000006FE13000-memory.dmp

Filesize
8KB

Download
memory/784-80-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1232-83-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1232-88-0x0000000000210000-0x0000000000221000-memory.dmp

Filesize
68KB

Download
memory/1232-87-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/1232-84-0x000000000041D090-mapping.dmp

Download
memory/1268-97-0x0000000006190000-0x0000000006297000-memory.dmp

Filesize
1.0MB

Download
memory/1268-89-0x00000000060C0000-0x000000000618C000-memory.dmp

Filesize
816KB

Download
memory/1472-92-0x0000000000000000-mapping.dmp

Download
memory/1636-95-0x00000000021F0000-0x00000000024F3000-memory.dmp

Filesize
3.0MB

Download
memory/1636-90-0x0000000000000000-mapping.dmp

Download
memory/1636-94-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/1636-93-0x0000000000800000-0x000000000080E000-memory.dmp

Filesize
56KB

Download
memory/1636-96-0x0000000001E30000-0x0000000001EC0000-memory.dmp

Filesize
576KB

Download
memory/1680-63-0x0000000075AA1000-0x0000000075AA3000-memory.dmp

Filesize
8KB

Download
memory/1700-76-0x0000000000000000-mapping.dmp

Download
memory/1700-77-0x000007FEFB891000-0x000007FEFB893000-memory.dmp

Filesize
8KB

Download
memory/1760-82-0x0000000004650000-0x00000000046B5000-memory.dmp

Filesize
404KB

Download
memory/1760-81-0x0000000005040000-0x00000000050E8000-memory.dmp

Filesize
672KB

Download
memory/1760-79-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/1760-78-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/1760-74-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1760-71-0x0000000000000000-mapping.dmp

Download