General

  • Target

    vbc.exe

  • Size

    684KB

  • Sample

    210830-fv47vle4h6

  • MD5

    aca08c69a22e6f4f07cb44a74e7b9dac

  • SHA1

    4bc60c4b13744c992e0a52e295bafc031791ae70

  • SHA256

    8a4f2595fd06f95e90671af95430b5473d27a50097eaf3d2719de076748e1d85

  • SHA512

    bf00facdba3c7de28034a6506cecc9509dc59957127c6a82ca3f13e8f4a9ecc4546802bf43d6267c4a88f2e8f01554d5fc3182db89beeb13a2bcb93376a5165e

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ecuu

C2

http://www.polaritelibrairie.com/ecuu/

Decoy

buoy8boats.com

tomrings.com

o-distribs.com

majesticgroupinc.com

tehridam.com

yzwjtoys.com

castro-online.run

aquarius-twins.com

jamesrrossfineart.com

pavarasupatthonkol.com

rivermarketdentistry.com

gyiblrjd.icu

redcountrypodcast.com

youngbrotherspharmacyga.com

betsysobiech.com

neocleanpro.com

ingpatrimoine.com

mustangsallytransportation.com

jsvfcxzn.com

krsfpjuoekcd.info
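The C2 URL and decoy list above are directly actionable, but not equally so: Xloader (like Formbook) requests the decoy domains, which are unrelated legitimate sites, purely to hide the real C2 among ordinary web traffic, so a decoy hit on its own is weak evidence and a block on decoy domains breaks legitimate browsing. The following Python is an added example, not part of the sandbox report or of any vendor tooling: it turns the extracted config into a matcher for proxy logs and grades hits by confidence. Only the C2 URL and the decoy list come from the report; the log format, the log lines and the confidence tiers are constructed for the example.

```python
"""Match the Xloader 2.3 config extracted above against web-proxy logs.

Added example, not part of the sandbox report or of any vendor tooling.
Only the C2 URL and the decoy list are taken from the report; the log
format, the log lines and the confidence tiers are constructed here.
"""
from urllib.parse import urlsplit

# From the extracted config (campaign "ecuu").
C2_URLS = ["http://www.polaritelibrairie.com/ecuu/"]
DECOY_DOMAINS = [
    "buoy8boats.com", "tomrings.com", "o-distribs.com", "majesticgroupinc.com",
    "tehridam.com", "yzwjtoys.com", "castro-online.run", "aquarius-twins.com",
    "jamesrrossfineart.com", "pavarasupatthonkol.com", "rivermarketdentistry.com",
    "gyiblrjd.icu", "redcountrypodcast.com", "youngbrotherspharmacyga.com",
    "betsysobiech.com", "neocleanpro.com", "ingpatrimoine.com",
    "mustangsallytransportation.com", "jsvfcxzn.com", "krsfpjuoekcd.info",
]


def _norm_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so that
    www.example.com and example.com compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def _under(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


# Pre-parse the C2 URLs into (host, path-prefix) pairs.
C2 = [(_norm_host(urlsplit(u).hostname), urlsplit(u).path) for u in C2_URLS]
DECOYS = [_norm_host(d) for d in DECOY_DOMAINS]
CAMPAIGN_PATHS = {path for _, path in C2}


def classify_url(url: str):
    """Return (confidence, reason) for a requested URL, or None if it does
    not touch any indicator from the config."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    host = _norm_host(parts.hostname)
    for c2_host, c2_path in C2:
        if _under(host, c2_host):
            if parts.path.startswith(c2_path):
                return ("high", "C2 host with campaign path")
            return ("medium", "C2 host without campaign path")
    if any(_under(host, d) for d in DECOYS):
        # Decoys are real, unrelated sites; Xloader requests them only to
        # hide the C2 among ordinary traffic. Alone they are weak evidence.
        if any(parts.path.startswith(p) for p in CAMPAIGN_PATHS):
            return ("medium", "decoy host with campaign path")
        return ("low", "decoy host only (legitimate site)")
    return None


def scan_proxy_log(text: str):
    """Scan 'timestamp client method url status' lines; return
    (client, confidence, url) for every line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        verdict = classify_url(url)
        if verdict is not None:
            hits.append((client, verdict[0], url))
    return hits


# Constructed proxy log: the first host is the report's C2, the next two
# are from the decoy list, the last is unrelated.
SAMPLE_PROXY_LOG = """\
2021-08-30T14:02:11Z 10.0.5.23 GET http://www.polaritelibrairie.com/ecuu/ 200
2021-08-30T14:02:12Z 10.0.5.23 GET http://www.tomrings.com/ecuu/ 404
2021-08-30T14:02:13Z 10.0.5.23 POST http://www.polaritelibrairie.com/ecuu/ 200
2021-08-30T14:05:40Z 10.0.5.77 GET https://www.majesticgroupinc.com/about 200
2021-08-30T14:06:02Z 10.0.5.77 GET https://www.example.com/ 200
"""

if __name__ == "__main__":
    for client, confidence, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{confidence:6} {client:12} {url}")
```

Run as a script it lists the four hits from the constructed log (two high, one medium, one low) and ignores the unrelated request. A "medium" on a decoy host carrying the campaign path is the one decoy case worth triaging, because a browser does not normally request /ecuu/ on those sites; a plain "low" should feed enrichment, not blocking.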

Targets

    • Target

      vbc.exe

    • Size

      684KB

    • MD5

      aca08c69a22e6f4f07cb44a74e7b9dac

    • SHA1

      4bc60c4b13744c992e0a52e295bafc031791ae70

    • SHA256

      8a4f2595fd06f95e90671af95430b5473d27a50097eaf3d2719de076748e1d85

    • SHA512

      bf00facdba3c7de28034a6506cecc9509dc59957127c6a82ca3f13e8f4a9ecc4546802bf43d6267c4a88f2e8f01554d5fc3182db89beeb13a2bcb93376a5165e

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Adds policy Run key to start application

    • Uses the VBS compiler for execution (the sample runs under the name vbc.exe, which is the name of the .NET Visual Basic command-line compiler, not a VBScript interpreter)

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
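The two persistence signatures above ("Adds Run key" and "Adds policy Run key") correspond to values written under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run and under the Explorer policy key ...\CurrentVersion\Policies\Explorer\Run, which is the less-watched location. The following Python is an added example, not part of the sandbox report: it checks registry-write telemetry for both locations and grades each finding by whether the registered binary lives in a user-writable path. The event records are constructed in the shape of Sysmon Event ID 13 (registry value set); the process name vbc.exe and the two key locations are the only details taken from the report.

```python
"""Flag Run-key and policy-Run-key persistence in registry-write telemetry.

Added example, not part of the sandbox report. The event records below are
constructed in the shape of Sysmon Event ID 13 (registry value set); the
key paths checked are the ones behind the two Run-key signatures above.
"""
import re

# Run, RunOnce and the Explorer policy Run key, under either hive and
# with or without the Wow6432Node redirection prefix. Group 1 is the key,
# group 2 the value name the malware registers.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce|Policies\\Explorer\\Run)\\([^\\]+)$",
    re.IGNORECASE,
)
KEY_LABELS = {
    "run": "Run key",
    "runonce": "RunOnce key",
    "policies\\explorer\\run": "policy Run key",
}
# ATT&CK v6 ID used by the matrix in this report for all three locations.
ATTACK_ID = "T1060"  # Registry Run Keys / Startup Folder


def _user_writable(path: str) -> bool:
    """Heuristic: value data pointing into a user-writable location is more
    suspicious than a Program Files or system path."""
    p = path.lower()
    return any(m in p for m in ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\"))


def detect_run_key_persistence(events):
    """Return one finding per registry value set under a Run-style key."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:        # only value-set events carry data
            continue
        target = ev.get("TargetObject", "")
        m = RUN_KEY_RE.search(target)
        if not m:
            continue
        data = ev.get("Details", "")
        findings.append({
            "technique": ATTACK_ID,
            "key": KEY_LABELS[m.group(1).lower()],
            "value_name": m.group(2),
            "scope": "user" if target.upper().startswith(("HKU\\", "HKCU\\")) else "machine",
            "image": ev.get("Image", ""),
            "data": data,
            "severity": "suspicious" if _user_writable(data) else "informational",
        })
    return findings


# Constructed telemetry. The first two records imitate the two persistence
# signatures from the report (a Run value and a policy Run value written by a
# process named vbc.exe); the rest are ordinary activity.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\admin\AppData\Local\Temp\vbc.exe",
     "TargetObject": r"HKU\S-1-5-21-1234567890-1001\Software\Microsoft\Windows\CurrentVersion\Run\vbc",
     "Details": r"C:\Users\admin\AppData\Roaming\vbc.exe"},
    {"EventID": 13, "Image": r"C:\Users\admin\AppData\Local\Temp\vbc.exe",
     "TargetObject": r"HKU\S-1-5-21-1234567890-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbc",
     "Details": r"C:\Users\admin\AppData\Roaming\vbc.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1234567890-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 12, "Image": r"C:\Users\admin\AppData\Local\Temp\vbc.exe",
     "TargetObject": r"HKU\S-1-5-21-1234567890-1001\Software\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for f in detect_run_key_persistence(SAMPLE_EVENTS):
        print(f"{f['severity']:13} {f['key']:15} {f['scope']:7} {f['value_name']} -> {f['data']}")
```

On the constructed events the two vbc.exe writes come out as "suspicious" (both register a binary under AppData) and the installer's Run value as "informational"; the unrelated Explorer setting and the key-create event (ID 12, which carries no value data) are ignored. The policy Run key deserves the same weight as the ordinary Run key in any allow-list, because it is executed at logon in the same way but is missing from many baseline autorun checks.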

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                             Signatures  ID
  Execution         Scripting                             1           T1064
  Persistence       Registry Run Keys / Startup Folder    2           T1060
  Defense Evasion   Modify Registry                       2           T1112
  Defense Evasion   Scripting                             1           T1064

The IDs follow ATT&CK v6, where Scripting (T1064) sits under both Execution and Defense Evasion. In current ATT&CK versions T1060 has become T1547.001 and T1064 is deprecated in favour of T1059 (Command and Scripting Interpreter), so map the IDs before feeding them into a newer coverage matrix.

Tasks