General

  • Target

    vbc.exe

  • Size

    512KB

  • Sample

    210914-qg66laagcm

  • MD5

    b5f072069794e482d7a5940d8ba04a9a

  • SHA1

    c09d4b4b399ff3c346103e33879f0e4bdcc2fa6a

  • SHA256

    a5fb671ff149d2c1c97fcd000703037ca35298d3d45d4797ab20a190aea0ff10

  • SHA512

    900cf03b996c8e553fad6f3a675222865befd9ce15d8ba186edbb2fac1ad0431bcccee23f38cb24e3d76b6b41c494f5d538f7a4ca86455b835a23c6a7672d302

Malware Config (extracted)

  • Family

    xloader

  • Version

    2.3

  • Campaign

    b6cu

  • C2

    http://www.allfyllofficial.com/b6cu/

  • Decoy

Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Blocklisted process makes network request

    • Deletes itself

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (T1064): 1

    Scheduled Task (T1053): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Scripting (T1064): 1

  • Discovery

    System Information Discovery (T1082): 1

Tasks