xloader | c996c6e47abe7b54c652692c1aa2bd7b1c63b4927a8da78ca2d1de3ca7232198

General

Target

DHL_Sender_Documents_Details_021230900.xlsx
Size

355KB
MD5

e5c6389fe4c43e736bbe304ac2aa9912
SHA1

5d4bb21ef27c9b712c33a367c461ea78defb2849
SHA256

c996c6e47abe7b54c652692c1aa2bd7b1c63b4927a8da78ca2d1de3ca7232198
SHA512

2138ffc7b261c3c81467d8ca7fb9638f82896e74fb5147588a50edf5fc619a26994992bc6de1e455157bf65e2f14bf8fdcc771a8188f1a6a45c7b957bffe0287

Score

10^/10

xloader m0np loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m0np

C2

http://www.devmedicalcentre.com/m0np/

Decoy

gruppovimar.com

seniordatingtv.com

pinpinyouqian.website

retreatreflectreplenish.com

baby-handmade.store

econsupplies.com

helloaustinpodcast.com

europe-lodging.com

ferahanaokulu.com

thehomeinspo.com

rawhoneytnpasumo6.xyz

tyckasei.quest

scissorsandbuffer.com

jatinvestmentsmaldives.com

softandcute.store

afuturemakerspromotions.online

leonsigntech.com

havetheshortscovered.com

cvkf.email

iplyyu.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/812-71-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/812-72-0x000000000041D450-mapping.dmp	xloader
behavioral1/memory/540-82-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

5 1724 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

924 vbc.exe
812 vbc.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEvbc.exe

pid process

1724 EQNEDT32.EXE
1724 EQNEDT32.EXE
1724 EQNEDT32.EXE
924 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
5	1724	EQNEDT32.EXE

pid	process
924	vbc.exe
812	vbc.exe

pid	process
1724	EQNEDT32.EXE
1724	EQNEDT32.EXE
1724	EQNEDT32.EXE
924	vbc.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

vbc.exevbc.exeNETSTAT.EXE

description	pid	process	target process
PID 924 set thread context of 812	924	vbc.exe	vbc.exe
PID 812 set thread context of 1204	812	vbc.exe	Explorer.EXE
PID 812 set thread context of 1204	812	vbc.exe	Explorer.EXE
PID 540 set thread context of 1204	540	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 12 IoCs

installer

Processes:

resource	yara_rule
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

540 NETSTAT.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1724 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
540	NETSTAT.EXE

pid	process
1724	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

520 EXCEL.EXE

pid	process
520	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

vbc.exeNETSTAT.EXE

pid	process
812	vbc.exe
812	vbc.exe
812	vbc.exe
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE
540	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

vbc.exeNETSTAT.EXE

pid process

812 vbc.exe
812 vbc.exe
812 vbc.exe
812 vbc.exe
540 NETSTAT.EXE
540 NETSTAT.EXE

pid	process
1204	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

vbc.exeExplorer.EXENETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	812	vbc.exe
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeDebugPrivilege	540	NETSTAT.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

520 EXCEL.EXE
520 EXCEL.EXE
520 EXCEL.EXE

pid	process
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE

pid	process
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE

pid	process
520	EXCEL.EXE
520	EXCEL.EXE
520	EXCEL.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

EQNEDT32.EXEvbc.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1724 wrote to memory of 924	1724	EQNEDT32.EXE	vbc.exe
PID 1724 wrote to memory of 924	1724	EQNEDT32.EXE	vbc.exe
PID 1724 wrote to memory of 924	1724	EQNEDT32.EXE	vbc.exe
PID 1724 wrote to memory of 924	1724	EQNEDT32.EXE	vbc.exe
PID 924 wrote to memory of 812	924	vbc.exe	vbc.exe
PID 924 wrote to memory of 812	924	vbc.exe	vbc.exe
PID 924 wrote to memory of 812	924	vbc.exe	vbc.exe
PID 924 wrote to memory of 812	924	vbc.exe	vbc.exe
PID 924 wrote to memory of 812	924	vbc.exe	vbc.exe
PID 924 wrote to memory of 812	924	vbc.exe	vbc.exe
PID 924 wrote to memory of 812	924	vbc.exe	vbc.exe
PID 1204 wrote to memory of 540	1204	Explorer.EXE	NETSTAT.EXE
PID 1204 wrote to memory of 540	1204	Explorer.EXE	NETSTAT.EXE
PID 1204 wrote to memory of 540	1204	Explorer.EXE	NETSTAT.EXE
PID 1204 wrote to memory of 540	1204	Explorer.EXE	NETSTAT.EXE
PID 540 wrote to memory of 1788	540	NETSTAT.EXE	cmd.exe
PID 540 wrote to memory of 1788	540	NETSTAT.EXE	cmd.exe
PID 540 wrote to memory of 1788	540	NETSTAT.EXE	cmd.exe
PID 540 wrote to memory of 1788	540	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\DHL_Sender_Documents_Details_021230900.xlsx
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:520

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Public\vbc.exe"
3⤵
PID:1788

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Command-Line Interface

1

T1059

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
62c72f781d7001dff6d747ee91e33e32

SHA1
ed9fb1d769fd4655a335884d26875758fe67433c

SHA256
990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d

SHA512
2b4e491681ddeebbf0eadb0f86923cedd6bc22c168c33aaa0363069df317a6bf5bde74f614abc97dde35185aa8f1f8fd5c0340a4b4c509fdf3f1837bbfb6473d

Download Submit
C:\Users\Public\vbc.exe
MD5
62c72f781d7001dff6d747ee91e33e32

SHA1
ed9fb1d769fd4655a335884d26875758fe67433c

SHA256
990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d

SHA512
2b4e491681ddeebbf0eadb0f86923cedd6bc22c168c33aaa0363069df317a6bf5bde74f614abc97dde35185aa8f1f8fd5c0340a4b4c509fdf3f1837bbfb6473d

Download Submit
C:\Users\Public\vbc.exe
MD5
62c72f781d7001dff6d747ee91e33e32

SHA1
ed9fb1d769fd4655a335884d26875758fe67433c

SHA256
990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d

SHA512
2b4e491681ddeebbf0eadb0f86923cedd6bc22c168c33aaa0363069df317a6bf5bde74f614abc97dde35185aa8f1f8fd5c0340a4b4c509fdf3f1837bbfb6473d

Download Submit
\Users\Admin\AppData\Local\Temp\nsq50FD.tmp\ojcwnasg.dll
MD5
a1c31e0436d00eb00481b5c0f39fa849

SHA1
1c71dc6fb7b93c99722dba7deee53dda9e19f5a5

SHA256
856362062f444906aa7cce79dab2727d9fbcdfc3d6ac5241819c1586d3693f8b

SHA512
466bbf168192502b718eca1e83f5120e4b144f77754ac276b577ec7cddd30dd93c3a3465e1e6ff9db0884cf4c3ca9a62867a9522dd88f20cf93200be3287768b

Download Submit
\Users\Public\vbc.exe
MD5
62c72f781d7001dff6d747ee91e33e32

SHA1
ed9fb1d769fd4655a335884d26875758fe67433c

SHA256
990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d

SHA512
2b4e491681ddeebbf0eadb0f86923cedd6bc22c168c33aaa0363069df317a6bf5bde74f614abc97dde35185aa8f1f8fd5c0340a4b4c509fdf3f1837bbfb6473d

Download Submit
\Users\Public\vbc.exe
MD5
62c72f781d7001dff6d747ee91e33e32

SHA1
ed9fb1d769fd4655a335884d26875758fe67433c

SHA256
990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d

SHA512
2b4e491681ddeebbf0eadb0f86923cedd6bc22c168c33aaa0363069df317a6bf5bde74f614abc97dde35185aa8f1f8fd5c0340a4b4c509fdf3f1837bbfb6473d

Download Submit
\Users\Public\vbc.exe
MD5
62c72f781d7001dff6d747ee91e33e32

SHA1
ed9fb1d769fd4655a335884d26875758fe67433c

SHA256
990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d

SHA512
2b4e491681ddeebbf0eadb0f86923cedd6bc22c168c33aaa0363069df317a6bf5bde74f614abc97dde35185aa8f1f8fd5c0340a4b4c509fdf3f1837bbfb6473d

Download Submit
memory/520-86-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/520-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/520-59-0x000000002F331000-0x000000002F334000-memory.dmp

Filesize
12KB

Download
memory/520-60-0x00000000716A1000-0x00000000716A3000-memory.dmp

Filesize
8KB

Download
memory/540-84-0x0000000001E80000-0x0000000001F10000-memory.dmp

Filesize
576KB

Download
memory/540-79-0x0000000000000000-mapping.dmp

Download
memory/540-83-0x0000000002090000-0x0000000002393000-memory.dmp

Filesize
3.0MB

Download
memory/540-81-0x0000000000180000-0x0000000000189000-memory.dmp

Filesize
36KB

Download
memory/540-82-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/812-72-0x000000000041D450-mapping.dmp

Download
memory/812-77-0x0000000000540000-0x0000000000551000-memory.dmp

Filesize
68KB

Download
memory/812-75-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/812-74-0x0000000000950000-0x0000000000C53000-memory.dmp

Filesize
3.0MB

Download
memory/812-71-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/924-66-0x0000000000000000-mapping.dmp

Download
memory/1204-78-0x0000000006F60000-0x00000000070A5000-memory.dmp

Filesize
1.3MB

Download
memory/1204-76-0x00000000041D0000-0x00000000042B4000-memory.dmp

Filesize
912KB

Download
memory/1204-85-0x0000000007140000-0x0000000007285000-memory.dmp

Filesize
1.3MB

Download
memory/1724-62-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/1788-80-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads