Analysis

  • max time kernel
    154s
  • max time network
    165s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    24-09-2021 10:12

General

  • Target

    vbc.exe

  • Size

    421KB

  • MD5

    859a1a6574e4a09027f729908318b282

  • SHA1

    bf7c9e96ca263d7811f7357f8645af42b04c093b

  • SHA256

    d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7

  • SHA512

    4163390db6bf2d8f66e8575e8d116df222e8d72b97037eca614fdb2d94d8cd686c31eb4593ce1164dfc398fe03a7b3ac97bfee61fc2e3ddb27e566c39cb234ec

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

arup

C2

http://www.sapphiretype.com/arup/

Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 3 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Users\Admin\AppData\Local\Temp\vbc.exe
      "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Users\Admin\AppData\Local\Temp\vbc.exe
        "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2252
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3820
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
        3⤵
        PID:3088

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scripting (1): T1064
  • Defense Evasion
    Scripting (1): T1064

Downloads

  • memory/2252-125-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)
  • memory/2252-128-0x0000000001810000-0x0000000001821000-memory.dmp (Filesize 68KB)
  • memory/2252-127-0x00000000012E0000-0x0000000001600000-memory.dmp (Filesize 3.1MB)
  • memory/2252-126-0x000000000041D4B0-mapping.dmp
  • memory/2284-121-0x0000000007A10000-0x0000000007A11000-memory.dmp (Filesize 4KB)
  • memory/2284-117-0x0000000005A10000-0x0000000005A11000-memory.dmp (Filesize 4KB)
  • memory/2284-122-0x0000000005720000-0x0000000005724000-memory.dmp (Filesize 16KB)
  • memory/2284-123-0x0000000007D10000-0x0000000007D6C000-memory.dmp (Filesize 368KB)
  • memory/2284-124-0x00000000059D0000-0x00000000059FC000-memory.dmp (Filesize 176KB)
  • memory/2284-120-0x00000000054F0000-0x00000000054F1000-memory.dmp (Filesize 4KB)
  • memory/2284-119-0x0000000005510000-0x0000000005A0E000-memory.dmp (Filesize 5.0MB)
  • memory/2284-118-0x00000000055B0000-0x00000000055B1000-memory.dmp (Filesize 4KB)
  • memory/2284-115-0x0000000000C60000-0x0000000000C61000-memory.dmp (Filesize 4KB)
  • memory/3028-129-0x0000000004E20000-0x0000000004FA9000-memory.dmp (Filesize 1.5MB)
  • memory/3028-138-0x0000000006350000-0x000000000649D000-memory.dmp (Filesize 1.3MB)
  • memory/3088-133-0x0000000000000000-mapping.dmp
  • memory/3820-130-0x0000000000000000-mapping.dmp
  • memory/3820-135-0x0000000002F40000-0x0000000002F69000-memory.dmp (Filesize 164KB)
  • memory/3820-134-0x0000000000C30000-0x0000000000C42000-memory.dmp (Filesize 72KB)
  • memory/3820-136-0x00000000050C0000-0x00000000053E0000-memory.dmp (Filesize 3.1MB)
  • memory/3820-137-0x00000000034F0000-0x0000000003580000-memory.dmp (Filesize 576KB)