Overview

overview

10

Static

static

1

vbc.exe

windows7_x64

10

vbc.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    vbc.exe

  • Size

    249KB

  • Sample

    211012-mt1b2acbg5

  • MD5

    0a0b65f309a35b8c4f2976a97363c398

  • SHA1

    14d9e3a08571169103420909073ac186ae034eee

  • SHA256

    7d193ee636a32820be667d76f35258c087604539f5a52a442ba947339eb8ae58

  • SHA512

    c66de247b8ced1a86eecff73823767b6349a8983267a00bb3f7e5ad7644cbb3fededf442590a32c8dd571c2d83575aa9d49fd69677ce050d5d2bb20f8edbc10b

Score
10/10
xloadermxnuloaderpersistencerat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mxnu

C2

http://www.naplesconciergerealty.com/mxnu/

Decoy

insightmyhome.com

gabriellamaxey.com

029atk.xyz

marshconstructions.com

technichoffghosts.com

blue-ivy-boutique-au.com

1sunsetgroup.com

elfkuhnispb.store

caoliudh.club

verifiedpaypal.net

jellyice-tr.com

gatescres.com

bloomberq.online

crystaltopagent.net

uggs-line.com

ecommerceplatform.xyz

historyofcambridge.com

sattaking-gaziabad.xyz

digisor.com

beachpawsmobilegrooming.com

Targets

    • Target

      vbc.exe

    • Size

      249KB

    • MD5

      0a0b65f309a35b8c4f2976a97363c398

    • SHA1

      14d9e3a08571169103420909073ac186ae034eee

    • SHA256

      7d193ee636a32820be667d76f35258c087604539f5a52a442ba947339eb8ae58

    • SHA512

      c66de247b8ced1a86eecff73823767b6349a8983267a00bb3f7e5ad7644cbb3fededf442590a32c8dd571c2d83575aa9d49fd69677ce050d5d2bb20f8edbc10b

    Score
    10/10
    xloadermxnuloaderratpersistence

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks