xloader | 8f14202d038576081a716747d905248877b873edcec27a6406201d57b090ae8b

General

Target

vbc.exe
Size

441KB
MD5

35971270d5d0406535ba77fa74bf4f21
SHA1

2ae768c1dd51a1bbefa32f2f8b620490ec026aae
SHA256

8f14202d038576081a716747d905248877b873edcec27a6406201d57b090ae8b
SHA512

e4f164fbdca5636b60e7f015b3f39e46f7188fc7eadc0557a8cce88c3150f2de18f6eb7e51659c3b91b82a5ff8325e7067e7d2061d32f9bc8de31ba7814031cf

Score

10^/10

xloader ea0r loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ea0r

C2

http://www.asiapubz-hk.com/ea0r/

Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2216-135-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2216-136-0x000000000041D410-mapping.dmp	xloader
behavioral2/memory/3968-282-0x0000000002880000-0x00000000028A9000-memory.dmp	xloader

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.exeNETSTAT.EXE

description	pid	process	target process
PID 2680 set thread context of 2216	2680	vbc.exe	vbc.exe
PID 2216 set thread context of 3040	2216	vbc.exe	Explorer.EXE
PID 3968 set thread context of 3040	3968	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1676 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

3968 NETSTAT.EXE

pid	process
1676	schtasks.exe

pid	process
3968	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

vbc.exepowershell.exevbc.exeNETSTAT.EXE

pid	process
2680	vbc.exe
2680	vbc.exe
1724	powershell.exe
1724	powershell.exe
2216	vbc.exe
2216	vbc.exe
2216	vbc.exe
2216	vbc.exe
1724	powershell.exe
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE
3968	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3040 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exeNETSTAT.EXE

pid process

2216 vbc.exe
2216 vbc.exe
2216 vbc.exe
3968 NETSTAT.EXE
3968 NETSTAT.EXE

pid	process
3040	Explorer.EXE

pid	process
2216	vbc.exe
2216	vbc.exe
2216	vbc.exe
3968	NETSTAT.EXE
3968	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

vbc.exepowershell.exevbc.exeNETSTAT.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2680	vbc.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2216	vbc.exe
Token: SeDebugPrivilege	3968	NETSTAT.EXE
Token: SeShutdownPrivilege	3040	Explorer.EXE
Token: SeCreatePagefilePrivilege	3040	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

vbc.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 2680 wrote to memory of 1724	2680	vbc.exe	powershell.exe
PID 2680 wrote to memory of 1724	2680	vbc.exe	powershell.exe
PID 2680 wrote to memory of 1724	2680	vbc.exe	powershell.exe
PID 2680 wrote to memory of 1676	2680	vbc.exe	schtasks.exe
PID 2680 wrote to memory of 1676	2680	vbc.exe	schtasks.exe
PID 2680 wrote to memory of 1676	2680	vbc.exe	schtasks.exe
PID 2680 wrote to memory of 2216	2680	vbc.exe	vbc.exe
PID 2680 wrote to memory of 2216	2680	vbc.exe	vbc.exe
PID 2680 wrote to memory of 2216	2680	vbc.exe	vbc.exe
PID 2680 wrote to memory of 2216	2680	vbc.exe	vbc.exe
PID 2680 wrote to memory of 2216	2680	vbc.exe	vbc.exe
PID 2680 wrote to memory of 2216	2680	vbc.exe	vbc.exe
PID 3040 wrote to memory of 3968	3040	Explorer.EXE	NETSTAT.EXE
PID 3040 wrote to memory of 3968	3040	Explorer.EXE	NETSTAT.EXE
PID 3040 wrote to memory of 3968	3040	Explorer.EXE	NETSTAT.EXE
PID 3968 wrote to memory of 3172	3968	NETSTAT.EXE	cmd.exe
PID 3968 wrote to memory of 3172	3968	NETSTAT.EXE	cmd.exe
PID 3968 wrote to memory of 3172	3968	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HWDkRuZX.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HWDkRuZX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A92.tmp"
3⤵
- Creates scheduled task(s)
PID:1676

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
3⤵
PID:3172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Command-Line Interface

1

T1059

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4A92.tmp
MD5
64d9146577ee3187e7a2e206d67404f6

SHA1
f3ebcbec06d37eb1ff691f369171fd01cea1028d

SHA256
e2aadd5f873e316c7c22093b4fef6523f252bbc0b4378c73dc2d49976632ad35

SHA512
ddab59da982390bd9803ff7f9ed6044e1fc6fafd781e74b447460ebf887cf63c6a1e3a975f7a52c5e89fddf798edde460e604faedc904c19a311c64a8c809854

Download Submit
memory/1676-129-0x0000000000000000-mapping.dmp

Download
memory/1724-141-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/1724-128-0x0000000000000000-mapping.dmp

Download
memory/1724-143-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/1724-172-0x0000000009480000-0x0000000009481000-memory.dmp

Filesize
4KB

Download
memory/1724-171-0x0000000004783000-0x0000000004784000-memory.dmp

Filesize
4KB

Download
memory/1724-170-0x000000007EA90000-0x000000007EA91000-memory.dmp

Filesize
4KB

Download
memory/1724-169-0x00000000092A0000-0x00000000092A1000-memory.dmp

Filesize
4KB

Download
memory/1724-142-0x00000000082F0000-0x00000000082F1000-memory.dmp

Filesize
4KB

Download
memory/1724-164-0x0000000009140000-0x0000000009141000-memory.dmp

Filesize
4KB

Download
memory/1724-130-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/1724-131-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/1724-132-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/1724-157-0x0000000009160000-0x0000000009193000-memory.dmp

Filesize
204KB

Download
memory/1724-134-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/1724-150-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/1724-147-0x00000000081B0000-0x00000000081B1000-memory.dmp

Filesize
4KB

Download
memory/1724-137-0x0000000007110000-0x0000000007111000-memory.dmp

Filesize
4KB

Download
memory/1724-138-0x00000000071B0000-0x00000000071B1000-memory.dmp

Filesize
4KB

Download
memory/1724-139-0x0000000007BA0000-0x0000000007BA1000-memory.dmp

Filesize
4KB

Download
memory/1724-140-0x0000000007C10000-0x0000000007C11000-memory.dmp

Filesize
4KB

Download
memory/1724-144-0x0000000004782000-0x0000000004783000-memory.dmp

Filesize
4KB

Download
memory/2216-148-0x00000000019D0000-0x00000000019E1000-memory.dmp

Filesize
68KB

Download
memory/2216-145-0x0000000001A90000-0x0000000001DB0000-memory.dmp

Filesize
3.1MB

Download
memory/2216-136-0x000000000041D410-mapping.dmp

Download
memory/2216-135-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2680-127-0x0000000007BC0000-0x0000000007C18000-memory.dmp

Filesize
352KB

Download
memory/2680-120-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/2680-122-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/2680-124-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/2680-126-0x0000000007B20000-0x0000000007B21000-memory.dmp

Filesize
4KB

Download
memory/2680-118-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/2680-121-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/2680-123-0x0000000005B70000-0x0000000005B78000-memory.dmp

Filesize
32KB

Download
memory/2680-125-0x0000000005680000-0x0000000005B7E000-memory.dmp

Filesize
5.0MB

Download
memory/3040-149-0x0000000006E20000-0x0000000006FA4000-memory.dmp

Filesize
1.5MB

Download
memory/3040-392-0x00000000065A0000-0x00000000066C2000-memory.dmp

Filesize
1.1MB

Download
memory/3172-259-0x0000000000000000-mapping.dmp

Download
memory/3968-242-0x0000000000000000-mapping.dmp

Download
memory/3968-280-0x0000000000290000-0x000000000029B000-memory.dmp

Filesize
44KB

Download
memory/3968-282-0x0000000002880000-0x00000000028A9000-memory.dmp

Filesize
164KB

Download
memory/3968-284-0x0000000002CF0000-0x0000000003010000-memory.dmp

Filesize
3.1MB

Download
memory/3968-391-0x0000000002A40000-0x0000000002AD0000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads