xloader | cd1a6d25a6ecd13b937b860ddbe024fa1927d9ca766121d54eac046c5511cad4

General

Target

vbc.exe
Size

647KB
MD5

69d6376700fcedd8295c6736ac7a121a
SHA1

f2b84b76afd3e3c47be10841e7532cf8092564d5
SHA256

cd1a6d25a6ecd13b937b860ddbe024fa1927d9ca766121d54eac046c5511cad4
SHA512

b1d39422cd39db688d15701171932a49b93f6e1b3dd34e5113e961ec7c89fc2820c4a7a2c049ecdbf54dfe0aff0eecf2c20c74688c0b352bfbdd62eb6f63747b

Score

10^/10

xloader ea0r loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ea0r

C2

http://www.asiapubz-hk.com/ea0r/

Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1296-57-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1296-58-0x000000000041D410-mapping.dmp	xloader
behavioral1/memory/1656-66-0x00000000000C0000-0x00000000000E9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

824 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

vbc.exe

pid process

792 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
824	cmd.exe

pid	process
792	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.exemsdt.exe

description	pid	process	target process
PID 792 set thread context of 1296	792	vbc.exe	vbc.exe
PID 1296 set thread context of 1396	1296	vbc.exe	Explorer.EXE
PID 1656 set thread context of 1396	1656	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

vbc.exemsdt.exe

pid	process
1296	vbc.exe
1296	vbc.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1396 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exemsdt.exe

pid process

1296 vbc.exe
1296 vbc.exe
1296 vbc.exe
1656 msdt.exe
1656 msdt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exemsdt.exe

description pid process

Token: SeDebugPrivilege 1296 vbc.exe
Token: SeDebugPrivilege 1656 msdt.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1396 Explorer.EXE
1396 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1396 Explorer.EXE
1396 Explorer.EXE

pid	process
1396	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1296	vbc.exe
Token: SeDebugPrivilege	1656	msdt.exe

pid	process
1396	Explorer.EXE
1396	Explorer.EXE

pid	process
1396	Explorer.EXE
1396	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

vbc.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 792 wrote to memory of 1296	792	vbc.exe	vbc.exe
PID 792 wrote to memory of 1296	792	vbc.exe	vbc.exe
PID 792 wrote to memory of 1296	792	vbc.exe	vbc.exe
PID 792 wrote to memory of 1296	792	vbc.exe	vbc.exe
PID 792 wrote to memory of 1296	792	vbc.exe	vbc.exe
PID 792 wrote to memory of 1296	792	vbc.exe	vbc.exe
PID 792 wrote to memory of 1296	792	vbc.exe	vbc.exe
PID 1396 wrote to memory of 1656	1396	Explorer.EXE	msdt.exe
PID 1396 wrote to memory of 1656	1396	Explorer.EXE	msdt.exe
PID 1396 wrote to memory of 1656	1396	Explorer.EXE	msdt.exe
PID 1396 wrote to memory of 1656	1396	Explorer.EXE	msdt.exe
PID 1656 wrote to memory of 824	1656	msdt.exe	cmd.exe
PID 1656 wrote to memory of 824	1656	msdt.exe	cmd.exe
PID 1656 wrote to memory of 824	1656	msdt.exe	cmd.exe
PID 1656 wrote to memory of 824	1656	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
3⤵
- Deletes itself
PID:824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsnDD26.tmp\extrjocw.dll
MD5
feab530e81c9419011fd3c83790c93ca

SHA1
4421a6f114b3286fd512ff0130efbf56c0831be9

SHA256
c4cd4677caae8f56cf40d561167fff7734425a53d08109faab11bd958d4629df

SHA512
d2c781d4c01146f0f4f7ca5a0cadc856ac91dbbbd598f4b2bd3298daa4e8641bc61a7149c1b89c46443bc2b8d050766be2176f0c1fc393d34a2d8b6329caf5da

Download Submit
memory/792-55-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/824-67-0x0000000000000000-mapping.dmp

Download
memory/1296-61-0x0000000000580000-0x0000000000591000-memory.dmp

Filesize
68KB

Download
memory/1296-60-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/1296-58-0x000000000041D410-mapping.dmp

Download
memory/1296-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1396-62-0x0000000006C50000-0x0000000006D9E000-memory.dmp

Filesize
1.3MB

Download
memory/1396-70-0x0000000007250000-0x0000000007374000-memory.dmp

Filesize
1.1MB

Download
memory/1656-63-0x0000000000000000-mapping.dmp

Download
memory/1656-65-0x0000000000D00000-0x0000000000DF4000-memory.dmp

Filesize
976KB

Download
memory/1656-66-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/1656-68-0x0000000002200000-0x0000000002503000-memory.dmp

Filesize
3.0MB

Download
memory/1656-69-0x0000000000B70000-0x0000000000C00000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads