xloader | cd1a6d25a6ecd13b937b860ddbe024fa1927d9ca766121d54eac046c5511cad4

General

Target

vbc.exe
Size

647KB
MD5

69d6376700fcedd8295c6736ac7a121a
SHA1

f2b84b76afd3e3c47be10841e7532cf8092564d5
SHA256

cd1a6d25a6ecd13b937b860ddbe024fa1927d9ca766121d54eac046c5511cad4
SHA512

b1d39422cd39db688d15701171932a49b93f6e1b3dd34e5113e961ec7c89fc2820c4a7a2c049ecdbf54dfe0aff0eecf2c20c74688c0b352bfbdd62eb6f63747b

Score

10^/10

xloader ea0r loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ea0r

C2

http://www.asiapubz-hk.com/ea0r/

Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2740-119-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2740-120-0x000000000041D410-mapping.dmp	xloader
behavioral2/memory/3680-127-0x00000000023C0000-0x00000000023E9000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

vbc.exe

pid process

2396 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2396	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.exeipconfig.exe

description	pid	process	target process
PID 2396 set thread context of 2740	2396	vbc.exe	vbc.exe
PID 2740 set thread context of 3016	2740	vbc.exe	Explorer.EXE
PID 3680 set thread context of 3016	3680	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3680 ipconfig.exe

pid	process
3680	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

vbc.exeipconfig.exe

pid	process
2740	vbc.exe
2740	vbc.exe
2740	vbc.exe
2740	vbc.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe
3680	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3016 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exeipconfig.exe

pid process

2740 vbc.exe
2740 vbc.exe
2740 vbc.exe
3680 ipconfig.exe
3680 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 2740 vbc.exe
Token: SeDebugPrivilege 3680 ipconfig.exe

pid	process
3016	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2740	vbc.exe
Token: SeDebugPrivilege	3680	ipconfig.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

vbc.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 2396 wrote to memory of 2740	2396	vbc.exe	vbc.exe
PID 2396 wrote to memory of 2740	2396	vbc.exe	vbc.exe
PID 2396 wrote to memory of 2740	2396	vbc.exe	vbc.exe
PID 2396 wrote to memory of 2740	2396	vbc.exe	vbc.exe
PID 2396 wrote to memory of 2740	2396	vbc.exe	vbc.exe
PID 2396 wrote to memory of 2740	2396	vbc.exe	vbc.exe
PID 3016 wrote to memory of 3680	3016	Explorer.EXE	ipconfig.exe
PID 3016 wrote to memory of 3680	3016	Explorer.EXE	ipconfig.exe
PID 3016 wrote to memory of 3680	3016	Explorer.EXE	ipconfig.exe
PID 3680 wrote to memory of 3832	3680	ipconfig.exe	cmd.exe
PID 3680 wrote to memory of 3832	3680	ipconfig.exe	cmd.exe
PID 3680 wrote to memory of 3832	3680	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2396

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
3⤵
PID:3832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nstC006.tmp\extrjocw.dll
MD5
feab530e81c9419011fd3c83790c93ca

SHA1
4421a6f114b3286fd512ff0130efbf56c0831be9

SHA256
c4cd4677caae8f56cf40d561167fff7734425a53d08109faab11bd958d4629df

SHA512
d2c781d4c01146f0f4f7ca5a0cadc856ac91dbbbd598f4b2bd3298daa4e8641bc61a7149c1b89c46443bc2b8d050766be2176f0c1fc393d34a2d8b6329caf5da

Download Submit
memory/2740-119-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2740-120-0x000000000041D410-mapping.dmp

Download
memory/2740-122-0x0000000000A30000-0x0000000000D50000-memory.dmp

Filesize
3.1MB

Download
memory/2740-123-0x00000000009F0000-0x0000000000A01000-memory.dmp

Filesize
68KB

Download
memory/3016-131-0x0000000003180000-0x0000000003272000-memory.dmp

Filesize
968KB

Download
memory/3016-124-0x0000000001380000-0x000000000144E000-memory.dmp

Filesize
824KB

Download
memory/3680-125-0x0000000000000000-mapping.dmp

Download
memory/3680-126-0x0000000000040000-0x000000000004B000-memory.dmp

Filesize
44KB

Download
memory/3680-128-0x0000000002C50000-0x0000000002F70000-memory.dmp

Filesize
3.1MB

Download
memory/3680-130-0x0000000002A00000-0x0000000002A90000-memory.dmp

Filesize
576KB

Download
memory/3680-127-0x00000000023C0000-0x00000000023E9000-memory.dmp

Filesize
164KB

Download
memory/3832-129-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads