xloader | 01c9ef989594dd752b02d280530c117f0c744c18fe3351a9ef24e0a6b44c3191

General

Target

PO0932083943974.exe
Size

628KB
MD5

42e8fda0885f8ce54deaabab4d25f775
SHA1

f1173fbe2ddf0b031f4ee189e7448e0d13084595
SHA256

a0086dfee2dba4d6a0adab05e848cfbb9755f68be7adef3ff35ff9740e5a1c2e
SHA512

015521a434a05f8fcff947f1dc7bcebf1f1ad9d70dc44612ebed84dfd6de3af96ddf0439a994d0bd16e9e07dc888af20389b606824e700c2557ce95f0c802516

Score

10^/10

xloader b6fg evasion loader persistence rat suricata

Malware Config

Extracted

Family

xloader

Version

2.0

Campaign

b6fg

Decoy

multlockmt5.com

mohajrannoor.com

robynhoodofretail.info

belinv.com

hotellasab.com

kibrismosad.com

xn--fxwm39aeb590h.xn--io0a7i

resetbrasil.com

tcsonhvac.com

theresav.net

bohoqi.info

machinafuturae.com

mambavault.com

xn--980am9a.top

yumiang.com

evntmonitor.com

83003kk.com

triterm.com

8800pe.com

silvanstudio.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1764-61-0x0000000000400000-0x0000000000427000-memory.dmp	xloader
behavioral1/memory/1764-62-0x000000000041C160-mapping.dmp	xloader
behavioral1/memory/1764-64-0x0000000000400000-0x0000000000427000-memory.dmp	xloader
behavioral1/memory/520-72-0x0000000000080000-0x00000000000A7000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	control.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\4HU0EFSP_6U = "C:\\Program Files (x86)\\G-z_\\autochkcz7d.exe"	control.exe

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PO0932083943974.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	PO0932083943974.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	PO0932083943974.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

PO0932083943974.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PO0932083943974.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	PO0932083943974.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO0932083943974.exevbc.execontrol.exe

description	pid	process	target process
PID 560 set thread context of 1764	560	PO0932083943974.exe	vbc.exe
PID 1764 set thread context of 1200	1764	vbc.exe	Explorer.EXE
PID 520 set thread context of 1200	520	control.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

control.exe

description ioc process

File opened for modification C:\Program Files (x86)\G-z_\autochkcz7d.exe control.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\G-z_\autochkcz7d.exe	control.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

vbc.execontrol.exe

pid	process
1764	vbc.exe
1764	vbc.exe
520	control.exe
520	control.exe
520	control.exe
520	control.exe
520	control.exe
520	control.exe
520	control.exe
520	control.exe
520	control.exe
520	control.exe
520	control.exe
520	control.exe
520	control.exe
520	control.exe
520	control.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

vbc.execontrol.exe

pid process

1764 vbc.exe
1764 vbc.exe
1764 vbc.exe
520 control.exe
520 control.exe
520 control.exe
520 control.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.execontrol.exe

description pid process

Token: SeDebugPrivilege 1764 vbc.exe
Token: SeDebugPrivilege 520 control.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1764	vbc.exe
Token: SeDebugPrivilege	520	control.exe

pid	process
1200	Explorer.EXE
1200	Explorer.EXE

pid	process
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

PO0932083943974.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 560 wrote to memory of 1764	560	PO0932083943974.exe	vbc.exe
PID 560 wrote to memory of 1764	560	PO0932083943974.exe	vbc.exe
PID 560 wrote to memory of 1764	560	PO0932083943974.exe	vbc.exe
PID 560 wrote to memory of 1764	560	PO0932083943974.exe	vbc.exe
PID 560 wrote to memory of 1764	560	PO0932083943974.exe	vbc.exe
PID 560 wrote to memory of 1764	560	PO0932083943974.exe	vbc.exe
PID 560 wrote to memory of 1764	560	PO0932083943974.exe	vbc.exe
PID 1200 wrote to memory of 520	1200	Explorer.EXE	control.exe
PID 1200 wrote to memory of 520	1200	Explorer.EXE	control.exe
PID 1200 wrote to memory of 520	1200	Explorer.EXE	control.exe
PID 1200 wrote to memory of 520	1200	Explorer.EXE	control.exe
PID 520 wrote to memory of 1820	520	control.exe	cmd.exe
PID 520 wrote to memory of 1820	520	control.exe	cmd.exe
PID 520 wrote to memory of 1820	520	control.exe	cmd.exe
PID 520 wrote to memory of 1820	520	control.exe	cmd.exe
PID 520 wrote to memory of 2024	520	control.exe	Firefox.exe
PID 520 wrote to memory of 2024	520	control.exe	Firefox.exe
PID 520 wrote to memory of 2024	520	control.exe	Firefox.exe
PID 520 wrote to memory of 2024	520	control.exe	Firefox.exe
PID 520 wrote to memory of 2024	520	control.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\PO0932083943974.exe
"C:\Users\Admin\AppData\Local\Temp\PO0932083943974.exe"
2⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1820

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

2

T1112

Scripting

1

T1064

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-74-0x0000000002360000-0x00000000023EF000-memory.dmp

Filesize
572KB

Download
memory/520-73-0x0000000002050000-0x0000000002353000-memory.dmp

Filesize
3.0MB

Download
memory/520-72-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/520-71-0x0000000000170000-0x000000000018F000-memory.dmp

Filesize
124KB

Download
memory/520-68-0x0000000000000000-mapping.dmp

Download
memory/560-55-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/560-56-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download
memory/560-57-0x0000000000650000-0x0000000000686000-memory.dmp

Filesize
216KB

Download
memory/560-54-0x0000000000BE0000-0x0000000000C84000-memory.dmp

Filesize
656KB

Download
memory/1200-67-0x0000000006690000-0x00000000067FC000-memory.dmp

Filesize
1.4MB

Download
memory/1200-75-0x0000000007050000-0x0000000007167000-memory.dmp

Filesize
1.1MB

Download
memory/1764-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1764-66-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/1764-65-0x0000000000D30000-0x0000000001033000-memory.dmp

Filesize
3.0MB

Download
memory/1764-64-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1764-62-0x000000000041C160-mapping.dmp

Download
memory/1764-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1764-58-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1820-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads