Analysis

  • max time kernel
    101s
  • max time network
    104s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-11-2024 22:29

General

  • Target

    vbc.exe

  • Size

    611KB

  • MD5

    da0fe038092ffec4ea327f0ec0d0c290

  • SHA1

    d8bc98b32215c23d8b35bd998f3cb797bea58cbb

  • SHA256

    40900faa35256d3ac7ec7116099f42a085244ecc802e9cea7522a7707eba7b62

  • SHA512

    5c5625bd6d5dbc27e4310174f5bf83a6ec57c65e02911d2f9c101e7b7cc65aa0e7fbf82fb62f391f0f67b5a0706b8aa91ccfa6b9245083779bac4efc737459fb

  • SSDEEP

    12288:V8hgEeGGMIEb/vnpd/OF1HW6nGYidFVDNVjSeUX8/a/zoTexh:VugEeGh/vnpxOT2kUfVjJUX8/abo

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.6

  • Campaign

    gd9m

  • Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader family
  • Xloader payload 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\vbc.exe
    "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 36
        3⤵
        • Program crash
        PID:3024

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2412-6-0x0000000002140000-0x000000000215A000-memory.dmp (Filesize: 104KB)
  • memory/2412-1-0x0000000000030000-0x00000000000CE000-memory.dmp (Filesize: 632KB)
  • memory/2412-2-0x00000000749A0000-0x000000007508E000-memory.dmp (Filesize: 6.9MB)
  • memory/2412-3-0x00000000749AE000-0x00000000749AF000-memory.dmp (Filesize: 4KB)
  • memory/2412-4-0x00000000749A0000-0x000000007508E000-memory.dmp (Filesize: 6.9MB)
  • memory/2412-5-0x0000000002000000-0x0000000002034000-memory.dmp (Filesize: 208KB)
  • memory/2412-0-0x00000000749AE000-0x00000000749AF000-memory.dmp (Filesize: 4KB)
  • memory/2412-7-0x0000000002030000-0x0000000002036000-memory.dmp (Filesize: 24KB)
  • memory/2412-14-0x00000000749A0000-0x000000007508E000-memory.dmp (Filesize: 6.9MB)
  • memory/2668-9-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
  • memory/2668-10-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
  • memory/2668-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2668-13-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)