xloader | ba89ade366c193b814186b75bcadc49c528f0c84a2bf9840b38870bc59835e1b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 20:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

vbc.exe
Size

821KB
MD5

d41735b66e58ebee18f4326df912e28b
SHA1

6ee2222ee26abd42c1112841975d2ecc2b09d0c6
SHA256

41fd6b520a4abc453b23329a134e661c39aa19b463dc28bfcbf52bf093661511
SHA512

40d7c1b90d61eecad860d040d03ef7c3a2ec67bd263f2f1d389ade99655dbd5c567983483c48e0b418d9ded7ced1eece6cc26baa75ce43413ebf520ce339dc15
SSDEEP

12288:vFvomht5eIvL6PIJFGMBwbNxZWgT2mn/N4ljTI8Lf8MWakiyfIXy6fsEa:tvvsWweFlBUWg/4lXuFWi6EE

Score

10^/10

xloader dgrg discovery evasion loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dgrg

Decoy

iot-vn.com

gamiteisnowjoyned.com

ak8flfqzm8.com

daliborkokic.com

mrk-9.com

tanzibkarate.quest

mburmtdvccti.mobi

thomas-wildlife-control.com

thebritenseries.com

hkkbags.com

redenyl.com

resilientbutterfly.com

nicethelab.com

xn--1lq90isray30ltdc.xn--czru2d

cyberews.net

naclepin2a.xyz

rodrigocoppa.com

hightings.com

chamaaibrasil.com

bdelsaer.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	vbc.exe

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral4/memory/852-12-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral4/memory/852-15-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral4/memory/2260-25-0x0000000000520000-0x0000000000549000-memory.dmp	xloader

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	vbc.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	vbc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4028 set thread context of 852	4028	vbc.exe	84
PID 852 set thread context of 3540	852	msinfo32.exe	56
PID 2260 set thread context of 3540	2260	rundll32.exe	56

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4028	vbc.exe
4028	vbc.exe
4028	vbc.exe
4028	vbc.exe
4028	vbc.exe
4028	vbc.exe
4028	vbc.exe
4028	vbc.exe
852	msinfo32.exe
852	msinfo32.exe
852	msinfo32.exe
852	msinfo32.exe
4028	vbc.exe
4028	vbc.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe
2260	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
852	msinfo32.exe
852	msinfo32.exe
852	msinfo32.exe
2260	rundll32.exe
2260	rundll32.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4028	vbc.exe
Token: SeDebugPrivilege	852	msinfo32.exe
Token: SeShutdownPrivilege	3540	Explorer.EXE
Token: SeCreatePagefilePrivilege	3540	Explorer.EXE
Token: SeShutdownPrivilege	3540	Explorer.EXE
Token: SeCreatePagefilePrivilege	3540	Explorer.EXE
Token: SeShutdownPrivilege	3540	Explorer.EXE
Token: SeCreatePagefilePrivilege	3540	Explorer.EXE
Token: SeDebugPrivilege	2260	rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 852	4028	vbc.exe	84
PID 4028 wrote to memory of 852	4028	vbc.exe	84
PID 4028 wrote to memory of 852	4028	vbc.exe	84
PID 4028 wrote to memory of 852	4028	vbc.exe	84
PID 4028 wrote to memory of 852	4028	vbc.exe	84
PID 4028 wrote to memory of 852	4028	vbc.exe	84
PID 4028 wrote to memory of 852	4028	vbc.exe	84
PID 3540 wrote to memory of 2260	3540	Explorer.EXE	85
PID 3540 wrote to memory of 2260	3540	Explorer.EXE	85
PID 3540 wrote to memory of 2260	3540	Explorer.EXE	85
PID 2260 wrote to memory of 5076	2260	rundll32.exe	92
PID 2260 wrote to memory of 5076	2260	rundll32.exe	92
PID 2260 wrote to memory of 5076	2260	rundll32.exe	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\SysWOW64\msinfo32.exe
    "C:\Windows\SysWOW64\msinfo32.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\msinfo32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/852-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/852-15-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/852-16-0x00000000014A0000-0x00000000014B1000-memory.dmp

Filesize
68KB

Download
memory/852-13-0x0000000001500000-0x000000000184A000-memory.dmp

Filesize
3.3MB

Download
memory/2260-25-0x0000000000520000-0x0000000000549000-memory.dmp

Filesize
164KB

Download
memory/2260-24-0x0000000000010000-0x0000000000024000-memory.dmp

Filesize
80KB

Download
memory/2260-22-0x0000000000010000-0x0000000000024000-memory.dmp

Filesize
80KB

Download
memory/3540-30-0x0000000008A90000-0x0000000008BC4000-memory.dmp

Filesize
1.2MB

Download
memory/3540-29-0x0000000008A90000-0x0000000008BC4000-memory.dmp

Filesize
1.2MB

Download
memory/3540-17-0x0000000008670000-0x0000000008802000-memory.dmp

Filesize
1.6MB

Download
memory/4028-6-0x0000000005BF0000-0x0000000005C46000-memory.dmp

Filesize
344KB

Download
memory/4028-19-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

Filesize
4KB

Download
memory/4028-10-0x0000000006E60000-0x0000000006EA2000-memory.dmp

Filesize
264KB

Download
memory/4028-9-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4028-8-0x0000000006C60000-0x0000000006D1A000-memory.dmp

Filesize
744KB

Download
memory/4028-7-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4028-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

Filesize
4KB

Download
memory/4028-11-0x0000000009690000-0x00000000096F6000-memory.dmp

Filesize
408KB

Download
memory/4028-20-0x0000000070FF5000-0x0000000070FF6000-memory.dmp

Filesize
4KB

Download
memory/4028-21-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4028-5-0x00000000058B0000-0x00000000058BA000-memory.dmp

Filesize
40KB

Download
memory/4028-4-0x00000000059A0000-0x0000000005A32000-memory.dmp

Filesize
584KB

Download
memory/4028-3-0x0000000005F50000-0x00000000064F4000-memory.dmp

Filesize
5.6MB

Download
memory/4028-2-0x0000000005900000-0x000000000599C000-memory.dmp

Filesize
624KB

Download
memory/4028-1-0x0000000000DF0000-0x0000000000EC4000-memory.dmp

Filesize
848KB

Download