Malware Analysis Report

2025-03-14 22:09

Sample ID: 210515-llxhphsesa
Target: 85fcefdd695cd70c142e8dd175abc96d8d4c2bdf2ba55b1682c8ea3efe98c221
SHA256: 85fcefdd695cd70c142e8dd175abc96d8d4c2bdf2ba55b1682c8ea3efe98c221
Tags: vobfus, persistence, worm
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 85fcefdd695cd70c142e8dd175abc96d8d4c2bdf2ba55b1682c8ea3efe98c221
Threat Level: Known bad

The file 85fcefdd695cd70c142e8dd175abc96d8d4c2bdf2ba55b1682c8ea3efe98c221 was found to be: Known bad.

Malicious Activity Summary

Tags: vobfus, persistence, worm

Vobfus
Adds policy Run key to start application
Adds Run key to start application
Script User-Agent
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx

What the two detonations below (Windows 7 and Windows 10) agree on: the sample registers C:\Users\Admin\AppData\Roaming\AG58FPQON.exe for autostart under the value name VLXHCMT5KJ in four places at once, the Run key and the Policies\Explorer\Run key of both HKLM and the logged-on user's hive. The value name and the payload filename are identical in both runs, so they are usable as indicators for this specific sample and not only as a pattern. On the network side the sample resolves migsel.com (via 8.8.8.8) to 95.128.128.129 and makes two HTTP requests to it on port 80 with the User-Agent Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), the default User-Agent of the WinHttp.WinHttpRequest COM object. The SetWindowsHookEx signature appears in this summary only; neither behavioral section below records a matching row.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-05-15 17:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2021-05-15 17:18
Reported: 2021-05-16 05:45
Platform: win7v20210410
Max time kernel: 150s
Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85fcefdd695cd70c142e8dd175abc96d8d4c2bdf2ba55b1682c8ea3efe98c221.exe"

Signatures

Vobfus (tags: worm, vobfus)

Adds policy Run key to start application (persistence)

Process for every row: C:\Users\Admin\AppData\Local\Temp\85fcefdd695cd70c142e8dd175abc96d8d4c2bdf2ba55b1682c8ea3efe98c221.exe; Target: N/A

Description      Indicator
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"
Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run

Explorer starts the values under Policies\Explorer\Run at logon just like the ordinary Run values, but these keys are normally populated only through Group Policy, so a value appearing there is a stronger signal than a new Run value. The doubled backslashes in the value data are the sandbox's escaping of the string; the actual data is C:\Users\Admin\AppData\Roaming\AG58FPQON.exe.

Adds Run key to start application (persistence)

Process for every row: C:\Users\Admin\AppData\Local\Temp\85fcefdd695cd70c142e8dd175abc96d8d4c2bdf2ba55b1682c8ea3efe98c221.exe; Target: N/A

Description      Indicator
Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"
Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run
Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"

The HKLM entry sits under Wow6432Node, the 32-bit view of the registry, so the sample is a 32-bit process on 64-bit Windows (the 0x400000 image base in the Files section is the 32-bit PE default). Writing to HKLM needs administrative rights; in an unprivileged run only the two user-hive entries would be possible. The same value name VLXHCMT5KJ and the same payload path are used in all four locations, so removing a single entry leaves three behind.

Script User-Agent

Description             Indicator
HTTP User-Agent header  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

(Process and Target: N/A for both rows.) This string is the default User-Agent of the WinHttp.WinHttpRequest COM object, i.e. what a script or program using that object sends when it does not set its own; the two rows line up with the two TCP connections to 95.128.128.129:80 in the Network table. On its own the string is a weak indicator, since administrative scripts produce it too; combined with the destination it is a good one.

Suspicious behavior: GetForegroundWindowSpam

Process: C:\Users\Admin\AppData\Local\Temp\85fcefdd695cd70c142e8dd175abc96d8d4c2bdf2ba55b1682c8ea3efe98c221.exe (Description, Indicator and Target: N/A)

The process called GetForegroundWindow repeatedly. The pattern has two common explanations, keylogging (tagging keystrokes with the active window) and polling for user interaction to stall analysis in an unattended sandbox; the report gives no further detail to choose between them.

Suspicious behavior: RenamesItself

Process: C:\Users\Admin\AppData\Local\Temp\85fcefdd695cd70c142e8dd175abc96d8d4c2bdf2ba55b1682c8ea3efe98c221.exe (Description, Indicator and Target: N/A)

The process renamed or moved its own executable. This fits the autostart entries above, which point at AG58FPQON.exe in %AppData%\Roaming rather than at the file that was launched. Note that the Files section records only a memory dump and not the new file, so the hash of the copy is not available from this report.

Processes

C:\Users\Admin\AppData\Local\Temp\85fcefdd695cd70c142e8dd175abc96d8d4c2bdf2ba55b1682c8ea3efe98c221.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\85fcefdd695cd70c142e8dd175abc96d8d4c2bdf2ba55b1682c8ea3efe98c221.exe"

Network

Country  Destination        Domain      Proto
N/A      8.8.8.8:53         migsel.com  udp
N/A      95.128.128.129:80  migsel.com  tcp
N/A      95.128.128.129:80  migsel.com  tcp

One DNS lookup of migsel.com against 8.8.8.8, followed by two TCP connections to the resolved address 95.128.128.129 on port 80, consistent with the two Script User-Agent rows above. The report records no further detail of the HTTP exchange (no URI, no response), so the domain, the address and the User-Agent are the usable network indicators.
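The destination and the User-Agent are stronger together than apart. The Python below is an added example for this page, not the sandbox's code: it scores constructed proxy log lines (the line format, the client addresses 10.0.0.x and the benign hosts inventory.example.net and www.example.org are assumptions) against the three network indicators in this report, the domain migsel.com, the address 95.128.128.129 and the default WinHttp.WinHttpRequest User-Agent, and keeps the User-Agent as a review-only signal because administrative scripts that use the same COM object produce it too.

```python
import re
from typing import Dict, List

# Network indicators taken from this report.
C2_DOMAIN = "migsel.com"
C2_IP = "95.128.128.129"
# Default User-Agent of the WinHttp.WinHttpRequest COM object (Script User-Agent rows).
WINHTTP_DEFAULT_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

# Constructed proxy log, not from the report: time, client, method, host, dst_ip, "user-agent".
# 10.0.0.15 mimics this sample's two requests; 10.0.0.22 is an assumed admin script with the
# same default UA talking to an assumed benign host; 10.0.0.31 is ordinary browsing.
SAMPLE_PROXY_LOG = """\
2021-05-15T17:20:01Z 10.0.0.15 GET migsel.com 95.128.128.129 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2021-05-15T17:20:03Z 10.0.0.15 GET migsel.com 95.128.128.129 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2021-05-15T17:21:10Z 10.0.0.22 GET inventory.example.net 203.0.113.7 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2021-05-15T17:22:45Z 10.0.0.31 GET www.example.org 198.51.100.9 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "(.*)"$')


def parse_proxy_log(text: str) -> List[dict]:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, host, dst, ua = m.groups()
            records.append({"ts": ts, "client": client, "method": method,
                            "host": host.lower(), "dst": dst, "ua": ua})
    return records


def match_iocs(rec: dict) -> List[str]:
    """Name the indicators one request hits; a destination hit outranks the UA hit."""
    hits = []
    if rec["host"] == C2_DOMAIN or rec["dst"] == C2_IP:
        hits.append("c2_destination")
    if rec["ua"] == WINHTTP_DEFAULT_UA:
        hits.append("winhttp_default_ua")
    return hits


def triage(log_text: str) -> Dict[str, dict]:
    """Per client: request count, hosts, IOC hits and a verdict.
    c2_contact: talked to the C2 domain or address (UA irrelevant).
    review:     only the default WinHttpRequest UA; legitimate scripts send it too.
    clean:      neither."""
    clients: Dict[str, dict] = {}
    for rec in parse_proxy_log(log_text):
        c = clients.setdefault(rec["client"], {"requests": 0, "hits": set(), "hosts": set()})
        c["requests"] += 1
        c["hosts"].add(rec["host"])
        c["hits"].update(match_iocs(rec))
    for c in clients.values():
        if "c2_destination" in c["hits"]:
            c["verdict"] = "c2_contact"
        elif "winhttp_default_ua" in c["hits"]:
            c["verdict"] = "review"
        else:
            c["verdict"] = "clean"
    return clients


if __name__ == "__main__":
    for client, c in triage(SAMPLE_PROXY_LOG).items():
        print(f"{client:<12} {c['verdict']:<11} requests={c['requests']} hits={sorted(c['hits'])}")
```

The IP match is kept separate from the domain match on purpose: a later sample, or this one after a DNS change, may reach 95.128.128.129 under another name or by bare address, and a host that resolves migsel.com to a new address still hits on the domain.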

Files

memory/1888-59-0x0000000000400000-0x0000000000434000-memory.dmp

The only file artifact is a memory dump of the main module; the name encodes the process ID (1888) and the mapped range 0x400000-0x434000, a 0x34000-byte image at the default 32-bit PE base. No dropped file, and in particular no AG58FPQON.exe, was captured.

Analysis: behavioral2

Detonation Overview

Submitted: 2021-05-15 17:18
Reported: 2021-05-16 05:45
Platform: win10v20210410
Max time kernel: 149s
Max time network: 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85fcefdd695cd70c142e8dd175abc96d8d4c2bdf2ba55b1682c8ea3efe98c221.exe"

Signatures

Vobfus (tags: worm, vobfus)

Adds policy Run key to start application (persistence)

Process for every row: C:\Users\Admin\AppData\Local\Temp\85fcefdd695cd70c142e8dd175abc96d8d4c2bdf2ba55b1682c8ea3efe98c221.exe; Target: N/A

Description      Indicator
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"
Key created      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"

Adds Run key to start application (persistence)

Process for every row: C:\Users\Admin\AppData\Local\Temp\85fcefdd695cd70c142e8dd175abc96d8d4c2bdf2ba55b1682c8ea3efe98c221.exe; Target: N/A

Description      Indicator
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"
Key created      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run
Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run

The same four autostart writes as in behavioral1; only the user SID differs, since this is the Windows 10 image's account. The value name VLXHCMT5KJ and the payload path C:\Users\Admin\AppData\Roaming\AG58FPQON.exe are identical on both images, so they are not generated fresh on each run.

Script User-Agent

Description             Indicator
HTTP User-Agent header  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

(Process and Target: N/A for both rows.) The default WinHttp.WinHttpRequest User-Agent, seen twice, as in behavioral1.

Suspicious behavior: GetForegroundWindowSpam

Process: C:\Users\Admin\AppData\Local\Temp\85fcefdd695cd70c142e8dd175abc96d8d4c2bdf2ba55b1682c8ea3efe98c221.exe (Description, Indicator and Target: N/A)

Suspicious behavior: RenamesItself

Process: C:\Users\Admin\AppData\Local\Temp\85fcefdd695cd70c142e8dd175abc96d8d4c2bdf2ba55b1682c8ea3efe98c221.exe (Description, Indicator and Target: N/A)

Both behaviors match behavioral1; see the notes there.

Processes

C:\Users\Admin\AppData\Local\Temp\85fcefdd695cd70c142e8dd175abc96d8d4c2bdf2ba55b1682c8ea3efe98c221.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\85fcefdd695cd70c142e8dd175abc96d8d4c2bdf2ba55b1682c8ea3efe98c221.exe"

Network

Country  Destination        Domain      Proto
N/A      8.8.8.8:53         migsel.com  udp
N/A      95.128.128.129:80  migsel.com  tcp
N/A      95.128.128.129:80  migsel.com  tcp

Identical to the Windows 7 run: one lookup of migsel.com via 8.8.8.8, then two TCP connections to 95.128.128.129:80.

Files

memory/3904-114-0x0000000000400000-0x0000000000434000-memory.dmp

Memory dump of the main module in the Windows 10 run (process ID 3904, same 0x400000-0x434000 range as on Windows 7); again no dropped file was captured.