Malware Analysis Report

2025-03-14 22:09

Sample ID 210515-r5l3kd3mvx
Target 7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9
SHA256 7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9
Tags
vobfus persistence worm
score
10/10

Analysis Overview

score
10/10

SHA256

7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9

Threat Level: Known bad

The file 7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9 was found to be: Known bad.

Malicious Activity Summary

vobfus persistence worm

Vobfus

Adds policy Run key to start application

Adds Run key to start application

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Script User-Agent

Suspicious behavior: GetForegroundWindowSpam

Analysis: static1

Detonation Overview

Reported

2021-05-15 16:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-15 16:53

Reported

2021-05-16 04:51

Platform

win7v20210410

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe"

Signatures

Vobfus

worm vobfus

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe

"C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | migsel.com | udp
N/A | 95.128.128.129:80 | migsel.com | tcp
N/A | 95.128.128.129:80 | migsel.com | tcp

Files

memory/1200-60-0x0000000000400000-0x0000000000434000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-15 16:53

Reported

2021-05-16 04:51

Platform

win10v20210410

Max time kernel

149s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe"

Signatures

Vobfus

worm vobfus

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe

"C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | migsel.com | udp
N/A | 95.128.128.129:80 | migsel.com | tcp
N/A | 95.128.128.129:80 | migsel.com | tcp

Files

memory/3400-114-0x0000000000400000-0x0000000000434000-memory.dmp