General
Target: vbc.exe
Size: 512KB
Sample: 210914-qg66laagcm
MD5: b5f072069794e482d7a5940d8ba04a9a
SHA1: c09d4b4b399ff3c346103e33879f0e4bdcc2fa6a
SHA256: a5fb671ff149d2c1c97fcd000703037ca35298d3d45d4797ab20a190aea0ff10
SHA512: 900cf03b996c8e553fad6f3a675222865befd9ce15d8ba186edbb2fac1ad0431bcccee23f38cb24e3d76b6b41c494f5d538f7a4ca86455b835a23c6a7672d302
Static task: static1
Behavioral task: behavioral1
Sample: vbc.exe
Resource: win7-en
Malware Config
Extracted
xloader
2.3
b6cu
http://www.allfyllofficial.com/b6cu/
sxdiyan.com
web0084.com
cpafirmspokane.com
la-bio-geo.com
chacrit.com
stuntfighting.com
rjsworkshop.com
themillennialsfinest.com
thefrontrealestate.com
chairmn.com
best1korea.com
gudssutu.icu
backupchip.net
shrikanthamimports.com
sportrecoverysleeve.com
healthy-shack.com
investperwear.com
intertradeperu.com
resonantonshop.com
greghugheslaw.com
instrumentum.store
creative-cloud.info
sansfoundations.com
pmca.asia
night.doctor
19v5.com
cmas.life
yhanlikho.com
kartikpatelrealtor.com
viralpagi.com
samsonengineeringco.com
mh666.cool
laboratoriosjj.com
produklokal.com
tjhysb.com
solutions-oigroup.com
chictarh.com
gotmail.info
yourvalue.online
mylinkreview.com
champonpowerequipment.com
starcoupeownersindonesia.com
buzagialtligi.com
botol2-lasdnk.com
blunss.info
l3-construction.com
fmodesign.com
silkraga.com
editimpact.com
unionairjordanla.com
lacageavin.com
gushixiu.com
cleanlast.com
awvpvkmzxa.com
xiaosandao.com
nldcostmetics.com
prosperitywithsoul.com
kheticulture.com
booksbykimberlyeandco.com
creativehughes.com
mobilewz.com
arerasols.com
w-hanaemi-personal.com
dynamonetwork.com
Targets
Target: vbc.exe
Size: 512KB
MD5: b5f072069794e482d7a5940d8ba04a9a
SHA1: c09d4b4b399ff3c346103e33879f0e4bdcc2fa6a
SHA256: a5fb671ff149d2c1c97fcd000703037ca35298d3d45d4797ab20a190aea0ff10
SHA512: 900cf03b996c8e553fad6f3a675222865befd9ce15d8ba186edbb2fac1ad0431bcccee23f38cb24e3d76b6b41c494f5d538f7a4ca86455b835a23c6a7672d302
suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Blocklisted process makes network request
- Deletes itself
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext