General
- Target: vbc.exe
- Size: 824KB
- Sample: 220126-stkt8sedhp
- MD5: 112d18adbea1d0a5764043a209cfe2c7
- SHA1: 3e142f060da4c6cfef7aa3398971af1f6cd86037
- SHA256: 5cdd172f465ceffd3bcf25b11515fb6cf382045856f18cf05da436353f672aa4
- SHA512: a196df55464ccb85837b2decf724a147804586fde3bec4d45c3737e538d3de5e27bd027a9d420d6eda1f19ced14a38d4449a70cba6f27d298abd065986f87e90
Static task: static1
Behavioral task: behavioral1
- Sample: vbc.exe
- Resource: win7-en-20211208
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: cxbz
Targets
- Target: vbc.exe
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Deletes itself
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext