Overview

overview

10

Static

static

vbc.exe

windows7_x64

7

vbc.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    vbc.exezxcmvqhq

  • Size

    1.0MB

  • Sample

    220519-ct8nascgfn

  • MD5

    9c57cf589c6ff051d2aec2bbaf515dfb

  • SHA1

    846b8e1244b7a7e2cbddbd837c77708b6bb0bb32

  • SHA256

    4daead502dfca41fa6e5789eb458e5bc60ed7da6c8af2229596e1e0697f50701

  • SHA512

    2947df318501ce13e7b99cf65fc0f18db3086f6ac97727831ffdb253a28fdce3ce10d1d1998b80423d313ae5d375ad2f65ff9b3741774e2a3632de7862364a0e

Score
10/10
xloaderarh2loaderpersistenceratsuricata

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

arh2

Decoy

hstorc.com

blackountry.com

dhrbakery.com

dezhouofit.com

defipayout.xyz

ginas4t.com

byzbh63.xyz

qrcrashview.com

mialibaby.com

enhaut.net

samainnova.com

yashveerresort.com

delfos.online

dungcumay.com

lj-counseling.net

fliptheswitch.pro

padogbitelawyer.com

aticarev.com

sederino.site

bestplansforpets-japan3.life

Targets

    • Target

      vbc.exezxcmvqhq

    • Size

      1.0MB

    • MD5

      9c57cf589c6ff051d2aec2bbaf515dfb

    • SHA1

      846b8e1244b7a7e2cbddbd837c77708b6bb0bb32

    • SHA256

      4daead502dfca41fa6e5789eb458e5bc60ed7da6c8af2229596e1e0697f50701

    • SHA512

      2947df318501ce13e7b99cf65fc0f18db3086f6ac97727831ffdb253a28fdce3ce10d1d1998b80423d313ae5d375ad2f65ff9b3741774e2a3632de7862364a0e

    Score
    10/10
    xloaderarh2loaderpersistenceratsuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Command-Line Interface

1
T1059

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks