General
- Target: vbc.exe
- Size: 1.2MB
- Sample: 220519-rq2sxabcgk
- MD5: 77cd3eac0feb00d232d794c3880b9e91
- SHA1: e258c7782240346e9a3e9897bd1629bbd40dbd15
- SHA256: ea4ff2f24588108641954f72800aabab7348ccc64d86f8293dd23cfc45f5faa1
- SHA512: 16162f31e50f6f4025f0e0996338e6fb29c3cb20754da8835637a0e9b7c8bd432e8c4ded9febd97cabd4830c5c3940e6ad9b56afcd73c9d447a3d62d92951911
- Static task: static1
- Behavioral task: behavioral1
- Sample: vbc.exe
- Resource: win7-20220414-en
Malware Config
Extracted
- Family: xloader
- Version: 2.6
- Campaign: ud5f
- C2 domains:
makcoll.com
mitrachocloud.com
finikilspase.site
vertriebmitherz.gmbh
terapiasdelsinuips.com
schoolmink.online
slotgacor588.xyz
zkf-lawyer.com
daskocleaning.com
baoxin-design.com
hollywoodcuts.net
animefnix.com
trinityhomesolutionsok.com
cfrhsw.xyz
articrowd.com
jlivingfurniture.com
marmolsystem.com
nudehack.com
beam-birds.com
cravensoft.com
bjyunjian.com
naturelleclub.com
reece-family.net
morarmail.com
morgantownpet.supply
recordanalytics.com
factheat.online
mcgillinvestigation.com
tinyhouse.contact
gpbrasilia.com
jacobsclub.com
theboemia.net
balifoodfun.com
alfonshotel.com
spaceokara.com
paraphras.com
ruibaituobj.com
rwbbrwe1.com
turkishrepublik.com
costumeshop.xyz
minatexacess.com
hathor-network.net
02d1qp.xyz
dadagrin.com
lfsijin.com
bupabii.site
mydiga-angststoerung.com
hayatseventeknoloji.com
adv-cleaner.site
ndsnus.com
rebeccabarclaylpc.com
eswpu.com
babbleboat.com
zvmsovsg.com
quantumlab5.com
venerems.com
sh09.fyi
maxpilesclinic.com
luigilucioni.com
yuttie.store
tripnii.com
topings33.com
madetopraisehim.com
tesladoge.info
freerenoadvice.com
Targets
- Target: vbc.exe
- Size: 1.2MB
- MD5: 77cd3eac0feb00d232d794c3880b9e91
- SHA1: e258c7782240346e9a3e9897bd1629bbd40dbd15
- SHA256: ea4ff2f24588108641954f72800aabab7348ccc64d86f8293dd23cfc45f5faa1
- SHA512: 16162f31e50f6f4025f0e0996338e6fb29c3cb20754da8835637a0e9b7c8bd432e8c4ded9febd97cabd4830c5c3940e6ad9b56afcd73c9d447a3d62d92951911
- CoreEntity .NET Packer: a .NET packer called CoreEntity that embeds the payload as a Bitmap object, which is decrypted later at runtime.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Xloader Payload
- Adds policy Run key to start application
- Executes dropped EXE
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext