General
Target: vbc.exe
Size: 269KB
Sample: 220621-az9rfahbb3
MD5: 5bec1fc847c595a94fbe7efb0695c640
SHA1: 9f37ae30983b62b6101e4a0808b7200312005dfe
SHA256: 39a3f149c23d6a96537aa6efeeedcd2dacb5d92103c736c115ef37a3054a6aa7
SHA512: c1aebac29e304a48cbbf60079bb0a516740b3acb0c35b88281bdf9ecc9bd1ed4316410b7fe065b44723bbb0cd4c7857f1d147c21a69dd1eccf669f1e3d5a5e78
Static task: static1
Behavioral task: behavioral1
Sample: vbc.exe
Resource: win7-20220414-en
Malware Config
Extracted
xloader
2.6
uu0p
easeupp.com
ffffcc.xyz
commercialsymposium.com
bahamascargologistics.com
avajwelr.xyz
flipwatch.xyz
serprobumar.com
zlasher.store
zxlsn6.com
xiaojiaowanwan.com
hrkpacking.com
visitprnow.com
stkjzz.com
printfusion.net
blackoakssavannah.com
yuiseika.com
watnefarms.com
oneclickmsp.com
niu-tou.com
wholytraffic.com
selfplce.com
05mac.com
galaxy-med-systems.com
fokustestvoronka.online
enhandednice.com
ojay.xyz
silvermilecap.com
purintonco.online
halvesnwholes.com
visionsbeyondthelight.com
weightin.gold
doublelotusacu.com
mingoenterprises.net
kilostunners.store
hoken-soudan.life
frontporchbliss.com
meditransit.net
supertiresandwheels.com
novusr.com
sinvrealestate.com
princesscuttexas.com
chappyportal.com
jca-okayama.com
apefestotherside.com
yvesmoreaux.com
etsportscenter.net
needel.online
daidokorokara.net
aih.healthcare
click-tokens.com
frontrangeimages.com
lmwyldjkl2.top
ut1r92k4.xyz
the13thflooraustin.com
0531ddcc.com
souduresmartin.com
alphadegenclub.com
enjoypresenting.com
inter-ascot.com
obsidiancult.com
zxlh03.top
enoccomunicaciones.com
nft-coinsbase.com
cocovale.design
wona-nyc.com
Targets
Target: vbc.exe
Size: 269KB
MD5: 5bec1fc847c595a94fbe7efb0695c640
SHA1: 9f37ae30983b62b6101e4a0808b7200312005dfe
SHA256: 39a3f149c23d6a96537aa6efeeedcd2dacb5d92103c736c115ef37a3054a6aa7
SHA512: c1aebac29e304a48cbbf60079bb0a516740b3acb0c35b88281bdf9ecc9bd1ed4316410b7fe065b44723bbb0cd4c7857f1d147c21a69dd1eccf669f1e3d5a5e78
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader Payload
Adds policy Run key to start application
Blocklisted process makes network request
Uses the VBS compiler for execution
Adds Run key to start application
Suspicious use of SetThreadContext