Malware Analysis Report

2025-08-05 13:51

Sample ID 220621-kvfb5segd3
Target vbc.exe.vir
SHA256 e640ade723ba4aa48f63db4293d15b61c07c05bfdd93a3a0f83f4a177306b87d
Tags
xloader vweq loader rat suricata
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e640ade723ba4aa48f63db4293d15b61c07c05bfdd93a3a0f83f4a177306b87d

Threat Level: Known bad

The file vbc.exe.vir was found to be: Known bad.

Malicious Activity Summary

xloader vweq loader rat suricata

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader

Xloader Payload

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-21 08:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-21 08:55

Reported

2022-06-21 08:57

Platform

win7-20220414-en

Max time kernel

152s

Max time network

156s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader

loader xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata

Xloader Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1792 set thread context of 1712 N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1712 set thread context of 1204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Explorer.EXE
PID 1252 set thread context of 1204 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\Explorer.EXE

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\NAPSTAT.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1792 wrote to memory of 1712 (7 calls) N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1204 wrote to memory of 1252 (4 calls) N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
PID 1252 wrote to memory of 1672 (5 calls) N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Program Files\Mozilla Firefox\Firefox.exe
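Read together, the SetThreadContext and WriteProcessMemory rows describe the injection chain rather than isolated API calls: the dropper vbc.exe (PID 1792, in the user's Temp directory) writes seven times into cvtres.exe (PID 1712, a .NET resource converter it launched with no arguments, see the Processes list) and then redirects its thread, which is the hollowing pattern; the hollowed cvtres.exe redirects a thread in Explorer.EXE (PID 1204) without any WriteProcessMemory row, so its code reached Explorer by another route (the summary also lists MapViewOfSection); Explorer then writes into NAPSTAT.EXE (PID 1252), and NAPSTAT.EXE both redirects a thread back in Explorer and writes into Firefox.exe (PID 1672). That is the Formbook/Xloader staging sequence, and the Windows 10 run (behavioral2) shows the same shape with cmd.exe in place of NAPSTAT.EXE. The script below is an added example, not part of the report or of any sandbox tooling: it parses these rows (copied from the two tables above as constructed input), aggregates them into one edge per source/target PID pair with per-API counts, classifies each edge, and walks the chain from the submitted sample. The classification labels and the Temp-to-Windows heuristic are the author's own choices, not sandbox signatures.

```python
import re
import ntpath

# Constructed input: the SetThreadContext and WriteProcessMemory rows of
# behavioral1, copied from the report. The WriteProcessMemory table lists one
# row per call, so the repeats are reproduced here with list multiplication.
SET_THREAD_CONTEXT_ROWS = [
    r"PID 1792 set thread context of 1712 N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
    r"PID 1712 set thread context of 1204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Explorer.EXE",
    r"PID 1252 set thread context of 1204 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\Explorer.EXE",
]
WRITE_PROCESS_MEMORY_ROWS = (
    [r"PID 1792 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"] * 7
    + [r"PID 1204 wrote to memory of 1252 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE"] * 4
    + [r"PID 1252 wrote to memory of 1672 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Program Files\Mozilla Firefox\Firefox.exe"] * 5
)

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) (?P<dst>\d+) N/A (?P<paths>.+)$"
)
# The Process and Target columns are absolute paths that may contain spaces
# ("C:\Program Files\Mozilla Firefox\Firefox.exe"), so anchor on the .exe suffix.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.exe(?=\s|$)", re.IGNORECASE)


def parse_row(row):
    """One signature row -> (src_pid, dst_pid, op, src_path, dst_path)."""
    m = ROW_RE.match(row)
    if m is None:
        raise ValueError("unrecognised row: " + row)
    paths = PATH_RE.findall(m["paths"])
    if len(paths) != 2:
        raise ValueError("expected two paths in: " + row)
    op = "stc" if m["op"].startswith("set") else "wpm"
    return int(m["src"]), int(m["dst"]), op, paths[0], paths[1]


def build_edges(rows):
    """Aggregate rows into one edge per (src_pid, dst_pid) with per-API counts."""
    edges = {}
    for row in rows:
        src, dst, op, src_path, dst_path = parse_row(row)
        e = edges.setdefault((src, dst), {"src": src_path, "dst": dst_path, "wpm": 0, "stc": 0})
        e[op] += 1
    return edges


def classify(edge):
    """Author's labels: what the combination of APIs on one edge implies."""
    if edge["wpm"] and edge["stc"]:
        return "write+thread-hijack (hollowing/injection)"
    if edge["stc"]:
        return "thread-hijack only (code mapped by another route, e.g. MapViewOfSection)"
    return "write only (payload staged, no thread redirection seen)"


def injection_chain(edges, start_pid):
    """Walk injection edges from the submitted sample. DFS with a visited set,
    because Explorer.EXE and NAPSTAT.EXE inject into each other."""
    order, stack, seen = [], [start_pid], set()
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        children = sorted(dst for (src, dst) in edges if src == pid)
        stack.extend(reversed(children))  # explore lowest PID first
    return order


def temp_to_system_writes(edges):
    """Author's heuristic: an executable under the user's Temp directory writing
    into a binary under C:\\Windows, the strongest single indicator above."""
    return [
        (src, dst) for (src, dst), e in edges.items()
        if "\\AppData\\Local\\Temp\\" in e["src"]
        and e["dst"].lower().startswith("c:\\windows\\")
        and e["wpm"]
    ]


if __name__ == "__main__":
    edges = build_edges(SET_THREAD_CONTEXT_ROWS + WRITE_PROCESS_MEMORY_ROWS)
    for (src, dst), e in sorted(edges.items()):
        print(f"{src} -> {dst}: {ntpath.basename(e['src'])} -> {ntpath.basename(e['dst'])} "
              f"wpm={e['wpm']} stc={e['stc']} [{classify(e)}]")
    print("chain:", injection_chain(edges, 1792))
    print("temp->system writes:", temp_to_system_writes(edges))
```

Running it yields the chain 1792 -> 1712 -> 1204 -> 1252 -> 1672 (vbc.exe, cvtres.exe, Explorer.EXE, NAPSTAT.EXE, Firefox.exe). For detection, the first edge is the one to alert on: a binary in a user's Temp directory that starts cvtres.exe with no arguments and writes into it, together with SeDebugPrivilege being enabled in both processes, has no benign build-tool explanation.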

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\vbc.exe

"C:\Users\Admin\AppData\Local\Temp\vbc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

C:\Windows\SysWOW64\NAPSTAT.EXE

"C:\Windows\SysWOW64\NAPSTAT.EXE"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.leaplifestyleenterprises.com udp
US 34.117.168.233:80 www.leaplifestyleenterprises.com tcp
US 8.8.8.8:53 www.naples-us.com udp
US 34.102.136.180:80 www.naples-us.com tcp
US 8.8.8.8:53 www.tlrohio.com udp
US 34.102.136.180:80 www.tlrohio.com tcp
US 8.8.8.8:53 www.ledgel0ungers.com udp
DE 185.53.179.174:80 www.ledgel0ungers.com tcp
US 8.8.8.8:53 www.518499.com udp
US 192.151.224.140:80 www.518499.com tcp
US 8.8.8.8:53 www.my-wh-webproject.com udp
US 18.65.39.80:80 www.my-wh-webproject.com tcp
US 8.8.8.8:53 www.ownitoffice.com udp
US 35.209.201.133:80 www.ownitoffice.com tcp
US 8.8.8.8:53 www.zxc3426.xyz udp
HK 143.92.32.141:80 www.zxc3426.xyz tcp
US 8.8.8.8:53 www.aitimedia.net udp
US 104.21.40.194:80 www.aitimedia.net tcp
US 8.8.8.8:53 www.rapiturs.com udp
US 162.213.255.237:80 www.rapiturs.com tcp
US 8.8.8.8:53 www.mrsfence.com udp
US 34.102.136.180:80 www.mrsfence.com tcp
US 34.102.136.180:80 www.mrsfence.com tcp
US 8.8.8.8:53 www.bcsantacoloma.online udp
ES 31.214.178.120:80 www.bcsantacoloma.online tcp
ES 31.214.178.120:80 www.bcsantacoloma.online tcp
US 8.8.8.8:53 www.2379.flights udp
CN 160.202.171.101:80 www.2379.flights tcp
CN 160.202.171.101:80 www.2379.flights tcp
US 8.8.8.8:53 www.youhadtobethere.biz udp
US 15.197.142.173:80 www.youhadtobethere.biz tcp
US 15.197.142.173:80 www.youhadtobethere.biz tcp
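The network table is the part of this report most likely to be copied straight into a blocklist, and it needs a caveat: Formbook/Xloader configurations carry a list of domains of which most are decoys, and the sample walks through all of them with the same HTTP GET check-in (the Suricata rule fires on the request shape, not on any particular host), so the sandbox cannot tell which of the fourteen names, if any, is the live C2. Three of them (www.naples-us.com, www.tlrohio.com, www.mrsfence.com) resolve to the same address, 34.102.136.180, which usually means one hosting or parking box rather than three separate pieces of infrastructure, and the Windows 10 run only reached one unnamed endpoint, 104.110.191.140:80. The script below is an added example, not part of the report or of any sandbox tooling: it parses the Network rows of both detonations (copied above as constructed input), separates the DNS lookups from the HTTP connections they precede, drops the sandbox resolver, and reports domains that share an address, names that were resolved but never contacted, and connections with no resolved name. Every function name in it is the author's own.

```python
import ipaddress
from collections import defaultdict

# Constructed input: the Network tables of behavioral1 and behavioral2 above,
# as "Country Destination [Domain] Proto" rows. behavioral2 rows carry no Domain.
NETWORK_ROWS = """
US 8.8.8.8:53 www.leaplifestyleenterprises.com udp
US 34.117.168.233:80 www.leaplifestyleenterprises.com tcp
US 8.8.8.8:53 www.naples-us.com udp
US 34.102.136.180:80 www.naples-us.com tcp
US 8.8.8.8:53 www.tlrohio.com udp
US 34.102.136.180:80 www.tlrohio.com tcp
US 8.8.8.8:53 www.ledgel0ungers.com udp
DE 185.53.179.174:80 www.ledgel0ungers.com tcp
US 8.8.8.8:53 www.518499.com udp
US 192.151.224.140:80 www.518499.com tcp
US 8.8.8.8:53 www.my-wh-webproject.com udp
US 18.65.39.80:80 www.my-wh-webproject.com tcp
US 8.8.8.8:53 www.ownitoffice.com udp
US 35.209.201.133:80 www.ownitoffice.com tcp
US 8.8.8.8:53 www.zxc3426.xyz udp
HK 143.92.32.141:80 www.zxc3426.xyz tcp
US 8.8.8.8:53 www.aitimedia.net udp
US 104.21.40.194:80 www.aitimedia.net tcp
US 8.8.8.8:53 www.rapiturs.com udp
US 162.213.255.237:80 www.rapiturs.com tcp
US 8.8.8.8:53 www.mrsfence.com udp
US 34.102.136.180:80 www.mrsfence.com tcp
US 34.102.136.180:80 www.mrsfence.com tcp
US 8.8.8.8:53 www.bcsantacoloma.online udp
ES 31.214.178.120:80 www.bcsantacoloma.online tcp
ES 31.214.178.120:80 www.bcsantacoloma.online tcp
US 8.8.8.8:53 www.2379.flights udp
CN 160.202.171.101:80 www.2379.flights tcp
CN 160.202.171.101:80 www.2379.flights tcp
US 8.8.8.8:53 www.youhadtobethere.biz udp
US 15.197.142.173:80 www.youhadtobethere.biz tcp
US 15.197.142.173:80 www.youhadtobethere.biz tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
"""

# The sandbox's resolver, visible in every udp row; never an IOC.
SANDBOX_RESOLVER = ipaddress.ip_address("8.8.8.8")


def parse_network(text):
    """Each row -> dict; rows without a Domain column get domain=None."""
    rows = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:
            country, dest, proto = fields
            domain = None
        else:
            raise ValueError("unrecognised row: " + line)
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ipaddress.ip_address(ip),
                     "port": int(port), "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Split DNS lookups from the connections that follow them."""
    resolved, contacted, unnamed = set(), defaultdict(set), defaultdict(int)
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            resolved.add(r["domain"])
        elif r["proto"] == "tcp":
            if r["ip"].is_private or r["ip"] == SANDBOX_RESOLVER:
                continue
            if r["domain"] is None:
                unnamed[(str(r["ip"]), r["port"])] += 1
            else:
                contacted[r["domain"]].add((str(r["ip"]), r["port"], r["country"]))
    return {"resolved": resolved, "contacted": dict(contacted), "unnamed": dict(unnamed)}


def shared_hosts(summary):
    """Domains that were contacted at the same address: usually one hosting box."""
    by_ip = defaultdict(set)
    for domain, endpoints in summary["contacted"].items():
        for ip, _port, _cc in endpoints:
            by_ip[ip].add(domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) > 1}


def resolved_only(summary):
    """Names looked up but never connected to (a dead decoy, or a sinkhole)."""
    return sorted(summary["resolved"] - set(summary["contacted"]))


def ioc_domains(summary):
    """Candidate C2 list. Caveat: Formbook/Xloader decoys are indistinguishable here."""
    return sorted(summary["contacted"])


if __name__ == "__main__":
    s = summarize(parse_network(NETWORK_ROWS))
    print("contacted:", ioc_domains(s))
    print("shared hosts:", shared_hosts(s))
    print("resolved only:", resolved_only(s))
    print("unnamed endpoints:", s["unnamed"])
```

Treat the output as a candidate list to pivot on (passive DNS, WHOIS age, whether the HTTP response carried a Formbook-style payload), not as fourteen confirmed C2 servers; several of these are likely ordinary sites chosen as cover traffic.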

Files

memory/1792-54-0x0000000000C10000-0x0000000000C62000-memory.dmp

memory/1792-55-0x00000000003E0000-0x0000000000414000-memory.dmp

memory/1712-56-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1712-57-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1712-59-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1712-60-0x000000000041F280-mapping.dmp

memory/1712-62-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1712-63-0x0000000000B90000-0x0000000000E93000-memory.dmp

memory/1712-64-0x0000000000280000-0x0000000000291000-memory.dmp

memory/1204-65-0x00000000068D0000-0x00000000069EB000-memory.dmp

memory/1252-66-0x0000000000000000-mapping.dmp

memory/1252-67-0x00000000008E0000-0x0000000000926000-memory.dmp

memory/1252-68-0x0000000000080000-0x00000000000AB000-memory.dmp

memory/1252-69-0x0000000002000000-0x0000000002303000-memory.dmp

memory/1252-70-0x0000000001DB0000-0x0000000001E40000-memory.dmp

memory/1204-71-0x0000000006EF0000-0x000000000703C000-memory.dmp

memory/1204-72-0x0000000006EF0000-0x000000000703C000-memory.dmp

memory/1252-73-0x0000000076461000-0x0000000076463000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-21 08:55

Reported

2022-06-21 08:57

Platform

win10v2004-20220414-en

Max time kernel

36s

Max time network

76s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader

loader xloader

Xloader Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4684 set thread context of 4336 N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4336 set thread context of 648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Explorer.EXE
PID 1980 set thread context of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Explorer.EXE

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\vbc.exe

"C:\Users\Admin\AppData\Local\Temp\vbc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\SysWOW64\cmd.exe"

Network

Country Destination Domain Proto
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp

Files

memory/4684-130-0x0000000000720000-0x0000000000772000-memory.dmp

memory/4336-131-0x0000000000000000-mapping.dmp

memory/4336-132-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4336-134-0x00000000012B0000-0x00000000015FA000-memory.dmp

memory/4336-135-0x0000000001270000-0x0000000001281000-memory.dmp

memory/648-136-0x0000000002590000-0x0000000002688000-memory.dmp

memory/1980-137-0x0000000000000000-mapping.dmp

memory/4336-138-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1980-139-0x0000000000050000-0x00000000000AA000-memory.dmp

memory/1980-140-0x0000000001130000-0x000000000147A000-memory.dmp

memory/1980-141-0x0000000000580000-0x00000000005AB000-memory.dmp

memory/1980-142-0x0000000000F60000-0x0000000000FF0000-memory.dmp