Analysis

max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21/06/2022, 10:21

Static task: static1
Behavioral task: behavioral1
Sample: vbc (10).exe
Resource: win7-20220414-en
General

Target: vbc (10).exe
Size: 963KB
MD5: 83dd3acd8f3e455bfd2c4711453399c3
SHA1: 8895c917c9a3157939036647ba402f02d98f29e4
SHA256: ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea
SHA512: 72fee0861dad6d8f44f450e00950bb1c486961b7f114d822f1e5e0335c7214800b1c8242a35f409220eac72f8b2dfd56a238c5e10be13d52507e521daa5cb2d2
Malware Config

Extracted
Family: xloader
Version: 2.6
Campaign ID: gd9m
Domains (an Xloader/FormBook config carries one live C2 among a set of decoy domains that the bot also contacts; use the list for blocking and alerting, not as proof that every entry is attacker-controlled):
screens.ma
coachingdiary.com
cannabisconsultant.xyz
sirenonthemoon.com
gabrielatrejo.com
blumenladentampa.com
sturisticosadmcancun.com
qdygo.net
nubearies.com
thedestinationcrafter.com
fastblacktv.com
sanakatha.com
birdviewsecurityandshipping.com
waterfilterhub.xyz
92658.top
xigen.xyz
barikadcrew.com
herzogbjj.com
veminis.com
thnawya.net
gamertags.xyz
tenergyx.com
truthhaircuts.com
liveorangelake.com
paleosunvibes.com
globalworthy.com
editura-makarije.net
kashifashions.com
donestebanesquel.com
snoopsistahs.com
metatranzact.com
flawlesslook.store
ansiedademansa.com
apb.beauty
selfdefenseandimprovement.com
slr-of.com
nostalgija-sibenik.com
012channel.com
pdms.info
yhhj54.top
szscgz.com
pepsiessence.com
gspleakdetection.com
nephpropulsionsystems.com
pigeonpix.com
universalproviderservicetx.com
tur-v-dagestan.site
iknindia.com
mediacontactservices.com
basslinebeast.net
thinparty.com
nshy.agency
zendflowers.com
ankararuzgarhaliyikama.com
134688703.com
pengshengkeji.com
lequationbasque.com
prednisolone.cfd
menofnyc.com
artfkts.com
njbankruptcy.me
silvblansrl.com
promalehealth.com
futurax.global
yiwajg.com
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)  (2 alerts; the ET rule keeps the FormBook name, Xloader being the current branding of the same family)

Xloader Payload  4 IoCs
resource | yara_rule
behavioral1/memory/572-63-0x000000000041F270-mapping.dmp | xloader
behavioral1/memory/572-64-0x00000000001B0000-0x00000000001DB000-memory.dmp | xloader
behavioral1/memory/1716-73-0x0000000000070000-0x000000000009B000-memory.dmp | xloader
behavioral1/memory/1716-76-0x0000000000070000-0x000000000009B000-memory.dmp | xloader

Deletes itself  1 IoCs
pid | Process
112 | cmd.exe

Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application  2 TTPs, 2 IoCs
description | ioc | Process
Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | cscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\YJ5DJR5H52 = "C:\\Program Files (x86)\\O1bih\\IconCachek4j88jq8.exe" | cscript.exe
(Wow6432Node is the 32-bit view of HKLM\...\Run on this x64 host: the 32-bit cscript.exe writes there, so a hunt for this persistence must query the 32-bit registry view as well as the native one.)

Suspicious use of SetThreadContext  3 IoCs
description | pid | Process | procid_target
PID 1672 set thread context of 572 | 1672 | vbc (10).exe | 28
PID 572 set thread context of 1384 | 572 | vbc (10).exe | 14
PID 1716 set thread context of 1384 | 1716 | cscript.exe | 14

Drops file in Program Files directory  1 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\O1bih\IconCachek4j88jq8.exe | cscript.exe

Modifies Internet Explorer settings  1 IoCs
description | ioc | Process
Key created | \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cscript.exe
(IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete form data and saved credentials, which ties this key to the browser-data TTP above.)

Suspicious behavior: EnumeratesProcesses  20 IoCs
pid | Process | hits
1672 | vbc (10).exe | 2
572 | vbc (10).exe | 2
1716 | cscript.exe | 16

Suspicious behavior: MapViewOfSection  7 IoCs
pid | Process | hits
572 | vbc (10).exe | 3
1716 | cscript.exe | 4

Suspicious use of AdjustPrivilegeToken  3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1672 | vbc (10).exe
Token: SeDebugPrivilege | 572 | vbc (10).exe
Token: SeDebugPrivilege | 1716 | cscript.exe

Suspicious use of WriteProcessMemory  20 IoCs
description | pid | Process | procid_target | hits
PID 1672 wrote to memory of 572 | 1672 | vbc (10).exe | 28 | 7
PID 1384 wrote to memory of 1716 | 1384 | Explorer.EXE | 29 | 4
PID 1716 wrote to memory of 112 | 1716 | cscript.exe | 30 | 4
PID 1716 wrote to memory of 1760 | 1716 | cscript.exe | 33 | 5
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1384
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\vbc (10).exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\vbc (10).exe"
    PID: 1672
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\vbc (10).exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\vbc (10).exe"
      PID: 572
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cscript.exe
    Command line: "C:\Windows\SysWOW64\cscript.exe"
    PID: 1716
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\vbc (10).exe"
      PID: 112
      - Deletes itself

    C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 1760
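The SetThreadContext and WriteProcessMemory signatures, read together with the process tree, describe the injection chain: the sample hollows a second copy of itself (1672 writes into 572 and resets its thread context), that copy hijacks a thread in Explorer.EXE (572 sets the context of 1384 with no write recorded, consistent with its MapViewOfSection hits), the injected Explorer spawns cscript.exe (1716), and cscript in turn hijacks Explorer again, drops the persistence binary, deletes the original and launches Firefox. The Python below is an added example, not part of this report or of any sandbox's code; it re-parses the report's own flattened records (constructed here with the same PIDs, images and hit counts) and labels each source/target pair, which shows why the writes into cmd.exe (112) and Firefox (1760) do not by themselves indicate injection.

```python
import re

# Constructed input: the WriteProcessMemory and SetThreadContext records of this
# report, in the flattened "PID <src> ... of <dst> <src> <image> <target_idx>"
# form the page renders them in. Repeated records are rebuilt with the counts
# the report shows (7, 4, 4, 5 writes; one SetThreadContext each).
WRITE_EVENTS = (
    "PID 1672 wrote to memory of 572 1672 vbc (10).exe 28 " * 7
    + "PID 1384 wrote to memory of 1716 1384 Explorer.EXE 29 " * 4
    + "PID 1716 wrote to memory of 112 1716 cscript.exe 30 " * 4
    + "PID 1716 wrote to memory of 1760 1716 cscript.exe 33 " * 5
)
CONTEXT_EVENTS = (
    "PID 1672 set thread context of 572 1672 vbc (10).exe 28 "
    "PID 572 set thread context of 1384 572 vbc (10).exe 14 "
    "PID 1716 set thread context of 1384 1716 cscript.exe 14"
)

# The source PID appears twice per record; the backreference enforces that so a
# truncated or mis-split record is not silently accepted.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (.+?) (\d+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 (.+?) (\d+)")


def parse(events, pattern):
    """Collapse flattened records into {(src_pid, dst_pid): (src_image, hits)}."""
    edges = {}
    for src, dst, image, _target_idx in pattern.findall(events):
        key = (int(src), int(dst))
        hits = edges.get(key, (image, 0))[1] + 1
        edges[key] = (image, hits)
    return edges


def classify(writes, contexts):
    """
    Label each (src, dst) pair:
      hollowing     - the source both wrote into the target and reset a thread
                      context there (the process-hollowing pattern)
      thread-hijack - SetThreadContext with no WriteProcessMemory recorded; the
                      payload reached the target another way (e.g. a mapped section)
      write-only    - a write with no context change; weak on its own, because
                      CreateProcess itself writes the parameter block into a
                      freshly created child
    """
    verdicts = {}
    for key in sorted(set(writes) | set(contexts)):
        image = (writes.get(key) or contexts.get(key))[0]
        if key in writes and key in contexts:
            label = "hollowing"
        elif key in contexts:
            label = "thread-hijack"
        else:
            label = "write-only"
        verdicts[key] = (image, label)
    return verdicts


def strong_targets(verdicts):
    """PIDs that received code together with a thread-context change."""
    return {dst for (_, dst), (_, label) in verdicts.items() if label != "write-only"}


def analyze(write_events=WRITE_EVENTS, context_events=CONTEXT_EVENTS):
    """Parse both record strings and return the per-pair verdicts."""
    return classify(parse(write_events, WRITE_RE), parse(context_events, CTX_RE))


if __name__ == "__main__":
    verdicts = analyze()
    for (src, dst), (image, label) in verdicts.items():
        print(f"{src:>5} ({image}) -> {dst:<5} {label}")
    print("confirmed injection targets:", sorted(strong_targets(verdicts)))
```

Running it prints one line per pair; the only targets with a thread-context change are 572 and 1384. Treat write-only pairs as context rather than evidence: a parent writing into a process it has just spawned is expected, so the cscript.exe writes into cmd.exe and Firefox.exe here are the spawns visible in the process tree, not further injection.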