Analysis
max time kernel: 147s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21/06/2022, 10:21
Static task: static1
Behavioral task: behavioral1
Sample: vbc (10).exe
Resource: win7-20220414-en
General
Target: vbc (10).exe
Size: 963KB
MD5: 83dd3acd8f3e455bfd2c4711453399c3
SHA1: 8895c917c9a3157939036647ba402f02d98f29e4
SHA256: ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea
SHA512: 72fee0861dad6d8f44f450e00950bb1c486961b7f114d822f1e5e0335c7214800b1c8242a35f409220eac72f8b2dfd56a238c5e10be13d52507e521daa5cb2d2
Malware Config
Extracted
xloader
2.6
gd9m
screens.ma
coachingdiary.com
cannabisconsultant.xyz
sirenonthemoon.com
gabrielatrejo.com
blumenladentampa.com
sturisticosadmcancun.com
qdygo.net
nubearies.com
thedestinationcrafter.com
fastblacktv.com
sanakatha.com
birdviewsecurityandshipping.com
waterfilterhub.xyz
92658.top
xigen.xyz
barikadcrew.com
herzogbjj.com
veminis.com
thnawya.net
gamertags.xyz
tenergyx.com
truthhaircuts.com
liveorangelake.com
paleosunvibes.com
globalworthy.com
editura-makarije.net
kashifashions.com
donestebanesquel.com
snoopsistahs.com
metatranzact.com
flawlesslook.store
ansiedademansa.com
apb.beauty
selfdefenseandimprovement.com
slr-of.com
nostalgija-sibenik.com
012channel.com
pdms.info
yhhj54.top
szscgz.com
pepsiessence.com
gspleakdetection.com
nephpropulsionsystems.com
pigeonpix.com
universalproviderservicetx.com
tur-v-dagestan.site
iknindia.com
mediacontactservices.com
basslinebeast.net
thinparty.com
nshy.agency
zendflowers.com
ankararuzgarhaliyikama.com
134688703.com
pengshengkeji.com
lequationbasque.com
prednisolone.cfd
menofnyc.com
artfkts.com
njbankruptcy.me
silvblansrl.com
promalehealth.com
futurax.global
yiwajg.com
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload 5 IoCs
resource | yara_rule
behavioral2/memory/2536-137-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral2/memory/2536-139-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral2/memory/2536-146-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral2/memory/116-149-0x0000000000480000-0x00000000004AB000-memory.dmp | xloader
behavioral2/memory/116-154-0x0000000000480000-0x00000000004AB000-memory.dmp | xloader
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | help.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BFNDZ4FPZD = "C:\\Program Files (x86)\\Lolj\\audiodgbnuh.exe" | help.exe
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 1372 set thread context of 2536 | 1372 | vbc (10).exe | 89
PID 2536 set thread context of 3152 | 2536 | vbc (10).exe | 55
PID 2536 set thread context of 3152 | 2536 | vbc (10).exe | 55
PID 116 set thread context of 3152 | 116 | help.exe | 55
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Lolj\audiodgbnuh.exe | help.exe
Modifies Internet Explorer settings
description | ioc | Process
Key created | \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | help.exe
Suspicious behavior: EnumeratesProcesses 44 IoCs
pid | Process
1372 | vbc (10).exe (2 entries)
2536 | vbc (10).exe (6 entries)
116 | help.exe (36 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3152 | Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
pid | Process
2536 | vbc (10).exe (4 entries)
116 | help.exe (3 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1372 | vbc (10).exe
Token: SeDebugPrivilege | 2536 | vbc (10).exe
Token: SeDebugPrivilege | 116 | help.exe
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 1372 wrote to memory of 2536 | 1372 | vbc (10).exe | 89 (6 entries)
PID 2536 wrote to memory of 116 | 2536 | vbc (10).exe | 92 (3 entries)
PID 116 wrote to memory of 2236 | 116 | help.exe | 93 (3 entries)
PID 116 wrote to memory of 1948 | 116 | help.exe | 95 (3 entries)
PID 116 wrote to memory of 4620 | 116 | help.exe | 97 (3 entries)
PID 116 wrote to memory of 3144 | 116 | help.exe | 99 (2 entries)
Processes
C:\Windows\Explorer.EXE (PID 3152)
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    C:\Users\Admin\AppData\Local\Temp\vbc (10).exe (PID 1372)
        command line: "C:\Users\Admin\AppData\Local\Temp\vbc (10).exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\vbc (10).exe (PID 2536)
            command line: "C:\Users\Admin\AppData\Local\Temp\vbc (10).exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\help.exe (PID 116)
                command line: "C:\Windows\SysWOW64\help.exe"
                - Adds Run key to start application
                - Suspicious use of SetThreadContext
                - Drops file in Program Files directory
                - Modifies Internet Explorer settings
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\cmd.exe (PID 2236)
                    command line: /c del "C:\Users\Admin\AppData\Local\Temp\vbc (10).exe"
                C:\Windows\SysWOW64\cmd.exe (PID 1948)
                    command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
                C:\Windows\SysWOW64\cmd.exe (PID 4620)
                    command line: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
                C:\Program Files\Mozilla Firefox\Firefox.exe (PID 3144)
                    command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
    C:\Windows\SysWOW64\autochk.exe (PID 4964)
        command line: "C:\Windows\SysWOW64\autochk.exe"
    C:\Windows\SysWOW64\autochk.exe (PID 1360)
        command line: "C:\Windows\SysWOW64\autochk.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 40KB
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Filesize: 48KB
MD5: 349e6eb110e34a08924d92f6b334801d
SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574