Resubmissions

21/06/2022, 14:28

220621-rs5btagde6 10

21/06/2022, 14:21

220621-rpgfksgce2 10

General

  • Target

    vbc.exe

  • Size

    507KB

  • Sample

    220621-rpgfksgce2

  • MD5

    ec674714ea9fceaeb27e6ff8254cc6cf

  • SHA1

    2765073f8de6ae7ac1a2fe30cd5fb6b1621de87e

  • SHA256

    d255d1164f43fdf64d7483924dc20bb80bb263cdf25248bba4a319f5e60ae051

  • SHA512

    6586eefa19cdc71f8ded018161406e7e76f56a897bb5a294dd5af7b938d7d671f51e23692ffa30a84cbd8a87568d8b5ee3a9a672432b815786a8ceff91b388ba

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

g36t

Decoy

Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Xloader Payload

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks