General
-
Target
vbc.exe
-
Size
757KB
-
Sample
220623-sjfgrsgdd3
-
MD5
1f65d7826fbcc2d6c50f6c493c901588
-
SHA1
4290f6b300595e807e8cacd5ff172b0a0f37c845
-
SHA256
d0c85ba5e6d88e1e0b5f068f125829b4e224b90be2488f2c21317447dc51fb9e
-
SHA512
e3c15d0229433441300b4e129748c10e966de22c926d641b665a91caf7c371a390004abc24d953a80887be4a791514e1670cb0e8723d6a19ffa5210cd9124f5a
Static task
static1
Behavioral task
behavioral1
Sample
vbc.exe
Resource
win7-20220414-en
Malware Config
Extracted
xloader
2.9
v4qp
je1XQKU1LfJPVLk=
nvf41a7FsTLs6uB/g+CR
U7mryF6DctZn6GEjr9Bm4g==
1SONGrPdh7wGEOXp3g==
2xX859r7qOFq7GYkr9Bm4g==
IYtzVUx0Oo0HmZawLQAARDvBf4dL
NH3iuBPNSzZTvpw/4KaG
rDehfiqIPbdMBS8G1g==
xhb2uJ0eBwo7k3djqxh60xoNt4VoeQ==
AFtKux3JgPGRkx3xUsciR6piSg==
m+3VoJadWcBvOAPpzKUNPoAxyplS
1DWKULdka3mxIKhEqGxQr7gxyplS
DGlFGBqWi5CtrCX9alyTuPzq
muvVM4slyTfxORwAZisVksCM78aSEVo=
D3biNgUbyg9E5pl+
/+1QLPssvl/Xxg==
I4lzTjaAcc1iBS8G1g==
wSwc4MmbShojhlZCrniTuPzq
jN5YO6ZXSfJPVLk=
4TUS4+ANuqHCRTM9sniTuPzq
7Ssfd9ru/HPzWMZ42Z+E
TJl+UkzTsY6g86lyegOU3gw=
0juvfNqRgmJwwpc/4KaG
WJuGVDdhQj1Ux5s/4KaG
FHdjPTRtZc1rPwr8zUQfXogxyplS
1yUI9+gAwMPuYMWALzWc+w==
CW1UNSZVQKAlmQep/XYDYGot8HZX30M=
vRqFbt1zJfH304GOeAOU3gw=
P5CIQS65moOingakeAOU3gw=
d9dBqqBI+vgR0Q==
1zElifgR7DjBQhEgnWqTuPzq
Z60BYmHr5eHr4qiedQOU3gw=
HWU4MRo7NYMKvenJppIKPWxeSQ==
e3BN71BTWfJPVLk=
wy7WdMhKC6ZIBS8G1g==
XquYfmaLfMtjMdvi0UJCve3YPQ9/3VBp
KZGA1zHJgWB5XAUCtW5auQQ=
xiMia8hyQfJPVLk=
fs3InobYUU1v
g/FWtqk8QVV2fvykeAOU3gw=
Gk0rieTkzD/cYMxmtQij4wb9
sQ92QpZSTOWOi15IKJWeEYMaENE=
DmfkxD7hjeFXBS8G1g==
AF/WMxGNm+1qwhvu59Ziy96hOpN/3VBp
mPxzMqdFvl/Xxg==
wbYTecjCf2dE5pl+
bM22jGRvLWbm3dd/g+CR
3T4iifwiBwdGDun0r9Bm4g==
hd/Zp4qeQhkDA7I+sXVavwQ=
Y6UNZTVzVVVE5pl+
4V68Jxr1n3hpa/igeQOU3gw=
oxRu5bztvl/Xxg==
IoXeT3nFp316WK0=
LSJ+4y5JmmIN3w==
svtsPL5PAtT1ZVBKmNxkR6piSg==
Tqv+1CqslWNp1Z1v4rzl6xM=
nOjWOqSkigqvKn8jr9Bm4g==
5vNHav9pXUs=
51u5hOzjug9E5pl+
BV3fNCavl2Z69CjsSAHGFiPi
Pov+YD5zJgUUinyAxxhVrb6W7saSEVo=
sfvz0cLqvl/Xxg==
MZ0a3y3CnzpW1DsSU01xouShpVtF
ogaE4dJvYFB76MzDJpoQR6piSg==
erilb.com
Targets
-
-
Target
vbc.exe
-
Size
757KB
-
MD5
1f65d7826fbcc2d6c50f6c493c901588
-
SHA1
4290f6b300595e807e8cacd5ff172b0a0f37c845
-
SHA256
d0c85ba5e6d88e1e0b5f068f125829b4e224b90be2488f2c21317447dc51fb9e
-
SHA512
e3c15d0229433441300b4e129748c10e966de22c926d641b665a91caf7c371a390004abc24d953a80887be4a791514e1670cb0e8723d6a19ffa5210cd9124f5a
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Xloader Payload
-
Adds policy Run key to start application
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-