General

  • Target

    vbc.exebfqesrye

  • Size

    302KB

  • Sample

    220626-gwtz5sbee6

  • MD5

    0236dcc27cfb3d09325c976002567985

  • SHA1

    e1605510f182a0c6f8d3297355d9ceb00489df7c

  • SHA256

    e640ade723ba4aa48f63db4293d15b61c07c05bfdd93a3a0f83f4a177306b87d

  • SHA512

    512d6736ced5df8022ff26e1581f2ee7dfcef0f10c3b2e5324ac7ba16cee52f1db687a5921e8c72edc7d32a9467b161dc966c4f34f16d4ea13003e1f1f899081

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.6

  • Campaign

    vweq

  • Decoy

    malang-media.com
    mrsfence.com
    lubetops.com
    aitimedia.net
    montecryptocapital.com
    ahwmedia.com
    bvmnc.site
    bggearstore.com
    bcsantacoloma.online
    alltimephotography.com
    santacruz-roofings.com
    leaplifestyleenterprises.com
    censovet.com
    similkameenfarms.com
    undisclosed.email
    thetrinityco.com
    rapiturs.com
    jedlersdorf.info
    mh7jk12e.xyz
    flygurlblogwordpress.com

Targets

    • Target

      vbc.exebfqesrye

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Xloader Payload

    • Blocklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (T1064): 1

  • Defense Evasion

    Scripting (T1064): 1
    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 1

  • Collection

    Data from Local System (T1005): 1

Tasks