Overview

overview

10

Static

static

vbc.exe

windows7_x64

10

vbc.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    vbc.exe

  • Size

    598KB

  • Sample

    220629-vegv5sdac6

  • MD5

    6d6ad00f81e4ec2b211da93ecf5e9896

  • SHA1

    4003fcfaeb381d4fae6c98d8dd1d9ccaff00ad87

  • SHA256

    483daef8397ad9f2a1cc9c16a4cbb4da01d26e3c126f7da6eeaec088462679f3

  • SHA512

    6bb794be588a5e2328287ba90f67894e112d2865178a934f8ef44ea0f82aa88471e7cde3330b15c8143aa5a56b38ecf11eb1556fc46a87cb5659f878dc0d54e6

Score
10/10
formbookxloaderuajqloaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uajq

Decoy

pixeldoughnut.com

amadeushosting.com

sitecindustrial.com

orsaigroup.com

jmuse-dev.com

angelobreviario.com

storesafe.xyz

40veryoung.com

65228267.com

xmpanshi.com

luxorscbd.com

saoirsia.com

akwadcom.com

spreast.com

net-empresa12pcs.com

avlaoge1.com

projectmuellerllc.com

hvelv.com

a2bproject.com

myhome-huahin.com

Targets

    • Target

      vbc.exe

    • Size

      598KB

    • MD5

      6d6ad00f81e4ec2b211da93ecf5e9896

    • SHA1

      4003fcfaeb381d4fae6c98d8dd1d9ccaff00ad87

    • SHA256

      483daef8397ad9f2a1cc9c16a4cbb4da01d26e3c126f7da6eeaec088462679f3

    • SHA512

      6bb794be588a5e2328287ba90f67894e112d2865178a934f8ef44ea0f82aa88471e7cde3330b15c8143aa5a56b38ecf11eb1556fc46a87cb5659f878dc0d54e6

    Score
    10/10
    formbookxloaderuajqloaderpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Scripting

1
T1064

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks