General
- Target: vbc.exe
- Size: 598KB
- Sample: 220629-vegv5sdac6
- MD5: 6d6ad00f81e4ec2b211da93ecf5e9896
- SHA1: 4003fcfaeb381d4fae6c98d8dd1d9ccaff00ad87
- SHA256: 483daef8397ad9f2a1cc9c16a4cbb4da01d26e3c126f7da6eeaec088462679f3
- SHA512: 6bb794be588a5e2328287ba90f67894e112d2865178a934f8ef44ea0f82aa88471e7cde3330b15c8143aa5a56b38ecf11eb1556fc46a87cb5659f878dc0d54e6
Static task: static1
Behavioral task: behavioral1
- Sample: vbc.exe
- Resource: win7-20220414-en
Malware Config
Extracted
- Family: xloader
- Version: 2.6
- Campaign: uajq
- C2 domains (Xloader configs carry one live C2 among a list of decoy domains, so treat these as hunting indicators rather than a block list):
pixeldoughnut.com
amadeushosting.com
sitecindustrial.com
orsaigroup.com
jmuse-dev.com
angelobreviario.com
storesafe.xyz
40veryoung.com
65228267.com
xmpanshi.com
luxorscbd.com
saoirsia.com
akwadcom.com
spreast.com
net-empresa12pcs.com
avlaoge1.com
projectmuellerllc.com
hvelv.com
a2bproject.com
myhome-huahin.com
beautzenvibes.com
tzssdaayaqa.top
corporatexxx.com
sc-server-meshing.info
breadandsaltmarket.com
dac-nh.com
middleeastsecuritywatch.com
fox-influ.com
mndhestro.biz
voipverse.xyz
enrollee-healthbenconstest.com
peteinson.com
genevapunkska.com
tjysdxx.com
7t4zllco.com
healthypostureclub.fitness
npto3jzh.com
hd0b3oke2q90gz.xyz
thepeachcommission.com
duniabidan.com
ffmembership-garera.com
landllumber.site
bangimpromptu.com
visionboysnft.com
smonique.com
woomart.store
bathholidayhome.com
oci.fyi
lfla.agency
buymms1.com
uurdrzk.xyz
taliamagee.com
melishe.com
worthmoth.com
hotelnamastenepal.com
talmagart.com
ruomot.com
bitcoinodyssey.com
ezzahfatima.com
massthetics.net
yearningearningwithyoussef.com
winhcatraining.com
baunfn.online
estress.online
researchwhiz.com
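The report above is a flattened key/value dump, which is awkward to feed into tooling by hand. The following is an added example (not part of the original report or of any sandbox vendor's code) that parses that layout into structured IOCs, checks that each digest has the length its label claims, verifies a file against the reported SHA256, and emits one Suricata DNS-query rule per configured domain. The embedded REPORT excerpt is constructed in the same layout, copying the hashes and the first three domains from the report; the exact rule syntax and the sid range are assumptions to adapt to your own ruleset.

```python
"""Parse a flattened sandbox report into hashes, config and Suricata rules.

Added example; not code from the original report.
"""
import hashlib
import re

# Constructed excerpt shaped like the flattened report above. The hashes and
# domains are copied from it; the layout rules below are an assumption.
REPORT = """\
General
-
Target
vbc.exe
-
Size
598KB
-
MD5
6d6ad00f81e4ec2b211da93ecf5e9896
-
SHA256
483daef8397ad9f2a1cc9c16a4cbb4da01d26e3c126f7da6eeaec088462679f3
Malware Config
Extracted
xloader
2.6
uajq
pixeldoughnut.com
amadeushosting.com
sitecindustrial.com
Targets
-
"""

# Expected hex length of each digest the report can carry.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# A hostname: one or more 1-63 character labels followed by an alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE
)


def parse_report(text):
    """Return {'hashes': {label: hex}, 'config': {...} or None}."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and ln != "-"]  # drop separators
    out = {"hashes": {}, "config": None}
    i = 0
    while i < len(lines):
        key = lines[i]
        if key in HASH_LEN and i + 1 < len(lines):
            val = lines[i + 1].lower()
            # Accept only a value whose length matches the labelled algorithm.
            if re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[key], val):
                out["hashes"][key] = val
            i += 2
        elif key == "Extracted" and i + 3 < len(lines):
            # Layout assumption: family, version, campaign id, then domains
            # until the first line that is not a hostname.
            family, version, campaign = lines[i + 1:i + 4]
            domains = []
            j = i + 4
            while j < len(lines) and DOMAIN_RE.match(lines[j]):
                dom = lines[j].lower()
                if dom not in domains:  # de-duplicate, keep order
                    domains.append(dom)
                j += 1
            out["config"] = {"family": family, "version": version,
                             "campaign": campaign, "domains": domains}
            i = j
        else:
            i += 1
    return out


def matches_sample(data, hashes):
    """True if data hashes to the strongest digest present in the report."""
    for label, algo in (("SHA512", "sha512"), ("SHA256", "sha256"),
                        ("SHA1", "sha1"), ("MD5", "md5")):
        if label in hashes:
            return hashlib.new(algo, data).hexdigest() == hashes[label]
    return False


def dns_rules(config, base_sid):
    """One Suricata dns.query rule per configured domain (assumed layout)."""
    rules = []
    for n, domain in enumerate(config["domains"]):
        rules.append(
            'alert dns $HOME_NET any -> any any (msg:"%s %s %s DNS query for %s"; '
            'dns.query; content:"%s"; nocase; sid:%d; rev:1;)'
            % (config["family"], config["version"], config["campaign"],
               domain, domain, base_sid + n)
        )
    return rules


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    print(parsed["hashes"])
    print(parsed["config"])
    # A constructed byte string, so this is expected to be False.
    print(matches_sample(b"not the real sample", parsed["hashes"]))
    for rule in dns_rules(parsed["config"], 9000001):
        print(rule)
```

Because most of the configured domains are decoys, the generated rules are best deployed as low-priority hunting alerts and reviewed against the Suricata CnC check-in hits listed under Targets before any of them is promoted to a block.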
Targets
- Target: vbc.exe
- Size: 598KB
- MD5: 6d6ad00f81e4ec2b211da93ecf5e9896
- SHA1: 4003fcfaeb381d4fae6c98d8dd1d9ccaff00ad87
- SHA256: 483daef8397ad9f2a1cc9c16a4cbb4da01d26e3c126f7da6eeaec088462679f3
- SHA512: 6bb794be588a5e2328287ba90f67894e112d2865178a934f8ef44ea0f82aa88471e7cde3330b15c8143aa5a56b38ecf11eb1556fc46a87cb5659f878dc0d54e6
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Xloader Payload
- Adds policy Run key to start application
- Uses the VBS compiler for execution
- Adds Run key to start application
- Suspicious use of SetThreadContext