Overview

overview

10

Static

static

vbc.exe

windows7-x64

10

vbc.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    vbc.exe

  • Size

    245KB

  • Sample

    220823-ksf6nacccm

  • MD5

    ef533fcd6ac70ba2cfb2f01533d60c86

  • SHA1

    53dcca26866ec818f1026e1102cb29baa2176028

  • SHA256

    4b83d8290663d49dfe64fc7f3093f201141f0d88633afe73322b552f9d08e76c

  • SHA512

    85715a7f2d0338c07c3dd9ae4d0b3abca2f8594fb65f988afd8da8e2d53d19e681e39f90126a38c19a3b08f6ce6253a72a85ba601a5936047642b7bb86e0367c

  • SSDEEP

    6144:4ETJvWU8Wbvo/31KdxE62MwejkyhOLjMsi4W77:48vWUz81aE62ScvpW77

Score
10/10
xloaderzgtbloaderpersistencerat

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

zgtb

Decoy

gabriellep.com

honghe4.xyz

anisaofrendas.com

happy-tile.com

thesulkies.com

international-ipo.com

tazeco.info

hhhzzz.xyz

vrmonster.xyz

theearthresidencia.com

sportape.xyz

elshadaibaterias.com

koredeiihibi.com

taxtaa.com

globalcityb.com

fxivcama.com

dagsmith.com

elmar-bhp.com

peakice.net

jhcdjewelry.com

Targets

    • Target

      vbc.exe

    • Size

      245KB

    • MD5

      ef533fcd6ac70ba2cfb2f01533d60c86

    • SHA1

      53dcca26866ec818f1026e1102cb29baa2176028

    • SHA256

      4b83d8290663d49dfe64fc7f3093f201141f0d88633afe73322b552f9d08e76c

    • SHA512

      85715a7f2d0338c07c3dd9ae4d0b3abca2f8594fb65f988afd8da8e2d53d19e681e39f90126a38c19a3b08f6ce6253a72a85ba601a5936047642b7bb86e0367c

    • SSDEEP

      6144:4ETJvWU8Wbvo/31KdxE62MwejkyhOLjMsi4W77:48vWUz81aE62ScvpW77

    Score
    10/10
    xloaderzgtbloaderpersistencerat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Command-Line Interface

1
T1059

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks