General

  • Target

    vbc.exe

  • Size

    374KB

  • Sample

    221118-eg1g9sgf39

  • MD5

    d815c20f87e50b43e941bcdc45b158e5

  • SHA1

    65b9efbe3f2fba80a2c55c2f5f07aa0e852545d3

  • SHA256

    b757c82d494f1f23816a87fc609e8f5227fbe921aa80c5fcddd95fde653c8523

  • SHA512

    ab36841af3b36a10e702e0a5b6c71a0641ab0f92d155bb51977223e8885b3aed001ed17514f3f9c58f0135b12d4fbd4620841ca2a4ddbdc1908991c9fa5438b1

  • SSDEEP

    6144:MEa0N1T1wMMatrYfPJIGX8wNxVzZXDwUALxxYzwIIHChqzhFsrPDR591:Xp1GaCf7X8wNxFZXpAL/xEqzhwR5H

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy


Targets

    • Target

      vbc.exe


    • Formbook

      Formbook is an information-stealing malware family.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (1) - T1064

  • Defense Evasion

    Scripting (1) - T1064

    Modify Registry (1) - T1112

  • Discovery

    Query Registry (1) - T1012

    System Information Discovery (2) - T1082
