Overview

overview

10

Static

static

1

vbc.exe

windows7-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    18-11-2022 03:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vbc.exe

  • Size

    374KB

  • MD5

    d815c20f87e50b43e941bcdc45b158e5

  • SHA1

    65b9efbe3f2fba80a2c55c2f5f07aa0e852545d3

  • SHA256

    b757c82d494f1f23816a87fc609e8f5227fbe921aa80c5fcddd95fde653c8523

  • SHA512

    ab36841af3b36a10e702e0a5b6c71a0641ab0f92d155bb51977223e8885b3aed001ed17514f3f9c58f0135b12d4fbd4620841ca2a4ddbdc1908991c9fa5438b1

  • SSDEEP

    6144:MEa0N1T1wMMatrYfPJIGX8wNxVzZXDwUALxxYzwIIHChqzhFsrPDR591:Xp1GaCf7X8wNxFZXpAL/xEqzhwR5H

Score
10/10
formbookhenzratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Users\Admin\AppData\Local\Temp\vbc.exe
      "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Users\Admin\AppData\Local\Temp\ifzaocyiid.exe
        "C:\Users\Admin\AppData\Local\Temp\ifzaocyiid.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Users\Admin\AppData\Local\Temp\ifzaocyiid.exe
          "C:\Users\Admin\AppData\Local\Temp\ifzaocyiid.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2032
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1268

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Persistence

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\folsh.i
      Filesize

      5KB

      MD5

      43a7a67769159dfc94cb0b76e6217c30

      SHA1

      9ecf39336f98c65d2c9a2e70c898a792e2087db5

      SHA256

      10f439fc166ac832b4d0b9feba224f12909747a59aff18f8af4d497e91965c44

      SHA512

      7b90ceaa78ee235da69665e51d641cdd06766bd83ed2ecd0d4acff3a20851b052f57e0c791a407bccf6c114ed59787efdea436cf81b4c21968efe247ef39be4b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ifzaocyiid.exe
      Filesize

      343KB

      MD5

      b83839808ac32d997be852eea015506f

      SHA1

      b5f38fb9218474972f52f6fc17ae740b97809208

      SHA256

      fc08697924d8099e9e8445756cef39b2570a6c46c35bd72db1a03e585168d399

      SHA512

      d96e272c1df63cdfec5b56fdbcd3f3a8c7198a1f87795ca82269a5872ba058ac3860c8bc3c0b8aa09ee46ab353d41114949ea566330692a7bf6d35ccdc156fe4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ifzaocyiid.exe
      Filesize

      343KB

      MD5

      b83839808ac32d997be852eea015506f

      SHA1

      b5f38fb9218474972f52f6fc17ae740b97809208

      SHA256

      fc08697924d8099e9e8445756cef39b2570a6c46c35bd72db1a03e585168d399

      SHA512

      d96e272c1df63cdfec5b56fdbcd3f3a8c7198a1f87795ca82269a5872ba058ac3860c8bc3c0b8aa09ee46ab353d41114949ea566330692a7bf6d35ccdc156fe4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ifzaocyiid.exe
      Filesize

      343KB

      MD5

      b83839808ac32d997be852eea015506f

      SHA1

      b5f38fb9218474972f52f6fc17ae740b97809208

      SHA256

      fc08697924d8099e9e8445756cef39b2570a6c46c35bd72db1a03e585168d399

      SHA512

      d96e272c1df63cdfec5b56fdbcd3f3a8c7198a1f87795ca82269a5872ba058ac3860c8bc3c0b8aa09ee46ab353d41114949ea566330692a7bf6d35ccdc156fe4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\quocykgcgjy.ntm
      Filesize

      185KB

      MD5

      ee1994ef6c1d224addfb82ae1c220448

      SHA1

      562a844d411a7cce4b1376488a4e253598fcf4e4

      SHA256

      6f2a4748ff988c944daa4dc23baf2bc2ebadc170971cd536fc9df4c60488e9bc

      SHA512

      d130a49a28d97aa9be4e765c057316c9146f11a31aa5590ab30873bec634dcc6c69a1eb7be1203ee22e7947ffe5e268f31a77c8640c3bdd89a723f90df457dac

      Download Submit
    • \Users\Admin\AppData\Local\Temp\ifzaocyiid.exe
      Filesize

      343KB

      MD5

      b83839808ac32d997be852eea015506f

      SHA1

      b5f38fb9218474972f52f6fc17ae740b97809208

      SHA256

      fc08697924d8099e9e8445756cef39b2570a6c46c35bd72db1a03e585168d399

      SHA512

      d96e272c1df63cdfec5b56fdbcd3f3a8c7198a1f87795ca82269a5872ba058ac3860c8bc3c0b8aa09ee46ab353d41114949ea566330692a7bf6d35ccdc156fe4

      Download Submit
    • \Users\Admin\AppData\Local\Temp\ifzaocyiid.exe
      Filesize

      343KB

      MD5

      b83839808ac32d997be852eea015506f

      SHA1

      b5f38fb9218474972f52f6fc17ae740b97809208

      SHA256

      fc08697924d8099e9e8445756cef39b2570a6c46c35bd72db1a03e585168d399

      SHA512

      d96e272c1df63cdfec5b56fdbcd3f3a8c7198a1f87795ca82269a5872ba058ac3860c8bc3c0b8aa09ee46ab353d41114949ea566330692a7bf6d35ccdc156fe4

      Download Submit
    • \Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      832KB

      MD5

      07fb6d31f37fb1b4164bef301306c288

      SHA1

      4cb41af6d63a07324ef6b18b1a1f43ce94e25626

      SHA256

      06ddf0a370af00d994824605a8e1307ba138f89b2d864539f0d19e8804edac02

      SHA512

      cab4a7c5805b80851aba5f2c9b001fabc1416f6648d891f49eacc81fe79287c5baa01306a42298da722750b812a4ea85388ffae9200dcf656dd1d5b5b9323353

      Download Submit
    • memory/1368-69-0x00000000042C0000-0x000000000437C000-memory.dmp
      Filesize

      752KB

      Download
    • memory/1368-80-0x0000000004EB0000-0x0000000004F86000-memory.dmp
      Filesize

      856KB

      Download
    • memory/1368-78-0x0000000004EB0000-0x0000000004F86000-memory.dmp
      Filesize

      856KB

      Download
    • memory/1476-54-0x0000000074FB1000-0x0000000074FB3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1948-56-0x0000000000000000-mapping.dmp
      Download
    • memory/1984-74-0x0000000000C20000-0x0000000000C3C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/1984-70-0x0000000000000000-mapping.dmp
      Download
    • memory/1984-75-0x00000000000C0000-0x00000000000ED000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1984-76-0x0000000002040000-0x0000000002343000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1984-77-0x00000000003D0000-0x000000000045F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/1984-79-0x00000000000C0000-0x00000000000ED000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2032-68-0x0000000000130000-0x0000000000140000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2032-71-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2032-72-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2032-67-0x0000000000B00000-0x0000000000E03000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/2032-66-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2032-65-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2032-63-0x00000000004012B0-mapping.dmp
      Download