General

  • Target

    vbc(1).exe

  • Size

    694KB

  • Sample

    221208-nv6e4shh39

  • MD5

    5113abb28878ff293661fc23685a48bf

  • SHA1

    175aa3169fe7112cead1a550dd702c552bbe832c

  • SHA256

    0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10

  • SHA512

    c4e447cba8dafa4f9744e09a2bbd39b1c59025f1d2f5cf879f0fbae121779a56e42174580cfbd760c48e55a5c997cdec96d1189a4724ff4a6f06d3632dda780f

  • SSDEEP

    12288:RIn+H+LD9IlljoZ9bQGhQwDZF4J40l+BrNGqWOl1u/OfzgYWvwddkydK4akFXRyy:RILOHjoDQGhHQ40loJGts42fz4YTkydp
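Before acting on the indicators above, confirm that the file in hand is the same artifact the sandbox analysed. The block below is an added example (not part of the sandbox output) that hashes a file with the four cryptographic algorithms the report lists and compares the result with the report's values; the `compare_to_report` verdict logic and all function names are mine. A partial match (for example MD5 agrees but SHA-256 does not) should be treated as a transcription error or a deliberate collision against one of the weak algorithms, and SHA-256/SHA-512 should decide.

```python
import hashlib
import sys

# Hashes copied from the report above for vbc(1).exe.
REPORT_IOCS = {
    "md5": "5113abb28878ff293661fc23685a48bf",
    "sha1": "175aa3169fe7112cead1a550dd702c552bbe832c",
    "sha256": "0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10",
    "sha512": "c4e447cba8dafa4f9744e09a2bbd39b1c59025f1d2f5cf879f0fbae121779a56e"
              "42174580cfbd760c48e55a5c997cdec96d1189a4724ff4a6f06d3632dda780f",
}
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_bytes(data: bytes) -> dict:
    """Hex digests of an in-memory blob with every algorithm the report uses."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all four hashes in one read pass (bounded memory,
    so a multi-GB dropper or memory dump is handled the same way as a 694KB sample)."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_to_report(digests: dict, iocs: dict = REPORT_IOCS) -> dict:
    """Per-algorithm comparison plus an overall verdict:
    'match'    every algorithm agrees with the report
    'no_match' every algorithm disagrees (a different file)
    'conflict' some agree and some do not: a typo in the IOC list, or an
               md5/sha1 collision; trust sha256/sha512 and re-check the source."""
    per_alg = {name: digests[name].lower() == iocs[name].lower() for name in iocs}
    if all(per_alg.values()):
        verdict = "match"
    elif not any(per_alg.values()):
        verdict = "no_match"
    else:
        verdict = "conflict"
    return {"per_algorithm": per_alg, "verdict": verdict}


if __name__ == "__main__":
    # Usage: python check_sample.py <path-to-file>
    result = compare_to_report(digest_file(sys.argv[1]))
    for name, ok in result["per_algorithm"].items():
        print(f"{name:6} {'OK' if ok else 'DIFFERS'}")
    print("verdict:", result["verdict"])
```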

Malware Config

Extracted

Family

formbook

Campaign

pgnt

Decoy

0WG18LbM4lR9iqMRa4nlBzTb

jcfGYzPgZTqFZVO9FV2yIw==

laIfrdSC8/4CNg==

Q73ilev5GIWuOrAAFV2yIw==

Q2u/pMw7pv4sPA==

TbqvIUHwlQscPo0HFV2yIw==

8PNWfGPyE8n0IQ==

WtgROxXzvY2L

PryaRBNjm4eP

Y9Hdi06Cry1um9Sj68YAu1o=

3Gulyp7CMQtR78jvLkk=

JJ3GasTVTCRQT6Tfz6S6GlI=

RnS42bhb9tI0R6UpD6wOxriNxw==

he1mi2sOGfzTRGHnuA==

eaYjCtjxVjdU5XLRtBMBLKk9quA=

k9rTeEqYzzw8WaTfz6S6GlI=

5luVQwe2vJWKEAiMdF4=

MGW14L9OVk5Y5TaR6w/DqdhYxXVY

mAsYz6k6sQkDC0/DoHj9t1RPWLSgFQ==

y5klhuMbE8n0IQ==

Extracted

Family

xloader

Version

3.�E

Campaign

pgnt

Decoy

0WG18LbM4lR9iqMRa4nlBzTb

jcfGYzPgZTqFZVO9FV2yIw==

laIfrdSC8/4CNg==

Q73ilev5GIWuOrAAFV2yIw==

Q2u/pMw7pv4sPA==

TbqvIUHwlQscPo0HFV2yIw==

8PNWfGPyE8n0IQ==

WtgROxXzvY2L

PryaRBNjm4eP

Y9Hdi06Cry1um9Sj68YAu1o=

3Gulyp7CMQtR78jvLkk=

JJ3GasTVTCRQT6Tfz6S6GlI=

RnS42bhb9tI0R6UpD6wOxriNxw==

he1mi2sOGfzTRGHnuA==

eaYjCtjxVjdU5XLRtBMBLKk9quA=

k9rTeEqYzzw8WaTfz6S6GlI=

5luVQwe2vJWKEAiMdF4=

MGW14L9OVk5Y5TaR6w/DqdhYxXVY

mAsYz6k6sQkDC0/DoHj9t1RPWLSgFQ==

y5klhuMbE8n0IQ==

Targets

    • Target

      vbc(1).exe


    • Formbook

      Formbook is an information stealer: it captures keystrokes, clipboard contents and credentials submitted in web forms from the browsers and applications it hooks, and it can download and execute additional payloads on instruction from its C2. The Decoy entries in the extracted config are the decoy domains the bot contacts alongside its real C2 so that the genuine server is harder to pick out of network traffic; they are shown here in the encoded form the extractor recovered them in.

    • Xloader

      XLoader is the successor to Formbook, sold under the new name since 2020. It shares Formbook's code base and configuration format, which is why both family extractors fire on this sample and recover the same campaign identifier (pgnt) and the same decoy list.

    • Uses the Visual Basic compiler (vbc.exe) for execution

      vbc.exe is the Visual Basic .NET command-line compiler shipped with the .NET Framework, not a VBScript interpreter. The report flags the sample for executing through it: running payload code under the name of a Microsoft-signed compiler makes the activity blend into process telemetry. vbc.exe started from a user-writable path, or by a parent that is not a build tool, is the anomaly to look for.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites a thread's register state, including its instruction pointer. Legitimate software rarely calls it on another process's thread; malware uses it for process hollowing (MITRE ATT&CK T1055.012): create the target process suspended, unmap or overwrite its image with the payload, point the main thread's context at the new entry point with SetThreadContext, then ResumeThread. Together with the vbc.exe signature above, this is consistent with the payload being injected into a suspended vbc.exe rather than run from the dropped file itself.
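SetThreadContext itself is not something Sysmon records, but the hollowing chain around it leaves traces in ordinary process telemetry: the creation of vbc.exe by an unexpected parent or from an unexpected path (Event ID 1), and a cross-process handle to vbc.exe with the rights needed to write its memory and restart its thread (Event ID 10). The block below is added example detection logic, not a rule from the sandbox or any vendor, run over constructed Sysmon-style events; the field names follow Sysmon's EID 1 and EID 10 schema, the access-right constants are from winnt.h, and the build-tool allowlist and the framework-path pattern are assumptions to adjust to your estate. Whether a given loader produces an EID 10 for a handle it obtained from CreateProcess rather than OpenProcess is something to validate against your own telemetry before relying on that rule.

```python
import re
from dataclasses import dataclass

# Process access rights from winnt.h. A hollowing loader needs at least these on
# the suspended child: create/resume threads and allocate + write memory.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
HOLLOWING_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumption: default %WINDIR%; the real compiler lives only under these paths.
LEGIT_VBC = re.compile(
    r"^c:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\vbc\.exe$", re.I)
# Assumption: parents that legitimately spawn the compiler during builds.
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "csc.exe", "vbcscompiler.exe"}


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events: list) -> list:
    """Apply three heuristics to Sysmon-style event dicts and return the alerts."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:  # ProcessCreate
            image, parent, pid = ev["Image"], ev["ParentImage"], ev["ProcessId"]
            if basename(image) != "vbc.exe":
                continue
            if not LEGIT_VBC.match(image):
                alerts.append(Alert("vbc_outside_framework_dir", pid, image))
            if basename(parent) not in BUILD_PARENTS:
                alerts.append(Alert("vbc_unexpected_parent", pid, parent))
        elif ev["EventID"] == 10:  # ProcessAccess
            granted = int(ev["GrantedAccess"], 16)
            if (basename(ev["TargetImage"]) == "vbc.exe"
                    and ev["SourceProcessId"] != ev["TargetProcessId"]
                    and granted & HOLLOWING_MASK == HOLLOWING_MASK):
                alerts.append(Alert("vbc_hollowing_access", ev["TargetProcessId"],
                                    f"{ev['SourceImage']} -> {hex(granted)}"))
    return alerts


# Constructed sample events (not real telemetry): one benign build, then a
# dropper named like this report's sample spawning and accessing vbc.exe, then
# a fake vbc.exe run from %TEMP% by explorer.exe.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2100,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe"},
    {"EventID": 1, "ProcessId": 4812,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Users\victim\Downloads\vbc(1).exe"},
    {"EventID": 10, "SourceProcessId": 3300, "TargetProcessId": 4812,
     "SourceImage": r"C:\Users\victim\Downloads\vbc(1).exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "ProcessId": 5120,
     "Image": r"C:\Users\victim\AppData\Local\Temp\vbc.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def run_sample() -> list:
    return analyse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

The first event produces nothing, which is the point of the allowlist and path check: a compiler started by MSBuild from the framework directory is the normal case. The dropper's child gets an alert on its parent, the cross-process handle with full access gets the hollowing alert, and the copy in %TEMP% trips both process-creation rules.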
