Overview

overview

10

Static

static

vbc.exe

windows7-x64

10

vbc.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    vbc.exe

  • Size

    10.0MB

  • Sample

    230119-scv9msdc3x

  • MD5

    93a2d330d57689aea5146c1d7b767ff8

  • SHA1

    39b73da296c473b30d8ef5e4063288653500d3ef

  • SHA256

    50268da94205b374b7b1344a8ae09105e3732dd026350b7418d750a2d4dca7e9

  • SHA512

    b2ef5945d2599a98966ff0c58ad9917481ab27b238d6152fff32bd82313196353312ffd61cde07552d1e9bcba8cc7d2b4f47df360c427618f250217ef372fa3b

  • SSDEEP

    96:vKbBpyUc5+YdueYZkhgEMLUEM5i2RZjz+4KpfBu7uxVJGkFpNeFnUu:vyfyUOfuUk52T/pwu7UVJrlru

Score
10/10
formbookdcn0ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Targets

    • Target

      vbc.exe

    • Size

      10.0MB

    • MD5

      93a2d330d57689aea5146c1d7b767ff8

    • SHA1

      39b73da296c473b30d8ef5e4063288653500d3ef

    • SHA256

      50268da94205b374b7b1344a8ae09105e3732dd026350b7418d750a2d4dca7e9

    • SHA512

      b2ef5945d2599a98966ff0c58ad9917481ab27b238d6152fff32bd82313196353312ffd61cde07552d1e9bcba8cc7d2b4f47df360c427618f250217ef372fa3b

    • SSDEEP

      96:vKbBpyUc5+YdueYZkhgEMLUEM5i2RZjz+4KpfBu7uxVJGkFpNeFnUu:vyfyUOfuUk52T/pwu7UVJrlru

    Score
    10/10
    formbookdcn0ratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks