Overview

overview

10

Static

static

vbc.exe

windows7-x64

10

vbc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    600s
  • max time network
    601s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-01-2023 14:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vbc.exe

  • Size

    10.0MB

  • MD5

    93a2d330d57689aea5146c1d7b767ff8

  • SHA1

    39b73da296c473b30d8ef5e4063288653500d3ef

  • SHA256

    50268da94205b374b7b1344a8ae09105e3732dd026350b7418d750a2d4dca7e9

  • SHA512

    b2ef5945d2599a98966ff0c58ad9917481ab27b238d6152fff32bd82313196353312ffd61cde07552d1e9bcba8cc7d2b4f47df360c427618f250217ef372fa3b

  • SSDEEP

    96:vKbBpyUc5+YdueYZkhgEMLUEM5i2RZjz+4KpfBu7uxVJGkFpNeFnUu:vyfyUOfuUk52T/pwu7UVJrlru

Score
10/10
formbookdcn0ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Users\Admin\AppData\Local\Temp\vbc.exe
      "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4428
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4636
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3784
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4280
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        3⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2260
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5068
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1352

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Persistence

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      1KB

      MD5

      4280e36a29fa31c01e4d8b2ba726a0d8

      SHA1

      c485c2c9ce0a99747b18d899b71dfa9a64dabe32

      SHA256

      e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

      SHA512

      494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
      Filesize

      53KB

      MD5

      06ad34f9739c5159b4d92d702545bd49

      SHA1

      9152a0d4f153f3f40f7e606be75f81b582ee0c17

      SHA256

      474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

      SHA512

      c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      16KB

      MD5

      70748b71fd527338cfdbc657d24712ee

      SHA1

      3202ae3aa536e18e6b9865fe2c072fd3e89a9727

      SHA256

      7e252d7fe8e77ae03c4c91f29bdcc35e6a97943feb585d61f7d80ca4a39f2926

      SHA512

      6a56e75fb23feb5aa91abae28d549e878b6bf12cfbce64a3771cd1c798c619a49b87d7748511685e3560382be0c9b0e568c40c7cc4fe19888f7eb43eac4542d4

      Download Submit
    • memory/2260-158-0x0000000000D40000-0x0000000000D50000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2260-157-0x0000000000422000-0x0000000000424000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2260-156-0x00000000028E0000-0x0000000002C2A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2260-155-0x0000000000401000-0x000000000042E000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2260-154-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2260-152-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2260-149-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2260-148-0x0000000000000000-mapping.dmp
      Download
    • memory/3008-159-0x0000000007B70000-0x0000000007CA3000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3008-173-0x00000000083B0000-0x00000000084DA000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3008-175-0x00000000083B0000-0x00000000084DA000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3784-145-0x0000000000000000-mapping.dmp
      Download
    • memory/4280-163-0x0000000007CF0000-0x0000000007CFA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4280-167-0x0000000007EC0000-0x0000000007EDA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4280-168-0x0000000007EA0000-0x0000000007EA8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/4280-146-0x0000000000000000-mapping.dmp
      Download
    • memory/4280-165-0x00000000067D0000-0x00000000067DE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/4280-164-0x0000000007F40000-0x0000000007FD6000-memory.dmp
      Filesize

      600KB

      Download
    • memory/4280-162-0x0000000006F20000-0x0000000006F3E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4280-161-0x0000000073370000-0x00000000733BC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4280-160-0x0000000006F40000-0x0000000006F72000-memory.dmp
      Filesize

      200KB

      Download
    • memory/4428-132-0x0000000000D70000-0x0000000000D78000-memory.dmp
      Filesize

      32KB

      Download
    • memory/4428-136-0x0000000007030000-0x0000000007052000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4428-135-0x0000000005740000-0x000000000574A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4428-133-0x0000000005CC0000-0x0000000006264000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4428-134-0x00000000057B0000-0x0000000005842000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4636-142-0x0000000006410000-0x000000000642E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4636-139-0x00000000055A0000-0x0000000005BC8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/4636-141-0x0000000005DB0000-0x0000000005E16000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4636-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4636-138-0x0000000004E40000-0x0000000004E76000-memory.dmp
      Filesize

      216KB

      Download
    • memory/4636-143-0x0000000007A90000-0x000000000810A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/4636-144-0x0000000006900000-0x000000000691A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4636-140-0x0000000005D40000-0x0000000005DA6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/5068-169-0x0000000000730000-0x0000000000757000-memory.dmp
      Filesize

      156KB

      Download
    • memory/5068-170-0x0000000000F00000-0x0000000000F2D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/5068-172-0x0000000002D60000-0x0000000002DEF000-memory.dmp
      Filesize

      572KB

      Download
    • memory/5068-171-0x0000000002EC0000-0x000000000320A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/5068-174-0x0000000000F00000-0x0000000000F2D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/5068-166-0x0000000000000000-mapping.dmp
      Download