Overview

overview

10

Static

static

1

vbc.exe

windows7-x64

10

vbc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-03-2023 10:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vbc.exe

  • Size

    929KB

  • MD5

    a2b6815c9698017685973d659c6fa3ba

  • SHA1

    711825fd9865c9b1ca177df8301058a96bf7968d

  • SHA256

    bcb2ba08e3ef1e2650c2276989c6d12e2277015deee0e4731f7099be07e63788

  • SHA512

    3f943ead12ce94547e336ae9ac16b74f37a2f37c1b44180a606c0155faae0b664ec8bfca1a622309ffa3bf202a7bfd81abfd3b06babc6d02efa10f449837d79c

  • SSDEEP

    12288:6cNpFJUGzl06/TgTU48e9NyCGTyIkNOmun7ZI/GYLS+bmtHq75JM/GQsqYn:Pzl06MFxyCGTRkNOpFI/fmEaqVJM/By

Score
10/10
formbookbk08ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bk08

Decoy

chloie.net

fastingersecure.monster

foundersterrace.online

ytorly.xyz

kiralayolla.com

corporacionalpi.com

planfortheworld.com

disciplinecoaching.co.uk

rubi33.com

digitlabmedia.com

ky20033.com

h4q7.com

91ye260.xyz

coconceptevents.com

ukusizas.africa

utainnovative.africa

ted-clean.co.uk

haus-huelsche.com

ca-refund.website

football.salon

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3220
    • C:\Users\Admin\AppData\Local\Temp\vbc.exe
      "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4052
      • C:\Users\Admin\AppData\Local\Temp\vbc.exe
        "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
        3⤵
          PID:4060
        • C:\Users\Admin\AppData\Local\Temp\vbc.exe
          "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1712
      • C:\Windows\SysWOW64\wlanext.exe
        "C:\Windows\SysWOW64\wlanext.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4244
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
          3⤵
            PID:1980

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1712-143-0x0000000001080000-0x00000000013CA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/1712-145-0x0000000001010000-0x0000000001025000-memory.dmp
        Filesize

        84KB

        Download
      • memory/1712-144-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1712-140-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/3220-158-0x0000000008EA0000-0x0000000009021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/3220-156-0x0000000008EA0000-0x0000000009021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/3220-155-0x0000000008EA0000-0x0000000009021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/3220-146-0x0000000008DB0000-0x0000000008E95000-memory.dmp
        Filesize

        916KB

        Download
      • memory/4052-138-0x0000000005AE0000-0x0000000005AF0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4052-139-0x0000000008440000-0x00000000084DC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4052-133-0x0000000000DF0000-0x0000000000EDE000-memory.dmp
        Filesize

        952KB

        Download
      • memory/4052-137-0x0000000005AE0000-0x0000000005AF0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4052-136-0x0000000005920000-0x000000000592A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4052-135-0x0000000005870000-0x0000000005902000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4052-134-0x0000000005F10000-0x00000000064B4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4244-147-0x0000000000250000-0x0000000000267000-memory.dmp
        Filesize

        92KB

        Download
      • memory/4244-149-0x0000000000250000-0x0000000000267000-memory.dmp
        Filesize

        92KB

        Download
      • memory/4244-150-0x0000000000D20000-0x0000000000D4F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/4244-151-0x0000000001740000-0x0000000001A8A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/4244-152-0x0000000000D20000-0x0000000000D4F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/4244-154-0x0000000001570000-0x0000000001604000-memory.dmp
        Filesize

        592KB

        Download