Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

vbc.exe

windows7-x64

10

vbc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21/11/2024, 20:33 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vbc.exe

  • Size

    575KB

  • MD5

    2986502fc991bed7cc87122bc481d5b4

  • SHA1

    45d8d4498052803984a49f880d874c659945fc0c

  • SHA256

    45de0a47d8bee8de67d818ea239f0f9c934c3299be3c3faefacb9e1e4800078c

  • SHA512

    54f3fc749923be12396af61b64bbeaf5b12e290159960517989b79d882d4a1ed2af6045a85987ac615b9da1d9232d63db5ceacbf4c907b5fd33735575c75a3d8

  • SSDEEP

    12288:zBqlwSPINx9zVGr5rg3xcnX5pPhdc2WjgDw:yDIxfErgAXc2WjgDw

Score
10/10
xloaderns87discoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ns87

Decoy

hcjn998.com

y963257.xyz

upcrunchnow.com

adornor.online

boyhunters.com

mchaskell.com

bayanescort.xyz

jovinodossantossite.com

hubhosted.com

evertownnycapartments.net

mgav40.xyz

lfykjx.com

asscheekspizzaboi.com

chinacxq.com

abovecover.net

listingswithalex.com

hhcreativeartsociety.com

aryanagasosa.xyz

caesarpro.com

junanbolsas.online

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Users\Admin\AppData\Local\Temp\vbc.exe
      "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Users\Admin\AppData\Local\Temp\vbc.exe
        "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2832
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2176

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1272-23-0x0000000007320000-0x0000000007497000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1272-19-0x0000000007320000-0x0000000007497000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1272-18-0x0000000003A60000-0x0000000003B60000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1576-13-0x0000000074020000-0x000000007470E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1576-1-0x00000000008B0000-0x0000000000944000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1576-2-0x0000000074020000-0x000000007470E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1576-3-0x00000000004F0000-0x00000000004FC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1576-4-0x000000007402E000-0x000000007402F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1576-5-0x0000000074020000-0x000000007470E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1576-6-0x0000000002020000-0x0000000002088000-memory.dmp

    Filesize

    416KB

    Download

  • memory/1576-0-0x000000007402E000-0x000000007402F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2832-7-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2832-14-0x0000000000AE0000-0x0000000000DE3000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2832-8-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2832-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2832-17-0x0000000000190000-0x00000000001A1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2832-16-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2832-12-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2928-21-0x0000000000FF0000-0x0000000001012000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2928-20-0x0000000000FF0000-0x0000000001012000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2928-22-0x0000000000070000-0x0000000000099000-memory.dmp

    Filesize

    164KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.