
VB Flash (2815a353-cd56-4ed0-8581-812b94f7a326)

VB Flash was first observed being deployed alongside Agent ORM in September 2015. It was likely developed as a replacement for Agent ORM and contained similar capabilities. The first observed instance of VB Flash included comments and was easy to analyze; later versions soon began to integrate multiple layers of obfuscation. Several versions of VB Flash were developed, including ones that used Google Forms, Google Macros, and Google Spreadsheets together to form a command-and-control (C2) channel. This variant would POST victim data to a specified Google form, then make a request to a Google macro script, receiving the address of a Google Spreadsheet from which to request commands.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| VB Flash (2815a353-cd56-4ed0-8581-812b94f7a326) | Tool | Private Cluster (71ac10de-1103-40a7-b65b-f97dab9769bf) | Unknown | 1 |
| HALFBAKED - S0151 (0ced8926-914e-4c78-bc93-356fb90dbd1f) | Malware | VB Flash (2815a353-cd56-4ed0-8581-812b94f7a326) | Tool | 1 |
| System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | HALFBAKED - S0151 (0ced8926-914e-4c78-bc93-356fb90dbd1f) | Malware | 2 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | HALFBAKED - S0151 (0ced8926-914e-4c78-bc93-356fb90dbd1f) | Malware | 2 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | HALFBAKED - S0151 (0ced8926-914e-4c78-bc93-356fb90dbd1f) | Malware | 2 |
| Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) | Attack Pattern | HALFBAKED - S0151 (0ced8926-914e-4c78-bc93-356fb90dbd1f) | Malware | 2 |
| Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | HALFBAKED - S0151 (0ced8926-914e-4c78-bc93-356fb90dbd1f) | Malware | 2 |
| Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) | Attack Pattern | HALFBAKED - S0151 (0ced8926-914e-4c78-bc93-356fb90dbd1f) | Malware | 2 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 3 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 3 |