Created 2021.04.09 11:41 Machine s1_win7_x6402
Filename vbc.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 7
Behavior Score 8.8
ZERO API file : malware
VT API (file) 36 detected (AIDetect, malware1, malicious, high confidence, GenericKDZ, Artemis, Unsafe, Save, confidence, Kryptik, Eldorado, Attribute, HighConfidence, HKII, DropperX, Noon, Auto, ai score=86, Wacatac, score, BScope, CLASSIC, Static AI, Malicious PE, HKID, ZexaF, xC1@aS4psLfG, QVM10)
md5 95b9de411f02303856d21e978004cecb
sha256 5bcba2a09d8758ca07490dfcd3859a64b3a0092ed7873a707e73346eefd4235e
ssdeep 6144:AxsTcyLIWYxn3QDQ+2uDTv7+xJx5Y7CFIMKqZxnGqaz:AxsTd0t3QDQpFPDY7CC2Gtz
imphash 9c90aa63bb435d1aab6db36d5bf4ee01
impfuzzy 48:qiFOLP8298TtWG6cjPMuD8cpNKd6ANZ7p61:qisL5ytWG6cjPF8cpNG64N0
Signature (18cnts)

Level Description
danger Executed a process and injected code into it
danger File has been identified by 36 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Communicates with host for which no DNS query was performed
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks if process is being debugged by a debugger
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (13cnts)

Level Name Description Collection
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check Signature Zero binaries (upload)
info PE_Header_Zero PE File Signature Zero binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info HasOverlay Overlay Check binaries (upload)
info IsWindowsGUI (no description) binaries (upload)
info win_files_operation Affect private profile binaries (upload)

Network (52cnts)


Suricata IDS

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x3dad000 HeapReAlloc
 0x3dad004 RemoveVectoredExceptionHandler
 0x3dad008 EnumDateFormatsExW
 0x3dad00c FindResourceExW
 0x3dad010 WriteConsoleOutputCharacterA
 0x3dad014 LoadResource
 0x3dad018 SetWaitableTimer
 0x3dad01c GetCurrentProcess
 0x3dad020 HeapFree
 0x3dad024 GetModuleHandleExW
 0x3dad028 GlobalLock
 0x3dad02c CancelWaitableTimer
 0x3dad030 LockFile
 0x3dad034 SetTapeParameters
 0x3dad038 GetModuleHandleW
 0x3dad03c EnumCalendarInfoExW
 0x3dad040 TzSpecificLocalTimeToSystemTime
 0x3dad044 GetLocaleInfoW
 0x3dad048 GetSystemTimeAdjustment
 0x3dad04c InterlockedPopEntrySList
 0x3dad050 GetFileAttributesA
 0x3dad054 GetCompressedFileSizeA
 0x3dad058 GetTimeZoneInformation
 0x3dad05c GetEnvironmentVariableA
 0x3dad060 DisconnectNamedPipe
 0x3dad064 VirtualUnlock
 0x3dad068 GetConsoleAliasesW
 0x3dad06c GetProcAddress
 0x3dad070 GetAtomNameA
 0x3dad074 LocalAlloc
 0x3dad078 AddAtomA
 0x3dad07c GlobalFindAtomW
 0x3dad080 GlobalUnWire
 0x3dad084 lstrcatW
 0x3dad088 FatalExit
 0x3dad08c GetFileTime
 0x3dad090 GetConsoleCursorInfo
 0x3dad094 LocalFree
 0x3dad098 LCMapStringW
 0x3dad09c SetEnvironmentVariableA
 0x3dad0a0 CompareStringW
 0x3dad0a4 TerminateProcess
 0x3dad0a8 UnhandledExceptionFilter
 0x3dad0ac SetUnhandledExceptionFilter
 0x3dad0b0 IsDebuggerPresent
 0x3dad0b4 GetStartupInfoW
 0x3dad0b8 RaiseException
 0x3dad0bc RtlUnwind
 0x3dad0c0 HeapAlloc
 0x3dad0c4 GetLastError
 0x3dad0c8 EnterCriticalSection
 0x3dad0cc LeaveCriticalSection
 0x3dad0d0 TlsGetValue
 0x3dad0d4 TlsAlloc
 0x3dad0d8 TlsSetValue
 0x3dad0dc TlsFree
 0x3dad0e0 InterlockedIncrement
 0x3dad0e4 SetLastError
 0x3dad0e8 GetCurrentThreadId
 0x3dad0ec InterlockedDecrement
 0x3dad0f0 GetCurrentThread
 0x3dad0f4 Sleep
 0x3dad0f8 ExitProcess
 0x3dad0fc WriteFile
 0x3dad100 GetStdHandle
 0x3dad104 GetModuleFileNameA
 0x3dad108 GetModuleFileNameW
 0x3dad10c FreeEnvironmentStringsW
 0x3dad110 GetEnvironmentStringsW
 0x3dad114 GetCommandLineW
 0x3dad118 SetHandleCount
 0x3dad11c GetFileType
 0x3dad120 GetStartupInfoA
 0x3dad124 DeleteCriticalSection
 0x3dad128 HeapCreate
 0x3dad12c HeapDestroy
 0x3dad130 VirtualFree
 0x3dad134 QueryPerformanceCounter
 0x3dad138 GetTickCount
 0x3dad13c GetCurrentProcessId
 0x3dad140 GetSystemTimeAsFileTime
 0x3dad144 SetFilePointer
 0x3dad148 WideCharToMultiByte
 0x3dad14c GetConsoleCP
 0x3dad150 GetConsoleMode
 0x3dad154 GetCPInfo
 0x3dad158 GetACP
 0x3dad15c GetOEMCP
 0x3dad160 IsValidCodePage
 0x3dad164 FatalAppExitA
 0x3dad168 VirtualAlloc
 0x3dad16c MultiByteToWideChar
 0x3dad170 CloseHandle
 0x3dad174 CreateFileA
 0x3dad178 InitializeCriticalSectionAndSpinCount
 0x3dad17c HeapSize
 0x3dad180 SetConsoleCtrlHandler
 0x3dad184 FreeLibrary
 0x3dad188 InterlockedExchange
 0x3dad18c LoadLibraryA
 0x3dad190 SetStdHandle
 0x3dad194 WriteConsoleA
 0x3dad198 GetConsoleOutputCP
 0x3dad19c WriteConsoleW
 0x3dad1a0 LCMapStringA
 0x3dad1a4 GetStringTypeA
 0x3dad1a8 GetStringTypeW
 0x3dad1ac GetTimeFormatA
 0x3dad1b0 GetDateFormatA
 0x3dad1b4 GetUserDefaultLCID
 0x3dad1b8 GetLocaleInfoA
 0x3dad1bc EnumSystemLocalesA
 0x3dad1c0 IsValidLocale
 0x3dad1c4 FlushFileBuffers
 0x3dad1c8 ReadFile
 0x3dad1cc SetEndOfFile
 0x3dad1d0 GetProcessHeap
 0x3dad1d4 CompareStringA
 0x3dad1d8 GetModuleHandleA
USER32.dll
 0x3dad1e0 GetProcessDefaultLayout

EAT (Export Address Table) Library

0x444970 Lolipops
0x444950 NoMore
0x444960 Robin
