Created 2021.04.13 10:21 Machine s1_win7_x6401
Filename vbc.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 8
Behavior Score 8.8
ZERO API file : malware
VT API (file) 29 detected (AIDetect, malware1, malicious, high confidence, Artemis, Unsafe, Save, confidence, ZexaF, wCX@aywMDYiG, Attribute, HighConfidence, Kryptik, HKJF, Noon, Auto, Lockbit, Caynamer, score, MalPE, R415606, Outbreak, ET#76%, RDMK, cmRtazqGl6iiSTNh7eT6wN8rJqLx, Static AI, Malicious PE, GenKryptik, FDXJ, QVM10)
md5 ad93fd487510d127e039ca04ceea6181
sha256 a93612df3a5b159429eb5a2851df1bd34397e0ce76c443dac996ecc8500c0d24
ssdeep 6144:kByAPECLr4dK/eNvPXunHkyP6IGYtvVvneW:kByAf1eNvmEw6hYtle
imphash 1c198acdc88e6433341d82c12cfad0a9
impfuzzy 48:Y201OdzbaZLeG1tMcvXuyD9CKdpnNZ7p6xE:Y20cVaZ6G1tMcvpD9CGpHNr

Signature (18cnts)

Level Description
danger Executed a process and injected code into it
warning File has been identified by 29 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch Allocates execute permission to another process indicative of possible code injection
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks if process is being debugged by a debugger
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (14cnts)

Level Name Description Collection
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check Signature Zero binaries (upload)
info PE_Header_Zero PE File Signature Zero binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info HasOverlay Overlay Check binaries (upload)
info IsPacked Entropy Check binaries (upload)
info IsWindowsGUI (no description) binaries (upload)
info win_files_operation Affect private profile binaries (upload)

Network (50cnts)

Request CC ASN IP4 Rule ZERO
http://www.forrealmodels.com/qjnt/ NL Signet B.V. 188.93.150.60 clean
http://www.buckhead-meat.com/qjnt/ US GOOGLE 34.102.136.180 clean
http://www.funeralinsurancetoppro.info/qjnt/ US AMAZON-02 18.218.104.7 clean
http://www.investiose.info/qjnt/?mlvx=ZxcvZy8ZLczqtvfEla7uZ1L3KAM6BWVTFYDKbjT+DQ7ivFAcZk5kBU1oTK1xQfOK60beZP/V&NjBDlv=8p4plXBx US GOOGLE 34.102.136.180 clean
http://www.laayoune4seasons.com/qjnt/ US Host Europe GmbH 160.153.133.214 clean
http://www.markokuzmanovicpreduzetnik.com/qjnt/ DE Hetzner Online GmbH 138.201.32.82 793 malicious
http://www.warriormovers.com/qjnt/ SG AS-26496-GO-DADDY-COM-LLC 182.50.132.242 clean
http://www.houstonwingate.com/qjnt/?mlvx=CzEu8ZxrHnRoIa1yxDkB+HouEa3BiY3cm4vRhwDecVIGXXoKItZ0uSpGs804ymz2gjLlGyUN&NjBDlv=8p4plXBx US GOOGLE 34.102.136.180 clean
http://www.relaxxation.com/qjnt/ DE AMAZON-02 52.58.78.16 clean
http://www.funeralinsurancetoppro.info/qjnt/?mlvx=LPK6/ZZmecylnPQHmmc0+oSuT0+zz+F74Xw+uImePqFt3mHqU1FOQjOO/4KEthU7c6djewSp&NjBDlv=8p4plXBx US AMAZON-02 18.218.104.7 clean
http://www.forrealmodels.com/qjnt/?mlvx=/8UA4kKoPYWid4Wy4SiZil89tJjdT7ic7hTrtZ5fAe41kMJ49sOOTLg7IOgO80aghp25g4RJ&NjBDlv=8p4plXBx NL Signet B.V. 188.93.150.60 clean
http://www.ndsplan.com/qjnt/?mlvx=409VEscmxhGhn2kjsNBSYZ81rwPnbusvlCtuGf7QRivOwkGAR0eK2ipEcznp67DdWqS8MJrG&NjBDlv=8p4plXBx US FASTLY 151.101.65.195 clean
http://www.graniteinaminute.com/qjnt/ SG AS-26496-GO-DADDY-COM-LLC 182.50.132.242 clean
http://www.graniteinaminute.com/qjnt/?mlvx=Kc40ChrvGMsz5sDUgJdI1Tm80ndRwqOobrZe5CnH/KVtq0OHhWuXcnL+C6x+hGBLT8rXGqGg&NjBDlv=8p4plXBx SG AS-26496-GO-DADDY-COM-LLC 182.50.132.242 clean
http://www.houstonwingate.com/qjnt/ US GOOGLE 34.102.136.180 clean
http://www.ndsplan.com/qjnt/ US FASTLY 151.101.65.195 clean
http://www.buckhead-meat.com/qjnt/?mlvx=/eERDYDYg8Pjpk/w148+Jv3JxRRGqAllXY9DrwYjMBHW71fIc6WywKuPNHthuS6BfUUI+/zo&NjBDlv=8p4plXBx US GOOGLE 34.102.136.180 clean
http://www.frotaconceitos.com/qjnt/?mlvx=SklQbBNIGDp60jmvc81YaO0+TakJjqFF7kfS9N7pp+kjm4De+jDioVGollGezL8QEhW81teu&NjBDlv=8p4plXBx CA CLOUDFLARENET 23.227.38.74 clean
http://www.gailrichardson.com/qjnt/?mlvx=cQpYuVHVGObCoOy3oJObHgw0bCNAclVj5U/7sRdD/qRSo/tXEB2YKGAusTd/rcUBeGIQZ61D&NjBDlv=8p4plXBx DE AMAZON-02 52.58.78.16 797 malicious
http://www.gailrichardson.com/qjnt/ DE AMAZON-02 52.58.78.16 797 malicious
http://www.frotaconceitos.com/qjnt/ CA CLOUDFLARENET 23.227.38.74 clean
http://www.markokuzmanovicpreduzetnik.com/qjnt/?mlvx=i2EsCfZQS6UiXx+U6iTY56sS9p8CyNJUy4JXA/eLNLds3GOyQV3FqgBWYROgxZYT5pRPnhV7&NjBDlv=8p4plXBx DE Hetzner Online GmbH 138.201.32.82 793 malicious
http://www.laayoune4seasons.com/qjnt/?mlvx=XxCNNDdE0nnMoZJegK9IRWJB/iuqF7H0guvnuK5beGVYhhifxg4lqMNy7rY6vl9fOe+xyR5I&NjBDlv=8p4plXBx US Host Europe GmbH 160.153.133.214 clean
http://www.relaxxation.com/qjnt/?mlvx=mxaFhsYpdbWAcRjreClqDIL9OHFKPqnw/WaD4R8v0Y7MiHTOLhCg3x68N9MAlpNWynvCyQkZ&NjBDlv=8p4plXBx DE AMAZON-02 52.58.78.16 clean
http://www.warriormovers.com/qjnt/?mlvx=ZloBTpog1XpNf+wk1FYIj/PbKl44EdMQG0QlJcdkzx7vf5IbO8Fhxe+U6jjqYB73pzbLmZvg&NjBDlv=8p4plXBx SG AS-26496-GO-DADDY-COM-LLC 182.50.132.242 clean
http://www.investiose.info/qjnt/ US GOOGLE 34.102.136.180 clean
www.forrealmodels.com NL Signet B.V. 188.93.150.60 clean
www.frotaconceitos.com CA CLOUDFLARENET 23.227.38.74 clean
www.querofalardesaude.com Unknown clean
www.graniteinaminute.com SG AS-26496-GO-DADDY-COM-LLC 182.50.132.242 clean
www.markokuzmanovicpreduzetnik.com DE Hetzner Online GmbH 138.201.32.82 clean
www.classicshopin.com Unknown clean
www.warriormovers.com SG AS-26496-GO-DADDY-COM-LLC 182.50.132.242 clean
www.buckhead-meat.com US GOOGLE 34.102.136.180 clean
www.relaxxation.com DE AMAZON-02 52.58.78.16 clean
www.investiose.info US GOOGLE 34.102.136.180 clean
www.funeralinsurancetoppro.info US AMAZON-02 18.219.49.238 clean
www.laayoune4seasons.com US Host Europe GmbH 160.153.133.214 clean
www.ndsplan.com US FASTLY 151.101.1.195 clean
www.gailrichardson.com DE AMAZON-02 52.58.78.16 clean
www.houstonwingate.com US GOOGLE 34.102.136.180 clean
188.93.150.60 NL Signet B.V. 188.93.150.60 clean
138.201.32.82 DE Hetzner Online GmbH 138.201.32.82 malicious
52.58.78.16 DE AMAZON-02 52.58.78.16 malicious
34.102.136.180 US GOOGLE 34.102.136.180 malicious
151.101.1.195 US FASTLY 151.101.1.195 malware
160.153.133.214 US Host Europe GmbH 160.153.133.214 malware
182.50.132.242 SG AS-26496-GO-DADDY-COM-LLC 182.50.132.242 malicious
18.219.49.238 US AMAZON-02 18.219.49.238 malicious
23.227.38.74 CA CLOUDFLARENET 23.227.38.74 malicious

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x3dad000 ExitProcess
 0x3dad004 RemoveVectoredExceptionHandler
 0x3dad008 FindResourceA
 0x3dad00c WriteConsoleOutputCharacterA
 0x3dad010 SystemTimeToTzSpecificLocalTime
 0x3dad014 HeapAlloc
 0x3dad018 SetWaitableTimer
 0x3dad01c HeapFree
 0x3dad020 GetModuleHandleExW
 0x3dad024 LockFile
 0x3dad028 SetTapeParameters
 0x3dad02c GetCompressedFileSizeW
 0x3dad030 FindResourceExA
 0x3dad034 GlobalAlloc
 0x3dad038 GetLocaleInfoW
 0x3dad03c SizeofResource
 0x3dad040 SetSystemTimeAdjustment
 0x3dad044 GetFileAttributesA
 0x3dad048 GetExitCodeProcess
 0x3dad04c GetAtomNameW
 0x3dad050 GetTimeZoneInformation
 0x3dad054 GetEnvironmentVariableA
 0x3dad058 GlobalUnlock
 0x3dad05c DisconnectNamedPipe
 0x3dad060 VirtualUnlock
 0x3dad064 GetConsoleAliasesW
 0x3dad068 SetLastError
 0x3dad06c OpenWaitableTimerW
 0x3dad070 SetConsoleCtrlHandler
 0x3dad074 SetConsoleOutputCP
 0x3dad078 AddAtomA
 0x3dad07c GlobalFindAtomW
 0x3dad080 GlobalUnWire
 0x3dad084 lstrcatW
 0x3dad088 VirtualProtect
 0x3dad08c GetFileTime
 0x3dad090 GetCurrentProcessId
 0x3dad094 LocalFree
 0x3dad098 SetFileAttributesW
 0x3dad09c LocalFileTimeToFileTime
 0x3dad0a0 SetEnvironmentVariableA
 0x3dad0a4 CompareStringW
 0x3dad0a8 GetStartupInfoW
 0x3dad0ac RaiseException
 0x3dad0b0 RtlUnwind
 0x3dad0b4 TerminateProcess
 0x3dad0b8 GetCurrentProcess
 0x3dad0bc UnhandledExceptionFilter
 0x3dad0c0 SetUnhandledExceptionFilter
 0x3dad0c4 IsDebuggerPresent
 0x3dad0c8 GetLastError
 0x3dad0cc DeleteCriticalSection
 0x3dad0d0 LeaveCriticalSection
 0x3dad0d4 FatalAppExitA
 0x3dad0d8 EnterCriticalSection
 0x3dad0dc VirtualFree
 0x3dad0e0 VirtualAlloc
 0x3dad0e4 HeapReAlloc
 0x3dad0e8 HeapCreate
 0x3dad0ec HeapDestroy
 0x3dad0f0 GetModuleHandleW
 0x3dad0f4 Sleep
 0x3dad0f8 GetProcAddress
 0x3dad0fc WriteFile
 0x3dad100 GetStdHandle
 0x3dad104 GetModuleFileNameA
 0x3dad108 GetModuleFileNameW
 0x3dad10c FreeEnvironmentStringsW
 0x3dad110 GetEnvironmentStringsW
 0x3dad114 GetCommandLineW
 0x3dad118 SetHandleCount
 0x3dad11c GetFileType
 0x3dad120 GetStartupInfoA
 0x3dad124 TlsGetValue
 0x3dad128 TlsAlloc
 0x3dad12c TlsSetValue
 0x3dad130 TlsFree
 0x3dad134 InterlockedIncrement
 0x3dad138 GetCurrentThreadId
 0x3dad13c InterlockedDecrement
 0x3dad140 GetCurrentThread
 0x3dad144 QueryPerformanceCounter
 0x3dad148 GetTickCount
 0x3dad14c GetSystemTimeAsFileTime
 0x3dad150 SetFilePointer
 0x3dad154 WideCharToMultiByte
 0x3dad158 GetConsoleCP
 0x3dad15c GetConsoleMode
 0x3dad160 GetCPInfo
 0x3dad164 GetACP
 0x3dad168 GetOEMCP
 0x3dad16c IsValidCodePage
 0x3dad170 InitializeCriticalSectionAndSpinCount
 0x3dad174 FreeLibrary
 0x3dad178 InterlockedExchange
 0x3dad17c LoadLibraryA
 0x3dad180 MultiByteToWideChar
 0x3dad184 CloseHandle
 0x3dad188 CreateFileA
 0x3dad18c HeapSize
 0x3dad190 SetStdHandle
 0x3dad194 WriteConsoleA
 0x3dad198 GetConsoleOutputCP
 0x3dad19c WriteConsoleW
 0x3dad1a0 LCMapStringA
 0x3dad1a4 LCMapStringW
 0x3dad1a8 GetStringTypeA
 0x3dad1ac GetStringTypeW
 0x3dad1b0 GetTimeFormatA
 0x3dad1b4 GetDateFormatA
 0x3dad1b8 GetUserDefaultLCID
 0x3dad1bc GetLocaleInfoA
 0x3dad1c0 EnumSystemLocalesA
 0x3dad1c4 IsValidLocale
 0x3dad1c8 FlushFileBuffers
 0x3dad1cc ReadFile
 0x3dad1d0 SetEndOfFile
 0x3dad1d4 GetProcessHeap
 0x3dad1d8 CompareStringA
 0x3dad1dc GetModuleHandleA
USER32.dll
 0x3dad1e4 GetMonitorInfoA

EAT(Export Address Table) Library

0x443630 Cruso
0x443640 Gorgeous
0x443620 SeeYou
