Report - vbc.exe

Malicious Packer
Created 2021.04.13 11:35 Machine s1_win7_x6401
Filename vbc.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 7
Behavior Score 11.0
ZERO API (file) malware
VT API (file) 50 detected (AIDetect, malware1, malicious, high confidence, Siggen13, GenericKD, Unsafe, Save, Glupteba, ZexaF, xC1@aWfbpggG, Kryptik, Eldorado, Attribute, HighConfidence, HKIW, DropperX, Generickdz, Noon, CLOUD, Malware@#q38m3zrllukf, Static AI, Malicious PE, Mokes, kcloud, score, MalPE, R415312, BScope, Wacatac, Auto, ai score=100, GenKryptik, FDVZ, GdSda, confidence, 100%, HwoCcnIA)
md5 29e8627d7b80c21fc98c82314f3df5e2
sha256 98bf20a283219c4cc786234b7d389766fddbe3b095d13c9109f5406128e83103
ssdeep 6144:1wpTcyLItYxn3QDQN/rismCZyxB7HZ7g+xsoyEnGYgGI:1wpTd063QDQNSCZQB757txnG5l
imphash 9c90aa63bb435d1aab6db36d5bf4ee01
impfuzzy 48:qiFOLP8298TtWG6cjPMuD8cpNKd6ANZ7p61:qisL5ytWG6cjPF8cpNG64N0

Signatures (22)

Level Description
danger File has been identified by 50 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running)
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks if process is being debugged by a debugger
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (21)

Level Name Description Collection
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check Signature Zero binaries (download)
info OS_Processor_Check_Zero OS Processor Check Signature Zero binaries (upload)
info PE_Header_Zero PE File Signature Zero binaries (download)
info PE_Header_Zero PE File Signature Zero binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info HasOverlay Overlay Check binaries (download)
info HasOverlay Overlay Check binaries (upload)
info IsWindowsGUI (no description) binaries (download)
info IsWindowsGUI (no description) binaries (upload)
info win_files_operation Affect private profile binaries (download)
info win_files_operation Affect private profile binaries (upload)

Network (44)

Suricata IDS

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x3dad000 HeapReAlloc
 0x3dad004 RemoveVectoredExceptionHandler
 0x3dad008 EnumDateFormatsExW
 0x3dad00c FindResourceExW
 0x3dad010 WriteConsoleOutputCharacterA
 0x3dad014 LoadResource
 0x3dad018 SetWaitableTimer
 0x3dad01c GetCurrentProcess
 0x3dad020 HeapFree
 0x3dad024 GetModuleHandleExW
 0x3dad028 GlobalLock
 0x3dad02c CancelWaitableTimer
 0x3dad030 LockFile
 0x3dad034 SetTapeParameters
 0x3dad038 GetModuleHandleW
 0x3dad03c EnumCalendarInfoExW
 0x3dad040 TzSpecificLocalTimeToSystemTime
 0x3dad044 GetLocaleInfoW
 0x3dad048 GetSystemTimeAdjustment
 0x3dad04c InterlockedPopEntrySList
 0x3dad050 GetFileAttributesA
 0x3dad054 GetCompressedFileSizeA
 0x3dad058 GetTimeZoneInformation
 0x3dad05c GetEnvironmentVariableA
 0x3dad060 DisconnectNamedPipe
 0x3dad064 VirtualUnlock
 0x3dad068 GetConsoleAliasesW
 0x3dad06c GetProcAddress
 0x3dad070 GetAtomNameA
 0x3dad074 LocalAlloc
 0x3dad078 AddAtomA
 0x3dad07c GlobalFindAtomW
 0x3dad080 GlobalUnWire
 0x3dad084 lstrcatW
 0x3dad088 FatalExit
 0x3dad08c GetFileTime
 0x3dad090 GetConsoleCursorInfo
 0x3dad094 LocalFree
 0x3dad098 LCMapStringW
 0x3dad09c SetEnvironmentVariableA
 0x3dad0a0 CompareStringW
 0x3dad0a4 TerminateProcess
 0x3dad0a8 UnhandledExceptionFilter
 0x3dad0ac SetUnhandledExceptionFilter
 0x3dad0b0 IsDebuggerPresent
 0x3dad0b4 GetStartupInfoW
 0x3dad0b8 RaiseException
 0x3dad0bc RtlUnwind
 0x3dad0c0 HeapAlloc
 0x3dad0c4 GetLastError
 0x3dad0c8 EnterCriticalSection
 0x3dad0cc LeaveCriticalSection
 0x3dad0d0 TlsGetValue
 0x3dad0d4 TlsAlloc
 0x3dad0d8 TlsSetValue
 0x3dad0dc TlsFree
 0x3dad0e0 InterlockedIncrement
 0x3dad0e4 SetLastError
 0x3dad0e8 GetCurrentThreadId
 0x3dad0ec InterlockedDecrement
 0x3dad0f0 GetCurrentThread
 0x3dad0f4 Sleep
 0x3dad0f8 ExitProcess
 0x3dad0fc WriteFile
 0x3dad100 GetStdHandle
 0x3dad104 GetModuleFileNameA
 0x3dad108 GetModuleFileNameW
 0x3dad10c FreeEnvironmentStringsW
 0x3dad110 GetEnvironmentStringsW
 0x3dad114 GetCommandLineW
 0x3dad118 SetHandleCount
 0x3dad11c GetFileType
 0x3dad120 GetStartupInfoA
 0x3dad124 DeleteCriticalSection
 0x3dad128 HeapCreate
 0x3dad12c HeapDestroy
 0x3dad130 VirtualFree
 0x3dad134 QueryPerformanceCounter
 0x3dad138 GetTickCount
 0x3dad13c GetCurrentProcessId
 0x3dad140 GetSystemTimeAsFileTime
 0x3dad144 SetFilePointer
 0x3dad148 WideCharToMultiByte
 0x3dad14c GetConsoleCP
 0x3dad150 GetConsoleMode
 0x3dad154 GetCPInfo
 0x3dad158 GetACP
 0x3dad15c GetOEMCP
 0x3dad160 IsValidCodePage
 0x3dad164 FatalAppExitA
 0x3dad168 VirtualAlloc
 0x3dad16c MultiByteToWideChar
 0x3dad170 CloseHandle
 0x3dad174 CreateFileA
 0x3dad178 InitializeCriticalSectionAndSpinCount
 0x3dad17c HeapSize
 0x3dad180 SetConsoleCtrlHandler
 0x3dad184 FreeLibrary
 0x3dad188 InterlockedExchange
 0x3dad18c LoadLibraryA
 0x3dad190 SetStdHandle
 0x3dad194 WriteConsoleA
 0x3dad198 GetConsoleOutputCP
 0x3dad19c WriteConsoleW
 0x3dad1a0 LCMapStringA
 0x3dad1a4 GetStringTypeA
 0x3dad1a8 GetStringTypeW
 0x3dad1ac GetTimeFormatA
 0x3dad1b0 GetDateFormatA
 0x3dad1b4 GetUserDefaultLCID
 0x3dad1b8 GetLocaleInfoA
 0x3dad1bc EnumSystemLocalesA
 0x3dad1c0 IsValidLocale
 0x3dad1c4 FlushFileBuffers
 0x3dad1c8 ReadFile
 0x3dad1cc SetEndOfFile
 0x3dad1d0 GetProcessHeap
 0x3dad1d4 CompareStringA
 0x3dad1d8 GetModuleHandleA
USER32.dll
 0x3dad1e0 GetProcessDefaultLayout

EAT (Export Address Table) Library

0x4449c0 Lolipops
0x4449a0 NoMore
0x4449b0 Robin