Field | Value |
---|---|
Created | 2021.04.14 08:01 |
Machine | s1_win7_x6401 |
Filename | vbc.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 28 detected (AIDetect, malware1, malicious, high confidence, Unsafe, Save, ZexaF, wCX@amS1cOpG, Kryptik, Eldorado, Attribute, HighConfidence, HKJF, Noon, ET#81%, RDMK, cmRtazr9p0+3Wm1C5UjDuMeyISeT, Kredoor, Wacatac, score, MalPE, R415606, Artemis, Auto, Static AI, Malicious PE, GenKryptik, FDXJ, confidence, QVM10) |
md5 | 6cf0200d66b943e0c41ce00807ffe6c8 |
sha256 | 9d2688c35966c4ba68ca34f8274f34e6bc5e0e62e1d40ce4a3073149e841d8b4 |
ssdeep | 6144:43yAPECLO4dK/eNvPosSj3nBXDoA35F/hH6NCSfUEne2:43yAf8eNvrSTnVDoA35F/hYVe |
imphash | 1c198acdc88e6433341d82c12cfad0a9 |
impfuzzy | 48:Y201OdzbaZLeG1tMcvXuyD9CKdpnNZ7p6xE:Y20cVaZ6G1tMcvpD9CGpHNr |
Network IP location
Signature (18cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
warning | File has been identified by 28 AntiVirus engines on VirusTotal as malicious |
warning | Generates some ICMP traffic |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks if process is being debugged by a debugger |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (14cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | HasOverlay | Overlay Check | binaries (upload) |
info | IsPacked | Entropy Check | binaries (upload) |
info | IsWindowsGUI | (no description) | binaries (upload) |
info | win_files_operation | Affect private profile | binaries (upload) |
Network (42cnts)
Suricata ids
ET MALWARE FormBook CnC Checkin (GET)
ET INFO HTTP POST Request to Suspicious *.icu domain
ET INFO DNS Query for Suspicious .icu Domain
ET INFO HTTP POST Request to Suspicious *.icu domain
ET INFO DNS Query for Suspicious .icu Domain
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x3dad000 ExitProcess
0x3dad004 RemoveVectoredExceptionHandler
0x3dad008 FindResourceA
0x3dad00c WriteConsoleOutputCharacterA
0x3dad010 SystemTimeToTzSpecificLocalTime
0x3dad014 HeapAlloc
0x3dad018 SetWaitableTimer
0x3dad01c HeapFree
0x3dad020 GetModuleHandleExW
0x3dad024 LockFile
0x3dad028 SetTapeParameters
0x3dad02c GetCompressedFileSizeW
0x3dad030 FindResourceExA
0x3dad034 GlobalAlloc
0x3dad038 GetLocaleInfoW
0x3dad03c SizeofResource
0x3dad040 SetSystemTimeAdjustment
0x3dad044 GetFileAttributesA
0x3dad048 GetExitCodeProcess
0x3dad04c GetAtomNameW
0x3dad050 GetTimeZoneInformation
0x3dad054 GetEnvironmentVariableA
0x3dad058 GlobalUnlock
0x3dad05c DisconnectNamedPipe
0x3dad060 VirtualUnlock
0x3dad064 GetConsoleAliasesW
0x3dad068 SetLastError
0x3dad06c OpenWaitableTimerW
0x3dad070 SetConsoleCtrlHandler
0x3dad074 SetConsoleOutputCP
0x3dad078 AddAtomA
0x3dad07c GlobalFindAtomW
0x3dad080 GlobalUnWire
0x3dad084 lstrcatW
0x3dad088 VirtualProtect
0x3dad08c GetFileTime
0x3dad090 GetCurrentProcessId
0x3dad094 LocalFree
0x3dad098 SetFileAttributesW
0x3dad09c LocalFileTimeToFileTime
0x3dad0a0 SetEnvironmentVariableA
0x3dad0a4 CompareStringW
0x3dad0a8 GetStartupInfoW
0x3dad0ac RaiseException
0x3dad0b0 RtlUnwind
0x3dad0b4 TerminateProcess
0x3dad0b8 GetCurrentProcess
0x3dad0bc UnhandledExceptionFilter
0x3dad0c0 SetUnhandledExceptionFilter
0x3dad0c4 IsDebuggerPresent
0x3dad0c8 GetLastError
0x3dad0cc DeleteCriticalSection
0x3dad0d0 LeaveCriticalSection
0x3dad0d4 FatalAppExitA
0x3dad0d8 EnterCriticalSection
0x3dad0dc VirtualFree
0x3dad0e0 VirtualAlloc
0x3dad0e4 HeapReAlloc
0x3dad0e8 HeapCreate
0x3dad0ec HeapDestroy
0x3dad0f0 GetModuleHandleW
0x3dad0f4 Sleep
0x3dad0f8 GetProcAddress
0x3dad0fc WriteFile
0x3dad100 GetStdHandle
0x3dad104 GetModuleFileNameA
0x3dad108 GetModuleFileNameW
0x3dad10c FreeEnvironmentStringsW
0x3dad110 GetEnvironmentStringsW
0x3dad114 GetCommandLineW
0x3dad118 SetHandleCount
0x3dad11c GetFileType
0x3dad120 GetStartupInfoA
0x3dad124 TlsGetValue
0x3dad128 TlsAlloc
0x3dad12c TlsSetValue
0x3dad130 TlsFree
0x3dad134 InterlockedIncrement
0x3dad138 GetCurrentThreadId
0x3dad13c InterlockedDecrement
0x3dad140 GetCurrentThread
0x3dad144 QueryPerformanceCounter
0x3dad148 GetTickCount
0x3dad14c GetSystemTimeAsFileTime
0x3dad150 SetFilePointer
0x3dad154 WideCharToMultiByte
0x3dad158 GetConsoleCP
0x3dad15c GetConsoleMode
0x3dad160 GetCPInfo
0x3dad164 GetACP
0x3dad168 GetOEMCP
0x3dad16c IsValidCodePage
0x3dad170 InitializeCriticalSectionAndSpinCount
0x3dad174 FreeLibrary
0x3dad178 InterlockedExchange
0x3dad17c LoadLibraryA
0x3dad180 MultiByteToWideChar
0x3dad184 CloseHandle
0x3dad188 CreateFileA
0x3dad18c HeapSize
0x3dad190 SetStdHandle
0x3dad194 WriteConsoleA
0x3dad198 GetConsoleOutputCP
0x3dad19c WriteConsoleW
0x3dad1a0 LCMapStringA
0x3dad1a4 LCMapStringW
0x3dad1a8 GetStringTypeA
0x3dad1ac GetStringTypeW
0x3dad1b0 GetTimeFormatA
0x3dad1b4 GetDateFormatA
0x3dad1b8 GetUserDefaultLCID
0x3dad1bc GetLocaleInfoA
0x3dad1c0 EnumSystemLocalesA
0x3dad1c4 IsValidLocale
0x3dad1c8 FlushFileBuffers
0x3dad1cc ReadFile
0x3dad1d0 SetEndOfFile
0x3dad1d4 GetProcessHeap
0x3dad1d8 CompareStringA
0x3dad1dc GetModuleHandleA
USER32.dll
0x3dad1e4 GetMonitorInfoA
EAT (Export Address Table) Library
0x4434d0 Cruso
0x4434e0 Gorgeous
0x4434c0 SeeYou