Field | Value
---|---
Created | 2021.04.16 10:14
Machine | s1_win7_x6402
Filename | vbc.exe
Type | PE32 executable (GUI) Intel 80386, for MS Windows
AI Score | 
Behavior Score | 
ZERO API | file : malware
VT API (file) | 42 detected (AIDetect, malware1, malicious, high confidence, GenericKD, Unsafe, Kryptik, Save, runner, ali1000123, Eldorado, Attribute, HighConfidence, HKKV, DropperX, Noon, Auto, R + Troj, Outbreak, ai score=100, Ranumbot, FormBook, 1KSJRB, score, Generic PWS, R06CC0DDF21, CLOUD, Static AI, Malicious PE, HKKO, ZexaF, vCX@a8uVUqpG, confidence, 100%, HwoCmkQA)
md5 | fb861097be51a4c1f963c83f6d6053fb
sha256 | 7834211343251375fd593b99c6d64a9c9cd90acb68d0f3970a9c964ad193c1b3
ssdeep | 6144:CHpP/LXH8RjIHp9bIYFUqQPMq9VmUDsxggqqOQhvpNcJ:CHpnjcxc/bInqpYmUDsqgeep
imphash | d8e510e75f08ae7ad94173898ac39289
impfuzzy | 48:c4MwMLwcweG3tpMuDIK6c8Kd1+nNZLKp6xE:c4MLLwkG3tpFIK6c8G1+HIr
Network IP location
Signature (18cnts)
Level | Description |
---|---|
danger | File has been identified by 42 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Communicates with host for which no DNS query was performed |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks if process is being debugged by a debugger |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (14cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | HasOverlay | Overlay Check | binaries (upload) |
info | IsPacked | Entropy Check | binaries (upload) |
info | IsWindowsGUI | (no description) | binaries (upload) |
info | win_files_operation | Affect private profile | binaries (upload) |
Network (51cnts)
Suricata IDs
ET MALWARE FormBook CnC Checkin (GET)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0xa20000 GetEnvironmentVariableW
0xa20004 RemoveVectoredExceptionHandler
0xa20008 WriteConsoleOutputCharacterW
0xa2000c GetModuleHandleExA
0xa20010 GetLocaleInfoA
0xa20014 FindResourceExW
0xa20018 FindResourceW
0xa2001c LoadResource
0xa20020 SystemTimeToTzSpecificLocalTime
0xa20024 InterlockedIncrement
0xa20028 SetConsoleTextAttribute
0xa2002c CancelWaitableTimer
0xa20030 ConnectNamedPipe
0xa20034 GetConsoleAliasesA
0xa20038 SetFileTime
0xa2003c GetCompressedFileSizeW
0xa20040 GlobalFindAtomA
0xa20044 SetSystemTimeAdjustment
0xa20048 GetFileAttributesA
0xa2004c SetTimeZoneInformation
0xa20050 TerminateProcess
0xa20054 FileTimeToSystemTime
0xa20058 ReadFile
0xa2005c GlobalUnlock
0xa20060 GetConsoleOutputCP
0xa20064 SetLastError
0xa20068 GetAtomNameA
0xa2006c OpenWaitableTimerW
0xa20070 LocalAlloc
0xa20074 AddAtomA
0xa20078 GetTapeParameters
0xa2007c GlobalUnWire
0xa20080 VirtualProtect
0xa20084 GetCurrentProcessId
0xa20088 LocalFree
0xa2008c lstrcpyW
0xa20090 SetFileAttributesW
0xa20094 SetEnvironmentVariableA
0xa20098 CompareStringW
0xa2009c GetStartupInfoW
0xa200a0 RaiseException
0xa200a4 RtlUnwind
0xa200a8 GetCurrentProcess
0xa200ac UnhandledExceptionFilter
0xa200b0 SetUnhandledExceptionFilter
0xa200b4 IsDebuggerPresent
0xa200b8 HeapAlloc
0xa200bc GetLastError
0xa200c0 HeapFree
0xa200c4 GetModuleHandleW
0xa200c8 Sleep
0xa200cc GetProcAddress
0xa200d0 ExitProcess
0xa200d4 WriteFile
0xa200d8 GetStdHandle
0xa200dc GetModuleFileNameA
0xa200e0 GetModuleFileNameW
0xa200e4 FreeEnvironmentStringsW
0xa200e8 GetEnvironmentStringsW
0xa200ec GetCommandLineW
0xa200f0 SetHandleCount
0xa200f4 GetFileType
0xa200f8 GetStartupInfoA
0xa200fc DeleteCriticalSection
0xa20100 TlsGetValue
0xa20104 TlsAlloc
0xa20108 TlsSetValue
0xa2010c TlsFree
0xa20110 GetCurrentThreadId
0xa20114 InterlockedDecrement
0xa20118 GetCurrentThread
0xa2011c HeapCreate
0xa20120 HeapDestroy
0xa20124 VirtualFree
0xa20128 QueryPerformanceCounter
0xa2012c GetTickCount
0xa20130 GetSystemTimeAsFileTime
0xa20134 SetFilePointer
0xa20138 WideCharToMultiByte
0xa2013c GetConsoleCP
0xa20140 GetConsoleMode
0xa20144 EnterCriticalSection
0xa20148 LeaveCriticalSection
0xa2014c GetCPInfo
0xa20150 GetACP
0xa20154 GetOEMCP
0xa20158 IsValidCodePage
0xa2015c FatalAppExitA
0xa20160 VirtualAlloc
0xa20164 HeapReAlloc
0xa20168 HeapSize
0xa2016c SetConsoleCtrlHandler
0xa20170 FreeLibrary
0xa20174 InterlockedExchange
0xa20178 LoadLibraryA
0xa2017c InitializeCriticalSectionAndSpinCount
0xa20180 SetStdHandle
0xa20184 WriteConsoleA
0xa20188 WriteConsoleW
0xa2018c MultiByteToWideChar
0xa20190 LCMapStringA
0xa20194 LCMapStringW
0xa20198 GetStringTypeA
0xa2019c GetStringTypeW
0xa201a0 GetTimeFormatA
0xa201a4 GetDateFormatA
0xa201a8 GetUserDefaultLCID
0xa201ac EnumSystemLocalesA
0xa201b0 IsValidLocale
0xa201b4 GetLocaleInfoW
0xa201b8 CreateFileA
0xa201bc CloseHandle
0xa201c0 FlushFileBuffers
0xa201c4 GetTimeZoneInformation
0xa201c8 CompareStringA
0xa201cc GetModuleHandleA
USER32.dll
0xa201d4 GetMonitorInfoA
EAT (Export Address Table) Library
0x43f0a0 Gorgeous
0x43f090 Probka