ScreenShot
| Created | 2021.07.14 17:02 | Machine | s1_win7_x6402 |
| Filename | vbc.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 59 detected (NeshtaB, malicious, high confidence, score, Neshta, HLLP, Unsafe, Neshuta, confidence, 100%, OBIX, Winlock, fmobyw, Apanas, CLASSIC, A + W32, A@3ypg, Static AI, Malicious PE, ASVirus, FileInfector, ai score=81, GenAsa, Mo0tdcmmg3o) | ||
| md5 | 7cb96438c874f4727c226553d9ca8a18 | ||
| sha256 | 7d101535e807718e3f9063db9c70d19b102f262a8ed7b07e15846cb29b755d9a | ||
| ssdeep | 3072:sr85CoPRFbdcoAgQagrV50xRdXjbHxBkfJpRXATwMdFCcGbzP:k9aTaYpgrVudXXHxqjIKb | ||
| imphash | 9f4693fc0c511135129493f2161d1e86 | ||
| impfuzzy | 48:8cfpH9rngO0Mw+4Qk90pvn3O4Ga5tQ4w6T3:8cfpHZgO0MJ430pv3l | ||
Network IP location
Signature (26cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 59 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| watch | Installs itself for autorun at Windows startup |
| watch | Putty Files |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Moves the original executable to a new location |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
Rules (32cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_PWS_Loki_Zero | Win32 PWS Loki | memory |
| danger | Win32_Trojan_Emotet_1_Zero | Win32 Trojan Emotet | binaries (download) |
| danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
| danger | Win32_Trojan_Emotet_RL_Gen_Zero | Win32 Trojan Emotet | binaries (download) |
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | NSIS_Installer | Null Soft Installer | binaries (download) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (download) |
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
| notice | Network_DNS | Communications use DNS | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
| info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
PE API
IAT(Import Address Table) Library
kernel32.dll
0x4150dc DeleteCriticalSection
0x4150e0 LeaveCriticalSection
0x4150e4 EnterCriticalSection
0x4150e8 InitializeCriticalSection
0x4150ec VirtualFree
0x4150f0 VirtualAlloc
0x4150f4 LocalFree
0x4150f8 LocalAlloc
0x4150fc GetVersion
0x415100 GetCurrentThreadId
0x415104 GetThreadLocale
0x415108 GetStartupInfoA
0x41510c GetLocaleInfoA
0x415110 GetCommandLineA
0x415114 FreeLibrary
0x415118 ExitProcess
0x41511c WriteFile
0x415120 UnhandledExceptionFilter
0x415124 RtlUnwind
0x415128 RaiseException
0x41512c GetStdHandle
user32.dll
0x415134 GetKeyboardType
0x415138 MessageBoxA
advapi32.dll
0x415140 RegQueryValueExA
0x415144 RegOpenKeyExA
0x415148 RegCloseKey
oleaut32.dll
0x415150 SysFreeString
0x415154 SysReAllocStringLen
kernel32.dll
0x41515c TlsSetValue
0x415160 TlsGetValue
0x415164 LocalAlloc
0x415168 GetModuleHandleA
advapi32.dll
0x415170 RegSetValueExA
0x415174 RegOpenKeyExA
0x415178 RegCloseKey
kernel32.dll
0x415180 WriteFile
0x415184 WinExec
0x415188 SetFilePointer
0x41518c SetFileAttributesA
0x415190 SetEndOfFile
0x415194 SetCurrentDirectoryA
0x415198 ReleaseMutex
0x41519c ReadFile
0x4151a0 GetWindowsDirectoryA
0x4151a4 GetTempPathA
0x4151a8 GetShortPathNameA
0x4151ac GetModuleFileNameA
0x4151b0 GetLogicalDriveStringsA
0x4151b4 GetLocalTime
0x4151b8 GetLastError
0x4151bc GetFileSize
0x4151c0 GetFileAttributesA
0x4151c4 GetDriveTypeA
0x4151c8 GetCommandLineA
0x4151cc FreeLibrary
0x4151d0 FindNextFileA
0x4151d4 FindFirstFileA
0x4151d8 FindClose
0x4151dc DeleteFileA
0x4151e0 CreateMutexA
0x4151e4 CreateFileA
0x4151e8 CreateDirectoryA
0x4151ec CloseHandle
gdi32.dll
0x4151f4 StretchDIBits
0x4151f8 SetDIBits
0x4151fc SelectObject
0x415200 GetObjectA
0x415204 GetDIBits
0x415208 DeleteObject
0x41520c DeleteDC
0x415210 CreateSolidBrush
0x415214 CreateDIBSection
0x415218 CreateCompatibleDC
0x41521c CreateCompatibleBitmap
0x415220 BitBlt
user32.dll
0x415228 ReleaseDC
0x41522c GetSysColor
0x415230 GetIconInfo
0x415234 GetDC
0x415238 FillRect
0x41523c DestroyIcon
0x415240 CopyImage
0x415244 CharLowerBuffA
shell32.dll
0x41524c ShellExecuteA
0x415250 ExtractIconA
EAT(Export Address Table) is none
kernel32.dll
0x4150dc DeleteCriticalSection
0x4150e0 LeaveCriticalSection
0x4150e4 EnterCriticalSection
0x4150e8 InitializeCriticalSection
0x4150ec VirtualFree
0x4150f0 VirtualAlloc
0x4150f4 LocalFree
0x4150f8 LocalAlloc
0x4150fc GetVersion
0x415100 GetCurrentThreadId
0x415104 GetThreadLocale
0x415108 GetStartupInfoA
0x41510c GetLocaleInfoA
0x415110 GetCommandLineA
0x415114 FreeLibrary
0x415118 ExitProcess
0x41511c WriteFile
0x415120 UnhandledExceptionFilter
0x415124 RtlUnwind
0x415128 RaiseException
0x41512c GetStdHandle
user32.dll
0x415134 GetKeyboardType
0x415138 MessageBoxA
advapi32.dll
0x415140 RegQueryValueExA
0x415144 RegOpenKeyExA
0x415148 RegCloseKey
oleaut32.dll
0x415150 SysFreeString
0x415154 SysReAllocStringLen
kernel32.dll
0x41515c TlsSetValue
0x415160 TlsGetValue
0x415164 LocalAlloc
0x415168 GetModuleHandleA
advapi32.dll
0x415170 RegSetValueExA
0x415174 RegOpenKeyExA
0x415178 RegCloseKey
kernel32.dll
0x415180 WriteFile
0x415184 WinExec
0x415188 SetFilePointer
0x41518c SetFileAttributesA
0x415190 SetEndOfFile
0x415194 SetCurrentDirectoryA
0x415198 ReleaseMutex
0x41519c ReadFile
0x4151a0 GetWindowsDirectoryA
0x4151a4 GetTempPathA
0x4151a8 GetShortPathNameA
0x4151ac GetModuleFileNameA
0x4151b0 GetLogicalDriveStringsA
0x4151b4 GetLocalTime
0x4151b8 GetLastError
0x4151bc GetFileSize
0x4151c0 GetFileAttributesA
0x4151c4 GetDriveTypeA
0x4151c8 GetCommandLineA
0x4151cc FreeLibrary
0x4151d0 FindNextFileA
0x4151d4 FindFirstFileA
0x4151d8 FindClose
0x4151dc DeleteFileA
0x4151e0 CreateMutexA
0x4151e4 CreateFileA
0x4151e8 CreateDirectoryA
0x4151ec CloseHandle
gdi32.dll
0x4151f4 StretchDIBits
0x4151f8 SetDIBits
0x4151fc SelectObject
0x415200 GetObjectA
0x415204 GetDIBits
0x415208 DeleteObject
0x41520c DeleteDC
0x415210 CreateSolidBrush
0x415214 CreateDIBSection
0x415218 CreateCompatibleDC
0x41521c CreateCompatibleBitmap
0x415220 BitBlt
user32.dll
0x415228 ReleaseDC
0x41522c GetSysColor
0x415230 GetIconInfo
0x415234 GetDC
0x415238 FillRect
0x41523c DestroyIcon
0x415240 CopyImage
0x415244 CharLowerBuffA
shell32.dll
0x41524c ShellExecuteA
0x415250 ExtractIconA
EAT(Export Address Table) is none