Field | Value |
---|---|
Created | 2021.07.23 09:49 |
Machine | s1_win7_x6401 |
Filename | vbc.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 28 detected (AIDetect, malware1, malicious, high confidence, Zusy, Ulise, Unsafe, Save, confidence, 100%, Eldorado, Attribute, HighConfidence, Zbot, Generic ML PUA, ZPACK, ai score=80, VirRansom, score, BScope, Generic@ML, RDML, PNLQcA7FiKlrFB1i4pXUrQ, Static AI, Suspicious PE, ZexaF, hiZ@aGytgdk, QVM20) |
md5 | 422e50c25edd184233d2b19609cb1e05 |
sha256 | 7e0c5eb5f18d5313c39c806aeb2ee42b3ca22661c6c1aa2eb0fbead3948f6e26 |
ssdeep | 3072:lchVVVkt2oxTPENDu7RcCUlHfEjXnrs28eDxn4:lc7VGtJTPENqFcCUfEjXrJ5Dx4 |
imphash | ad7593902351b94d30c5d42690419916 |
impfuzzy | 12:8LmkdAH8YHzqN3PPSbo3IpiXzNXWGLNTXnUTXt1RpeXlzeXWqDeXW8+F1VOI/SE6:Knk8bNnSbAI6ZDNbStHpIl8XIc76E7e |
Network IP location
Signature (14cnts)
Level | Description |
---|---|
warning | File has been identified by 28 AntiVirus engines on VirusTotal as malicious |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client software |
watch | Harvests information related to installed instant messenger clients |
watch | Putty Files |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Moves the original executable to a new location |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid) |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (2cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
GDI32.dll
0x40300c CreateCompatibleDC
0x403010 SelectObject
0x403014 SetBoundsRect
0x403018 GetTextMetricsW
0x40301c GdiArtificialDecrementDriver
0x403020 AddFontResourceExA
0x403024 GetWorldTransform
SHLWAPI.dll
0x403040 PathCombineW
0x403044 SHRegOpenUSKeyW
0x403048 PathIsSystemFolderA
0x40304c StrNCatW
0x403050 StrCmpW
0x403054 PathFindExtensionW
0x403058 UrlUnescapeA
0x40305c UrlEscapeW
WINSPOOL.DRV
0x403064 None
0x403068 DeviceCapabilitiesA
0x40306c GetPrinterDataExW
0x403070 ConfigurePortA
0x403074 ConnectToPrinterDlg
0x403078 DevQueryPrint
0x40307c DeletePrinterDriverA
MSVFW32.dll
0x40302c None
0x403030 DrawDibBegin
0x403034 ICClose
0x403038 MCIWndCreate
AVIFIL32.dll
0x403000 AVIStreamOpenFromFileA
0x403004 AVIMakeStreamFromClipboard
EAT(Export Address Table) is none