ScreenShot
| Created | 2021.07.29 10:00 | Machine | s1_win7_x6402 |
| Filename | vbc.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 38 detected (AIDetect, malware1, malicious, high confidence, GenericKD, Artemis, Unsafe, Save, confidence, runner, ali1000123, GameHack, Eldorado, Attribute, HighConfidence, GenKryptik, FIBP, MalwareX, Inject4, Score, AGEN, ai score=99, kcloud, Tnega, FormBook, DNEOHJ, ZexaF, zuZ@aWZsVdde, BScope, MachineLearning, Anomalous, 100%, Generic@ML, RDML, NDYJWqSCQMsgdF2nPeOFug, Static AI, Suspicious PE, susgen, FIBB, Noon, HgIASZQA) | ||
| md5 | a584c1efdc2d5911278ab43d1fc671af | ||
| sha256 | 8c988a622b822f0fc226b928ab317dc7a6130b395f74a3e39c3443b275c93771 | ||
| ssdeep | 6144:3I9XKqGvBcQqh3SB5o4AOnBplAIeqnG/sLYGKYWRkynp9x:3QvGvOk5Ky0T6G4YGKrHLx | ||
| imphash | 4eb4fa387aa9e72a2c5a5335b8957253 | ||
| impfuzzy | 48:EEd0S1jtu5c+ppXHB/KAnBlX/EoLECuESC4QJGFqQEmSY0WwACS5EXRvlyP:ES1jtu5c+ppXHhHTxS | ||
Network IP location
Signature (9cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Created a process named as a common system process |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (11cnts) ?
Suricata ids
ET MALWARE FormBook CnC Checkin (GET)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x416010 WriteConsoleW
0x416014 CreateFileW
0x416018 CloseHandle
0x41601c DecodePointer
0x416020 GetConsoleMode
0x416024 GetConsoleOutputCP
0x416028 FlushFileBuffers
0x41602c HeapReAlloc
0x416030 HeapSize
0x416034 SetFilePointerEx
0x416038 VirtualProtect
0x41603c LCMapStringW
0x416040 GetStringTypeW
0x416044 SetStdHandle
0x416048 FreeEnvironmentStringsW
0x41604c GetEnvironmentStringsW
0x416050 WideCharToMultiByte
0x416054 MultiByteToWideChar
0x416058 GetCommandLineW
0x41605c CreateThread
0x416060 Sleep
0x416064 GetProcessHeap
0x416068 TerminateThread
0x41606c GetCommandLineA
0x416070 GetCPInfo
0x416074 GetOEMCP
0x416078 GetACP
0x41607c IsValidCodePage
0x416080 FindNextFileW
0x416084 FindFirstFileExW
0x416088 FindClose
0x41608c GetFileType
0x416090 QueryPerformanceCounter
0x416094 GetCurrentProcessId
0x416098 GetCurrentThreadId
0x41609c GetSystemTimeAsFileTime
0x4160a0 InitializeSListHead
0x4160a4 IsDebuggerPresent
0x4160a8 UnhandledExceptionFilter
0x4160ac SetUnhandledExceptionFilter
0x4160b0 GetStartupInfoW
0x4160b4 IsProcessorFeaturePresent
0x4160b8 GetModuleHandleW
0x4160bc GetCurrentProcess
0x4160c0 TerminateProcess
0x4160c4 RtlUnwind
0x4160c8 GetLastError
0x4160cc SetLastError
0x4160d0 EnterCriticalSection
0x4160d4 LeaveCriticalSection
0x4160d8 DeleteCriticalSection
0x4160dc InitializeCriticalSectionAndSpinCount
0x4160e0 TlsAlloc
0x4160e4 TlsGetValue
0x4160e8 TlsSetValue
0x4160ec TlsFree
0x4160f0 FreeLibrary
0x4160f4 GetProcAddress
0x4160f8 LoadLibraryExW
0x4160fc GetStdHandle
0x416100 WriteFile
0x416104 GetModuleFileNameW
0x416108 ExitProcess
0x41610c GetModuleHandleExW
0x416110 HeapFree
0x416114 HeapAlloc
0x416118 RaiseException
USER32.dll
0x416120 DefWindowProcW
0x416124 PostQuitMessage
0x416128 CreateWindowExA
0x41612c CreateWindowExW
0x416130 DestroyWindow
0x416134 EnableWindow
0x416138 SetForegroundWindow
0x41613c GetWindowRect
0x416140 GetWindowTextA
0x416144 MessageBoxA
0x416148 GetWindowTextLengthA
0x41614c UpdateWindow
0x416150 GetDC
0x416154 GrayStringA
0x416158 DispatchMessageW
0x41615c TranslateMessage
0x416160 GetMessageW
0x416164 AppendMenuW
0x416168 CreateMenu
0x41616c SetMenu
0x416170 LoadIconW
0x416174 RegisterClassW
0x416178 FillRect
0x41617c SetWindowTextA
0x416180 EndPaint
0x416184 BeginPaint
0x416188 SendMessageA
0x41618c GetWindow
0x416190 SetActiveWindow
0x416194 SendMessageW
0x416198 MessageBoxW
GDI32.dll
0x416000 SetDCPenColor
0x416004 GetStockObject
0x416008 SetBkMode
WS2_32.dll
0x4161a0 send
0x4161a4 closesocket
0x4161a8 connect
0x4161ac htons
0x4161b0 recv
0x4161b4 socket
0x4161b8 gethostbyname
0x4161bc WSAStartup
0x4161c0 WSACleanup
EAT(Export Address Table) is none
KERNEL32.dll
0x416010 WriteConsoleW
0x416014 CreateFileW
0x416018 CloseHandle
0x41601c DecodePointer
0x416020 GetConsoleMode
0x416024 GetConsoleOutputCP
0x416028 FlushFileBuffers
0x41602c HeapReAlloc
0x416030 HeapSize
0x416034 SetFilePointerEx
0x416038 VirtualProtect
0x41603c LCMapStringW
0x416040 GetStringTypeW
0x416044 SetStdHandle
0x416048 FreeEnvironmentStringsW
0x41604c GetEnvironmentStringsW
0x416050 WideCharToMultiByte
0x416054 MultiByteToWideChar
0x416058 GetCommandLineW
0x41605c CreateThread
0x416060 Sleep
0x416064 GetProcessHeap
0x416068 TerminateThread
0x41606c GetCommandLineA
0x416070 GetCPInfo
0x416074 GetOEMCP
0x416078 GetACP
0x41607c IsValidCodePage
0x416080 FindNextFileW
0x416084 FindFirstFileExW
0x416088 FindClose
0x41608c GetFileType
0x416090 QueryPerformanceCounter
0x416094 GetCurrentProcessId
0x416098 GetCurrentThreadId
0x41609c GetSystemTimeAsFileTime
0x4160a0 InitializeSListHead
0x4160a4 IsDebuggerPresent
0x4160a8 UnhandledExceptionFilter
0x4160ac SetUnhandledExceptionFilter
0x4160b0 GetStartupInfoW
0x4160b4 IsProcessorFeaturePresent
0x4160b8 GetModuleHandleW
0x4160bc GetCurrentProcess
0x4160c0 TerminateProcess
0x4160c4 RtlUnwind
0x4160c8 GetLastError
0x4160cc SetLastError
0x4160d0 EnterCriticalSection
0x4160d4 LeaveCriticalSection
0x4160d8 DeleteCriticalSection
0x4160dc InitializeCriticalSectionAndSpinCount
0x4160e0 TlsAlloc
0x4160e4 TlsGetValue
0x4160e8 TlsSetValue
0x4160ec TlsFree
0x4160f0 FreeLibrary
0x4160f4 GetProcAddress
0x4160f8 LoadLibraryExW
0x4160fc GetStdHandle
0x416100 WriteFile
0x416104 GetModuleFileNameW
0x416108 ExitProcess
0x41610c GetModuleHandleExW
0x416110 HeapFree
0x416114 HeapAlloc
0x416118 RaiseException
USER32.dll
0x416120 DefWindowProcW
0x416124 PostQuitMessage
0x416128 CreateWindowExA
0x41612c CreateWindowExW
0x416130 DestroyWindow
0x416134 EnableWindow
0x416138 SetForegroundWindow
0x41613c GetWindowRect
0x416140 GetWindowTextA
0x416144 MessageBoxA
0x416148 GetWindowTextLengthA
0x41614c UpdateWindow
0x416150 GetDC
0x416154 GrayStringA
0x416158 DispatchMessageW
0x41615c TranslateMessage
0x416160 GetMessageW
0x416164 AppendMenuW
0x416168 CreateMenu
0x41616c SetMenu
0x416170 LoadIconW
0x416174 RegisterClassW
0x416178 FillRect
0x41617c SetWindowTextA
0x416180 EndPaint
0x416184 BeginPaint
0x416188 SendMessageA
0x41618c GetWindow
0x416190 SetActiveWindow
0x416194 SendMessageW
0x416198 MessageBoxW
GDI32.dll
0x416000 SetDCPenColor
0x416004 GetStockObject
0x416008 SetBkMode
WS2_32.dll
0x4161a0 send
0x4161a4 closesocket
0x4161a8 connect
0x4161ac htons
0x4161b0 recv
0x4161b4 socket
0x4161b8 gethostbyname
0x4161bc WSAStartup
0x4161c0 WSACleanup
EAT(Export Address Table) is none