popup

Report - vbc.exe

UPX Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.08.04 09:30 Machine s1_win7_x6401
Filename vbc.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
5
 Behavior Score
9.4
ZERO API file : clean
VT API (file) 27 detected (AIDetect, malware2, malicious, high confidence, Unsafe, Remcos, Delf, Eldorado, Attribute, HighConfidence, RATX, Inject4, kcloud, score, Artemis, F0D1C00H321, Outbreak, susgen, GenKryptik, FHZQ, ZelphiCO, QKW@aKexQghi)
md5 811ea41e60760a97b5f28973618728fe
sha256 e6bd5f8475731bcca5f6b74327a68ee4b7fa5b0662521feff1d92424da149151
ssdeep 12288:CHuv6TaXda6yswPypNz+w5cUsCPFExCUaMliTE5pPYrfFyA:466ga6ys0Kz+wHpzUEoRYrt
imphash 1379487e213e9660a192f7f9b27f1132
impfuzzy 192:o13MDbuu0DSUvK9Dso1XE+o7JGNQG1Q+POQnk:C3m0I9vN1vPOQk
  Network IP location

Signature (21cnts)

Level Description
warning File has been identified by 27 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Communicates with host for which no DNS query was performed
watch Creates a thread using CreateRemoteThread in a non-child process indicative of process injection
watch Installs itself for autorun at Windows startup
watch Manipulates memory of a non-child process indicative of process injection
watch Network activity contains more than one unique useragent
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Command line console output was observed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer

Rules (38cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Network_Downloader File Downloader memory
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
notice Create_Service Create a windows service memory
notice Escalate_priviledges Escalate priviledges memory
notice KeyLogger Run a KeyLogger memory
notice local_credential_Steal Steal credential memory
notice Network_DGA Communication using DGA memory
notice Network_DNS Communications use DNS memory
notice Network_FTP Communications over FTP memory
notice Network_HTTP Communications over HTTP memory
notice Network_P2P_Win Communications over P2P network memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice ScreenShot Take ScreenShot memory
notice Sniff_Audio Record Audio memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info antisb_threatExpert Anti-Sandbox checks for ThreatExpert memory
info Check_Dlls (no description) memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerCheck__RemoteAPI (no description) memory
info DebuggerException__ConsoleCtrl (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info win_hook Affect hook table memory

Network (8cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://pxqklq.sn.files.1drv.com/y4mg89f-6gcTFt9nUg_sEWMZaxANJtZ7KMjeZ0uFle33_KPtwBN9B0K_qoN_QPW8-byP6qrtoBYRbmXkpxTfUEwpZw0wySpJMYbHpVDFh2dOM7ne3-MhDZuyyuEwohpk8dvJeVWBT5AKYXBF-NbNEZsYXHQNDDBsuQsiryuQGYcsAfYHYZN-weN5jSSBfsDTCFTZZm_cNa_kvhnRO1TegqIKQ/Fdhl
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.12 clean
https://onedrive.live.com/download?cid=7AD84143EE0A85E3&resid=7AD84143EE0A85E3%21114&authkey=AMU_VwbYanb_5vQ
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.13 clean
https://pxqklq.sn.files.1drv.com/y4mlEcSPiQ-xLrMA-uh5-6zES3qzdkrPd7A5sYKVbpPegFaYO84OWiK8q0VzRB27zPc8qeNTbVrZt4hFA0ar9IFBGmPjFZnMRcioeM52jkL2S4YC9Dq0PgHm29CPXplS79VoZe87r8wmy0DOvZBoR7VAYdgeMTyyH2LEkzqpCHM9TcUnaHZgslTFHWnAvibAiQUKUAknvMUxEjV5lSOE0XPhw/Fdhl
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.12 clean
pxqklq.sn.files.1drv.com
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.12 clean
onedrive.live.com
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.13 mailcious
13.107.42.13
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.13 mailcious
103.200.22.212
whois
VN The Corporation for Financing & Promoting Technology 103.200.22.212 clean
13.107.42.12
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.12 malware

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

PE API

IAT(Import Address Table) Library

oleaut32.dll
 0x467770 SysFreeString
 0x467774 SysReAllocStringLen
 0x467778 SysAllocStringLen
advapi32.dll
 0x467780 RegQueryValueExA
 0x467784 RegOpenKeyExA
 0x467788 RegCloseKey
user32.dll
 0x467790 GetKeyboardType
 0x467794 DestroyWindow
 0x467798 LoadStringA
 0x46779c MessageBoxA
 0x4677a0 CharNextA
kernel32.dll
 0x4677a8 GetACP
 0x4677ac Sleep
 0x4677b0 VirtualFree
 0x4677b4 VirtualAlloc
 0x4677b8 GetCurrentThreadId
 0x4677bc InterlockedDecrement
 0x4677c0 InterlockedIncrement
 0x4677c4 VirtualQuery
 0x4677c8 WideCharToMultiByte
 0x4677cc MultiByteToWideChar
 0x4677d0 lstrlenA
 0x4677d4 lstrcpynA
 0x4677d8 LoadLibraryExA
 0x4677dc GetThreadLocale
 0x4677e0 GetStartupInfoA
 0x4677e4 GetProcAddress
 0x4677e8 GetModuleHandleA
 0x4677ec GetModuleFileNameA
 0x4677f0 GetLocaleInfoA
 0x4677f4 GetCommandLineA
 0x4677f8 FreeLibrary
 0x4677fc FindFirstFileA
 0x467800 FindClose
 0x467804 ExitProcess
 0x467808 CompareStringA
 0x46780c WriteFile
 0x467810 UnhandledExceptionFilter
 0x467814 RtlUnwind
 0x467818 RaiseException
 0x46781c GetStdHandle
kernel32.dll
 0x467824 TlsSetValue
 0x467828 TlsGetValue
 0x46782c LocalAlloc
 0x467830 GetModuleHandleA
user32.dll
 0x467838 CreateWindowExA
 0x46783c WindowFromPoint
 0x467840 WaitMessage
 0x467844 UpdateWindow
 0x467848 UnregisterClassA
 0x46784c UnhookWindowsHookEx
 0x467850 TranslateMessage
 0x467854 TranslateMDISysAccel
 0x467858 TrackPopupMenu
 0x46785c SystemParametersInfoA
 0x467860 ShowWindow
 0x467864 ShowScrollBar
 0x467868 ShowOwnedPopups
 0x46786c SetWindowsHookExA
 0x467870 SetWindowPos
 0x467874 SetWindowPlacement
 0x467878 SetWindowLongW
 0x46787c SetWindowLongA
 0x467880 SetTimer
 0x467884 SetScrollRange
 0x467888 SetScrollPos
 0x46788c SetScrollInfo
 0x467890 SetRect
 0x467894 SetPropA
 0x467898 SetParent
 0x46789c SetMenuItemInfoA
 0x4678a0 SetMenu
 0x4678a4 SetForegroundWindow
 0x4678a8 SetFocus
 0x4678ac SetCursor
 0x4678b0 SetClipboardData
 0x4678b4 SetClassLongA
 0x4678b8 SetCapture
 0x4678bc SetActiveWindow
 0x4678c0 SendMessageW
 0x4678c4 SendMessageA
 0x4678c8 ScrollWindow
 0x4678cc ScreenToClient
 0x4678d0 RemovePropA
 0x4678d4 RemoveMenu
 0x4678d8 ReleaseDC
 0x4678dc ReleaseCapture
 0x4678e0 RegisterWindowMessageA
 0x4678e4 RegisterClipboardFormatA
 0x4678e8 RegisterClassA
 0x4678ec RedrawWindow
 0x4678f0 PtInRect
 0x4678f4 PostQuitMessage
 0x4678f8 PostMessageA
 0x4678fc PeekMessageW
 0x467900 PeekMessageA
 0x467904 OpenClipboard
 0x467908 OffsetRect
 0x46790c OemToCharA
 0x467910 MessageBoxA
 0x467914 MessageBeep
 0x467918 MapWindowPoints
 0x46791c MapVirtualKeyA
 0x467920 LoadStringA
 0x467924 LoadKeyboardLayoutA
 0x467928 LoadIconA
 0x46792c LoadCursorA
 0x467930 LoadBitmapA
 0x467934 KillTimer
 0x467938 IsZoomed
 0x46793c IsWindowVisible
 0x467940 IsWindowUnicode
 0x467944 IsWindowEnabled
 0x467948 IsWindow
 0x46794c IsRectEmpty
 0x467950 IsIconic
 0x467954 IsDialogMessageW
 0x467958 IsDialogMessageA
 0x46795c IsChild
 0x467960 InvalidateRect
 0x467964 IntersectRect
 0x467968 InsertMenuItemA
 0x46796c InsertMenuA
 0x467970 InflateRect
 0x467974 GetWindowThreadProcessId
 0x467978 GetWindowTextA
 0x46797c GetWindowRect
 0x467980 GetWindowPlacement
 0x467984 GetWindowLongW
 0x467988 GetWindowLongA
 0x46798c GetWindowDC
 0x467990 GetTopWindow
 0x467994 GetSystemMetrics
 0x467998 GetSystemMenu
 0x46799c GetSysColorBrush
 0x4679a0 GetSysColor
 0x4679a4 GetSubMenu
 0x4679a8 GetScrollRange
 0x4679ac GetScrollPos
 0x4679b0 GetScrollInfo
 0x4679b4 GetPropA
 0x4679b8 GetParent
 0x4679bc GetWindow
 0x4679c0 GetMessagePos
 0x4679c4 GetMenuStringA
 0x4679c8 GetMenuState
 0x4679cc GetMenuItemInfoA
 0x4679d0 GetMenuItemID
 0x4679d4 GetMenuItemCount
 0x4679d8 GetMenu
 0x4679dc GetLastActivePopup
 0x4679e0 GetKeyboardState
 0x4679e4 GetKeyboardLayoutNameA
 0x4679e8 GetKeyboardLayoutList
 0x4679ec GetKeyboardLayout
 0x4679f0 GetKeyState
 0x4679f4 GetKeyNameTextA
 0x4679f8 GetIconInfo
 0x4679fc GetForegroundWindow
 0x467a00 GetFocus
 0x467a04 GetDesktopWindow
 0x467a08 GetDCEx
 0x467a0c GetDC
 0x467a10 GetCursorPos
 0x467a14 GetCursor
 0x467a18 GetClipboardData
 0x467a1c GetClientRect
 0x467a20 GetClassLongA
 0x467a24 GetClassInfoA
 0x467a28 GetCapture
 0x467a2c GetActiveWindow
 0x467a30 FrameRect
 0x467a34 FindWindowA
 0x467a38 FillRect
 0x467a3c EqualRect
 0x467a40 EnumWindows
 0x467a44 EnumThreadWindows
 0x467a48 EnumChildWindows
 0x467a4c EndPaint
 0x467a50 EnableWindow
 0x467a54 EnableScrollBar
 0x467a58 EnableMenuItem
 0x467a5c EmptyClipboard
 0x467a60 DrawTextA
 0x467a64 DrawMenuBar
 0x467a68 DrawIconEx
 0x467a6c DrawIcon
 0x467a70 DrawFrameControl
 0x467a74 DrawEdge
 0x467a78 DispatchMessageW
 0x467a7c DispatchMessageA
 0x467a80 DestroyWindow
 0x467a84 DestroyMenu
 0x467a88 DestroyIcon
 0x467a8c DestroyCursor
 0x467a90 DeleteMenu
 0x467a94 DefWindowProcA
 0x467a98 DefMDIChildProcA
 0x467a9c DefFrameProcA
 0x467aa0 CreatePopupMenu
 0x467aa4 CreateMenu
 0x467aa8 CreateIcon
 0x467aac CloseClipboard
 0x467ab0 ClientToScreen
 0x467ab4 CheckMenuItem
 0x467ab8 CallWindowProcA
 0x467abc CallNextHookEx
 0x467ac0 BeginPaint
 0x467ac4 CharNextA
 0x467ac8 CharLowerBuffA
 0x467acc CharLowerA
 0x467ad0 CharUpperBuffA
 0x467ad4 CharToOemA
 0x467ad8 AdjustWindowRectEx
 0x467adc ActivateKeyboardLayout
gdi32.dll
 0x467ae4 UnrealizeObject
 0x467ae8 StretchBlt
 0x467aec SetWindowOrgEx
 0x467af0 SetWinMetaFileBits
 0x467af4 SetViewportOrgEx
 0x467af8 SetTextColor
 0x467afc SetStretchBltMode
 0x467b00 SetROP2
 0x467b04 SetPixel
 0x467b08 SetEnhMetaFileBits
 0x467b0c SetDIBColorTable
 0x467b10 SetBrushOrgEx
 0x467b14 SetBkMode
 0x467b18 SetBkColor
 0x467b1c SelectPalette
 0x467b20 SelectObject
 0x467b24 SelectClipRgn
 0x467b28 SaveDC
 0x467b2c RestoreDC
 0x467b30 Rectangle
 0x467b34 RectVisible
 0x467b38 RealizePalette
 0x467b3c PlayEnhMetaFile
 0x467b40 PatBlt
 0x467b44 MoveToEx
 0x467b48 MaskBlt
 0x467b4c LineTo
 0x467b50 IntersectClipRect
 0x467b54 GetWindowOrgEx
 0x467b58 GetWinMetaFileBits
 0x467b5c GetTextMetricsA
 0x467b60 GetTextExtentPointA
 0x467b64 GetTextExtentPoint32A
 0x467b68 GetSystemPaletteEntries
 0x467b6c GetStockObject
 0x467b70 GetRgnBox
 0x467b74 GetPixel
 0x467b78 GetPaletteEntries
 0x467b7c GetObjectA
 0x467b80 GetEnhMetaFilePaletteEntries
 0x467b84 GetEnhMetaFileHeader
 0x467b88 GetEnhMetaFileBits
 0x467b8c GetDeviceCaps
 0x467b90 GetDIBits
 0x467b94 GetDIBColorTable
 0x467b98 GetDCOrgEx
 0x467b9c GetCurrentPositionEx
 0x467ba0 GetClipBox
 0x467ba4 GetBrushOrgEx
 0x467ba8 GetBitmapBits
 0x467bac ExtTextOutA
 0x467bb0 ExcludeClipRect
 0x467bb4 DeleteObject
 0x467bb8 DeleteEnhMetaFile
 0x467bbc DeleteDC
 0x467bc0 CreateSolidBrush
 0x467bc4 CreateRectRgn
 0x467bc8 CreatePenIndirect
 0x467bcc CreatePalette
 0x467bd0 CreateHalftonePalette
 0x467bd4 CreateFontIndirectA
 0x467bd8 CreateDIBitmap
 0x467bdc CreateDIBSection
 0x467be0 CreateCompatibleDC
 0x467be4 CreateCompatibleBitmap
 0x467be8 CreateBrushIndirect
 0x467bec CreateBitmap
 0x467bf0 CopyEnhMetaFileA
 0x467bf4 BitBlt
version.dll
 0x467bfc VerQueryValueA
 0x467c00 GetFileVersionInfoSizeA
 0x467c04 GetFileVersionInfoA
kernel32.dll
 0x467c0c lstrcpyA
 0x467c10 lstrcmpiA
 0x467c14 WriteFile
 0x467c18 WaitForSingleObject
 0x467c1c VirtualQuery
 0x467c20 VirtualProtect
 0x467c24 VirtualAlloc
 0x467c28 SizeofResource
 0x467c2c SetThreadLocale
 0x467c30 SetFilePointer
 0x467c34 SetEvent
 0x467c38 SetErrorMode
 0x467c3c SetEndOfFile
 0x467c40 ResetEvent
 0x467c44 ReadFile
 0x467c48 MulDiv
 0x467c4c LockResource
 0x467c50 LoadResource
 0x467c54 LoadLibraryA
 0x467c58 LeaveCriticalSection
 0x467c5c InitializeCriticalSection
 0x467c60 GlobalUnlock
 0x467c64 GlobalLock
 0x467c68 GlobalFree
 0x467c6c GlobalFindAtomA
 0x467c70 GlobalDeleteAtom
 0x467c74 GlobalAlloc
 0x467c78 GlobalAddAtomA
 0x467c7c GetVersionExA
 0x467c80 GetVersion
 0x467c84 GetTickCount
 0x467c88 GetThreadLocale
 0x467c8c GetStdHandle
 0x467c90 GetProcAddress
 0x467c94 GetModuleHandleA
 0x467c98 GetModuleFileNameA
 0x467c9c GetLocaleInfoA
 0x467ca0 GetLocalTime
 0x467ca4 GetLastError
 0x467ca8 GetFullPathNameA
 0x467cac GetDiskFreeSpaceA
 0x467cb0 GetDateFormatA
 0x467cb4 GetCurrentThreadId
 0x467cb8 GetCurrentProcessId
 0x467cbc GetCPInfo
 0x467cc0 FreeResource
 0x467cc4 InterlockedExchange
 0x467cc8 FreeLibrary
 0x467ccc FormatMessageA
 0x467cd0 FindResourceA
 0x467cd4 EnumCalendarInfoA
 0x467cd8 EnterCriticalSection
 0x467cdc DeleteCriticalSection
 0x467ce0 CreateThread
 0x467ce4 CreateFileA
 0x467ce8 CreateEventA
 0x467cec CompareStringA
 0x467cf0 CloseHandle
advapi32.dll
 0x467cf8 RegQueryValueExA
 0x467cfc RegOpenKeyExA
 0x467d00 RegFlushKey
 0x467d04 RegCloseKey
kernel32.dll
 0x467d0c Sleep
oleaut32.dll
 0x467d14 SafeArrayPtrOfIndex
 0x467d18 SafeArrayGetUBound
 0x467d1c SafeArrayGetLBound
 0x467d20 SafeArrayCreate
 0x467d24 VariantChangeType
 0x467d28 VariantCopy
 0x467d2c VariantClear
 0x467d30 VariantInit
comctl32.dll
 0x467d38 _TrackMouseEvent
 0x467d3c ImageList_SetIconSize
 0x467d40 ImageList_GetIconSize
 0x467d44 ImageList_Write
 0x467d48 ImageList_Read
 0x467d4c ImageList_DragShowNolock
 0x467d50 ImageList_DragMove
 0x467d54 ImageList_DragLeave
 0x467d58 ImageList_DragEnter
 0x467d5c ImageList_EndDrag
 0x467d60 ImageList_BeginDrag
 0x467d64 ImageList_Remove
 0x467d68 ImageList_DrawEx
 0x467d6c ImageList_Draw
 0x467d70 ImageList_GetBkColor
 0x467d74 ImageList_SetBkColor
 0x467d78 ImageList_Add
 0x467d7c ImageList_GetImageCount
 0x467d80 ImageList_Destroy
 0x467d84 ImageList_Create
 0x467d88 InitCommonControls
winmm.dll
 0x467d90 mixerSetControlDetails
 0x467d94 mixerOpen
 0x467d98 mixerGetNumDevs
 0x467d9c mixerGetLineInfoA
 0x467da0 mixerGetLineControlsA
 0x467da4 mixerGetDevCapsA
 0x467da8 mixerGetControlDetailsA
 0x467dac mixerClose

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure