Field | Value |
---|---|
Created | 2021.08.04 09:44 |
Machine | s1_win7_x6402 |
Filename | vbc.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
ZERO API | file: malware |
VT API (file) | 33 detected (malicious, high confidence, score, Artemis, Unsafe, Save, Eldorado, Attribute, HighConfidence, GenKryptik, FIJA, PWSX, Generic ML PUA, Wacatac, ZexaF, suZ@aCqRgcei, ai score=82, BScope, Kryptik, CLASSIC, Static AI, Malicious PE, FIIH, confidence, QVM10) |
md5 | a4e87c684a48d0b140509540dd333232 |
sha256 | e9e36bd1b8aa447659150278e83976797ed8a5d73e580ca745e246b474a7539d |
ssdeep | 6144:Z3CWs6VpP25tNZSCV+PJD2wyQH4KrenMNR9ShadU5EtW:ZyWs825tNB+920DqMb9xc |
imphash | 47132e7294d9df76f8ee6d6805dd5e2d |
impfuzzy | 48:LtMS175c+ppXr3A7BSY+S5E4CQzsSv6UyK/X09nB/KAJGFz:LtMS175c+ppXO05h6 |
Network IP location
Signature (22cnts)
Level | Description |
---|---|
danger | File has been identified by 33 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client softwares |
watch | Harvests information related to installed instant messenger clients |
watch | Putty Files |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Moves the original executable to a new location |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x40d008 DecodePointer
0x40d00c WriteConsoleW
0x40d010 CloseHandle
0x40d014 CreateFileW
0x40d018 SetFilePointerEx
0x40d01c GetConsoleMode
0x40d020 FlushFileBuffers
0x40d024 HeapReAlloc
0x40d028 HeapSize
0x40d02c GetProcessHeap
0x40d030 LCMapStringW
0x40d034 GetConsoleOutputCP
0x40d038 VirtualProtect
0x40d03c UnhandledExceptionFilter
0x40d040 SetUnhandledExceptionFilter
0x40d044 GetCurrentProcess
0x40d048 TerminateProcess
0x40d04c IsProcessorFeaturePresent
0x40d050 QueryPerformanceCounter
0x40d054 GetCurrentProcessId
0x40d058 GetCurrentThreadId
0x40d05c GetSystemTimeAsFileTime
0x40d060 InitializeSListHead
0x40d064 IsDebuggerPresent
0x40d068 GetStartupInfoW
0x40d06c GetModuleHandleW
0x40d070 RtlUnwind
0x40d074 GetLastError
0x40d078 SetLastError
0x40d07c EnterCriticalSection
0x40d080 LeaveCriticalSection
0x40d084 DeleteCriticalSection
0x40d088 InitializeCriticalSectionAndSpinCount
0x40d08c TlsAlloc
0x40d090 TlsGetValue
0x40d094 TlsSetValue
0x40d098 TlsFree
0x40d09c FreeLibrary
0x40d0a0 GetProcAddress
0x40d0a4 LoadLibraryExW
0x40d0a8 GetStdHandle
0x40d0ac WriteFile
0x40d0b0 GetModuleFileNameW
0x40d0b4 ExitProcess
0x40d0b8 GetModuleHandleExW
0x40d0bc HeapFree
0x40d0c0 HeapAlloc
0x40d0c4 FindClose
0x40d0c8 FindFirstFileExW
0x40d0cc FindNextFileW
0x40d0d0 IsValidCodePage
0x40d0d4 GetACP
0x40d0d8 GetOEMCP
0x40d0dc GetCPInfo
0x40d0e0 GetCommandLineA
0x40d0e4 GetCommandLineW
0x40d0e8 MultiByteToWideChar
0x40d0ec WideCharToMultiByte
0x40d0f0 GetEnvironmentStringsW
0x40d0f4 FreeEnvironmentStringsW
0x40d0f8 SetStdHandle
0x40d0fc GetFileType
0x40d100 GetStringTypeW
0x40d104 RaiseException
USER32.dll
0x40d10c LoadIconW
0x40d110 LoadCursorW
0x40d114 EndPaint
0x40d118 BeginPaint
0x40d11c GetDC
0x40d120 UpdateWindow
0x40d124 GrayStringA
0x40d128 TranslateAcceleratorW
0x40d12c LoadAcceleratorsW
0x40d130 EndDialog
0x40d134 DialogBoxParamW
0x40d138 ShowWindow
0x40d13c DestroyWindow
0x40d140 CreateWindowExW
0x40d144 RegisterClassExW
0x40d148 PostQuitMessage
0x40d14c DefWindowProcW
0x40d150 DispatchMessageW
0x40d154 TranslateMessage
0x40d158 GetMessageW
0x40d15c LoadStringW
GDI32.dll
0x40d000 CreateSolidBrush
EAT (Export Address Table): none