ScreenShot
| Created | 2021.08.04 17:10 | Machine | s1_win7_x6401 |
| Filename | vbc.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 21 detected (Unsafe, ZexaE, HyZ@aa2Bxsli, Malicious, Androm, Static AI, Suspicious PE, ai score=88, Wacatac, BScope, Kryptik, CLASSIC, GenKryptik, FIIH, susgen, QVM10) | ||
| md5 | c2bd160e08dec3da08a4af740f3c6d15 | ||
| sha256 | b48c2ac8f72c116687094de6d2b1fc1b1c2c5192ef6c9ca0df947a6e4066ac16 | ||
| ssdeep | 12288:mhQVh9a17gNm5YnXDdx2OjKhNHySntn/j987vWrIneDH6any:mhQVh9FDdx2GKzSStrKWrIneDHtny | ||
| imphash | 97750a00050e37c7b56da7bc3864f0f1 | ||
| impfuzzy | 48:nUhvVZYBHnXjtWGzdc+ppWqASY+ka/gEkAkS5E4CQzspfRSv6UyK/X09nB/KAlJ1:nUdvOXjtWGJc+ppWEO5h17 | ||
Network IP location
Signature (21cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 21 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| watch | Putty Files |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Moves the original executable to a new location |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
PE API
IAT(Import Address Table) Library
dbghelp.dll
0x4421dc MiniDumpWriteDump
KERNEL32.dll
0x442008 CreateFileW
0x44200c GetFileSize
0x442010 ReadFile
0x442014 SetFilePointer
0x442018 WriteFile
0x44201c CloseHandle
0x442020 GetCurrentProcess
0x442024 GetCurrentProcessId
0x442028 VirtualProtect
0x44202c SetFilePointerEx
0x442030 GetConsoleMode
0x442034 GetConsoleCP
0x442038 FlushFileBuffers
0x44203c HeapReAlloc
0x442040 HeapSize
0x442044 SetConsoleCtrlHandler
0x442048 GetProcessHeap
0x44204c LCMapStringW
0x442050 DecodePointer
0x442054 GetTimeFormatW
0x442058 GetDateFormatW
0x44205c OutputDebugStringW
0x442060 OutputDebugStringA
0x442064 EnumSystemLocalesW
0x442068 GetUserDefaultLCID
0x44206c IsValidLocale
0x442070 GetLocaleInfoW
0x442074 GetStringTypeW
0x442078 SetStdHandle
0x44207c SetEnvironmentVariableW
0x442080 SetEnvironmentVariableA
0x442084 FreeEnvironmentStringsW
0x442088 GetEnvironmentStringsW
0x44208c GetCommandLineW
0x442090 GetCommandLineA
0x442094 GetCPInfo
0x442098 GetOEMCP
0x44209c IsValidCodePage
0x4420a0 FindNextFileW
0x4420a4 CompareStringW
0x4420a8 SetLastError
0x4420ac QueryPerformanceCounter
0x4420b0 GetCurrentThreadId
0x4420b4 GetSystemTimeAsFileTime
0x4420b8 InitializeSListHead
0x4420bc IsDebuggerPresent
0x4420c0 UnhandledExceptionFilter
0x4420c4 SetUnhandledExceptionFilter
0x4420c8 GetStartupInfoW
0x4420cc IsProcessorFeaturePresent
0x4420d0 GetModuleHandleW
0x4420d4 TerminateProcess
0x4420d8 RaiseException
0x4420dc RtlUnwind
0x4420e0 InterlockedPushEntrySList
0x4420e4 InterlockedFlushSList
0x4420e8 GetLastError
0x4420ec WriteConsoleW
0x4420f0 EncodePointer
0x4420f4 EnterCriticalSection
0x4420f8 LeaveCriticalSection
0x4420fc DeleteCriticalSection
0x442100 InitializeCriticalSectionAndSpinCount
0x442104 TlsAlloc
0x442108 TlsGetValue
0x44210c TlsSetValue
0x442110 TlsFree
0x442114 FreeLibrary
0x442118 GetProcAddress
0x44211c LoadLibraryExW
0x442120 GetStdHandle
0x442124 GetModuleFileNameW
0x442128 GetModuleFileNameA
0x44212c MultiByteToWideChar
0x442130 WideCharToMultiByte
0x442134 ExitProcess
0x442138 GetModuleHandleExW
0x44213c GetACP
0x442140 HeapFree
0x442144 HeapAlloc
0x442148 GetCurrentThread
0x44214c GetFileType
0x442150 FindClose
0x442154 FindFirstFileExA
0x442158 FindFirstFileExW
0x44215c FindNextFileA
USER32.dll
0x442164 LoadIconW
0x442168 LoadCursorW
0x44216c GetWindowLongW
0x442170 MessageBeep
0x442174 MessageBoxW
0x442178 GetWindowTextW
0x44217c SetWindowTextW
0x442180 EndPaint
0x442184 BeginPaint
0x442188 GetDC
0x44218c UpdateWindow
0x442190 GrayStringA
0x442194 TranslateAcceleratorW
0x442198 LoadAcceleratorsW
0x44219c SendDlgItemMessageW
0x4421a0 GetDlgItem
0x4421a4 EndDialog
0x4421a8 DialogBoxParamW
0x4421ac ShowWindow
0x4421b0 DestroyWindow
0x4421b4 CreateWindowExW
0x4421b8 RegisterClassExW
0x4421bc PostQuitMessage
0x4421c0 DefWindowProcW
0x4421c4 SendMessageW
0x4421c8 DispatchMessageW
0x4421cc TranslateMessage
0x4421d0 GetMessageW
0x4421d4 LoadStringW
COMDLG32.dll
0x442000 GetOpenFileNameW
EAT(Export Address Table) is none
dbghelp.dll
0x4421dc MiniDumpWriteDump
KERNEL32.dll
0x442008 CreateFileW
0x44200c GetFileSize
0x442010 ReadFile
0x442014 SetFilePointer
0x442018 WriteFile
0x44201c CloseHandle
0x442020 GetCurrentProcess
0x442024 GetCurrentProcessId
0x442028 VirtualProtect
0x44202c SetFilePointerEx
0x442030 GetConsoleMode
0x442034 GetConsoleCP
0x442038 FlushFileBuffers
0x44203c HeapReAlloc
0x442040 HeapSize
0x442044 SetConsoleCtrlHandler
0x442048 GetProcessHeap
0x44204c LCMapStringW
0x442050 DecodePointer
0x442054 GetTimeFormatW
0x442058 GetDateFormatW
0x44205c OutputDebugStringW
0x442060 OutputDebugStringA
0x442064 EnumSystemLocalesW
0x442068 GetUserDefaultLCID
0x44206c IsValidLocale
0x442070 GetLocaleInfoW
0x442074 GetStringTypeW
0x442078 SetStdHandle
0x44207c SetEnvironmentVariableW
0x442080 SetEnvironmentVariableA
0x442084 FreeEnvironmentStringsW
0x442088 GetEnvironmentStringsW
0x44208c GetCommandLineW
0x442090 GetCommandLineA
0x442094 GetCPInfo
0x442098 GetOEMCP
0x44209c IsValidCodePage
0x4420a0 FindNextFileW
0x4420a4 CompareStringW
0x4420a8 SetLastError
0x4420ac QueryPerformanceCounter
0x4420b0 GetCurrentThreadId
0x4420b4 GetSystemTimeAsFileTime
0x4420b8 InitializeSListHead
0x4420bc IsDebuggerPresent
0x4420c0 UnhandledExceptionFilter
0x4420c4 SetUnhandledExceptionFilter
0x4420c8 GetStartupInfoW
0x4420cc IsProcessorFeaturePresent
0x4420d0 GetModuleHandleW
0x4420d4 TerminateProcess
0x4420d8 RaiseException
0x4420dc RtlUnwind
0x4420e0 InterlockedPushEntrySList
0x4420e4 InterlockedFlushSList
0x4420e8 GetLastError
0x4420ec WriteConsoleW
0x4420f0 EncodePointer
0x4420f4 EnterCriticalSection
0x4420f8 LeaveCriticalSection
0x4420fc DeleteCriticalSection
0x442100 InitializeCriticalSectionAndSpinCount
0x442104 TlsAlloc
0x442108 TlsGetValue
0x44210c TlsSetValue
0x442110 TlsFree
0x442114 FreeLibrary
0x442118 GetProcAddress
0x44211c LoadLibraryExW
0x442120 GetStdHandle
0x442124 GetModuleFileNameW
0x442128 GetModuleFileNameA
0x44212c MultiByteToWideChar
0x442130 WideCharToMultiByte
0x442134 ExitProcess
0x442138 GetModuleHandleExW
0x44213c GetACP
0x442140 HeapFree
0x442144 HeapAlloc
0x442148 GetCurrentThread
0x44214c GetFileType
0x442150 FindClose
0x442154 FindFirstFileExA
0x442158 FindFirstFileExW
0x44215c FindNextFileA
USER32.dll
0x442164 LoadIconW
0x442168 LoadCursorW
0x44216c GetWindowLongW
0x442170 MessageBeep
0x442174 MessageBoxW
0x442178 GetWindowTextW
0x44217c SetWindowTextW
0x442180 EndPaint
0x442184 BeginPaint
0x442188 GetDC
0x44218c UpdateWindow
0x442190 GrayStringA
0x442194 TranslateAcceleratorW
0x442198 LoadAcceleratorsW
0x44219c SendDlgItemMessageW
0x4421a0 GetDlgItem
0x4421a4 EndDialog
0x4421a8 DialogBoxParamW
0x4421ac ShowWindow
0x4421b0 DestroyWindow
0x4421b4 CreateWindowExW
0x4421b8 RegisterClassExW
0x4421bc PostQuitMessage
0x4421c0 DefWindowProcW
0x4421c4 SendMessageW
0x4421c8 DispatchMessageW
0x4421cc TranslateMessage
0x4421d0 GetMessageW
0x4421d4 LoadStringW
COMDLG32.dll
0x442000 GetOpenFileNameW
EAT(Export Address Table) is none