ScreenShot
| Created | 2021.08.06 09:20 | Machine | s1_win7_x6401 |
| Filename | vutomecj.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 28 detected (AIDetect, malware2, Unsafe, Save, ZexaF, UqZ@ay2QrPji, Attribute, HighConfidence, Kryptik, HLYU, AveMaria, RATX, Auto, Siggen14, Emotet, Malicious, Wacatac, score, R435861, Artemis, BScope, CLASSIC, Static AI, Suspicious PE, GenKryptik, FILN, susgen, confidence, QVM20) | ||
| md5 | 7598c86263182dca909e4b70a6e5f2bb | ||
| sha256 | 52d267bd1cea3a3f5e4a248397341c2534169af3b29632eb923620108b1b42a6 | ||
| ssdeep | 12288:Krf0P3HD5YEoMXwE9FeJEEaMpyZwXLPVxFDd1mG:hP3H1YEoMXLEaMpyZwBbDGG | ||
| imphash | 7f3a4a0e96d9bcc5b3425ad3dca611da | ||
| impfuzzy | 48:yBuS1jtYGOc+pp+DXA+ka/gEkAkS5E4CWzsSYRSv6UyK/X09nB/KAlJGFjpM7:vS1jtYGOc+pp+7C5hR7 | ||
Network IP location
Signature (18cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 28 AntiVirus engines on VirusTotal as malicious |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| watch | Putty Files |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Moves the original executable to a new location |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x414008 WriteFile
0x41400c CloseHandle
0x414010 VirtualProtect
0x414014 DecodePointer
0x414018 GetConsoleMode
0x41401c GetConsoleOutputCP
0x414020 FlushFileBuffers
0x414024 HeapReAlloc
0x414028 HeapSize
0x41402c SetFilePointerEx
0x414030 GetProcessHeap
0x414034 LCMapStringW
0x414038 ReadFile
0x41403c GetStringTypeW
0x414040 SetStdHandle
0x414044 FreeEnvironmentStringsW
0x414048 GetEnvironmentStringsW
0x41404c WideCharToMultiByte
0x414050 MultiByteToWideChar
0x414054 GetCommandLineW
0x414058 GetCommandLineA
0x41405c GetCPInfo
0x414060 GetOEMCP
0x414064 GetACP
0x414068 CreateFileW
0x41406c QueryPerformanceCounter
0x414070 GetCurrentProcessId
0x414074 GetCurrentThreadId
0x414078 GetSystemTimeAsFileTime
0x41407c InitializeSListHead
0x414080 IsDebuggerPresent
0x414084 UnhandledExceptionFilter
0x414088 SetUnhandledExceptionFilter
0x41408c GetStartupInfoW
0x414090 IsProcessorFeaturePresent
0x414094 GetModuleHandleW
0x414098 GetCurrentProcess
0x41409c TerminateProcess
0x4140a0 RaiseException
0x4140a4 RtlUnwind
0x4140a8 GetLastError
0x4140ac SetLastError
0x4140b0 EncodePointer
0x4140b4 EnterCriticalSection
0x4140b8 LeaveCriticalSection
0x4140bc DeleteCriticalSection
0x4140c0 InitializeCriticalSectionAndSpinCount
0x4140c4 TlsAlloc
0x4140c8 TlsGetValue
0x4140cc TlsSetValue
0x4140d0 TlsFree
0x4140d4 FreeLibrary
0x4140d8 GetProcAddress
0x4140dc LoadLibraryExW
0x4140e0 GetStdHandle
0x4140e4 GetModuleFileNameW
0x4140e8 ExitProcess
0x4140ec GetModuleHandleExW
0x4140f0 HeapFree
0x4140f4 HeapAlloc
0x4140f8 GetFileType
0x4140fc FindClose
0x414100 FindFirstFileExW
0x414104 FindNextFileW
0x414108 IsValidCodePage
0x41410c WriteConsoleW
USER32.dll
0x414114 LoadCursorW
0x414118 GetWindowLongW
0x41411c MessageBeep
0x414120 MessageBoxW
0x414124 GetWindowTextW
0x414128 SetWindowTextW
0x41412c EndPaint
0x414130 BeginPaint
0x414134 GetDC
0x414138 UpdateWindow
0x41413c GrayStringW
0x414140 TranslateAcceleratorW
0x414144 LoadAcceleratorsW
0x414148 LoadIconW
0x41414c GetDlgItem
0x414150 EndDialog
0x414154 DialogBoxParamW
0x414158 ShowWindow
0x41415c DestroyWindow
0x414160 CreateWindowExW
0x414164 RegisterClassExW
0x414168 PostQuitMessage
0x41416c DefWindowProcW
0x414170 SendMessageW
0x414174 DispatchMessageW
0x414178 TranslateMessage
0x41417c GetMessageW
0x414180 LoadStringW
0x414184 SendDlgItemMessageW
COMDLG32.dll
0x414000 GetOpenFileNameW
EAT(Export Address Table) is none
KERNEL32.dll
0x414008 WriteFile
0x41400c CloseHandle
0x414010 VirtualProtect
0x414014 DecodePointer
0x414018 GetConsoleMode
0x41401c GetConsoleOutputCP
0x414020 FlushFileBuffers
0x414024 HeapReAlloc
0x414028 HeapSize
0x41402c SetFilePointerEx
0x414030 GetProcessHeap
0x414034 LCMapStringW
0x414038 ReadFile
0x41403c GetStringTypeW
0x414040 SetStdHandle
0x414044 FreeEnvironmentStringsW
0x414048 GetEnvironmentStringsW
0x41404c WideCharToMultiByte
0x414050 MultiByteToWideChar
0x414054 GetCommandLineW
0x414058 GetCommandLineA
0x41405c GetCPInfo
0x414060 GetOEMCP
0x414064 GetACP
0x414068 CreateFileW
0x41406c QueryPerformanceCounter
0x414070 GetCurrentProcessId
0x414074 GetCurrentThreadId
0x414078 GetSystemTimeAsFileTime
0x41407c InitializeSListHead
0x414080 IsDebuggerPresent
0x414084 UnhandledExceptionFilter
0x414088 SetUnhandledExceptionFilter
0x41408c GetStartupInfoW
0x414090 IsProcessorFeaturePresent
0x414094 GetModuleHandleW
0x414098 GetCurrentProcess
0x41409c TerminateProcess
0x4140a0 RaiseException
0x4140a4 RtlUnwind
0x4140a8 GetLastError
0x4140ac SetLastError
0x4140b0 EncodePointer
0x4140b4 EnterCriticalSection
0x4140b8 LeaveCriticalSection
0x4140bc DeleteCriticalSection
0x4140c0 InitializeCriticalSectionAndSpinCount
0x4140c4 TlsAlloc
0x4140c8 TlsGetValue
0x4140cc TlsSetValue
0x4140d0 TlsFree
0x4140d4 FreeLibrary
0x4140d8 GetProcAddress
0x4140dc LoadLibraryExW
0x4140e0 GetStdHandle
0x4140e4 GetModuleFileNameW
0x4140e8 ExitProcess
0x4140ec GetModuleHandleExW
0x4140f0 HeapFree
0x4140f4 HeapAlloc
0x4140f8 GetFileType
0x4140fc FindClose
0x414100 FindFirstFileExW
0x414104 FindNextFileW
0x414108 IsValidCodePage
0x41410c WriteConsoleW
USER32.dll
0x414114 LoadCursorW
0x414118 GetWindowLongW
0x41411c MessageBeep
0x414120 MessageBoxW
0x414124 GetWindowTextW
0x414128 SetWindowTextW
0x41412c EndPaint
0x414130 BeginPaint
0x414134 GetDC
0x414138 UpdateWindow
0x41413c GrayStringW
0x414140 TranslateAcceleratorW
0x414144 LoadAcceleratorsW
0x414148 LoadIconW
0x41414c GetDlgItem
0x414150 EndDialog
0x414154 DialogBoxParamW
0x414158 ShowWindow
0x41415c DestroyWindow
0x414160 CreateWindowExW
0x414164 RegisterClassExW
0x414168 PostQuitMessage
0x41416c DefWindowProcW
0x414170 SendMessageW
0x414174 DispatchMessageW
0x414178 TranslateMessage
0x41417c GetMessageW
0x414180 LoadStringW
0x414184 SendDlgItemMessageW
COMDLG32.dll
0x414000 GetOpenFileNameW
EAT(Export Address Table) is none