popup

Report - vbc.exe

UPX Malicious Library AntiDebug AntiVM PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.08.06 09:42 Machine s1_win7_x6401
Filename vbc.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
4
 Behavior Score
8.4
ZERO API file : malware
VT API (file) 49 detected (AIDetect, malware1, Injects, malicious, high confidence, Siggen14, GenericKD, Unsafe, Save, runner, ali1000123, Kryptik, Eldorado, HLYT, PWSX, CLASSIC, wnhqn@0, pjuvk, Static AI, Malicious PE, ai score=100, StopCrypt, score, MalPE, R435772, BScope, Bingoml, Auto, UrSnif, HLYQ, confidence, 100%, HwoCueAA)
md5 ccedd914fbe08e1b2812df96dc74278e
sha256 0655ee712ee939add7c23e011eb887fe70f085e1fea6df1dbeb07bc8df7ffdb7
ssdeep 6144:p6W2Lqr88kcKh6skSJwTxUl2IcseaMV7m:QTt8LSJwTxlIcQS7
imphash 2a9c1ca66125aeff7a1c36242be63d54
impfuzzy 48:XGzhYZuZCa3d3p2SIZS+fjtVM+cSjG2ccwAMf:XGeWCat5FJ+fjtVM+cSrccA
  Network IP location

Signature (17cnts)

Level Description
danger File has been identified by 49 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Foreign language identified in PE resource
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks if process is being debugged by a debugger
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path

Rules (11cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (12cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.sergrtr.com/otcl/?uVjH=mBDnt/Gh8erpdJmR5LUsgS6AYomiYv6KKx4Ciy1VWZ+lm+O2aYdlFCHe7BXtcsumDYUDE2bt&R2Mxt=MjOp3dr0kBhPCb6P
whois
CA CLOUDFLARENET 23.227.38.74 clean
http://www.vidacocktails.com/otcl/?uVjH=rypAyBghX+oRSAWiWZi6HXfSOOQXpfwEtRIEbFlRCYHxrojr5D9YoFHDjuuw3w1SPlmQfBvX&R2Mxt=MjOp3dr0kBhPCb6P
whois
US GOOGLE 34.102.136.180 clean
http://www.lenatwo.com/otcl/?uVjH=jjpdYGPxaq0GEExKffhLJbVQdJjKexSz1KEBGQRYOyI7/Bdn/luiGJqh0JO76VQxmlxEikAe&R2Mxt=MjOp3dr0kBhPCb6P
whois
DE Hetzner Online GmbH 46.4.153.33 clean
http://www.fussionpromos.com/otcl/?uVjH=R6pBimEX126Y/7jz26NSIB+pAf+iSCkbIcynLs+ia55rI8fnMgFdof6zFKq4BsG3kSXOUZFo&R2Mxt=MjOp3dr0kBhPCb6P
whois
US UNIFIEDLAYER-AS-1 192.254.185.89 clean
www.sergrtr.com
whois
CA CLOUDFLARENET 23.227.38.74 clean
www.vidacocktails.com
whois
US GOOGLE 34.102.136.180 clean
www.lenatwo.com
whois
DE Hetzner Online GmbH 46.4.153.33 clean
www.fussionpromos.com
whois
US UNIFIEDLAYER-AS-1 192.254.185.89 clean
23.227.38.74
whois
CA CLOUDFLARENET 23.227.38.74 mailcious
46.4.153.33
whois
DE Hetzner Online GmbH 46.4.153.33 clean
34.102.136.180
whois
US GOOGLE 34.102.136.180 mailcious
192.254.185.89
whois
US UNIFIEDLAYER-AS-1 192.254.185.89 clean

Suricata ids

ET MALWARE FormBook CnC Checkin (GET)

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x401000 GetComputerNameA
 0x401004 CreateFileA
 0x401008 SetCriticalSectionSpinCount
 0x40100c WriteConsoleInputW
 0x401010 WriteConsoleOutputCharacterW
 0x401014 lstrlenA
 0x401018 GetConsoleAliasesLengthW
 0x40101c EndUpdateResourceW
 0x401020 ReadConsoleA
 0x401024 GetCurrentProcess
 0x401028 ZombifyActCtx
 0x40102c WritePrivateProfileSectionA
 0x401030 InitializeSListHead
 0x401034 GetUserDefaultLCID
 0x401038 WaitForSingleObject
 0x40103c SetEvent
 0x401040 GetSystemDefaultLCID
 0x401044 GetFileAttributesExA
 0x401048 GetModuleHandleW
 0x40104c VirtualFree
 0x401050 ReadConsoleOutputA
 0x401054 GetConsoleCP
 0x401058 GlobalFindAtomA
 0x40105c LoadLibraryW
 0x401060 ReadConsoleInputA
 0x401064 GetSystemWindowsDirectoryA
 0x401068 SetConsoleCP
 0x40106c LeaveCriticalSection
 0x401070 DnsHostnameToComputerNameW
 0x401074 GetConsoleAliasW
 0x401078 SetConsoleCursorPosition
 0x40107c GetGeoInfoA
 0x401080 ReadFile
 0x401084 CreateActCtxA
 0x401088 GetConsoleOutputCP
 0x40108c VerifyVersionInfoW
 0x401090 SetLastError
 0x401094 GetProcAddress
 0x401098 VerLanguageNameA
 0x40109c EnumDateFormatsExA
 0x4010a0 HeapUnlock
 0x4010a4 CopyFileA
 0x4010a8 GetConsoleDisplayMode
 0x4010ac WriteConsoleA
 0x4010b0 InterlockedExchangeAdd
 0x4010b4 DeleteTimerQueue
 0x4010b8 BuildCommDCBAndTimeoutsW
 0x4010bc SetConsoleDisplayMode
 0x4010c0 GetExitCodeThread
 0x4010c4 SetFileApisToANSI
 0x4010c8 GetDiskFreeSpaceA
 0x4010cc SetConsoleTitleW
 0x4010d0 LoadLibraryExA
 0x4010d4 UpdateResourceW
 0x4010d8 EraseTape
 0x4010dc GetProcessAffinityMask
 0x4010e0 BuildCommDCBA
 0x4010e4 VirtualProtect
 0x4010e8 GetFileTime
 0x4010ec GetCPInfoExA
 0x4010f0 FindFirstVolumeA
 0x4010f4 GetVersionExA
 0x4010f8 GetPrivateProfileSectionW
 0x4010fc GetSystemTime
 0x401100 CreateThread
 0x401104 CloseHandle
 0x401108 InterlockedIncrement
 0x40110c InterlockedDecrement
 0x401110 Sleep
 0x401114 InitializeCriticalSection
 0x401118 DeleteCriticalSection
 0x40111c EnterCriticalSection
 0x401120 UnhandledExceptionFilter
 0x401124 SetUnhandledExceptionFilter
 0x401128 GetLastError
 0x40112c HeapFree
 0x401130 TerminateProcess
 0x401134 IsDebuggerPresent
 0x401138 HeapReAlloc
 0x40113c HeapAlloc
 0x401140 GetStartupInfoW
 0x401144 RtlUnwind
 0x401148 RaiseException
 0x40114c LCMapStringA
 0x401150 WideCharToMultiByte
 0x401154 MultiByteToWideChar
 0x401158 LCMapStringW
 0x40115c GetCPInfo
 0x401160 ExitProcess
 0x401164 WriteFile
 0x401168 GetStdHandle
 0x40116c GetModuleFileNameA
 0x401170 HeapCreate
 0x401174 VirtualAlloc
 0x401178 TlsGetValue
 0x40117c TlsAlloc
 0x401180 TlsSetValue
 0x401184 TlsFree
 0x401188 GetCurrentThreadId
 0x40118c SetHandleCount
 0x401190 GetFileType
 0x401194 GetStartupInfoA
 0x401198 SetFilePointer
 0x40119c GetModuleFileNameW
 0x4011a0 FreeEnvironmentStringsW
 0x4011a4 GetEnvironmentStringsW
 0x4011a8 GetCommandLineW
 0x4011ac QueryPerformanceCounter
 0x4011b0 GetTickCount
 0x4011b4 GetCurrentProcessId
 0x4011b8 GetSystemTimeAsFileTime
 0x4011bc HeapSize
 0x4011c0 GetACP
 0x4011c4 GetOEMCP
 0x4011c8 IsValidCodePage
 0x4011cc GetLocaleInfoA
 0x4011d0 EnumSystemLocalesA
 0x4011d4 IsValidLocale
 0x4011d8 GetStringTypeA
 0x4011dc GetStringTypeW
 0x4011e0 LoadLibraryA
 0x4011e4 InitializeCriticalSectionAndSpinCount
 0x4011e8 SetStdHandle
 0x4011ec GetConsoleMode
 0x4011f0 FlushFileBuffers
 0x4011f4 GetLocaleInfoW
 0x4011f8 WriteConsoleW
USER32.dll
 0x401200 GetAltTabInfoW
 0x401204 RealChildWindowFromPoint

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure