popup

Report - vbc.exe

PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.08.12 13:52 Machine s1_win7_x6401
Filename vbc.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
7
 Behavior Score
8.0
ZERO API file : malware
VT API (file) 18 detected (AIDetect, malware2, malicious, high confidence, Unsafe, Save, Attribute, HighConfidence, Noon, Kryptik, CLASSIC, Generic ML PUA, Score, Sabsik, BScope, HLWI, ZexaF, pqZ@aCBwAwci, QVM07)
md5 da8a93ada0a33e6df7f52f8a7c1726b1
sha256 324d549fb7b9999aa0e6fb8a6824f7a05fe5f1f21d76fb2d360cb34c56eb1995
ssdeep 6144:4Bs7vgkXyKtiNclZqZbqCFAmk6j7v10X2YPxHdD1QsW+z3f:4BtUyKMDqaHj7N0ZPH1QsW+b
imphash 48cf05311e4a3e8be7b754cbebbc2209
impfuzzy 48:dD9IDQACAkECEkEUoLu/g7+ZXUGAcJ+k5+SYNfnVxk7nB/KAn6gl4JGF0X3j4099:d92oVhHONLU6DClUxp3+RGNUG
  Network IP location

Signature (19cnts)

Level Description
watch Communicates with host for which no DNS query was performed
watch File has been identified by 18 AntiVirus engines on VirusTotal as malicious
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Harvests information related to installed instant messenger clients
watch Putty Files
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Moves the original executable to a new location
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info Queries for the computername
info The executable uses a known packer
info Tries to locate where the browsers are installed

Rules (2cnts)

Level Name Description Collection
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://185.227.139.5/sxisodifntose.php/B0MWbknI2Z7T2
whois
US Turunc Smart Bilgisayar Ve Teknoloji Ve Dis Tecaret Limited 185.227.139.5 3949 mailcious
185.227.139.5
whois
US Turunc Smart Bilgisayar Ve Teknoloji Ve Dis Tecaret Limited 185.227.139.5 mailcious

Suricata ids

ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2

PE API

IAT(Import Address Table) Library

COMCTL32.dll
 0x406000 InitCommonControlsEx
 0x406004 CreateToolbarEx
 0x406008 CreateStatusWindowW
 0x40600c PropertySheetW
KERNEL32.dll
 0x406040 GetLocalTime
 0x406044 VirtualProtect
 0x406048 GetModuleHandleW
 0x40604c LoadLibraryW
 0x406050 HeapFree
 0x406054 lstrcmpW
 0x406058 lstrcmpiW
 0x40605c lstrcpynW
 0x406060 lstrcpyW
 0x406064 lstrcatW
 0x406068 lstrlenW
 0x40606c GetDateFormatW
 0x406070 GetTimeFormatW
 0x406074 GetModuleHandleA
 0x406078 HeapReAlloc
 0x40607c HeapAlloc
 0x406080 GetLastError
 0x406084 CloseHandle
 0x406088 WriteFile
 0x40608c SetFilePointer
 0x406090 GetProcessHeap
 0x406094 ReadFile
 0x406098 CreateFileW
 0x40609c GetCommandLineW
 0x4060a0 MulDiv
 0x4060a4 GetStartupInfoA
USER32.dll
 0x40611c InvalidateRect
 0x406120 SetWindowTextA
 0x406124 SetWindowTextW
 0x406128 GetWindowTextA
 0x40612c GetWindowTextW
 0x406130 GetWindowTextLengthW
 0x406134 GetClientRect
 0x406138 GetWindowRect
 0x40613c MessageBoxA
 0x406140 MessageBoxW
 0x406144 MessageBoxIndirectW
 0x406148 ClientToScreen
 0x40614c MapWindowPoints
 0x406150 GetSysColorBrush
 0x406154 IntersectRect
 0x406158 IsRectEmpty
 0x40615c GetWindowLongW
 0x406160 ReleaseDC
 0x406164 LoadCursorW
 0x406168 LoadIconW
 0x40616c LoadImageW
 0x406170 IsDialogMessageW
 0x406174 MonitorFromRect
 0x406178 GetMonitorInfoW
 0x40617c TrackPopupMenu
 0x406180 PostQuitMessage
 0x406184 DefWindowProcW
 0x406188 PostMessageW
 0x40618c SendMessageW
 0x406190 PeekMessageW
 0x406194 DispatchMessageW
 0x406198 TranslateMessage
 0x40619c GetMessageW
 0x4061a0 RegisterWindowMessageW
 0x4061a4 wsprintfW
 0x4061a8 LoadStringW
 0x4061ac GetDC
 0x4061b0 RegisterClassExW
 0x4061b4 GrayStringW
 0x4061b8 SetMenuItemInfoW
 0x4061bc TrackPopupMenuEx
 0x4061c0 GetSubMenu
 0x4061c4 EnableMenuItem
 0x4061c8 CheckMenuItem
 0x4061cc SetMenu
 0x4061d0 GetMenu
 0x4061d4 LoadMenuW
 0x4061d8 GetSystemMetrics
 0x4061dc TranslateAcceleratorW
 0x4061e0 LoadAcceleratorsW
 0x4061e4 EnableWindow
 0x4061e8 SetFocus
 0x4061ec IsDlgButtonChecked
 0x4061f0 CheckRadioButton
 0x4061f4 CheckDlgButton
 0x4061f8 GetDlgItem
 0x4061fc EndDialog
 0x406200 DialogBoxParamW
 0x406204 IsWindowVisible
 0x406208 MoveWindow
 0x40620c GetMenuItemInfoW
 0x406210 ShowWindow
 0x406214 SetWindowLongW
 0x406218 CreateWindowExW
 0x40621c SetActiveWindow
GDI32.dll
 0x40602c GetDeviceCaps
 0x406030 SelectObject
 0x406034 GetTextExtentPointW
 0x406038 EnumFontFamiliesExW
COMDLG32.dll
 0x406014 ChooseFontW
 0x406018 ReplaceTextW
 0x40601c GetSaveFileNameW
 0x406020 GetOpenFileNameW
 0x406024 FindTextW
SHELL32.dll
 0x406108 DragAcceptFiles
 0x40610c DragFinish
 0x406110 DragQueryFileW
 0x406114 ShellAboutW
MSVCRT.dll
 0x4060ac _controlfp
 0x4060b0 _except_handler3
 0x4060b4 __set_app_type
 0x4060b8 __p__fmode
 0x4060bc __p__commode
 0x4060c0 _adjust_fdiv
 0x4060c4 __setusermatherr
 0x4060c8 _initterm
 0x4060cc __getmainargs
 0x4060d0 _acmdln
 0x4060d4 exit
 0x4060d8 _XcptFilter
 0x4060dc _exit
 0x4060e0 memset
 0x4060e4 memcpy
 0x4060e8 isspace
 0x4060ec atoi
 0x4060f0 wcstod
 0x4060f4 qsort
 0x4060f8 _errno
 0x4060fc _onexit
 0x406100 __dllonexit

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure