Report - vbc.exe

Tags: UPX, Malicious Library, PE File, OS Processor Check, PE32

Created 2021.08.16 17:10    Machine s1_win7_x6401
Filename vbc.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score: 6
Behavior Score: 7.4
ZERO API file: malware
VT API (file): 29 detected (malicious, high confidence, Artemis, Unsafe, Save, runner, ali1000123, confidence, Kryptik, Eldorado, Attribute, HighConfidence, GenKryptik, FJAJ, score, MalwareX, URSNIF, SMKA0, AGEN, Sabsik, LokiBot, 8VACMT, ZexaF, IuZ@a8sEVLfi, BScope, HwoCTCsA)
md5 e62d40e9bd1eeab66cb3c781d543b64f
sha256 18cd73a838afa7eaedf424631d6a079f2ffe83c8d400d129656cad2fa6260567
ssdeep 12288:c3LWHX34JgXZrXhcepr1klgTszv1P9V594uFsNuEjdVIP9hefKUomLn/PUkvau2D:c3LQcepp9TsTh9VHyd99L/5iu2D
imphash 82004e82653b7bafbfcf73a18d8cef95
impfuzzy 24:kglOX9kDxLS1jtW6bJnc+pl39/CYoAOovbOthv4/MLlzZHu9dZSudT8Q4wDtuKmF:7S9QS1jtW6lc+ppQYQ3r+ZSuWQ4nKo/f

Signatures (17)

Level Description
warning File has been identified by 29 AntiVirus engines on VirusTotal as malicious
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client software
watch Harvests information related to installed instant messenger clients
watch Putty Files
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Moves the original executable to a new location
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid)
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (5)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3)

Request CC ASN Co IP4 Rule ZERO
http://everydaywegrind.ml/BN11/fre.php US CLOUDFLARENET 172.67.147.113 clean
everydaywegrind.ml US CLOUDFLARENET 104.21.71.169 clean
104.21.71.169 US CLOUDFLARENET 104.21.71.169 clean
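The three network entries above are the indicators an analyst would push to proxy or DNS logs. The following is an added example, not part of the sandbox output: it matches the report's host, URL and IP indicators against proxy log lines and rates each hit. The log lines are constructed for the demo. One caveat a practitioner needs: both IPs sit in CLOUDFLARENET, and Cloudflare edge addresses are shared by many unrelated sites, so an IP-only hit is rated low confidence while the exact URL (the POST to /BN11/fre.php seen in the sandbox) is rated high.

```python
"""Added example (not part of the report): match the report's network IOCs
against proxy log lines and rate each hit by indicator quality."""
from urllib.parse import urlsplit

# Indicators copied from the report's Network table.
IOC_URLS = {"http://everydaywegrind.ml/BN11/fre.php"}
IOC_HOSTS = {"everydaywegrind.ml"}
IOC_IPS = {"172.67.147.113", "104.21.71.169"}   # CLOUDFLARENET edge IPs (shared)

# Constructed proxy lines for the demo: "<ts> <src> <method> <url> <dst_ip> <status>"
SAMPLE_LOG = """\
2021-08-16T17:11:02Z 10.0.0.21 POST http://everydaywegrind.ml/BN11/fre.php 172.67.147.113 404
2021-08-16T17:11:05Z 10.0.0.21 GET http://cdn.example.com/lib.js 104.21.71.169 200
2021-08-16T17:12:00Z 10.0.0.33 GET http://www.everydaywegrind.ml/ 104.21.71.169 200
2021-08-16T17:12:30Z 10.0.0.40 GET https://www.example.org/ 203.0.113.9 200
"""


def host_matches(host):
    """True for the IOC host itself or any subdomain of it."""
    return any(host == h or host.endswith("." + h) for h in IOC_HOSTS)


def match_line(line):
    """Return a hit dict for one log line, or None if no indicator matches.

    confidence: high   - exact URL from the report (the observed C2 POST)
                medium - IOC domain or a subdomain of it
                low    - only the destination IP matches; shared CDN edge,
                         so this needs corroboration before acting on it
    """
    ts, src, method, url, dst_ip, _status = line.split()
    host = (urlsplit(url).hostname or "").lower()
    if url in IOC_URLS:
        confidence = "high"
    elif host_matches(host):
        confidence = "medium"
    elif dst_ip in IOC_IPS:
        confidence = "low"
    else:
        return None
    return {"ts": ts, "src": src, "method": method, "host": host,
            "dst_ip": dst_ip, "confidence": confidence}


def scan(log_text):
    """Run match_line over every non-empty line and keep the hits."""
    return [hit for hit in (match_line(l) for l in log_text.splitlines() if l.strip()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['confidence']:6} {hit['src']} {hit['method']} {hit['host']} -> {hit['dst_ip']}")
```

The report's "clean" column is the reputation service's view of the destinations at report time; it does not override the sandbox's own "Sends data using the HTTP POST Method" and "HTTP traffic contains suspicious features" signatures, which are what the high-confidence URL match encodes.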

Suricata IDS

PE API

IAT (Import Address Table) by library

KERNEL32.dll
 0x449030 lstrlenW
 0x449034 MultiByteToWideChar
 0x449038 WideCharToMultiByte
 0x44903c GetConsoleOutputCP
 0x449040 lstrcpyW
 0x449044 SetEndOfFile
 0x449048 HeapReAlloc
 0x44904c HeapSize
 0x449050 GetConsoleCP
 0x449054 FlushFileBuffers
 0x449058 lstrcmpiW
 0x44905c lstrcmpW
 0x449060 FormatMessageW
 0x449064 LocalFree
 0x449068 GetProcAddress
 0x44906c GetModuleHandleW
 0x449070 GetLastError
 0x449074 CloseHandle
 0x449078 WriteFile
 0x44907c CreateFileW
 0x449080 WriteConsoleW
 0x449084 GetStdHandle
 0x449088 QueryPerformanceCounter
 0x44908c GetCurrentProcessId
 0x449090 GetCurrentThreadId
 0x449094 GetSystemTimeAsFileTime
 0x449098 InitializeSListHead
 0x44909c IsDebuggerPresent
 0x4490a0 UnhandledExceptionFilter
 0x4490a4 SetUnhandledExceptionFilter
 0x4490a8 GetStartupInfoW
 0x4490ac IsProcessorFeaturePresent
 0x4490b0 GetCurrentProcess
 0x4490b4 TerminateProcess
 0x4490b8 InterlockedPushEntrySList
 0x4490bc InterlockedFlushSList
 0x4490c0 RtlUnwind
 0x4490c4 SetLastError
 0x4490c8 EnterCriticalSection
 0x4490cc LeaveCriticalSection
 0x4490d0 DeleteCriticalSection
 0x4490d4 InitializeCriticalSectionAndSpinCount
 0x4490d8 TlsAlloc
 0x4490dc TlsGetValue
 0x4490e0 TlsSetValue
 0x4490e4 TlsFree
 0x4490e8 FreeLibrary
 0x4490ec LoadLibraryExW
 0x4490f0 EncodePointer
 0x4490f4 RaiseException
 0x4490f8 ExitProcess
 0x4490fc GetModuleHandleExW
 0x449100 GetModuleFileNameW
 0x449104 GetCommandLineA
 0x449108 GetCommandLineW
 0x44910c GetCurrentThread
 0x449110 GetStringTypeW
 0x449114 HeapFree
 0x449118 HeapAlloc
 0x44911c GetFileType
 0x449120 ReadFile
 0x449124 GetConsoleMode
 0x449128 ReadConsoleW
 0x44912c OutputDebugStringW
 0x449130 FindClose
 0x449134 FindFirstFileExW
 0x449138 FindNextFileW
 0x44913c IsValidCodePage
 0x449140 GetACP
 0x449144 GetOEMCP
 0x449148 GetCPInfo
 0x44914c GetEnvironmentStringsW
 0x449150 FreeEnvironmentStringsW
 0x449154 SetEnvironmentVariableW
 0x449158 SetStdHandle
 0x44915c GetLocaleInfoW
 0x449160 IsValidLocale
 0x449164 GetUserDefaultLCID
 0x449168 EnumSystemLocalesW
 0x44916c GetDateFormatW
 0x449170 GetTimeFormatW
 0x449174 CompareStringW
 0x449178 LCMapStringW
 0x44917c GetProcessHeap
 0x449180 SetConsoleCtrlHandler
 0x449184 GetFileSizeEx
 0x449188 SetFilePointerEx
 0x44918c DecodePointer
USER32.dll
 0x449194 GrayStringA
 0x449198 GetDC
 0x44919c MessageBoxA
ADVAPI32.dll
 0x449000 RegDeleteTreeW
 0x449004 RegSetValueExW
 0x449008 RegQueryValueExW
 0x44900c RegOpenKeyExW
 0x449010 RegOpenKeyW
 0x449014 RegEnumValueW
 0x449018 RegEnumKeyExW
 0x44901c RegDeleteValueW
 0x449020 RegCreateKeyExW
 0x449024 RegCreateKeyW
 0x449028 RegCloseKey

EAT(Export Address Table) is none
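The static import table above is almost entirely MSVC C runtime start-up and I/O (InitializeSListHead, IsProcessorFeaturePresent, the Tls*/Heap* and locale functions) plus registry access from ADVAPI32 and the dynamic-resolution pair GetProcAddress/LoadLibraryExW. None of the behaviour the sandbox flagged (credential harvesting, NtSetContextThread injection) is visible in it, which is what the UPX rule and the "Allocates read-write-execute memory" signature predict: the real payload resolves its APIs after unpacking. The script below is an added triage helper, not part of the sandbox report. It parses an excerpt of the IAT in the report's own layout, groups the imports into capability buckets (the buckets are my own grouping, not something the report defines), checks which sandbox-observed APIs the static imports explain, and includes the pefile-style imphash computation; the excerpt will not reproduce the report's imphash, which needs the full table in the order pefile walks the import directory.

```python
"""Added triage helper (example code, not part of the sandbox report): parse an
IAT listing in the report's "DLL / 0xADDR Name" layout, summarise what the static
imports can do, and check which sandbox-observed APIs they explain."""
import hashlib
import re
from collections import defaultdict

# Excerpt of the IAT listed above (addresses and names copied from the report).
IAT_TEXT = """
KERNEL32.dll
 0x449068 GetProcAddress
 0x44906c GetModuleHandleW
 0x449078 WriteFile
 0x44907c CreateFileW
 0x44909c IsDebuggerPresent
 0x4490e8 FreeLibrary
 0x4490ec LoadLibraryExW
 0x4490fc GetModuleHandleExW
 0x449120 ReadFile
 0x44912c OutputDebugStringW
 0x449130 FindClose
 0x449134 FindFirstFileExW
 0x449138 FindNextFileW
USER32.dll
 0x449194 GrayStringA
 0x449198 GetDC
 0x44919c MessageBoxA
ADVAPI32.dll
 0x449000 RegDeleteTreeW
 0x449004 RegSetValueExW
 0x449008 RegQueryValueExW
 0x44900c RegOpenKeyExW
 0x449014 RegEnumValueW
 0x449018 RegEnumKeyExW
 0x449020 RegCreateKeyExW
 0x449028 RegCloseKey
"""

# Capability buckets are my own grouping, not something the report defines.
CAPABILITIES = {
    "runtime API resolution": {"GetProcAddress", "GetModuleHandleW",
                               "GetModuleHandleExW", "LoadLibraryExW", "FreeLibrary"},
    "file enumeration/access": {"FindFirstFileExW", "FindNextFileW", "FindClose",
                                "CreateFileW", "ReadFile", "WriteFile"},
    "anti-debug": {"IsDebuggerPresent", "OutputDebugStringW"},
}

DLL_RE = re.compile(r"^(\S+\.dll)\s*$", re.IGNORECASE)
ENTRY_RE = re.compile(r"^\s+0x[0-9a-f]+\s+(\S+)\s*$", re.IGNORECASE)


def parse_iat(text):
    """Return {dll: [function, ...]} in listing order."""
    imports, current = {}, None
    for line in text.splitlines():
        if (m := DLL_RE.match(line)):
            current = m.group(1)
            imports.setdefault(current, [])
        elif current and (m := ENTRY_RE.match(line)):
            imports[current].append(m.group(1))
    return imports


def capabilities(imports):
    """Group imported functions into the buckets above; Reg* from ADVAPI32 is 'registry'."""
    found = defaultdict(list)
    for dll, funcs in imports.items():
        for f in funcs:
            if dll.lower() == "advapi32.dll" and f.startswith("Reg"):
                found["registry"].append(f)
            for cat, names in CAPABILITIES.items():
                if f in names:
                    found[cat].append(f)
    return dict(found)


def explain_observed(imports, observed_apis):
    """Map each API the sandbox saw called to how the sample could reach it."""
    static = {f for funcs in imports.values() for f in funcs}
    runtime_ok = "GetProcAddress" in static
    out = {}
    for api in observed_apis:
        if api in static:
            out[api] = "static import"
        elif runtime_ok:
            out[api] = "not in IAT; resolved at runtime via GetProcAddress or by unpacked code"
        else:
            out[api] = "not explained by the IAT"
    return out


def imphash(imports):
    """pefile-style imphash: 'lib.func' pairs lower-cased, DLL extension stripped,
    joined by ',' and MD5-hashed. pefile walks the import directory in its own
    order, so the listing order must match it to reproduce the report's value."""
    parts = []
    for dll, funcs in imports.items():
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{f.lower()}" for f in funcs)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


if __name__ == "__main__":
    iat = parse_iat(IAT_TEXT)
    for cat, names in capabilities(iat).items():
        print(f"{cat}: {', '.join(names)}")
    # NtSetContextThread is the API named in the process-injection signature above.
    for api, how in explain_observed(iat, ["NtSetContextThread", "RegQueryValueExW"]).items():
        print(f"{api}: {how}")
```

The practical use is to decide where to spend dynamic-analysis time: when a behavioural signature names an API that is absent from the IAT but GetProcAddress is present, the function is worth hooking or breakpointing after the unpacking stage rather than searching for in the packed image.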

Similarity measure (PE file only): checking for service failure