ScreenShot
| Created | 2021.08.17 10:05 | Machine | s1_win7_x6402 |
| Filename | vbc.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 40 detected (AIDetect, malware2, malicious, high confidence, GenericKD, GenericRXPS, Unsafe, Save, MalwareX, confidence, 100%, ZexaF, IuZ@aCi2e4ii, Kryptik, Eldorado, Attribute, HighConfidence, HMCI, Noon, URSNIF, SMKA0, Krypt, AGEN, ai score=100, kcloud, FormBook, LokiBot, EZRH4T, score, BScope, TelegramBot, GenKryptik, FJAJ, HwoCTcoA) | ||
| md5 | 61521d238c7c60ca7e91881ffda4a5fa | ||
| sha256 | ebdee756cd475a65df67185291c3fffad83b91d8c59f8248160f6b0ff15fb279 | ||
| ssdeep | 12288:tmKF7mX3Ulh3pP+BcepL1k7tTsRc3EQVwmBuFsCyqMRYZu6mG1dSNWKnmR:tmKRscepJuTsy0QVXO9+NWKnmR | ||
| imphash | 82004e82653b7bafbfcf73a18d8cef95 | ||
| impfuzzy | 24:kglOX9kDxLS1jtW6bJnc+pl39/CYoAOovbOthv4/MLlzZHu9dZSudT8Q4wDtuKmF:7S9QS1jtW6lc+ppQYQ3r+ZSuWQ4nKo/f | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 40 AntiVirus engines on VirusTotal as malicious |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| watch | Putty Files |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Moves the original executable to a new location |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Steals private information from local Internet browsers |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x449030 lstrlenW
0x449034 MultiByteToWideChar
0x449038 WideCharToMultiByte
0x44903c GetConsoleOutputCP
0x449040 lstrcpyW
0x449044 SetEndOfFile
0x449048 HeapReAlloc
0x44904c HeapSize
0x449050 GetConsoleCP
0x449054 FlushFileBuffers
0x449058 lstrcmpiW
0x44905c lstrcmpW
0x449060 FormatMessageW
0x449064 LocalFree
0x449068 GetProcAddress
0x44906c GetModuleHandleW
0x449070 GetLastError
0x449074 CloseHandle
0x449078 WriteFile
0x44907c CreateFileW
0x449080 WriteConsoleW
0x449084 GetStdHandle
0x449088 QueryPerformanceCounter
0x44908c GetCurrentProcessId
0x449090 GetCurrentThreadId
0x449094 GetSystemTimeAsFileTime
0x449098 InitializeSListHead
0x44909c IsDebuggerPresent
0x4490a0 UnhandledExceptionFilter
0x4490a4 SetUnhandledExceptionFilter
0x4490a8 GetStartupInfoW
0x4490ac IsProcessorFeaturePresent
0x4490b0 GetCurrentProcess
0x4490b4 TerminateProcess
0x4490b8 InterlockedPushEntrySList
0x4490bc InterlockedFlushSList
0x4490c0 RtlUnwind
0x4490c4 SetLastError
0x4490c8 EnterCriticalSection
0x4490cc LeaveCriticalSection
0x4490d0 DeleteCriticalSection
0x4490d4 InitializeCriticalSectionAndSpinCount
0x4490d8 TlsAlloc
0x4490dc TlsGetValue
0x4490e0 TlsSetValue
0x4490e4 TlsFree
0x4490e8 FreeLibrary
0x4490ec LoadLibraryExW
0x4490f0 EncodePointer
0x4490f4 RaiseException
0x4490f8 ExitProcess
0x4490fc GetModuleHandleExW
0x449100 GetModuleFileNameW
0x449104 GetCommandLineA
0x449108 GetCommandLineW
0x44910c GetCurrentThread
0x449110 GetStringTypeW
0x449114 HeapFree
0x449118 HeapAlloc
0x44911c GetFileType
0x449120 ReadFile
0x449124 GetConsoleMode
0x449128 ReadConsoleW
0x44912c OutputDebugStringW
0x449130 FindClose
0x449134 FindFirstFileExW
0x449138 FindNextFileW
0x44913c IsValidCodePage
0x449140 GetACP
0x449144 GetOEMCP
0x449148 GetCPInfo
0x44914c GetEnvironmentStringsW
0x449150 FreeEnvironmentStringsW
0x449154 SetEnvironmentVariableW
0x449158 SetStdHandle
0x44915c GetLocaleInfoW
0x449160 IsValidLocale
0x449164 GetUserDefaultLCID
0x449168 EnumSystemLocalesW
0x44916c GetDateFormatW
0x449170 GetTimeFormatW
0x449174 CompareStringW
0x449178 LCMapStringW
0x44917c GetProcessHeap
0x449180 SetConsoleCtrlHandler
0x449184 GetFileSizeEx
0x449188 SetFilePointerEx
0x44918c DecodePointer
USER32.dll
0x449194 GrayStringA
0x449198 GetDC
0x44919c MessageBoxA
ADVAPI32.dll
0x449000 RegDeleteTreeW
0x449004 RegSetValueExW
0x449008 RegQueryValueExW
0x44900c RegOpenKeyExW
0x449010 RegOpenKeyW
0x449014 RegEnumValueW
0x449018 RegEnumKeyExW
0x44901c RegDeleteValueW
0x449020 RegCreateKeyExW
0x449024 RegCreateKeyW
0x449028 RegCloseKey
EAT(Export Address Table) is none
KERNEL32.dll
0x449030 lstrlenW
0x449034 MultiByteToWideChar
0x449038 WideCharToMultiByte
0x44903c GetConsoleOutputCP
0x449040 lstrcpyW
0x449044 SetEndOfFile
0x449048 HeapReAlloc
0x44904c HeapSize
0x449050 GetConsoleCP
0x449054 FlushFileBuffers
0x449058 lstrcmpiW
0x44905c lstrcmpW
0x449060 FormatMessageW
0x449064 LocalFree
0x449068 GetProcAddress
0x44906c GetModuleHandleW
0x449070 GetLastError
0x449074 CloseHandle
0x449078 WriteFile
0x44907c CreateFileW
0x449080 WriteConsoleW
0x449084 GetStdHandle
0x449088 QueryPerformanceCounter
0x44908c GetCurrentProcessId
0x449090 GetCurrentThreadId
0x449094 GetSystemTimeAsFileTime
0x449098 InitializeSListHead
0x44909c IsDebuggerPresent
0x4490a0 UnhandledExceptionFilter
0x4490a4 SetUnhandledExceptionFilter
0x4490a8 GetStartupInfoW
0x4490ac IsProcessorFeaturePresent
0x4490b0 GetCurrentProcess
0x4490b4 TerminateProcess
0x4490b8 InterlockedPushEntrySList
0x4490bc InterlockedFlushSList
0x4490c0 RtlUnwind
0x4490c4 SetLastError
0x4490c8 EnterCriticalSection
0x4490cc LeaveCriticalSection
0x4490d0 DeleteCriticalSection
0x4490d4 InitializeCriticalSectionAndSpinCount
0x4490d8 TlsAlloc
0x4490dc TlsGetValue
0x4490e0 TlsSetValue
0x4490e4 TlsFree
0x4490e8 FreeLibrary
0x4490ec LoadLibraryExW
0x4490f0 EncodePointer
0x4490f4 RaiseException
0x4490f8 ExitProcess
0x4490fc GetModuleHandleExW
0x449100 GetModuleFileNameW
0x449104 GetCommandLineA
0x449108 GetCommandLineW
0x44910c GetCurrentThread
0x449110 GetStringTypeW
0x449114 HeapFree
0x449118 HeapAlloc
0x44911c GetFileType
0x449120 ReadFile
0x449124 GetConsoleMode
0x449128 ReadConsoleW
0x44912c OutputDebugStringW
0x449130 FindClose
0x449134 FindFirstFileExW
0x449138 FindNextFileW
0x44913c IsValidCodePage
0x449140 GetACP
0x449144 GetOEMCP
0x449148 GetCPInfo
0x44914c GetEnvironmentStringsW
0x449150 FreeEnvironmentStringsW
0x449154 SetEnvironmentVariableW
0x449158 SetStdHandle
0x44915c GetLocaleInfoW
0x449160 IsValidLocale
0x449164 GetUserDefaultLCID
0x449168 EnumSystemLocalesW
0x44916c GetDateFormatW
0x449170 GetTimeFormatW
0x449174 CompareStringW
0x449178 LCMapStringW
0x44917c GetProcessHeap
0x449180 SetConsoleCtrlHandler
0x449184 GetFileSizeEx
0x449188 SetFilePointerEx
0x44918c DecodePointer
USER32.dll
0x449194 GrayStringA
0x449198 GetDC
0x44919c MessageBoxA
ADVAPI32.dll
0x449000 RegDeleteTreeW
0x449004 RegSetValueExW
0x449008 RegQueryValueExW
0x44900c RegOpenKeyExW
0x449010 RegOpenKeyW
0x449014 RegEnumValueW
0x449018 RegEnumKeyExW
0x44901c RegDeleteValueW
0x449020 RegCreateKeyExW
0x449024 RegCreateKeyW
0x449028 RegCloseKey
EAT(Export Address Table) is none