Field | Value
---|---
Created | 2021.08.17 17:46
Machine | s1_win7_x6402
Filename | vbc.exe
Type | PE32 executable (console) Intel 80386, for MS Windows
ZERO API | file : malware
VT API (file) | 20 detected (malicious, high confidence, Artemis, Unsafe, Attribute, HighConfidence, a variant of Generik, GMCYYCB, FileRepMalware, Generic ML PUA, Woreflint, LokiBot, 7ULAEM, BScope, Kryptik, CLASSIC, ZexaF, CCZ@aimNM0ki, confidence, HwoCUXwA)
md5 | a5082cf7d178e6ecdff4b46002ab3347
sha256 | b372ba907ad4c120ac6ddd86e8de1821d19dffef023bd32c18359bcf82326842
ssdeep | 12288:VTTSysup4LojOUOPJOq550XlxLISP5Qch7K5m:VTTSysrsjOUuOq5qVLQyK5m
imphash | e9aef503b3e4a8eb831af674be5da9e3
impfuzzy | 48:UfXXORCt79/x3on1YoHzhrOolshYsRgR4Q9GjuNsR/d3:gX+Ct75Wn1YOhrOolshuYd3
Network IP location
Signature (20cnts)
Level | Description |
---|---|
warning | File has been identified by 20 AntiVirus engines on VirusTotal as malicious |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client software |
watch | Harvests information related to installed instant messenger clients |
watch | Putty Files |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Moves the original executable to a new location |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET INFO HTTP Request to a *.ga domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET INFO DNS Query for Suspicious .ga Domain
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x4370d0 CloseHandle
0x4370d4 CompareStringW
0x4370d8 CopyFileW
0x4370dc CreateDirectoryW
0x4370e0 CreateFileW
0x4370e4 CreateHardLinkW
0x4370e8 CreateProcessW
0x4370ec CreateSymbolicLinkW
0x4370f0 DecodePointer
0x4370f4 DeleteCriticalSection
0x4370f8 DeleteFileW
0x4370fc DuplicateHandle
0x437100 EnterCriticalSection
0x437104 ExitProcess
0x437108 ExpandEnvironmentStringsW
0x43710c FileTimeToLocalFileTime
0x437110 FileTimeToSystemTime
0x437114 FillConsoleOutputAttribute
0x437118 FillConsoleOutputCharacterW
0x43711c FindClose
0x437120 FindFirstFileExW
0x437124 FindFirstFileW
0x437128 FindNextFileW
0x43712c FlushFileBuffers
0x437130 FormatMessageW
0x437134 FreeEnvironmentStringsW
0x437138 FreeLibrary
0x43713c GetACP
0x437140 GetCPInfo
0x437144 GetCommandLineA
0x437148 GetCommandLineW
0x43714c GetConsoleCP
0x437150 GetConsoleMode
0x437154 GetConsoleOutputCP
0x437158 GetConsoleScreenBufferInfo
0x43715c GetCurrentDirectoryW
0x437160 GetCurrentProcess
0x437164 GetCurrentProcessId
0x437168 GetCurrentThreadId
0x43716c GetDateFormatW
0x437170 GetDiskFreeSpaceExW
0x437174 GetEnvironmentStringsW
0x437178 GetEnvironmentVariableW
0x43717c GetExitCodeProcess
0x437180 GetFileAttributesExW
0x437184 GetFileAttributesW
0x437188 GetFileInformationByHandle
0x43718c GetFileType
0x437190 GetFullPathNameW
0x437194 GetLastError
0x437198 GetLocalTime
0x43719c GetModuleFileNameW
0x4371a0 GetModuleHandleExW
0x4371a4 GetModuleHandleW
0x4371a8 GetOEMCP
0x4371ac GetProcAddress
0x4371b0 GetProcessHeap
0x4371b4 GetShortPathNameW
0x4371b8 GetStartupInfoW
0x4371bc GetStdHandle
0x4371c0 GetStringTypeW
0x4371c4 GetSystemDirectoryW
0x4371c8 GetSystemTimeAsFileTime
0x4371cc GetTempFileNameW
0x4371d0 GetTempPathW
0x4371d4 GetTimeFormatW
0x4371d8 GetVolumeInformationW
0x4371dc GetWindowsDirectoryW
0x4371e0 HeapAlloc
0x4371e4 HeapFree
0x4371e8 HeapReAlloc
0x4371ec HeapSize
0x4371f0 InitializeCriticalSectionAndSpinCount
0x4371f4 InitializeSListHead
0x4371f8 IsDebuggerPresent
0x4371fc IsProcessorFeaturePresent
0x437200 IsValidCodePage
0x437204 LCMapStringW
0x437208 LeaveCriticalSection
0x43720c LoadLibraryExW
0x437210 LocalAlloc
0x437214 LocalFree
0x437218 MoveFileExW
0x43721c MoveFileW
0x437220 MultiByteToWideChar
0x437224 QueryPerformanceCounter
0x437228 RaiseException
0x43722c ReadConsoleW
0x437230 ReadFile
0x437234 RemoveDirectoryW
0x437238 RtlUnwind
0x43723c SearchPathW
0x437240 SetConsoleCursorPosition
0x437244 SetConsoleMode
0x437248 SetConsoleTextAttribute
0x43724c SetConsoleTitleW
0x437250 SetCurrentDirectoryW
0x437254 SetEnvironmentVariableW
0x437258 SetFileAttributesW
0x43725c SetFilePointer
0x437260 SetFilePointerEx
0x437264 SetLastError
0x437268 SetStdHandle
0x43726c SetUnhandledExceptionFilter
0x437270 SetVolumeLabelW
0x437274 TerminateProcess
0x437278 TlsAlloc
0x43727c TlsFree
0x437280 TlsGetValue
0x437284 TlsSetValue
0x437288 UnhandledExceptionFilter
0x43728c WaitForSingleObject
0x437290 WideCharToMultiByte
0x437294 WriteConsoleW
0x437298 WriteFile
0x43729c lstrcatW
0x4372a0 lstrcmpW
0x4372a4 lstrcmpiW
0x4372a8 lstrcpyW
0x4372ac lstrcpynW
0x4372b0 lstrlenW
USER32.dll
0x4372b8 CharNextExA
0x4372bc CharUpperBuffW
0x4372c0 GetDC
0x4372c4 GrayStringA
0x4372c8 IsCharAlphaNumericW
0x4372cc IsCharAlphaW
0x4372d0 LoadStringW
0x4372d4 MessageBoxA
0x4372d8 wsprintfW
SHELL32.dll
0x4372e0 FindExecutableW
0x4372e4 SHFileOperationW
0x4372e8 SHGetFileInfoW
ADVAPI32.dll
0x4372f0 GetFileSecurityW
0x4372f4 GetSecurityDescriptorOwner
0x4372f8 LookupAccountSidW
0x4372fc RegCloseKey
0x437300 RegCreateKeyExW
0x437304 RegDeleteKeyW
0x437308 RegEnumKeyExW
0x43730c RegOpenKeyExW
0x437310 RegQueryValueExW
0x437314 RegSetValueExW
EAT(Export Address Table) is none