Report - vbc.exe

Tags: UPX, Malicious Library, AntiDebug, AntiVM, PE File, OS Processor Check, PE32
Created 2021.08.19 09:44 Machine s1_win7_x6401
Filename vbc.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 3
Behavior Score 8.4
ZERO API file : malware
VT API (file) 46 detected (Noon, malicious, high confidence, GenericKD, Save, runner, ali1000123, Kryptik, Eldorado, Attribute, HighConfidence, HMCU, Blocker, FileRepMetagen, Auto, HPGen, Unsafe, Score, STOP, se37341, StopCrypt, CoinMiner, Glupteba, R437681, ZexaF, sq1@amDvdhpG, ai score=86, BScope, CLASSIC, Static AI, Suspicious PE, susgen, GenKryptik, FJBW, confidence, 100%, HwoCUugA)
md5 46b2b8e7621a93ae6b876b071da55212
sha256 9da4d8126ac0c4c0b68066407e24cf1a36e06f0fc22ef87b0a464f90c1374095
ssdeep 6144:0zAfLQsyTvBg96hLshzuKd4lNC0wxkBl0:3LITa6SJuwaB
imphash 477c037bd85187d535326c948fa8e5de
impfuzzy 48:XPInZyq/tfXd/lScgYzrJtn6LQcYv0H1Vs:XP4xtl9SczzrJtnQQcYcH1K

Signature (17cnts)

Level Description
danger File has been identified by 46 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Foreign language identified in PE resource
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks if process is being debugged by a debugger
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path

Rules (12cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (11cnts)

Request CC ASN Co IP4 Rule ZERO
http://www.wang0911.com/otcl/?uzu4=W0aQsAfnZT9K8WsD4i5637X8WoT/2UA8HayUDBPHV5pQR9uMddXCE1ucNEuG5AYfMdvmFofK&OjQl7x=9r74bd4h HK Korea 154.92.6.107 clean
http://www.fussionpromos.com/otcl/?uzu4=R6pBimEX126Y/7jz26NSIB+pAf+iSCkbIcynLs+ia55rI8fnMgFdof6zFKq4BsG3kSXOUZFo&OjQl7x=9r74bd4h US UNIFIEDLAYER-AS-1 192.254.185.89 3833 malicious
http://www.sxhuanghe.com/otcl/?uzu4=bykNueCGzGef1kTLSC6P98gcCLtJHJm8XaoDN192w2lHtEo2seD5whRxipE3R8Jwf92JqfL+&OjQl7x=9r74bd4h US AMAZON-AES 3.223.115.185 clean
www.sxhuanghe.com US AMAZON-AES 3.223.115.185 clean
www.schuldenzaesurgesetz.info Unknown clean
www.fussionpromos.com US UNIFIEDLAYER-AS-1 192.254.185.89 clean
www.wang0911.com HK Korea 154.92.6.107 clean
www.onenesstokyo.com Unknown clean
3.223.115.185 US AMAZON-AES 3.223.115.185 malicious
154.92.6.107 HK Korea 154.92.6.107 clean
192.254.185.89 US UNIFIEDLAYER-AS-1 192.254.185.89 malicious

Suricata IDS

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x431008 lstrlenA
 0x43100c EnumDateFormatsExW
 0x431010 WriteConsoleOutputW
 0x431014 InterlockedIncrement
 0x431018 GetConsoleAliasA
 0x43101c InterlockedDecrement
 0x431020 WritePrivateProfileSectionA
 0x431024 GetSystemWindowsDirectoryW
 0x431028 GetEnvironmentStringsW
 0x43102c GetUserDefaultLCID
 0x431030 WriteConsoleInputA
 0x431034 GetComputerNameW
 0x431038 SetEvent
 0x43103c GetConsoleAliasesLengthA
 0x431040 GetConsoleTitleA
 0x431044 CreateActCtxW
 0x431048 InitializeCriticalSection
 0x43104c GetConsoleCP
 0x431050 GetVersionExW
 0x431054 DnsHostnameToComputerNameW
 0x431058 lstrcpynW
 0x43105c SetConsoleCursorPosition
 0x431060 GetFileAttributesW
 0x431064 VerifyVersionInfoA
 0x431068 HeapQueryInformation
 0x43106c IsBadWritePtr
 0x431070 GetCompressedFileSizeA
 0x431074 GetSystemDirectoryA
 0x431078 CreateFileW
 0x43107c lstrcatA
 0x431080 GetACP
 0x431084 GetVolumePathNameA
 0x431088 FlushFileBuffers
 0x43108c InterlockedExchange
 0x431090 GetLastError
 0x431094 GetProcAddress
 0x431098 PeekConsoleInputW
 0x43109c CreateTimerQueueTimer
 0x4310a0 LocalLock
 0x4310a4 GetConsoleDisplayMode
 0x4310a8 EnterCriticalSection
 0x4310ac SetTimerQueueTimer
 0x4310b0 GetLocalTime
 0x4310b4 WriteConsoleA
 0x4310b8 LocalAlloc
 0x4310bc DeleteTimerQueue
 0x4310c0 CreateTapePartition
 0x4310c4 BeginUpdateResourceA
 0x4310c8 GlobalGetAtomNameW
 0x4310cc WaitForMultipleObjects
 0x4310d0 SetEnvironmentVariableA
 0x4310d4 GetModuleFileNameA
 0x4310d8 GetModuleHandleA
 0x4310dc WriteConsoleOutputAttribute
 0x4310e0 EndUpdateResourceA
 0x4310e4 ReadConsoleInputW
 0x4310e8 FindFirstVolumeW
 0x4310ec GetCurrentProcessId
 0x4310f0 AreFileApisANSI
 0x4310f4 LCMapStringW
 0x4310f8 GetSystemDefaultLangID
 0x4310fc UnhandledExceptionFilter
 0x431100 SetUnhandledExceptionFilter
 0x431104 HeapReAlloc
 0x431108 HeapAlloc
 0x43110c GetModuleHandleW
 0x431110 Sleep
 0x431114 ExitProcess
 0x431118 GetCommandLineA
 0x43111c GetStartupInfoA
 0x431120 WriteFile
 0x431124 GetStdHandle
 0x431128 TlsGetValue
 0x43112c TlsAlloc
 0x431130 TlsSetValue
 0x431134 TlsFree
 0x431138 SetLastError
 0x43113c GetCurrentThreadId
 0x431140 DeleteCriticalSection
 0x431144 LeaveCriticalSection
 0x431148 HeapCreate
 0x43114c VirtualFree
 0x431150 HeapFree
 0x431154 VirtualAlloc
 0x431158 TerminateProcess
 0x43115c GetCurrentProcess
 0x431160 IsDebuggerPresent
 0x431164 LoadLibraryA
 0x431168 InitializeCriticalSectionAndSpinCount
 0x43116c FreeEnvironmentStringsA
 0x431170 GetEnvironmentStrings
 0x431174 FreeEnvironmentStringsW
 0x431178 WideCharToMultiByte
 0x43117c SetHandleCount
 0x431180 GetFileType
 0x431184 QueryPerformanceCounter
 0x431188 GetTickCount
 0x43118c GetSystemTimeAsFileTime
 0x431190 RaiseException
 0x431194 GetCPInfo
 0x431198 GetOEMCP
 0x43119c IsValidCodePage
 0x4311a0 RtlUnwind
 0x4311a4 HeapSize
 0x4311a8 GetLocaleInfoA
 0x4311ac GetStringTypeA
 0x4311b0 MultiByteToWideChar
 0x4311b4 GetStringTypeW
 0x4311b8 LCMapStringA
USER32.dll
 0x4311c0 RealGetWindowClassA
ADVAPI32.dll
 0x431000 AdjustTokenGroups

EAT (Export Address Table) Library

0x401003 @GetAnotherVice@12
0x401000 @SetFirstEverVice@4
