popup

Report - vbc.exe

PE File OS Processor Check PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.08.19 19:24 Machine s1_win7_x6401
Filename vbc.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
8
 Behavior Score
8.2
ZERO API file : malware
VT API (file) 22 detected (AIDetect, malware2, malicious, high confidence, Unsafe, Save, confidence, Attribute, HighConfidence, Kryptik, HMDQ, Androm, MalwareX, Generic ML PUA, Crowti, Score, Sabsik, ZexaF, ouZ@aG8GZqhi, Static AI, Suspicious PE, GenKryptik, FJEK, QVM20)
md5 1ba29471321f0be5a3064e6c226fb80d
sha256 a5edaf3e781977e82b6d645cf52e3c8987a69f707f6d6ef2377d9f7546f744e9
ssdeep 6144:4yvNSulGHlTYvF/Ot7HEg1qRjy/fF03px:4yvBQHjt7HEgYAne3px
imphash f86f9a1397ea2f648b8914df9ad78914
impfuzzy 6:5lJM2+5XpAiBJAGvwGDvZ/OE5TaO0wD4g/QKRJyQwD3UwzP0:fuJVAGjDvZGPRwD4g9R4QwDkt
  Network IP location

Signature (19cnts)

Level Description
warning File has been identified by 22 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Harvests information related to installed instant messenger clients
watch Putty Files
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Moves the original executable to a new location
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info Queries for the computername
info This executable has a PDB path
info Tries to locate where the browsers are installed

Rules (3cnts)

Level Name Description Collection
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://185.227.139.5/sxisodifntose.php/XjjuWy0TVqjre
whois
US Turunc Smart Bilgisayar Ve Teknoloji Ve Dis Tecaret Limited 185.227.139.5 3949 mailcious
107.180.56.180
whois
US AS-26496-GO-DADDY-COM-LLC 107.180.56.180 malware
185.227.139.5
whois
US Turunc Smart Bilgisayar Ve Teknoloji Ve Dis Tecaret Limited 185.227.139.5 mailcious

Suricata ids

ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x404000 HeapFree
 0x404004 lstrlenW
 0x404008 WriteFile
 0x40400c CreateFileW
 0x404010 GetLastError
 0x404014 lstrcatW
 0x404018 CloseHandle
 0x40401c LoadLibraryW
 0x404020 HeapAlloc
 0x404024 GetProcAddress
 0x404028 ExitProcess
 0x40402c GetProcessHeap
 0x404030 EnumTimeFormatsA
 0x404034 WideCharToMultiByte
USER32.dll
 0x404050 MessageBoxW
 0x404054 LoadStringW
 0x404058 MessageBoxA
MSVCRT.dll
 0x40403c wcsrchr
 0x404040 memcpy
 0x404044 _wcsnicmp
 0x404048 memset

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure