ScreenShot
| Created | 2021.08.20 17:16 | Machine | s1_win7_x6402 |
| Filename | vbc.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 30 detected (Agensla, malicious, high confidence, Fragtor, Artemis, Unsafe, confidence, ZexaCO, GqZ@aqJbnomi, Kryptik, Eldorado, Attribute, HighConfidence, HMEA, SpyBotNET, kcloud, Tnega, score, ai score=80, AgentTesla, MalwareX, Static AI, Suspicious PE, GenKryptik, FJFZ, QVM20) | ||
| md5 | 2b5346dcfa4f86d3ef68060c22e5a087 | ||
| sha256 | be76239da7234a7e43d56d819e0558d91bdc872aef6e08db9f612ca30355bb9b | ||
| ssdeep | 12288:bekuQ7HtohvcLYA7jEiB165kdQKC8dGJ2LBXLRYXvQKMgGrGtXi5J+GPR:bekuQ7DEiB1mkdQ4dGJ2LBXLRYXvQK9G | ||
| imphash | 4f489b335db6d5ec89d1f80710469941 | ||
| impfuzzy | 24:tHjDo22XAuvcrT+jWm0+lbO1McS1jtX6bJnc+plvCPMVZMv7lSOovHZHu9gTmFw6:V8XAuErwq9S1jtX6lc+pIEVZGTVuzL/y | ||
Network IP location
Signature (21cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 30 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| watch | Putty Files |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Moves the original executable to a new location |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x443030 CreateThread
0x443034 GetSystemDirectoryW
0x443038 VirtualAlloc
0x44303c FreeLibrary
0x443040 GetModuleFileNameW
0x443044 GetModuleHandleA
0x443048 GetProcAddress
0x44304c LoadLibraryExW
0x443050 LoadLibraryA
0x443054 lstrcpynW
0x443058 ExitProcess
0x44305c lstrlenW
0x443060 CompareStringW
0x443064 MultiByteToWideChar
0x443068 EnumTimeFormatsA
0x44306c GetThreadLocale
0x443070 GetUserDefaultLangID
0x443074 WriteConsoleW
0x443078 ReadConsoleW
0x44307c CloseHandle
0x443080 HeapReAlloc
0x443084 CreateEventW
0x443088 WaitForSingleObject
0x44308c SetEvent
0x443090 GetProcessHeap
0x443094 HeapFree
0x443098 HeapAlloc
0x44309c GetLastError
0x4430a0 WriteFile
0x4430a4 ReadFile
0x4430a8 CreateFileW
0x4430ac lstrcpyW
0x4430b0 GetCommandLineW
0x4430b4 HeapSize
0x4430b8 SetFilePointerEx
0x4430bc GetFileSizeEx
0x4430c0 GetConsoleMode
0x4430c4 QueryPerformanceCounter
0x4430c8 GetCurrentProcessId
0x4430cc GetCurrentThreadId
0x4430d0 GetSystemTimeAsFileTime
0x4430d4 InitializeSListHead
0x4430d8 IsDebuggerPresent
0x4430dc UnhandledExceptionFilter
0x4430e0 SetUnhandledExceptionFilter
0x4430e4 GetStartupInfoW
0x4430e8 IsProcessorFeaturePresent
0x4430ec GetModuleHandleW
0x4430f0 GetCurrentProcess
0x4430f4 TerminateProcess
0x4430f8 InterlockedPushEntrySList
0x4430fc InterlockedFlushSList
0x443100 RtlUnwind
0x443104 SetLastError
0x443108 EnterCriticalSection
0x44310c LeaveCriticalSection
0x443110 DeleteCriticalSection
0x443114 InitializeCriticalSectionAndSpinCount
0x443118 TlsAlloc
0x44311c TlsGetValue
0x443120 TlsSetValue
0x443124 TlsFree
0x443128 EncodePointer
0x44312c RaiseException
0x443130 GetStdHandle
0x443134 GetModuleHandleExW
0x443138 GetCurrentThread
0x44313c GetDateFormatW
0x443140 GetTimeFormatW
0x443144 LCMapStringW
0x443148 GetLocaleInfoW
0x44314c IsValidLocale
0x443150 GetUserDefaultLCID
0x443154 EnumSystemLocalesW
0x443158 GetFileType
0x44315c OutputDebugStringW
0x443160 FindClose
0x443164 FindFirstFileExW
0x443168 FindNextFileW
0x44316c IsValidCodePage
0x443170 GetACP
0x443174 GetOEMCP
0x443178 GetCPInfo
0x44317c GetCommandLineA
0x443180 WideCharToMultiByte
0x443184 GetEnvironmentStringsW
0x443188 FreeEnvironmentStringsW
0x44318c SetEnvironmentVariableW
0x443190 SetStdHandle
0x443194 GetStringTypeW
0x443198 SetConsoleCtrlHandler
0x44319c FlushFileBuffers
0x4431a0 GetConsoleOutputCP
0x4431a4 DecodePointer
USER32.dll
0x4431ac MessageBoxA
0x4431b0 LoadStringW
ADVAPI32.dll
0x443000 StartServiceCtrlDispatcherA
0x443004 SetServiceStatus
0x443008 RegisterServiceCtrlHandlerA
0x44300c OpenServiceW
0x443010 OpenSCManagerW
0x443014 DeleteService
0x443018 CreateServiceW
0x44301c CloseServiceHandle
0x443020 RegQueryValueExW
0x443024 RegOpenKeyW
0x443028 RegCloseKey
ole32.dll
0x4431b8 CoInitializeEx
0x4431bc CLSIDFromString
0x4431c0 CoUninitialize
EAT(Export Address Table) is none
KERNEL32.dll
0x443030 CreateThread
0x443034 GetSystemDirectoryW
0x443038 VirtualAlloc
0x44303c FreeLibrary
0x443040 GetModuleFileNameW
0x443044 GetModuleHandleA
0x443048 GetProcAddress
0x44304c LoadLibraryExW
0x443050 LoadLibraryA
0x443054 lstrcpynW
0x443058 ExitProcess
0x44305c lstrlenW
0x443060 CompareStringW
0x443064 MultiByteToWideChar
0x443068 EnumTimeFormatsA
0x44306c GetThreadLocale
0x443070 GetUserDefaultLangID
0x443074 WriteConsoleW
0x443078 ReadConsoleW
0x44307c CloseHandle
0x443080 HeapReAlloc
0x443084 CreateEventW
0x443088 WaitForSingleObject
0x44308c SetEvent
0x443090 GetProcessHeap
0x443094 HeapFree
0x443098 HeapAlloc
0x44309c GetLastError
0x4430a0 WriteFile
0x4430a4 ReadFile
0x4430a8 CreateFileW
0x4430ac lstrcpyW
0x4430b0 GetCommandLineW
0x4430b4 HeapSize
0x4430b8 SetFilePointerEx
0x4430bc GetFileSizeEx
0x4430c0 GetConsoleMode
0x4430c4 QueryPerformanceCounter
0x4430c8 GetCurrentProcessId
0x4430cc GetCurrentThreadId
0x4430d0 GetSystemTimeAsFileTime
0x4430d4 InitializeSListHead
0x4430d8 IsDebuggerPresent
0x4430dc UnhandledExceptionFilter
0x4430e0 SetUnhandledExceptionFilter
0x4430e4 GetStartupInfoW
0x4430e8 IsProcessorFeaturePresent
0x4430ec GetModuleHandleW
0x4430f0 GetCurrentProcess
0x4430f4 TerminateProcess
0x4430f8 InterlockedPushEntrySList
0x4430fc InterlockedFlushSList
0x443100 RtlUnwind
0x443104 SetLastError
0x443108 EnterCriticalSection
0x44310c LeaveCriticalSection
0x443110 DeleteCriticalSection
0x443114 InitializeCriticalSectionAndSpinCount
0x443118 TlsAlloc
0x44311c TlsGetValue
0x443120 TlsSetValue
0x443124 TlsFree
0x443128 EncodePointer
0x44312c RaiseException
0x443130 GetStdHandle
0x443134 GetModuleHandleExW
0x443138 GetCurrentThread
0x44313c GetDateFormatW
0x443140 GetTimeFormatW
0x443144 LCMapStringW
0x443148 GetLocaleInfoW
0x44314c IsValidLocale
0x443150 GetUserDefaultLCID
0x443154 EnumSystemLocalesW
0x443158 GetFileType
0x44315c OutputDebugStringW
0x443160 FindClose
0x443164 FindFirstFileExW
0x443168 FindNextFileW
0x44316c IsValidCodePage
0x443170 GetACP
0x443174 GetOEMCP
0x443178 GetCPInfo
0x44317c GetCommandLineA
0x443180 WideCharToMultiByte
0x443184 GetEnvironmentStringsW
0x443188 FreeEnvironmentStringsW
0x44318c SetEnvironmentVariableW
0x443190 SetStdHandle
0x443194 GetStringTypeW
0x443198 SetConsoleCtrlHandler
0x44319c FlushFileBuffers
0x4431a0 GetConsoleOutputCP
0x4431a4 DecodePointer
USER32.dll
0x4431ac MessageBoxA
0x4431b0 LoadStringW
ADVAPI32.dll
0x443000 StartServiceCtrlDispatcherA
0x443004 SetServiceStatus
0x443008 RegisterServiceCtrlHandlerA
0x44300c OpenServiceW
0x443010 OpenSCManagerW
0x443014 DeleteService
0x443018 CreateServiceW
0x44301c CloseServiceHandle
0x443020 RegQueryValueExW
0x443024 RegOpenKeyW
0x443028 RegCloseKey
ole32.dll
0x4431b8 CoInitializeEx
0x4431bc CLSIDFromString
0x4431c0 CoUninitialize
EAT(Export Address Table) is none