popup

Report - vbc.exe

PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.08.24 16:50 Machine s1_win7_x6402
Filename vbc.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
7
 Behavior Score
8.6
ZERO API file : malware
VT API (file) 25 detected (malicious, high confidence, Unsafe, Save, Attribute, HighConfidence, GenKryptik, FJLP, Androm, FileRepMalware, ZPACK, kcloud, Pwsteal, score, Artemis, AgentTesla, Kryptik, CLASSIC, Static AI, Suspicious PE, ZexaF, oqZ@aWQ@D0bi, confidence)
md5 252cae0537d8c3aa42d8e69ad802b966
sha256 8e166eb3487a243e21ddcfa8a88173a7f1b2b37de18a55f4517003027547fef6
ssdeep 6144:cxB+lzu0FKw3wIZ6ifYfFPxhypIahW9LYJvtKs5xi:cb+Zu0FKw0ZhOIm7GUi
imphash 76cb49957629b5fe0d40d13588a8762e
impfuzzy 6:5vai5XqlJHmSRGDYBJAEfG81TaupKSKA/QKRJyQwDiJ7MLMKJABLHIfTOXGpJqX0:lJEYDoAgGDuGA9R4QwDkM+BsfThpJqE
  Network IP location

Signature (20cnts)

Level Description
warning File has been identified by 25 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Harvests information related to installed instant messenger clients
watch Putty Files
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Moves the original executable to a new location
notice Performs some HTTP requests
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (2cnts)

Level Name Description Collection
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://65.21.223.84/~t/i.html/XjjuWy0TVqjre
whois
Unknown 65.21.223.84 4356 mailcious
65.21.223.84
whois
Unknown 65.21.223.84 mailcious

Suricata ids

ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x402000 GetStdHandle
 0x402004 WriteFile
 0x402008 GetLastError
 0x40200c HeapAlloc
 0x402010 HeapFree
 0x402014 GetProcessHeap
 0x402018 GetModuleHandleW
 0x40201c GetProcAddress
 0x402020 LoadLibraryA
 0x402024 LocalFree
 0x402028 lstrlenW
 0x40202c WideCharToMultiByte
 0x402030 EnumTimeFormatsW
 0x402034 GetConsoleOutputCP
 0x402038 WriteConsoleW
USER32.dll
 0x402050 LoadStringW
 0x402054 MessageBoxW
ole32.dll
 0x40205c OleInitialize
 0x402060 OleUninitialize
MSVCRT.dll
 0x402040 towlower
 0x402044 malloc
 0x402048 memset

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure