ScreenShot
| Created | 2021.08.25 09:16 | Machine | s1_win7_x6402 |
| Filename | vbc.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | 5ba5c0d5ca760b500600849aad55ffec | ||
| sha256 | b0a256cca5749cf78de4bff027557274d430d54ee5f443bcf5f8a5a67d919dea | ||
| ssdeep | 6144:4KLLLm/E+gazhC+O7Xo3pyWxih+Xfi6ylttH5:4KHLm/JgA4XuhBX6935 | ||
| imphash | 439ff53323e9506db8654c0d8af9cf37 | ||
| impfuzzy | 6:+TaupKx5XtSRMvblJfG4yRlbb7RBuQLHQ3Q/QKRBKBJqX00OXn:VucJFpG4qpQQ03Q9RcBJqd4 | ||
Network IP location
Signature (19cnts)
| Level | Description |
|---|---|
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| watch | Putty Files |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Moves the original executable to a new location |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x402150 EnumTimeFormatsW
0x402154 GetConsoleOutputCP
0x402158 GetLastError
0x40215c GetModuleHandleW
0x402160 GetProcessHeap
0x402164 GetStdHandle
0x402168 HeapAlloc
0x40216c HeapFree
0x402170 LocalFree
0x402174 VirtualProtect
0x402178 WideCharToMultiByte
0x40217c WriteConsoleW
0x402180 WriteFile
0x402184 lstrlenW
ole32.dll
0x40218c OleUninitialize
USER32.dll
0x402194 LoadStringW
MSVCRT.dll
0x40219c malloc
0x4021a0 memset
0x4021a4 towlower
EAT(Export Address Table) is none
KERNEL32.dll
0x402150 EnumTimeFormatsW
0x402154 GetConsoleOutputCP
0x402158 GetLastError
0x40215c GetModuleHandleW
0x402160 GetProcessHeap
0x402164 GetStdHandle
0x402168 HeapAlloc
0x40216c HeapFree
0x402170 LocalFree
0x402174 VirtualProtect
0x402178 WideCharToMultiByte
0x40217c WriteConsoleW
0x402180 WriteFile
0x402184 lstrlenW
ole32.dll
0x40218c OleUninitialize
USER32.dll
0x402194 LoadStringW
MSVCRT.dll
0x40219c malloc
0x4021a0 memset
0x4021a4 towlower
EAT(Export Address Table) is none