popup

Report - vbc.exe

Generic Malware PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.08.26 08:31 Machine s1_win7_x6402
Filename vbc.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
8
 Behavior Score
9.0
ZERO API file : clean
VT API (file) 46 detected (AIDetect, malware2, malicious, high confidence, GenericKD, Razy, Unsafe, Save, confidence, 100%, FormBook, Eldorado, Attribute, HighConfidence, Kryptik, HMFG, MalwareX, Fareit, Auto, Siggen3, R002C0DHP21, Static AI, Suspicious PE, kcloud, 1V9N73W, score, R438791, GenericRXPU, ai score=100, BScope, TrojanPSW, Agensla, AgentTesla, CLASSIC, Outbreak, GenKryptik, FJLZ, ZexaF, ouZ@aaHWMBci, Genetic)
md5 61d4b8cc54596921d5cbed6d4209377f
sha256 243dee23b179d34c88b6494be767a9cafcb36a57ffeef9f21ebbd463d1220b24
ssdeep 6144:EDZ5OoVH+VtU0vc/C4Fg2fY6bQVlhIt0yGHuBuRpY:CsoeUlT0bhu0uF
imphash 439ff53323e9506db8654c0d8af9cf37
impfuzzy 6:+TaupKx5XtSRMvblJfG4yRlbb7RBuQLHQ3Q/QKRBKBJqX00OXn:VucJFpG4qpQQ03Q9RcBJqd4
  Network IP location

Signature (20cnts)

Level Description
danger File has been identified by 46 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Harvests information related to installed instant messenger clients
watch Putty Files
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Moves the original executable to a new location
notice Performs some HTTP requests
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (3cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://65.21.223.84/~t/i.html/m9vo3uzZGXz0z
whois
Unknown 65.21.223.84 4356 mailcious
65.21.223.84
whois
Unknown 65.21.223.84 mailcious

Suricata ids

ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x402150 EnumTimeFormatsW
 0x402154 GetConsoleOutputCP
 0x402158 GetLastError
 0x40215c GetModuleHandleW
 0x402160 GetProcessHeap
 0x402164 GetStdHandle
 0x402168 HeapAlloc
 0x40216c HeapFree
 0x402170 LocalFree
 0x402174 VirtualProtect
 0x402178 WideCharToMultiByte
 0x40217c WriteConsoleW
 0x402180 WriteFile
 0x402184 lstrlenW
ole32.dll
 0x40218c OleUninitialize
USER32.dll
 0x402194 LoadStringW
MSVCRT.dll
 0x40219c malloc
 0x4021a0 memset
 0x4021a4 towlower

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure