ScreenShot
| Created | 2021.08.27 15:47 | Machine | s1_win7_x6401 |
| Filename | vbc.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 14 detected (AIDetect, malware2, malicious, high confidence, Artemis, Unsafe, Save, confidence, Generic ML PUA, Score, Phonzy, Yukleyici) | ||
| md5 | 97c2aecf2380200fc50b84d72af34480 | ||
| sha256 | 8083fc125756be5ccebc8b837ffd80063f42696159291e0df941c28f03170b07 | ||
| ssdeep | 6144:64XrK9PX7Fp6Gh2wWRGl0EDDf1PisZQ5rAGQwg1QtP1f4paaYlsdcaMJEdbI0Pzy:xXe9PPlowWX0t6mOQwg1Qd15CcYk0WeC | ||
| imphash | ef471c0edf1877cd5a881a6a8bf647b9 | ||
| impfuzzy | 12:VA/DzqYOZQDe78r4B3ExjLAkcOaiTQQnd3mxCHoJ:V0DBace7PxExjLAkcOV2kw | ||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| warning | Generates some ICMP traffic |
| watch | Communicates with host for which no DNS query was performed |
| watch | File has been identified by 14 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (7cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x4e8708 LoadLibraryA
0x4e870c GetProcAddress
0x4e8710 VirtualProtect
0x4e8714 VirtualAlloc
0x4e8718 VirtualFree
0x4e871c ExitProcess
ADVAPI32.dll
0x4e8724 AddAce
COMCTL32.dll
0x4e872c ImageList_Remove
COMDLG32.dll
0x4e8734 GetSaveFileNameW
GDI32.dll
0x4e873c LineTo
IPHLPAPI.DLL
0x4e8744 IcmpSendEcho
MPR.dll
0x4e874c WNetUseConnectionW
ole32.dll
0x4e8754 CoGetObject
OLEAUT32.dll
0x4e875c VariantInit
PSAPI.DLL
0x4e8764 GetProcessMemoryInfo
SHELL32.dll
0x4e876c DragFinish
USER32.dll
0x4e8774 GetDC
USERENV.dll
0x4e877c LoadUserProfileW
UxTheme.dll
0x4e8784 IsThemeActive
VERSION.dll
0x4e878c VerQueryValueW
WININET.dll
0x4e8794 FtpOpenFileW
WINMM.dll
0x4e879c timeGetTime
WSOCK32.dll
0x4e87a4 socket
EAT(Export Address Table) is none
KERNEL32.DLL
0x4e8708 LoadLibraryA
0x4e870c GetProcAddress
0x4e8710 VirtualProtect
0x4e8714 VirtualAlloc
0x4e8718 VirtualFree
0x4e871c ExitProcess
ADVAPI32.dll
0x4e8724 AddAce
COMCTL32.dll
0x4e872c ImageList_Remove
COMDLG32.dll
0x4e8734 GetSaveFileNameW
GDI32.dll
0x4e873c LineTo
IPHLPAPI.DLL
0x4e8744 IcmpSendEcho
MPR.dll
0x4e874c WNetUseConnectionW
ole32.dll
0x4e8754 CoGetObject
OLEAUT32.dll
0x4e875c VariantInit
PSAPI.DLL
0x4e8764 GetProcessMemoryInfo
SHELL32.dll
0x4e876c DragFinish
USER32.dll
0x4e8774 GetDC
USERENV.dll
0x4e877c LoadUserProfileW
UxTheme.dll
0x4e8784 IsThemeActive
VERSION.dll
0x4e878c VerQueryValueW
WININET.dll
0x4e8794 FtpOpenFileW
WINMM.dll
0x4e879c timeGetTime
WSOCK32.dll
0x4e87a4 socket
EAT(Export Address Table) is none