ScreenShot
| Created | 2021.09.14 09:57 | Machine | s1_win7_x6402 |
| Filename | vbc.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 25 detected (AIDetect, malware2, malicious, high confidence, Unsafe, Save, ZexaF, BuW@aO4u6Pni, Lokibot, Kryptik, HMLP, Noon, Generic@ML, RDML, Nw2lUTh+SA3tAW8bGFZVnw, HPGen, Emotet, score, BScope, Static AI, Suspicious PE, susgen, GenKryptik, FIBB, confidence) | ||
| md5 | 5aa59f1c07762000eb9c7fe832a65765 | ||
| sha256 | 7bc13c6b1b2d366a92c075d090e1976a033a6c5e79b202a2932227eb72ed46be | ||
| ssdeep | 6144:ldj7gD05mQ/kQNac4hhCu6Rgm0qj8OhFnZVvwubXW4dbHRf+oLjQikrl2Dr9MzI:v/5T46Wm0w8G5ZpVbvHRfz9gl2Dryz | ||
| imphash | dcf2f9fcff3367bb9fab051bdc1c6f91 | ||
| impfuzzy | 48:0Z0msNMf8uhmMYxcSCtRH8x8Kb5tJiozGnRyK/T4FpX/g4+:0CNMftmXxcSCtRw55fanRlT4FpP4 | ||
Network IP location
Signature (20cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 25 AntiVirus engines on VirusTotal as malicious |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| watch | Putty Files |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Moves the original executable to a new location |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | Tries to locate where the browsers are installed |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
PE API
IAT(Import Address Table) Library
SHLWAPI.dll
0x42c188 StrCmpNA
KERNEL32.dll
0x42c010 WriteConsoleW
0x42c014 SetFilePointerEx
0x42c018 SetStdHandle
0x42c01c GetConsoleMode
0x42c020 GetConsoleCP
0x42c024 FlushFileBuffers
0x42c028 EnumSystemLocalesW
0x42c02c GetUserDefaultLCID
0x42c030 IsValidLocale
0x42c034 GetLocaleInfoW
0x42c038 LCMapStringW
0x42c03c CompareStringW
0x42c040 GetTimeFormatW
0x42c044 GetDateFormatW
0x42c048 HeapSize
0x42c04c GetStringTypeW
0x42c050 HeapAlloc
0x42c054 OutputDebugStringW
0x42c058 RtlUnwind
0x42c05c LoadLibraryExW
0x42c060 FreeLibrary
0x42c064 SetConsoleCtrlHandler
0x42c068 IsProcessorFeaturePresent
0x42c06c IsDebuggerPresent
0x42c070 GetCPInfo
0x42c074 GetOEMCP
0x42c078 GetACP
0x42c07c IsValidCodePage
0x42c080 HeapFree
0x42c084 FatalAppExitA
0x42c088 LeaveCriticalSection
0x42c08c EnterCriticalSection
0x42c090 VirtualProtect
0x42c094 CloseHandle
0x42c098 HeapReAlloc
0x42c09c GetFileType
0x42c0a0 CreateSemaphoreW
0x42c0a4 GetModuleHandleW
0x42c0a8 GetTickCount
0x42c0ac TlsFree
0x42c0b0 GetCommandLineA
0x42c0b4 GetLastError
0x42c0b8 SetLastError
0x42c0bc GetCurrentThread
0x42c0c0 GetCurrentThreadId
0x42c0c4 EncodePointer
0x42c0c8 DecodePointer
0x42c0cc ExitProcess
0x42c0d0 GetModuleHandleExW
0x42c0d4 GetProcAddress
0x42c0d8 AreFileApisANSI
0x42c0dc MultiByteToWideChar
0x42c0e0 WideCharToMultiByte
0x42c0e4 GetProcessHeap
0x42c0e8 GetStdHandle
0x42c0ec CreateFileW
0x42c0f0 DeleteCriticalSection
0x42c0f4 GetStartupInfoW
0x42c0f8 GetModuleFileNameA
0x42c0fc WriteFile
0x42c100 GetModuleFileNameW
0x42c104 QueryPerformanceCounter
0x42c108 GetCurrentProcessId
0x42c10c GetSystemTimeAsFileTime
0x42c110 GetEnvironmentStringsW
0x42c114 FreeEnvironmentStringsW
0x42c118 UnhandledExceptionFilter
0x42c11c SetUnhandledExceptionFilter
0x42c120 InitializeCriticalSectionAndSpinCount
0x42c124 CreateEventW
0x42c128 Sleep
0x42c12c GetCurrentProcess
0x42c130 TerminateProcess
0x42c134 TlsAlloc
0x42c138 TlsGetValue
0x42c13c TlsSetValue
SHELL32.dll
0x42c174 SHEmptyRecycleBinW
0x42c178 SHInvokePrinterCommandA
0x42c17c DragQueryFileW
0x42c180 SHGetFileInfoA
WINMM.dll
0x42c1a0 joyGetPos
0x42c1a4 waveInGetNumDevs
0x42c1a8 mmioRenameW
0x42c1ac midiInGetErrorTextW
0x42c1b0 midiStreamOut
WINSPOOL.DRV
0x42c1b8 EnumPrintProcessorDatatypesA
0x42c1bc AddPrintProvidorW
0x42c1c0 DeletePrintProvidorA
0x42c1c4 DevicePropertySheets
RPCRT4.dll
0x42c15c NdrRpcSsDefaultAllocate
0x42c160 NdrByteCountPointerMarshall
0x42c164 NdrServerCall
0x42c168 NdrInterfacePointerFree
0x42c16c NdrConvert2
OLEAUT32.dll
0x42c144 VarI4FromCy
0x42c148 VarI4FromUI4
0x42c14c VariantChangeTypeEx
0x42c150 OleLoadPictureEx
0x42c154 VarBoolFromDec
rtm.dll
0x42c1cc RtmCloseEnumerationHandle
0x42c1d0 MgmDeInitialize
0x42c1d4 MgmTakeInterfaceOwnership
0x42c1d8 MgmGetFirstMfe
COMDLG32.dll
0x42c000 GetSaveFileNameW
0x42c004 GetOpenFileNameA
0x42c008 PrintDlgW
USER32.dll
0x42c190 MessageBoxW
0x42c194 GetDC
0x42c198 GrayStringA
EAT(Export Address Table) is none
SHLWAPI.dll
0x42c188 StrCmpNA
KERNEL32.dll
0x42c010 WriteConsoleW
0x42c014 SetFilePointerEx
0x42c018 SetStdHandle
0x42c01c GetConsoleMode
0x42c020 GetConsoleCP
0x42c024 FlushFileBuffers
0x42c028 EnumSystemLocalesW
0x42c02c GetUserDefaultLCID
0x42c030 IsValidLocale
0x42c034 GetLocaleInfoW
0x42c038 LCMapStringW
0x42c03c CompareStringW
0x42c040 GetTimeFormatW
0x42c044 GetDateFormatW
0x42c048 HeapSize
0x42c04c GetStringTypeW
0x42c050 HeapAlloc
0x42c054 OutputDebugStringW
0x42c058 RtlUnwind
0x42c05c LoadLibraryExW
0x42c060 FreeLibrary
0x42c064 SetConsoleCtrlHandler
0x42c068 IsProcessorFeaturePresent
0x42c06c IsDebuggerPresent
0x42c070 GetCPInfo
0x42c074 GetOEMCP
0x42c078 GetACP
0x42c07c IsValidCodePage
0x42c080 HeapFree
0x42c084 FatalAppExitA
0x42c088 LeaveCriticalSection
0x42c08c EnterCriticalSection
0x42c090 VirtualProtect
0x42c094 CloseHandle
0x42c098 HeapReAlloc
0x42c09c GetFileType
0x42c0a0 CreateSemaphoreW
0x42c0a4 GetModuleHandleW
0x42c0a8 GetTickCount
0x42c0ac TlsFree
0x42c0b0 GetCommandLineA
0x42c0b4 GetLastError
0x42c0b8 SetLastError
0x42c0bc GetCurrentThread
0x42c0c0 GetCurrentThreadId
0x42c0c4 EncodePointer
0x42c0c8 DecodePointer
0x42c0cc ExitProcess
0x42c0d0 GetModuleHandleExW
0x42c0d4 GetProcAddress
0x42c0d8 AreFileApisANSI
0x42c0dc MultiByteToWideChar
0x42c0e0 WideCharToMultiByte
0x42c0e4 GetProcessHeap
0x42c0e8 GetStdHandle
0x42c0ec CreateFileW
0x42c0f0 DeleteCriticalSection
0x42c0f4 GetStartupInfoW
0x42c0f8 GetModuleFileNameA
0x42c0fc WriteFile
0x42c100 GetModuleFileNameW
0x42c104 QueryPerformanceCounter
0x42c108 GetCurrentProcessId
0x42c10c GetSystemTimeAsFileTime
0x42c110 GetEnvironmentStringsW
0x42c114 FreeEnvironmentStringsW
0x42c118 UnhandledExceptionFilter
0x42c11c SetUnhandledExceptionFilter
0x42c120 InitializeCriticalSectionAndSpinCount
0x42c124 CreateEventW
0x42c128 Sleep
0x42c12c GetCurrentProcess
0x42c130 TerminateProcess
0x42c134 TlsAlloc
0x42c138 TlsGetValue
0x42c13c TlsSetValue
SHELL32.dll
0x42c174 SHEmptyRecycleBinW
0x42c178 SHInvokePrinterCommandA
0x42c17c DragQueryFileW
0x42c180 SHGetFileInfoA
WINMM.dll
0x42c1a0 joyGetPos
0x42c1a4 waveInGetNumDevs
0x42c1a8 mmioRenameW
0x42c1ac midiInGetErrorTextW
0x42c1b0 midiStreamOut
WINSPOOL.DRV
0x42c1b8 EnumPrintProcessorDatatypesA
0x42c1bc AddPrintProvidorW
0x42c1c0 DeletePrintProvidorA
0x42c1c4 DevicePropertySheets
RPCRT4.dll
0x42c15c NdrRpcSsDefaultAllocate
0x42c160 NdrByteCountPointerMarshall
0x42c164 NdrServerCall
0x42c168 NdrInterfacePointerFree
0x42c16c NdrConvert2
OLEAUT32.dll
0x42c144 VarI4FromCy
0x42c148 VarI4FromUI4
0x42c14c VariantChangeTypeEx
0x42c150 OleLoadPictureEx
0x42c154 VarBoolFromDec
rtm.dll
0x42c1cc RtmCloseEnumerationHandle
0x42c1d0 MgmDeInitialize
0x42c1d4 MgmTakeInterfaceOwnership
0x42c1d8 MgmGetFirstMfe
COMDLG32.dll
0x42c000 GetSaveFileNameW
0x42c004 GetOpenFileNameA
0x42c008 PrintDlgW
USER32.dll
0x42c190 MessageBoxW
0x42c194 GetDC
0x42c198 GrayStringA
EAT(Export Address Table) is none