ScreenShot
Created | 2021.10.14 15:45 | Machine | s1_win7_x6402 |
Filename | vbc.exe | ||
Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : clean | ||
VT API (file) | 59 detected (NeshtaB, Neshta, tn9H, malicious, high confidence, Unsafe, confidence, 100%, OBIX, Neshuta, Winlock, fmobyw, Apanas, A + W32, A@3ypg, HLLP, ASVirus, score, ai score=83, CLASSIC, GenAsa, Mo0tdcmmg3o, Static AI, Malicious PE, FileInfector, Infector, Gen9) | ||
md5 | 3fc196a38075b3009bbb2c7991f07cd3 | ||
sha256 | 0bb5a52f4fe79a8c7fbb4462c472827d0a58e78b985dd102e6f444d41613e19e | ||
ssdeep | 12288:lkASB5SqHstIYcU6TBVrpLQRFw7qO504/dRBb7Se1v/klohx/i77MGc:lmB5vMtIYcUAXGFC5TdPb7n58lo2cGc | ||
imphash | 9f4693fc0c511135129493f2161d1e86 | ||
impfuzzy | 48:8cfpH9rngO0Mw+4Qk90pvn3O4Ga5tQ4w6T3:8cfpHZgO0MJ430pv3l |
Network IP location
Signature (24cnts)
Level | Description |
---|---|
danger | File has been identified by 59 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Deletes executed files from disk |
watch | Installs itself for autorun at Windows startup |
watch | Manipulates memory of a non-child process indicative of process injection |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | One or more potentially interesting buffers were extracted |
notice | Steals private information from local Internet browsers |
notice | Terminates another process |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
Rules (38cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | CryptBot_IN | CryptBot | binaries (download) |
danger | Win32_Trojan_Emotet_1_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Emotet_RL_Gen_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win_Trojan_Formbook_Zero | Used Formbook | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
warning | NSIS_Installer | Null Soft Installer | binaries (download) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | ASPack_Zero | ASPack packed file | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (download) |
watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (upload) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
notice | KeyLogger | Run a KeyLogger | memory |
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | Is_DotNET_EXE | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (upload) |
Network (0cnts) ?
Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x4150dc DeleteCriticalSection
0x4150e0 LeaveCriticalSection
0x4150e4 EnterCriticalSection
0x4150e8 InitializeCriticalSection
0x4150ec VirtualFree
0x4150f0 VirtualAlloc
0x4150f4 LocalFree
0x4150f8 LocalAlloc
0x4150fc GetVersion
0x415100 GetCurrentThreadId
0x415104 GetThreadLocale
0x415108 GetStartupInfoA
0x41510c GetLocaleInfoA
0x415110 GetCommandLineA
0x415114 FreeLibrary
0x415118 ExitProcess
0x41511c WriteFile
0x415120 UnhandledExceptionFilter
0x415124 RtlUnwind
0x415128 RaiseException
0x41512c GetStdHandle
user32.dll
0x415134 GetKeyboardType
0x415138 MessageBoxA
advapi32.dll
0x415140 RegQueryValueExA
0x415144 RegOpenKeyExA
0x415148 RegCloseKey
oleaut32.dll
0x415150 SysFreeString
0x415154 SysReAllocStringLen
kernel32.dll
0x41515c TlsSetValue
0x415160 TlsGetValue
0x415164 LocalAlloc
0x415168 GetModuleHandleA
advapi32.dll
0x415170 RegSetValueExA
0x415174 RegOpenKeyExA
0x415178 RegCloseKey
kernel32.dll
0x415180 WriteFile
0x415184 WinExec
0x415188 SetFilePointer
0x41518c SetFileAttributesA
0x415190 SetEndOfFile
0x415194 SetCurrentDirectoryA
0x415198 ReleaseMutex
0x41519c ReadFile
0x4151a0 GetWindowsDirectoryA
0x4151a4 GetTempPathA
0x4151a8 GetShortPathNameA
0x4151ac GetModuleFileNameA
0x4151b0 GetLogicalDriveStringsA
0x4151b4 GetLocalTime
0x4151b8 GetLastError
0x4151bc GetFileSize
0x4151c0 GetFileAttributesA
0x4151c4 GetDriveTypeA
0x4151c8 GetCommandLineA
0x4151cc FreeLibrary
0x4151d0 FindNextFileA
0x4151d4 FindFirstFileA
0x4151d8 FindClose
0x4151dc DeleteFileA
0x4151e0 CreateMutexA
0x4151e4 CreateFileA
0x4151e8 CreateDirectoryA
0x4151ec CloseHandle
gdi32.dll
0x4151f4 StretchDIBits
0x4151f8 SetDIBits
0x4151fc SelectObject
0x415200 GetObjectA
0x415204 GetDIBits
0x415208 DeleteObject
0x41520c DeleteDC
0x415210 CreateSolidBrush
0x415214 CreateDIBSection
0x415218 CreateCompatibleDC
0x41521c CreateCompatibleBitmap
0x415220 BitBlt
user32.dll
0x415228 ReleaseDC
0x41522c GetSysColor
0x415230 GetIconInfo
0x415234 GetDC
0x415238 FillRect
0x41523c DestroyIcon
0x415240 CopyImage
0x415244 CharLowerBuffA
shell32.dll
0x41524c ShellExecuteA
0x415250 ExtractIconA
EAT(Export Address Table) is none
kernel32.dll
0x4150dc DeleteCriticalSection
0x4150e0 LeaveCriticalSection
0x4150e4 EnterCriticalSection
0x4150e8 InitializeCriticalSection
0x4150ec VirtualFree
0x4150f0 VirtualAlloc
0x4150f4 LocalFree
0x4150f8 LocalAlloc
0x4150fc GetVersion
0x415100 GetCurrentThreadId
0x415104 GetThreadLocale
0x415108 GetStartupInfoA
0x41510c GetLocaleInfoA
0x415110 GetCommandLineA
0x415114 FreeLibrary
0x415118 ExitProcess
0x41511c WriteFile
0x415120 UnhandledExceptionFilter
0x415124 RtlUnwind
0x415128 RaiseException
0x41512c GetStdHandle
user32.dll
0x415134 GetKeyboardType
0x415138 MessageBoxA
advapi32.dll
0x415140 RegQueryValueExA
0x415144 RegOpenKeyExA
0x415148 RegCloseKey
oleaut32.dll
0x415150 SysFreeString
0x415154 SysReAllocStringLen
kernel32.dll
0x41515c TlsSetValue
0x415160 TlsGetValue
0x415164 LocalAlloc
0x415168 GetModuleHandleA
advapi32.dll
0x415170 RegSetValueExA
0x415174 RegOpenKeyExA
0x415178 RegCloseKey
kernel32.dll
0x415180 WriteFile
0x415184 WinExec
0x415188 SetFilePointer
0x41518c SetFileAttributesA
0x415190 SetEndOfFile
0x415194 SetCurrentDirectoryA
0x415198 ReleaseMutex
0x41519c ReadFile
0x4151a0 GetWindowsDirectoryA
0x4151a4 GetTempPathA
0x4151a8 GetShortPathNameA
0x4151ac GetModuleFileNameA
0x4151b0 GetLogicalDriveStringsA
0x4151b4 GetLocalTime
0x4151b8 GetLastError
0x4151bc GetFileSize
0x4151c0 GetFileAttributesA
0x4151c4 GetDriveTypeA
0x4151c8 GetCommandLineA
0x4151cc FreeLibrary
0x4151d0 FindNextFileA
0x4151d4 FindFirstFileA
0x4151d8 FindClose
0x4151dc DeleteFileA
0x4151e0 CreateMutexA
0x4151e4 CreateFileA
0x4151e8 CreateDirectoryA
0x4151ec CloseHandle
gdi32.dll
0x4151f4 StretchDIBits
0x4151f8 SetDIBits
0x4151fc SelectObject
0x415200 GetObjectA
0x415204 GetDIBits
0x415208 DeleteObject
0x41520c DeleteDC
0x415210 CreateSolidBrush
0x415214 CreateDIBSection
0x415218 CreateCompatibleDC
0x41521c CreateCompatibleBitmap
0x415220 BitBlt
user32.dll
0x415228 ReleaseDC
0x41522c GetSysColor
0x415230 GetIconInfo
0x415234 GetDC
0x415238 FillRect
0x41523c DestroyIcon
0x415240 CopyImage
0x415244 CharLowerBuffA
shell32.dll
0x41524c ShellExecuteA
0x415250 ExtractIconA
EAT(Export Address Table) is none