ScreenShot
| Created | 2023.05.17 09:14 | Machine | s1_win7_x6401 |
| Filename | vbc.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 45 detected (AIDetectMalware, 9m1@eWgPnPk, Vy7z, malicious, confidence, Attribute, HighConfidence, high confidence, ESYI, score, Mokes, aqct, InjectorX, SmokeLoader, cqjou, Artemis, high, ai score=88, Sabsik, Casdet, Detected, BScope, TrojanPSW, Stelega, unsafe, Chgt, R002H09EG23, CLASSIC, PossibleThreat, FORTIEDR) | ||
| md5 | bc8dfcb4093f0bb356e3103af15f3d1b | ||
| sha256 | 7f016599bc5b598d9ba9f8e869a36e0c128bc6bbccffb391b05993b62ca71baa | ||
| ssdeep | 12288:yoHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD:yo0odC3lMHiEptXW+xVW8MeH | ||
| imphash | 622a88682c24693792ff46e3135c6d5e | ||
| impfuzzy | 48:mv1z/1wzwZQwgPwbbV2pgkzRxW3Yl39w6pFqHr+1SJXI4TU2FNmWcFpAhHpw+8x1:m9z/1GwZQfPubopgkzRxWuNvpFqHr+we | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 45 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Detects Avast Antivirus through the presence of a library |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Tries to unhook Windows functions monitored by Cuckoo |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | One or more processes crashed |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (16cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Raccoon_Stealer_1_Zero | Raccoon Stealer | binaries (upload) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vba | (no description) | memory |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
ADVAPI32.DLL
0xfa31000 CryptAcquireContextW
0xfa31004 CryptDeriveKey
KERNEL32.DLL
0xfa3100c VirtualProtect
0xfa31010 CreateFileW
0xfa31014 Sleep
0xfa31018 GetTickCount
0xfa3101c WriteFile
0xfa31020 RtlFillMemory
MSVBVM60.DLL
0xfa31028 None
0xfa3102c __vbaStrI2
0xfa31030 _CIcos
0xfa31034 _adj_fptan
0xfa31038 __vbaVarMove
0xfa3103c __vbaVarVargNofree
0xfa31040 __vbaFreeVar
0xfa31044 __vbaLineInputStr
0xfa31048 __vbaLenBstr
0xfa3104c __vbaStrVarMove
0xfa31050 __vbaFreeVarList
0xfa31054 _adj_fdiv_m64
0xfa31058 __vbaFreeObjList
0xfa3105c __vbaStrErrVarCopy
0xfa31060 _adj_fprem1
0xfa31064 __vbaVarCmpNe
0xfa31068 __vbaStrCat
0xfa3106c __vbaSetSystemError
0xfa31070 __vbaRecDestruct
0xfa31074 __vbaHresultCheckObj
0xfa31078 _adj_fdiv_m32
0xfa3107c __vbaAryDestruct
0xfa31080 None
0xfa31084 None
0xfa31088 __vbaObjSet
0xfa3108c None
0xfa31090 _adj_fdiv_m16i
0xfa31094 __vbaObjSetAddref
0xfa31098 _adj_fdivr_m16i
0xfa3109c __vbaBoolVarNull
0xfa310a0 __vbaRefVarAry
0xfa310a4 _CIsin
0xfa310a8 __vbaErase
0xfa310ac __vbaVarZero
0xfa310b0 __vbaVarCmpGt
0xfa310b4 __vbaChkstk
0xfa310b8 __vbaFileClose
0xfa310bc None
0xfa310c0 EVENT_SINK_AddRef
0xfa310c4 __vbaStrCmp
0xfa310c8 __vbaVarTstEq
0xfa310cc None
0xfa310d0 DllFunctionCall
0xfa310d4 __vbaVarOr
0xfa310d8 __vbaRedimPreserve
0xfa310dc _adj_fpatan
0xfa310e0 __vbaRedim
0xfa310e4 EVENT_SINK_Release
0xfa310e8 _CIsqrt
0xfa310ec EVENT_SINK_QueryInterface
0xfa310f0 __vbaExceptHandler
0xfa310f4 None
0xfa310f8 _adj_fprem
0xfa310fc _adj_fdivr_m64
0xfa31100 None
0xfa31104 None
0xfa31108 __vbaFPException
0xfa3110c __vbaStrVarVal
0xfa31110 __vbaUbound
0xfa31114 __vbaVarCat
0xfa31118 None
0xfa3111c None
0xfa31120 _CIlog
0xfa31124 __vbaFileOpen
0xfa31128 __vbaNew2
0xfa3112c None
0xfa31130 None
0xfa31134 _adj_fdiv_m32i
0xfa31138 _adj_fdivr_m32i
0xfa3113c __vbaStrCopy
0xfa31140 __vbaI4Str
0xfa31144 __vbaVarNot
0xfa31148 __vbaFreeStrList
0xfa3114c _adj_fdivr_m32
0xfa31150 _adj_fdiv_r
0xfa31154 None
0xfa31158 __vbaI4Var
0xfa3115c None
0xfa31160 __vbaAryLock
0xfa31164 __vbaVarDup
0xfa31168 __vbaVarCopy
0xfa3116c None
0xfa31170 _CIatan
0xfa31174 __vbaCastObj
0xfa31178 __vbaStrMove
0xfa3117c __vbaR8IntI4
0xfa31180 _allmul
0xfa31184 __vbaLenVarB
0xfa31188 _CItan
0xfa3118c __vbaAryUnlock
0xfa31190 _CIexp
0xfa31194 __vbaFreeObj
0xfa31198 __vbaFreeStr
EAT(Export Address Table) is none
ADVAPI32.DLL
0xfa31000 CryptAcquireContextW
0xfa31004 CryptDeriveKey
KERNEL32.DLL
0xfa3100c VirtualProtect
0xfa31010 CreateFileW
0xfa31014 Sleep
0xfa31018 GetTickCount
0xfa3101c WriteFile
0xfa31020 RtlFillMemory
MSVBVM60.DLL
0xfa31028 None
0xfa3102c __vbaStrI2
0xfa31030 _CIcos
0xfa31034 _adj_fptan
0xfa31038 __vbaVarMove
0xfa3103c __vbaVarVargNofree
0xfa31040 __vbaFreeVar
0xfa31044 __vbaLineInputStr
0xfa31048 __vbaLenBstr
0xfa3104c __vbaStrVarMove
0xfa31050 __vbaFreeVarList
0xfa31054 _adj_fdiv_m64
0xfa31058 __vbaFreeObjList
0xfa3105c __vbaStrErrVarCopy
0xfa31060 _adj_fprem1
0xfa31064 __vbaVarCmpNe
0xfa31068 __vbaStrCat
0xfa3106c __vbaSetSystemError
0xfa31070 __vbaRecDestruct
0xfa31074 __vbaHresultCheckObj
0xfa31078 _adj_fdiv_m32
0xfa3107c __vbaAryDestruct
0xfa31080 None
0xfa31084 None
0xfa31088 __vbaObjSet
0xfa3108c None
0xfa31090 _adj_fdiv_m16i
0xfa31094 __vbaObjSetAddref
0xfa31098 _adj_fdivr_m16i
0xfa3109c __vbaBoolVarNull
0xfa310a0 __vbaRefVarAry
0xfa310a4 _CIsin
0xfa310a8 __vbaErase
0xfa310ac __vbaVarZero
0xfa310b0 __vbaVarCmpGt
0xfa310b4 __vbaChkstk
0xfa310b8 __vbaFileClose
0xfa310bc None
0xfa310c0 EVENT_SINK_AddRef
0xfa310c4 __vbaStrCmp
0xfa310c8 __vbaVarTstEq
0xfa310cc None
0xfa310d0 DllFunctionCall
0xfa310d4 __vbaVarOr
0xfa310d8 __vbaRedimPreserve
0xfa310dc _adj_fpatan
0xfa310e0 __vbaRedim
0xfa310e4 EVENT_SINK_Release
0xfa310e8 _CIsqrt
0xfa310ec EVENT_SINK_QueryInterface
0xfa310f0 __vbaExceptHandler
0xfa310f4 None
0xfa310f8 _adj_fprem
0xfa310fc _adj_fdivr_m64
0xfa31100 None
0xfa31104 None
0xfa31108 __vbaFPException
0xfa3110c __vbaStrVarVal
0xfa31110 __vbaUbound
0xfa31114 __vbaVarCat
0xfa31118 None
0xfa3111c None
0xfa31120 _CIlog
0xfa31124 __vbaFileOpen
0xfa31128 __vbaNew2
0xfa3112c None
0xfa31130 None
0xfa31134 _adj_fdiv_m32i
0xfa31138 _adj_fdivr_m32i
0xfa3113c __vbaStrCopy
0xfa31140 __vbaI4Str
0xfa31144 __vbaVarNot
0xfa31148 __vbaFreeStrList
0xfa3114c _adj_fdivr_m32
0xfa31150 _adj_fdiv_r
0xfa31154 None
0xfa31158 __vbaI4Var
0xfa3115c None
0xfa31160 __vbaAryLock
0xfa31164 __vbaVarDup
0xfa31168 __vbaVarCopy
0xfa3116c None
0xfa31170 _CIatan
0xfa31174 __vbaCastObj
0xfa31178 __vbaStrMove
0xfa3117c __vbaR8IntI4
0xfa31180 _allmul
0xfa31184 __vbaLenVarB
0xfa31188 _CItan
0xfa3118c __vbaAryUnlock
0xfa31190 _CIexp
0xfa31194 __vbaFreeObj
0xfa31198 __vbaFreeStr
EAT(Export Address Table) is none