popup

Report - vbc.exe

Formbook Malicious Library PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.05.18 10:48 Machine s1_win7_x6401
Filename vbc.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
8
 Behavior Score
2.4
ZERO API file : clean
VT API (file)
md5 59f9df6fb26fb1a5c6343a443075649b
sha256 f4611e247ca37320626c3b06c1fab325db0ce1052e9d9b4d2d22572bc83f30a6
ssdeep 3072:Tg5nTzdiQSnMzqOC4xUHwJnfV7hvJr+C4uzX6KmZFIQ2yyLgLiyn3YiT4lXG0Cm:Tg5TzBWkvxxuwVNtvJV4uzXkKabToxB
imphash
impfuzzy 3::
  Network IP location

Signature (6cnts)

Level Description
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer

Rules (3cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (38cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.towfire.life/f619/?E9W=Ehbg4LlyVMHP0pAFmIQxhDDkp6Kxs477sF6nDv0EaT5K8/1GH5wf1bgzqSKTUaDZXTnW9d28cNYQDMZcc5x0F8aQqyCdRYlsL10lLoU=&NC=ptGp
whois
US VIMRO-AS15189 67.223.117.160 33475 mailcious
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip
whois
US Linode, LLC 45.33.6.223 clean
http://www.towfire.life/f619/
whois
US VIMRO-AS15189 67.223.117.160 33475 mailcious
http://www.skillfulp10.buzz/f619/?E9W=35x6vbxblib5MVXL66MiYOFyCwyiW+WpCMCOaRW/LabtpXpMR316Gm+YR9yWJR7EH7/o0i+7abS9fGbf51xT5oPd3YLLmnWOCyaGRj8=&NC=ptGp
whois
US CLOUDFLARENET 172.67.194.173 33500 clean
http://www.28588v.com/f619/
whois
JP BGPNET Global ASN 137.220.225.205 33501 clean
http://www.gospelfy.online/f619/
whois
GB Wildcard UK Limited 185.27.134.115 33496 clean
http://www.intake-tree.com/f619/?E9W=YCaZye8ndW5O5ejCJ7uN2558Y+97WERyr3klZ+XCKIlwv4gr+zruhmNXWBgIbED6mtP3DBYvR0gpojWOjcOh+ihVnCiMcphzPiGO29A=&NC=ptGp
whois
US AMAZON-AES 54.91.6.89 33494 clean
http://www.smartinnoventions.com/f619/
whois
NL PCextreme B.V. 5.157.87.204 33493 clean
http://www.gospelfy.online/f619/?E9W=mqENKO6x6u0B1RhcdIeKlgDLrDi38FKwdcw4276gfXsD1t5r0KVruS6mnpdZvtzm+Q0xGOUHk2EA1TA3TL1CSm4H2R6TK8LtJrZ83YI=&NC=ptGp
whois
GB Wildcard UK Limited 185.27.134.115 33496 clean
http://www.stephenwang.photography/f619/?E9W=u5f4p4qz7o/fTtDm3nSz6hiFO4aCCN2AsW/usgJw6zJdWxar6/CI5CJVoaMo1PtwYoo0+7BD2Z2qbjCMw+JlDyQ8u/oV4aU03sHkcSA=&NC=ptGp
whois
US DREAMHOST-AS 208.113.186.56 33499 clean
http://www.skillfulp10.buzz/f619/
whois
US CLOUDFLARENET 172.67.194.173 33500 clean
http://www.stephenwang.photography/f619/
whois
US DREAMHOST-AS 208.113.186.56 33499 clean
http://www.sockmomma.com/f619/
whois
US DXTL Tseung Kwan O Service 154.94.121.119 33498 clean
http://www.28588v.com/f619/?E9W=G3I5ds8dOpaKd+DH1ake2pRuUN+UMAJZaHOz+8NtztMbt4Q0fuIWaSpOJ5XO92YffYK2mOkzi8XK+GtmVritvfJB+FClpV7RO2AgtZU=&NC=ptGp
whois
JP BGPNET Global ASN 137.220.225.73 33501 clean
http://www.intake-tree.com/f619/
whois
US AMAZON-AES 54.157.4.65 33494 clean
http://www.smartinnoventions.com/f619/?E9W=Ek2xhbXtY1qXzB2JvbkcFvKbSmJm4K+Uyb5xsLYZ3zgsIlX7EFjcw6TuiLcQZ5KUivhxYJn0P8EizsHxKHQ+wy4OSt0bovGghjBDZDE=&NC=ptGp
whois
NL PCextreme B.V. 5.157.87.204 33493 clean
http://www.sockmomma.com/f619/?E9W=2xrbRaVqfFZAqlIaVxxROj1er0vApHth0WR1aJHeUhlKoHhTuPzXEzX44r40ys20rE4Ka7hzk9c+zV+d/czmBtVLQF0HWkNVVexiFz0=&NC=ptGp
whois
US DXTL Tseung Kwan O Service 154.94.121.119 33498 clean
http://www.queenkidul.com/f619/
whois
DE Hostinger International Limited 45.130.230.191 33497 clean
http://www.queenkidul.com/f619/?E9W=flPn1CpczsmcmsloYAj+WZ9tyIXCLn2BUp15WA9gR+pRAl39PMpr22E4uA5K3fGksCy6GKGUT/KR36S7pADHdFopIcR3oqkCWwUH3Bw=&NC=ptGp
whois
DE Hostinger International Limited 45.130.230.191 33497 mailcious
www.towfire.life
whois
US VIMRO-AS15189 67.223.117.160 mailcious
www.stephenwang.photography
whois
US DREAMHOST-AS 208.113.186.56 mailcious
www.queenkidul.com
whois
DE Hostinger International Limited 45.130.230.191 mailcious
www.smartinnoventions.com
whois
NL PCextreme B.V. 5.157.87.204 mailcious
www.gospelfy.online
whois
GB Wildcard UK Limited 185.27.134.115 mailcious
www.sockmomma.com
whois
US DXTL Tseung Kwan O Service 154.94.121.119 mailcious
www.skillfulp10.buzz
whois
US CLOUDFLARENET 172.67.194.173 mailcious
www.intake-tree.com
whois
US AMAZON-AES 54.91.6.89 mailcious
www.28588v.com
whois
JP BGPNET Global ASN 137.220.202.242 mailcious
54.196.16.164
whois
US AMAZON-AES 54.196.16.164 clean
104.21.34.8
whois
US CLOUDFLARENET 104.21.34.8 mailcious
208.113.186.56
whois
US DREAMHOST-AS 208.113.186.56 mailcious
67.223.117.160
whois
US VIMRO-AS15189 67.223.117.160 mailcious
185.27.134.115
whois
GB Wildcard UK Limited 185.27.134.115 mailcious
154.94.121.119
whois
US DXTL Tseung Kwan O Service 154.94.121.119 mailcious
137.220.202.242
whois
JP BGPNET Global ASN 137.220.202.242 clean
45.130.230.191
whois
DE Hostinger International Limited 45.130.230.191 mailcious
45.33.6.223
whois
US Linode, LLC 45.33.6.223 clean
5.157.87.204
whois
NL PCextreme B.V. 5.157.87.204 mailcious

Suricata ids

ET INFO Observed DNS Query to .life TLD
ET INFO HTTP Request to Suspicious *.life Domain
ET INFO HTTP Request to a *.buzz domain
ET MALWARE FormBook CnC Checkin (GET)

PE API

IAT(Import Address Table) is none

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure