Wednesday, January 29, 2014

VirTool:Win32/VBInject.gen!FA

VirTool:Win32/VBInject.gen!FA is a generic detection for malicious files that are obfuscated using particular techniques to protect them from detection or analysis.

Threat behavior

A malicious file is generally encrypted and/or compressed and stored inside another program, which decodes the malicious file and loads it. The malicious program may be injected into a clean process or loaded in a new process of its own. Unlike a “dropper”, the malicious executable is never written to disk as a separate file; it exists only in memory.
 
Malicious programs detected as VirTool:Win32/VBInject.gen!FA can have virtually any purpose, because this packing technique is used by many different malware families in the wild to protect their payloads from detection or analysis.

Symptoms
VirTool:Win32/VBInject.gen!FA is a generic detection for certain forms of obfuscated malware. The loader is written in Visual Basic and the malicious code is stored encrypted. The original file behaves as a loader for the encrypted malicious code, thus the code could have virtually any purpose.
 
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom.

Sample:

MD5: 182d0c0af03bcc4eb67c38d69c0db12e
SHA-1: aaf94609f4ba30853a84094d97df0c2f45290c64
SHA-256: 6373d56448f7fd57ae432dbb01b3f89c8c57330251139e68a755a0648e60af18
ssdeep: 1536:sQuA9sdF0XR0Yaflj4LQ2Vp73Lxxkq8Bn:NuAydF6R5a9j4LQAL1Sb
Size: 63.9 KB (65444 bytes)
Type: Win32 EXE
Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
  Win32 Executable (generic) (52.9%)
  Generic Win/DOS Executable (23.5%)
  DOS Executable Generic (23.4%)
  Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

PE header basic information:

Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2009-11-23 16:40:50
Link date: 5:40 PM 11/23/2009
Entry Point: 0x000019AC
Number of sections: 3

PE sections:

Name   Virtual address  Virtual size  Raw size  Entropy  MD5
.aaaa  4096             23864         24576     4.94     b70b35bb9706019ec5ad7aa0fbfd1005
.bbbb  28672            1992          0         0.00     d41d8cd98f00b204e9800998ecf8427e
.cccc  32768            2980          4096      4.14     fc2be698dfc2e1aaed9c330b183bea18

Number of PE resources by type:

RT_ICON 1
RT_VERSION 1
RT_GROUP_ICON 1

Number of PE resources by language:

NEUTRAL 2
SPANISH MODERN 1
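As an added example (not part of the original post, and not the sample itself), the following Python script reproduces the per-section fields listed above (virtual address, sizes, entropy, MD5) by parsing a PE32 section table directly, and then flags the properties a triage analyst looks at in a loader of this kind: non-standard section names such as .aaaa/.bbbb/.cccc, high-entropy sections that may carry an encrypted payload, and sections that declare a virtual size but contain no raw data (like .bbbb in the report). The image it parses is constructed in memory for the demonstration; the 7.0 entropy threshold is an assumed heuristic, and note that the real sample's sections are low-entropy (4.94 / 4.14), so name-based oddities matter as much as entropy.

```python
import hashlib, math, struct
STANDARD = {".text", ".data", ".rdata", ".bss", ".rsrc", ".reloc", ".idata", ".tls"}

def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    return -sum(p * math.log2(p) for p in (data.count(b) / len(data) for b in set(data))) if data else 0.0

def pe_sections(pe):
    """Walk the PE32 section table and compute the per-section fields the report lists."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]                       # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, pe_off + 4)  # COFF header
    table = pe_off + 24 + opt_size                                        # section table follows optional header
    rows = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rptr:rptr + rsize]
        rows.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vaddr": vaddr, "vsize": vsize,
                     "rsize": rsize, "entropy": round(entropy(raw), 2), "md5": hashlib.md5(raw).hexdigest()})
    return rows

def triage(rows):
    """Flags that justify a closer look: odd names, encrypted-looking data, headers with no raw bytes."""
    flags = []
    for s in rows:
        if s["name"] not in STANDARD:
            flags.append(f"{s['name']}: non-standard section name")
        if s["entropy"] >= 7.0:                                           # assumed threshold
            flags.append(f"{s['name']}: entropy {s['entropy']} looks encrypted or compressed")
        if s["rsize"] == 0 and s["vsize"] > 0:
            flags.append(f"{s['name']}: {s['vsize']} bytes virtual size but no raw data")
    return flags

def build_test_pe():
    """Constructed, non-runnable PE32 image (NOT the real sample) shaped like the report's section table."""
    secs = [(b".aaaa", 0x1000, bytes(range(256)) * 4),                    # uniform bytes: entropy 8.0
            (b".bbbb", 0x7000, b""),                                       # no raw data, like the report's .bbbb
            (b".cccc", 0x8000, b"VB loader strings\0" * 8)]                # repetitive plaintext: low entropy
    hdr = 64 + 4 + 20 + 224 + 40 * len(secs)                               # DOS hdr + sig + COFF + PE32 opt + table
    start = (hdr + 511) // 512 * 512                                       # raw data begins on a 512-byte boundary
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                       # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)  # i386, 3 sections, PE32 opt hdr size
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                           # PE32 magic, rest zeroed
    table, data = b"", b""
    for name, vaddr, raw in secs:
        rptr = start + len(data) if raw else 0
        table += struct.pack("<8sIIII", name, len(raw) or 1992, vaddr, len(raw), rptr) + b"\0" * 16
        data += raw
    return dos + b"PE\0\0" + coff + opt + table + b"\0" * (start - hdr) + data
```

Running `triage(pe_sections(build_test_pe()))` yields five flags for the constructed image; pointing `pe_sections` at a real file (`open(path, "rb").read()`) reproduces the table above for the sample.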
