Concrete signature match: VirTool (a tool used to create or modify malware) for the 32-bit Windows platform, family Vbinder
VirTool:Win32/Vbinder is a malicious utility that bundles multiple files, typically a legitimate application together with a hidden payload, into a single executable. It is written in Visual Basic (it imports MSVBVM60.DLL), drops temporary files, and abuses legitimate Windows functions and LOLBINs (e.g., ShellExecute, mshta, regsvr32, rundll32, PowerShell) for execution, for persistence (scheduled tasks, BITS jobs), and potentially for evasion through API hooking and data encoding.
Relevant strings associated with this threat:
- ShellExecuteA (PEHSTR)
- MSVBVM60.DLL (PEHSTR)
- shell32.dll (PEHSTR_EXT)
- ShellExecuteA (PEHSTR_EXT)
- MSVBVM60.DLL (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
rule VirTool_Win32_Vbinder_A_2147606414_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "VirTool:Win32/Vbinder.A"
        threat_id = "2147606414"
        type = "VirTool"
        platform = "Win32: Windows 32-bit platform"
        family = "Vbinder"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR"
        threshold = "5"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {46 00 69 00 6c 00 65 00 4e 00 61 00 6d 00 65 00 00 00 00 00 12 00 00 00 46 00 69 00 6c 00 65 00 4e 00 61 00 6d 00 65 00 32 00 00 00 10 00 00 00 74 00 65 00 6d 00 70 00 2e 00 74 00 78 00 74 00} //weight: 1, accuracy: High
        $x_1_2 = "proje\\MK Binder\\server\\Project1.vbp" wide //weight: 1
        $x_1_3 = "ShellExecuteA" ascii //weight: 1
        $x_1_4 = "GetTempPathA" ascii //weight: 1
        $x_1_5 = "MSVBVM60.DLL" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Isolate the infected system immediately. Perform a full system scan with updated antivirus software to remove the binder and any dropped malicious components. Manually inspect for persistence mechanisms (e.g., scheduled tasks, registry Run keys, BITS jobs) and review system logs for suspicious activity, particularly execution of LOLBINs such as PowerShell, mshta, or rundll32, to identify and mitigate any secondary infections or lateral movement.
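To show what the rule above actually keys on, the following added example (not from the page's source and not vendor tooling) re-implements the rule's condition in plain Python and decodes the opaque $x_1_1 hex pattern into the UTF-16LE strings it matches; the sample buffer it builds is constructed for the demonstration, not a real Vbinder file.

```python
"""Added example: the matching logic of VirTool_Win32_Vbinder_A_2147606414_0
re-implemented in plain Python, with a helper that decodes its hex pattern."""

# $x_1_1 copied from the rule: a UTF-16LE string-table fragment (hex form)
X_1_1_HEX = (
    "46 00 69 00 6c 00 65 00 4e 00 61 00 6d 00 65 00 00 00 00 00 12 00 00 00"
    " 46 00 69 00 6c 00 65 00 4e 00 61 00 6d 00 65 00 32 00 00 00 10 00 00 00"
    " 74 00 65 00 6d 00 70 00 2e 00 74 00 78 00 74 00"
)
# The five indicators 'all of ($x*)' requires, encoded as YARA searches them
# ('wide' = UTF-16LE, 'ascii' = raw bytes)
INDICATORS = {
    "$x_1_1": bytes.fromhex(X_1_1_HEX),
    "$x_1_2": "proje\\MK Binder\\server\\Project1.vbp".encode("utf-16-le"),
    "$x_1_3": b"ShellExecuteA",
    "$x_1_4": b"GetTempPathA",
    "$x_1_5": b"MSVBVM60.DLL",
}
MAX_FILESIZE = 20 * 1024 * 1024  # the rule's 'filesize < 20MB'

def readable_wide_strings(pattern: bytes, min_len: int = 3) -> list:
    """Decode a hex pattern as UTF-16LE and return its printable runs, so an
    analyst can see which embedded text the opaque hex in $x_1_1 keys on."""
    runs, current = [], ""
    for ch in pattern.decode("utf-16-le", errors="replace"):
        if ch.isprintable() and ch != "\ufffd":
            current += ch
            continue
        if len(current) >= min_len:
            runs.append(current)
        current = ""
    if len(current) >= min_len:
        runs.append(current)
    return runs

def evaluate_rule(data: bytes) -> dict:
    """Apply the rule's condition and report per-string hits for triage."""
    hits = {name: needle in data for name, needle in INDICATORS.items()}
    size_ok = len(data) < MAX_FILESIZE
    return {"filesize_ok": size_ok, "hits": hits, "match": size_ok and all(hits.values())}

def build_constructed_sample(drop: str = "") -> bytes:
    """Constructed test buffer, NOT a real sample: the indicators behind a
    fake header; pass an indicator name in 'drop' to omit it."""
    parts = [b"MZ" + b"\x00" * 62]  # constructed stub, not a valid PE
    for name, needle in INDICATORS.items():
        if name != drop:
            parts.append(needle + b"\x00" * 8)
    return b"".join(parts)
```

Decoding the hex shows that $x_1_1 matches the strings FileName, FileName2 and temp.txt in UTF-16LE; together with the Project1.vbp path in $x_1_2, that is what ties this rule to the MK Binder project rather than to any program that imports MSVBVM60.DLL.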