Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 13, 2021, 9:13 a.m.	April 13, 2021, 9:17 a.m.

Size	364.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`688a80f956364e2d3937b973c41cfbb6`
SHA256	`f36d0fe551b2be41e023f6a55d35ffb3ae7a5e021703c4b49235e04e296aceb3`
CRC32	`481AB02B`
ssdeep	`6144:udyAPECLp4dK/eNvPn7JhCDQ9RTatK5DQtwpEpEywGvUnek:udyAf/eNvP3CDQ9RatCDyw2we`
Yara	win_files_operation - Affect private profile PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero IsPE32 - (no description) IsWindowsGUI - (no description) HasOverlay - Overlay Check

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
3204
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  4356

Name	Response	Post-Analysis Lookup
www.krphp.com	CNAME www.krphp.com.fbidns.com A 51.79.19.142	51.79.19.142
www.buyeverythingforbaby.com	CNAME buyeverythingforbaby.com A 34.102.136.180	34.102.136.180
www.yetbor.com	A 8.210.22.196	8.210.22.196
www.likehowto.com	A 203.76.236.103	203.76.236.103
www.gujaratmba.com	A 45.196.105.175	45.196.105.175
www.vt999app.net
www.valid8.network	CNAME valid8.network A 182.50.132.242	182.50.132.242
www.suns-brothers.com	CNAME suns-brothers.com A 153.127.214.150	153.127.214.150
www.az-pcp.com
www.scott-re.online	A 34.102.136.180 CNAME scott-re.online	34.102.136.180
www.elticrecruit.com	A 216.239.34.21 A 216.239.32.21 A 216.239.38.21 A 216.239.36.21	216.239.36.21
www.ufa2345.com	A 104.21.69.35 A 172.67.203.156	172.67.203.156
www.xpddwrfj.icu
www.topmejoresproductos.com	A 209.99.40.222	209.99.40.222
www.raison-sociale.com	A 164.132.235.17	164.132.235.17

IP Address	Status	Action
104.21.69.35	Active	Moloch
153.127.214.150	Active	Moloch
164.124.101.2	Active	Moloch
164.132.235.17	Active	Moloch
172.217.25.14	Active	Moloch
182.50.132.242	Active	Moloch
203.76.236.103	Active	Moloch
209.99.40.222	Active	Moloch
216.239.34.21	Active	Moloch
34.102.136.180	Active	Moloch
45.196.105.175	Active	Moloch
51.79.19.142	Active	Moloch
8.210.22.196	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 13, 2021, 9:13 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.tuz
section	.jul
section	.new

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (12 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.scott-re.online/nnmd/?9rq=YoDjfv9GFAPxmC/m/YrXEnPJINgN/ZGcUJt6czxWwkNRV1BAm2Kb0tXyCx+SX/c+MMPjJ8db&OtxhT2=wZR8DbLPAxEHbr
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.ufa2345.com/nnmd/?9rq=yfw2M87HGp1q9j5w2tOxvPCGM4BQpJS5ADPSvETU0AeQ1mwLyedYVruDCTm82rBipcZzI418&OtxhT2=wZR8DbLPAxEHbr
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.suns-brothers.com/nnmd/?9rq=63wAYXMAzZTyFdbPgeduTMtZQGbVrU0zhbRFEm9YjPWC1DQzp3NhpDeeRLu3xGp5GtFJL6GJ&OtxhT2=wZR8DbLPAxEHbr
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.elticrecruit.com/nnmd/?9rq=kngYRuVfLuuPny+4CliufAMPT2DrkHQGtZ529sxu6AZ+mjDb8TOV5Kb0i+tB46tvYkYEaNVD&OtxhT2=wZR8DbLPAxEHbr
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.gujaratmba.com/nnmd/?9rq=jbWwWnjt2fcw4sTPwkTTgKQsQCJDA9NuaUgkL4WeQHKWMPBCQlGqgB/Udc+7oCkc2k0at6cZ&OtxhT2=wZR8DbLPAxEHbr
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.raison-sociale.com/nnmd/?9rq=P1LpRENdnqb1fbOGyNga4nCXTVuCGTreTbOaFjWN+nixYx/3vSvBuhMK5uJ9XJmSyj6SVpMN&OtxhT2=wZR8DbLPAxEHbr
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.yetbor.com/nnmd/?9rq=yFTKtd1luZIo7wvqEcSXbkRM0Fu9DXTErvPZ/33h4h9ltL5T5vX0h6V8ouFS6Gain5PLz56o&OtxhT2=wZR8DbLPAxEHbr
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.valid8.network/nnmd/?9rq=CGq8FpRO0AiTL86OI7qyWUGcdnK3uFmp3WOqNHKk+zAOrlhHiWtpg/dTztC/+VOwDx9e6LJ8&OtxhT2=wZR8DbLPAxEHbr
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.topmejoresproductos.com/nnmd/?9rq=5oGfYuXOY9e6Wgzyw65MR7pWmotIxUI2yZPS8hwMrcBGefCHV1tZ9t+5FZg010TA0GKtEOYf&OtxhT2=wZR8DbLPAxEHbr
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.krphp.com/nnmd/?9rq=PjB4lvTlAKGYAKn+VSQZPpVCBgwlvzjythr7BfvIej7nd7TDf0ugYZ/oqO22EBbm4ji9UIJN&OtxhT2=wZR8DbLPAxEHbr
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.likehowto.com/nnmd/?9rq=vRs6n4JRqe7Dt1ePX7b+YJv/yKqWGc/3Y/UBZKRypASveBlD9HGJWm4G1cXUL/JYAaDcAVpU&OtxhT2=wZR8DbLPAxEHbr
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.buyeverythingforbaby.com/nnmd/?9rq=ubi4+Pcpe5Ar+4Jek7aF79/+gi3GiunqWbDqm/5cKY51CC3oh7TAhiurYFYoh5USfo3eOT/h&OtxhT2=wZR8DbLPAxEHbr

Performs some HTTP requests (23 events)

request	POST http://www.scott-re.online/nnmd/
request	GET http://www.scott-re.online/nnmd/?9rq=YoDjfv9GFAPxmC/m/YrXEnPJINgN/ZGcUJt6czxWwkNRV1BAm2Kb0tXyCx+SX/c+MMPjJ8db&OtxhT2=wZR8DbLPAxEHbr
request	POST http://www.ufa2345.com/nnmd/
request	GET http://www.ufa2345.com/nnmd/?9rq=yfw2M87HGp1q9j5w2tOxvPCGM4BQpJS5ADPSvETU0AeQ1mwLyedYVruDCTm82rBipcZzI418&OtxhT2=wZR8DbLPAxEHbr
request	POST http://www.suns-brothers.com/nnmd/
request	GET http://www.suns-brothers.com/nnmd/?9rq=63wAYXMAzZTyFdbPgeduTMtZQGbVrU0zhbRFEm9YjPWC1DQzp3NhpDeeRLu3xGp5GtFJL6GJ&OtxhT2=wZR8DbLPAxEHbr
request	POST http://www.elticrecruit.com/nnmd/
request	GET http://www.elticrecruit.com/nnmd/?9rq=kngYRuVfLuuPny+4CliufAMPT2DrkHQGtZ529sxu6AZ+mjDb8TOV5Kb0i+tB46tvYkYEaNVD&OtxhT2=wZR8DbLPAxEHbr
request	POST http://www.gujaratmba.com/nnmd/
request	GET http://www.gujaratmba.com/nnmd/?9rq=jbWwWnjt2fcw4sTPwkTTgKQsQCJDA9NuaUgkL4WeQHKWMPBCQlGqgB/Udc+7oCkc2k0at6cZ&OtxhT2=wZR8DbLPAxEHbr
request	POST http://www.raison-sociale.com/nnmd/
request	GET http://www.raison-sociale.com/nnmd/?9rq=P1LpRENdnqb1fbOGyNga4nCXTVuCGTreTbOaFjWN+nixYx/3vSvBuhMK5uJ9XJmSyj6SVpMN&OtxhT2=wZR8DbLPAxEHbr
request	POST http://www.yetbor.com/nnmd/
request	GET http://www.yetbor.com/nnmd/?9rq=yFTKtd1luZIo7wvqEcSXbkRM0Fu9DXTErvPZ/33h4h9ltL5T5vX0h6V8ouFS6Gain5PLz56o&OtxhT2=wZR8DbLPAxEHbr
request	POST http://www.valid8.network/nnmd/
request	GET http://www.valid8.network/nnmd/?9rq=CGq8FpRO0AiTL86OI7qyWUGcdnK3uFmp3WOqNHKk+zAOrlhHiWtpg/dTztC/+VOwDx9e6LJ8&OtxhT2=wZR8DbLPAxEHbr
request	POST http://www.topmejoresproductos.com/nnmd/
request	GET http://www.topmejoresproductos.com/nnmd/?9rq=5oGfYuXOY9e6Wgzyw65MR7pWmotIxUI2yZPS8hwMrcBGefCHV1tZ9t+5FZg010TA0GKtEOYf&OtxhT2=wZR8DbLPAxEHbr
request	POST http://www.krphp.com/nnmd/
request	GET http://www.krphp.com/nnmd/?9rq=PjB4lvTlAKGYAKn+VSQZPpVCBgwlvzjythr7BfvIej7nd7TDf0ugYZ/oqO22EBbm4ji9UIJN&OtxhT2=wZR8DbLPAxEHbr
request	GET http://www.likehowto.com/nnmd/?9rq=vRs6n4JRqe7Dt1ePX7b+YJv/yKqWGc/3Y/UBZKRypASveBlD9HGJWm4G1cXUL/JYAaDcAVpU&OtxhT2=wZR8DbLPAxEHbr
request	POST http://www.buyeverythingforbaby.com/nnmd/
request	GET http://www.buyeverythingforbaby.com/nnmd/?9rq=ubi4+Pcpe5Ar+4Jek7aF79/+gi3GiunqWbDqm/5cKY51CC3oh7TAhiurYFYoh5USfo3eOT/h&OtxhT2=wZR8DbLPAxEHbr

Sends data using the HTTP POST Method (11 events)

request	POST http://www.scott-re.online/nnmd/
request	POST http://www.ufa2345.com/nnmd/
request	POST http://www.suns-brothers.com/nnmd/
request	POST http://www.elticrecruit.com/nnmd/
request	POST http://www.gujaratmba.com/nnmd/
request	POST http://www.raison-sociale.com/nnmd/
request	POST http://www.yetbor.com/nnmd/
request	POST http://www.valid8.network/nnmd/
request	POST http://www.topmejoresproductos.com/nnmd/
request	POST http://www.krphp.com/nnmd/
request	POST http://www.buyeverythingforbaby.com/nnmd/

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 3204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 131072 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03f6c000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 3204 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 4356 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00049400', u'virtual_address': u'0x00001000', u'entropy': 7.499075477815836, u'name': u'.text', u'virtual_size': u'0x0004928f'}

entropy

7.49907547782

description

A section with a high entropy has been found

entropy

0.808275862069

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 13, 2021, 9:13 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 4356 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory April 13, 2021, 9:13 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 4356 process_handle: 0x00000080	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3204 called NtSetContextThread to modify thread in remote process 4356
NtSetContextThread April 13, 2021, 9:13 a.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4312976 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 4356	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3204 resumed a thread in remote process 4356
NtResumeThread April 13, 2021, 9:13 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 4356	1	0	0

Generates some ICMP traffic

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
FireEye	Generic.mg.688a80f956364e2d
McAfee	Artemis!688A80F95636
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_80% (D)
K7GW	Riskware ( 800800801 )
BitDefenderTheta	Gen:NN.ZexaF.34670.wCX@aef7ZmlG
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HKJF
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	UDS:Trojan.Win64.Injects
Paloalto	generic.ml
Tencent	Win32.Trojan.Inject.Auto
Sophos	ML/PE-A
McAfee-GW-Edition	BehavesLike.Win32.Lockbit.fh
Emsisoft	Trojan.Agent (A)
Ikarus	Backdoor.Win32.Kredoor
Microsoft	Trojan:Win32/Glupteba!ml
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.MalPE.R415606
Rising	Malware.Heuristic!ET#76% (RDMK:cmRtazrQs268OxTX56XosN8ibayF)
SentinelOne	Static AI - Malicious PE
Fortinet	W32/GenKryptik.FDXJ!tr
AVG	Win32:Malware-gen
Qihoo-360	HEUR/QVM10.1.8928.Malware.Gen

Executed a process and injected code into it, probably while unpacking (7 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW April 13, 2021, 9:13 a.m.	thread_identifier: 7528 thread_handle: 0x0000007c process_identifier: 4356 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\vbc.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread April 13, 2021, 9:13 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection April 13, 2021, 9:13 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 4356 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 4356 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory April 13, 2021, 9:13 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 4356 process_handle: 0x00000080	1	1
NtSetContextThread April 13, 2021, 9:13 a.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4312976 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 4356	1	0
NtResumeThread April 13, 2021, 9:13 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 4356	1	0

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All