Summary | ZeroBOX

vbc.exe

PE32 PE File
Category FILE
Machine s1_win7_x6402
Started May 1, 2021, 9:27 a.m.
Completed May 1, 2021, 9:31 a.m.
Size 621.7KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 1d0d4b1031abf4a7e6da58d81bc98d6b
SHA256 ea55c997bae5ff028521b962c3077a56c962cf44b82686e549641ef7057d5852
CRC32 D0510ED3
ssdeep 6144:F0iuS5WG1jOS7mzIzNVfvIP1FiTRG1ehnByaz4LL/t4bVDkS7+1akhuDUUqdVvI:FrMG1jOQrzN9gdWZByaknOqzbh4cVQ
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
172.217.25.14 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

resource name CUSTOM
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1636100
registers.edi: 3032664
registers.eax: 1636100
registers.ebp: 1636180
registers.edx: 0
registers.ebx: 3032664
registers.esi: 3032664
registers.ecx: 2
1 0 0

__exception__

stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1636284
registers.edi: 1636472
registers.eax: 1636284
registers.ebp: 1636364
registers.edx: 0
registers.ebx: 3032664
registers.esi: 1636472
registers.ecx: 2
1 0 0

__exception__

stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1636388
registers.edi: 1636576
registers.eax: 1636388
registers.ebp: 1636468
registers.edx: 0
registers.ebx: 3032664
registers.esi: 1636576
registers.ecx: 2
1 0 0

__exception__

stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1636732
registers.edi: 1636920
registers.eax: 1636732
registers.ebp: 1636812
registers.edx: 0
registers.ebx: 3032664
registers.esi: 1636920
registers.ecx: 2
1 0 0

__exception__

stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1636788
registers.edi: 1636976
registers.eax: 1636788
registers.ebp: 1636868
registers.edx: 0
registers.ebx: 3032664
registers.esi: 1636976
registers.ecx: 2
1 0 0

__exception__

stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1634836
registers.edi: 3032664
registers.eax: 1634836
registers.ebp: 1634916
registers.edx: 0
registers.ebx: 3032664
registers.esi: 3032664
registers.ecx: 2
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 6704
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73772000
process_handle: 0xffffffff
1 0 0
name RT_STRING language LANG_LITHUANIAN filetype data sublanguage SUBLANG_LITHUANIAN_CLASSIC offset 0x0007406c size 0x00000028
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 6704
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x005b0000
process_handle: 0xffffffff
1 0 0
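The two NtProtectVirtualMemory calls above are the behavioural core of this report: a 4 KiB page at 0x73772000 is made PAGE_EXECUTE_READWRITE (protection 64), and a 24 KiB region at 0x005b0000 is made PAGE_EXECUTE_READ (protection 32) with the monitor's heap_dep_bypass flag set, meaning heap-backed memory gained execute permission, the usual footprint of a crypter unpacking its payload in place. process_handle 0xffffffff is (HANDLE)-1, the current-process pseudo-handle, so both calls modify the sample's own address space rather than a remote process. The Python below is an added example, not code from ZeroBOX or Cuckoo; it decodes the protection constants and applies the checks an analyst would run over such entries. The sample calls are transcribed from the report, and the flag meanings are taken as the monitor reports them.

```python
"""Triage NtProtectVirtualMemory entries from a Cuckoo/ZeroBOX behavior log.

Added example for this report; not code from ZeroBOX or Cuckoo. The sample
calls below are transcribed from the report's two entries for PID 6704.
"""
from typing import Dict, List

# Memory protection constants from winnt.h
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100

BASE_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS",
    PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE",
    PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE",
    PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITABLE_EXECUTABLE = PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
CURRENT_PROCESS = 0xFFFFFFFF  # (HANDLE)-1 on 32-bit: the GetCurrentProcess() pseudo-handle

# Constructed from the report: the two NtProtectVirtualMemory calls for PID 6704.
SAMPLE_CALLS: List[Dict] = [
    {"process_identifier": 6704, "base_address": 0x73772000, "length": 4096,
     "protection": 64, "process_handle": 0xFFFFFFFF,
     "stack_dep_bypass": 0, "heap_dep_bypass": 0, "stack_pivoted": 0},
    {"process_identifier": 6704, "base_address": 0x005B0000, "length": 24576,
     "protection": 32, "process_handle": 0xFFFFFFFF,
     "stack_dep_bypass": 0, "heap_dep_bypass": 1, "stack_pivoted": 0},
]


def decode_protection(value: int) -> str:
    """Turn the numeric protection into its winnt.h name, e.g. 64 -> PAGE_EXECUTE_READWRITE."""
    name = BASE_NAMES.get(value & 0xFF, hex(value & 0xFF))
    if value & PAGE_GUARD:
        name += "|PAGE_GUARD"
    return name


def assess_call(call: Dict) -> List[str]:
    """Return the findings for one call; an empty list means nothing notable."""
    findings = []
    prot = call["protection"]
    if prot & WRITABLE_EXECUTABLE:
        findings.append("RWX: page made writable and executable at once")
    if prot & EXECUTABLE and call.get("heap_dep_bypass"):
        findings.append("heap_dep_bypass: heap-backed memory gained execute permission")
    if prot & EXECUTABLE and call.get("stack_dep_bypass"):
        findings.append("stack_dep_bypass: stack memory gained execute permission")
    if call.get("stack_pivoted"):
        findings.append("stack_pivoted: stack pointer outside the thread's stack at call time")
    if findings:
        target = "own process" if call["process_handle"] == CURRENT_PROCESS else "remote process"
        findings.append(f"target: {target}")
    return findings


def triage(calls: List[Dict]) -> List[Dict]:
    """Summarise every call that produced at least one finding."""
    out = []
    for call in calls:
        findings = assess_call(call)
        if findings:
            end = call["base_address"] + call["length"] - 1
            out.append({
                "pid": call["process_identifier"],
                "range": f"0x{call['base_address']:08x}-0x{end:08x}",
                "protection": decode_protection(call["protection"]),
                "findings": findings,
            })
    return out


if __name__ == "__main__":
    for hit in triage(SAMPLE_CALLS):
        print(hit["pid"], hit["range"], hit["protection"])
        for finding in hit["findings"]:
            print("   ", finding)
```

Run against the report's two entries, both calls produce a hit: the first for the RWX protection, the second for heap memory becoming executable. A 0x5b0000 region that is first written, then flipped to PAGE_EXECUTE_READ, is exactly what to dump next (the buffer with sha1 985eef2d... listed further down is the likely candidate).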
section .text virtual_address 0x00001000 virtual_size 0x00063bc8 size_of_data 0x00064000 entropy 6.837447403762908 description A section with a high entropy has been found
section .rsrc virtual_address 0x00068000 virtual_size 0x0000c094 size_of_data 0x0000d000 entropy 7.289945199422651 description A section with a high entropy has been found
entropy 0.991228070175 description Overall entropy of this PE file is high
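The three entropy lines above come from Cuckoo's packer_entropy signature, which this report inherits, and they mix two different quantities. The per-section value is Shannon entropy in bits per byte (maximum 8.0; anything above 6.8 is treated as packed or encrypted). The "overall entropy" of 0.9912 is not an entropy at all: it is the fraction of all section data that lies in high-entropy sections, and the signature fires once that fraction exceeds 0.2. The Python below is an added example, not code from ZeroBOX or Cuckoo, that re-implements both calculations. The .text and .rsrc records are copied from the report; because the page lists only the flagged sections, a single 0x1000-byte low-entropy section is assumed as the remainder, which is the only size that reproduces the report's 0.991228070175.

```python
"""Shannon entropy per section and Cuckoo-style 'overall entropy' ratio.

Added example for this report, not ZeroBOX's or Cuckoo's own code. The .text
and .rsrc records are copied from the report; the third record is an
assumption, sized so that the ratio matches the page's figure.
"""
import math
from collections import Counter
from typing import Dict, List, Tuple

SECTION_ENTROPY_CUTOFF = 6.8   # bits/byte; sections above this count as packed/encrypted
OVERALL_RATIO_CUTOFF = 0.2     # share of section data allowed to be high-entropy before flagging

REPORT_SECTIONS: List[Dict] = [
    {"name": ".text", "virtual_address": "0x00001000", "virtual_size": "0x00063bc8",
     "size_of_data": "0x00064000", "entropy": 6.837447403762908},
    {"name": ".rsrc", "virtual_address": "0x00068000", "virtual_size": "0x0000c094",
     "size_of_data": "0x0000d000", "entropy": 7.289945199422651},
    # ASSUMED: the report shows only flagged sections; 0x1000 bytes of low-entropy
    # data is the remainder implied by its ratio of 0.991228070175.
    {"name": "<unflagged remainder, assumed>", "virtual_address": "0x00065000",
     "virtual_size": "0x00001000", "size_of_data": "0x00001000", "entropy": 3.5},
]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_records_from_bytes(named_blobs: List[Tuple[str, bytes]]) -> List[Dict]:
    """Build records shaped like the report's from raw section contents (e.g. read with pefile)."""
    return [{"name": name, "size_of_data": hex(len(blob)), "entropy": shannon_entropy(blob)}
            for name, blob in named_blobs]


def packer_entropy(sections: List[Dict]) -> Tuple[List[str], float, bool]:
    """Cuckoo packer_entropy logic: (flagged section names, high-entropy data share, overall flag)."""
    total = compressed = 0
    flagged = []
    for sec in sections:
        size = int(sec["size_of_data"], 16)
        total += size
        if float(sec["entropy"]) > SECTION_ENTROPY_CUTOFF:
            flagged.append(sec["name"])
            compressed += size
    ratio = compressed / total if total else 0.0
    return flagged, ratio, ratio > OVERALL_RATIO_CUTOFF


if __name__ == "__main__":
    flagged, ratio, overall = packer_entropy(REPORT_SECTIONS)
    print("high-entropy sections:", flagged)
    print(f"share of section data in them: {ratio:.12f} (flag={overall})")
    # Constructed inputs showing the two ends of the bits/byte scale.
    demo = section_records_from_bytes([
        ("uniform", bytes(range(256)) * 16),          # every byte value equally often -> 8.0
        ("text", b"On Error Resume Next\r\n" * 200),   # repetitive source-like text -> well below 6.8
    ])
    for rec in demo:
        print(rec["name"], f"{rec['entropy']:.3f} bits/byte")
```

The practical point for triage: a .text section at 6.84 bits/byte is unusual for compiled VB6 code and, together with the RWX/heap-executable NtProtectVirtualMemory calls earlier in the report, says the visible code is a decryption stub rather than the payload; the 0.99 figure only tells you that almost the whole file is that opaque blob.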
buffer Buffer with sha1: 985eef2d472527b8467433e096684a106b0d2e5d
host 172.217.25.14
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.46216129
FireEye Generic.mg.1d0d4b1031abf4a7
McAfee Artemis!1D0D4B1031AB
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0057bb441 )
Alibaba Trojan:Win32/Injector.30a39f2b
K7GW Trojan ( 0057bb441 )
Cybereason malicious.7e1b98
Cyren W32/VBCrypt.A!Generic
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.EPGC
APEX Malicious
Avast Win32:Trojan-gen
Kaspersky Trojan-Spy.Win32.Noon.bbcm
BitDefender Trojan.GenericKD.46216129
Paloalto generic.ml
Ad-Aware Trojan.GenericKD.46216129
Sophos Generic ML PUA (PUA)
VIPRE VirTool.Win32.Vbinder.gen.g (v)
McAfee-GW-Edition BehavesLike.Win32.Autorun.jc
Emsisoft Trojan.GenericKD.46216129 (B)
Kingsoft Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft Trojan.Win32.Downloader.sa
Microsoft Trojan:Win32/Wacatac.B!ml
AegisLab Trojan.Win32.Malicious.4!c
GData Win32.Trojan-Stealer.FormBook.LT3B61
BitDefenderTheta Gen:NN.ZevbaF.34686.Mm3@a81E70jO
TrendMicro-HouseCall TROJ_FRS.VSNW1ED21
Rising Trojan.Injector!8.C4 (CLOUD)
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Injector.EFWK!tr
Webroot W32.Malware.Gen
AVG Win32:Trojan-gen
CrowdStrike win/malicious_confidence_100% (W)