Summary | ZeroBOX

vbc.exe

Downloader, Malicious Library, Escalate privileges, ScreenShot, KeyLogger, persistence, AntiDebug, PE File, PE32, AntiVM
Category FILE
Machine s1_win7_x6402
Started May 25, 2021, 9:50 a.m.
Completed May 25, 2021, 10:02 a.m.
Size 662.2KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 9c0ab971e60116467107fe8dd787e5cf
SHA256 ef4cb9aea5d837610a28160c179ef3c4f381f84a8cbdd3464563800c53a95f15
CRC32 FE21B38B
ssdeep 12288:RdrMG1jOQrzN9gYEditSMDQePJcLLzcnDaYOdrg:IajLV98otSMDHPuLsDJ0g
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
172.217.25.14 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

name RT_STRING language LANG_LITHUANIAN filetype data sublanguage SUBLANG_LITHUANIAN_CLASSIC offset 0x00079998 size 0x00000028
section .text virtual_address 0x00001000 virtual_size 0x00074be0 size_of_data 0x00075000 entropy 6.92456471363538 description A section with a high entropy has been found
entropy 0.983193277311 description Overall entropy of this PE file is high
description Escalate privileges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Take ScreenShot rule ScreenShot
description File Downloader rule Network_Downloader
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule SEH__vba
description Checks if being debugged rule anti_dbg
description Affect hook table rule win_hook
description Install itself for autorun at Windows startup rule Persistence
host 172.217.25.14
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
FireEye Generic.mg.9c0ab971e6011646
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Cybereason malicious.b9ab89
Symantec ML.Attribute.HighConfidence
APEX Malicious
SentinelOne Static AI - Malicious PE
Microsoft Trojan:Win32/Wacatac.B!ml
Cynet Malicious (score: 100)
BitDefenderTheta Gen:NN.ZevbaF.34690.Pm3@aOjd4@oO
VBA32 Malware-Cryptor.VB.gen.1
Malwarebytes Malware.AI.3647425024
Ikarus VirTool.Win32.Vbinder
eGambit Unsafe.AI_Score_91%
MaxSecure Trojan.Malware.300983.susgen
CrowdStrike win/malicious_confidence_90% (D)