Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 4, 2021, 9:31 a.m.	Aug. 4, 2021, 9:44 a.m.

Size	291.3KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a4e87c684a48d0b140509540dd333232`
SHA256	`e9e36bd1b8aa447659150278e83976797ed8a5d73e580ca745e246b474a7539d`
CRC32	`DBFEA803`
ssdeep	`6144:Z3CWs6VpP25tNZSCV+PJD2wyQH4KrenMNR9ShadU5EtW:ZyWs825tNB+920DqMb9xc`
PDB Path	C:\xampp\htdocs\Cryptor\08b91ca520dd42228f3b7ad445e5f796\Loader\pr1\Release\pr1.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
1740
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  2092

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.227.139.18	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49165 -> 185.227.139.18:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49165 -> 185.227.139.18:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49165 -> 185.227.139.18:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.102:49165 -> 185.227.139.18:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 185.227.139.18:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 185.227.139.18:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 185.227.139.18:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 185.227.139.18:80	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	Malware Command and Control Activity Detected
TCP 192.168.56.102:49163 -> 185.227.139.18:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49163 -> 185.227.139.18:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49163 -> 185.227.139.18:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.102:49163 -> 185.227.139.18:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 4, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 4, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 4, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 4, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 4, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

C:\xampp\htdocs\Cryptor\08b91ca520dd42228f3b7ad445e5f796\Loader\pr1\Release\pr1.pdb

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 4, 2021, 9:31 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 4, 2021, 9:31 a.m.	stacktrace: vbc+0x12fdd @ 0x412fdd vbc+0x1296e @ 0x41296e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5 exception.instruction_r: 8a 0a 88 0c 17 42 4e 75 f7 5f 5e 5d c3 55 8b ec exception.symbol: vbc+0x2b41 exception.instruction: mov cl, byte ptr [edx] exception.module: vbc.exe exception.exception_code: 0xc0000005 exception.offset: 11073 exception.address: 0x402b41 registers.esp: 45809460 registers.edi: 36630318 registers.eax: 45809696 registers.ebp: 45809468 registers.edx: 9220096 registers.ebx: 45809696 registers.esi: 1007250992 registers.ecx: 13	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, HTTP version 1.0 used, Connection to IP address

suspicious_request

POST http://185.227.139.18/dsaicosaicasdi.php/XjjuWy0TVqjre

Performs some HTTP requests (1 event)

request

POST http://185.227.139.18/dsaicosaicasdi.php/XjjuWy0TVqjre

Sends data using the HTTP POST Method (1 event)

request

POST http://185.227.139.18/dsaicosaicasdi.php/XjjuWy0TVqjre

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 1740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00413000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 1740 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 9:31 a.m.	process_identifier: 1740 region_size: 217088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW Aug. 4, 2021, 9:31 a.m.	number_of_free_clusters: 3005316 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW Aug. 4, 2021, 9:31 a.m.	number_of_free_clusters: 3005316 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Steals private information from local Internet browsers (19 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW Aug. 4, 2021, 9:31 a.m.	newfilepath_r: C:\Users\test22\AppData\Roaming\41D896\6D6F4D.exe flags: 1 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe newfilepath: C:\Users\test22\AppData\Roaming\41D896\6D6F4D.exe oldfilepath: C:\Users\test22\AppData\Local\Temp\vbc.exe	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 4, 2021, 9:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

185.227.139.18

Harvests credentials from local FTP client softwares (22 events)

file	C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\test22\AppData\Roaming\wcx_ftp.ini
file	C:\Windows\wcx_ftp.ini
file	C:\Users\test22\wcx_ftp.ini
file	C:\Windows\32BitFtp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Program Files (x86)\FileZilla\Filezilla.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\filezilla.xml
registry	HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry	HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry	HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry	HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry	HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_CURRENT_USER\Software\Martin Prikryl
registry	HKEY_LOCAL_MACHINE\Software\Martin Prikryl

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\78.4.0 (ko)\Main
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1740 called NtSetContextThread to modify thread in remote process 2092
NtSetContextThread Aug. 4, 2021, 9:31 a.m.	registers.eip: 1997996484 registers.esp: 1638384 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2092	1	0	0

Putty Files, Registry Keys and/or Mutexes Detected

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
FireEye	Generic.mg.a4e87c684a48d0b1
McAfee	Artemis!A4E87C684A48
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cyren	W32/Injector.AKA.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/GenKryptik.FIJA
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Generic.Cryptor.X.95A0412F
MicroWorld-eScan	Generic.Cryptor.X.95A0412F
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Generic.Cryptor.X.95A0412F
Emsisoft	Generic.Cryptor.X.95A0412F (B)
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Sophos	Generic ML PUA (PUA)
eGambit	Unsafe.AI_Score_99%
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Generic.Cryptor.X.95A0412F
BitDefenderTheta	Gen:NN.ZexaF.34058.suZ@aCqRgcei
ALYac	Generic.Cryptor.X.95A0412F
MAX	malware (ai score=82)
VBA32	BScope.Trojan-Dropper.Injector
Rising	Trojan.Kryptik!1.D84E (CLASSIC)
SentinelOne	Static AI - Malicious PE
Fortinet	W32/GenKryptik.FIIH!tr
Webroot	W32.Malware.Gen
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_80% (W)
Qihoo-360	HEUR/QVM10.1.053B.Malware.Gen

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All