Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 6, 2021, 9:17 a.m.	Aug. 6, 2021, 9:41 a.m.

Size	286.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ccedd914fbe08e1b2812df96dc74278e`
SHA256	`0655ee712ee939add7c23e011eb887fe70f085e1fea6df1dbeb07bc8df7ffdb7`
CRC32	`73D0AB13`
ssdeep	`6144:p6W2Lqr88kcKh6skSJwTxUl2IcseaMV7m:QTt8LSJwTxlIcQS7`
PDB Path	C:\bucosiriyuj5.pdb
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2388
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  2252

Name	Response	Post-Analysis Lookup
www.fussionpromos.com	A 192.254.185.89 CNAME fussionpromos.com	192.254.185.89
www.sergrtr.com	CNAME shops.myshopify.com A 23.227.38.74 CNAME sergeg.myshopify.com	23.227.38.74
www.lenatwo.com	CNAME lenatwo.com A 46.4.153.33	46.4.153.33
www.vidacocktails.com	CNAME vidacocktails.com A 34.102.136.180	34.102.136.180

IP Address	Status	Action
164.124.101.2	Active	Moloch
192.254.185.89	Active	Moloch
23.227.38.74	Active	Moloch
34.102.136.180	Active	Moloch
46.4.153.33	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49204 -> 23.227.38.74:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 23.227.38.74:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 23.227.38.74:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 192.254.185.89:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 192.254.185.89:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 192.254.185.89:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 46.4.153.33:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 46.4.153.33:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 46.4.153.33:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 6, 2021, 9:17 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\bucosiriyuj5.pdb

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	FIJUYOPECETALAVUTIVENAHIS
resource name	LOMELIBEGOCIROVURILOHIYESAD

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.sergrtr.com/otcl/?uVjH=mBDnt/Gh8erpdJmR5LUsgS6AYomiYv6KKx4Ciy1VWZ+lm+O2aYdlFCHe7BXtcsumDYUDE2bt&R2Mxt=MjOp3dr0kBhPCb6P
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.fussionpromos.com/otcl/?uVjH=R6pBimEX126Y/7jz26NSIB+pAf+iSCkbIcynLs+ia55rI8fnMgFdof6zFKq4BsG3kSXOUZFo&R2Mxt=MjOp3dr0kBhPCb6P
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.vidacocktails.com/otcl/?uVjH=rypAyBghX+oRSAWiWZi6HXfSOOQXpfwEtRIEbFlRCYHxrojr5D9YoFHDjuuw3w1SPlmQfBvX&R2Mxt=MjOp3dr0kBhPCb6P
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.lenatwo.com/otcl/?uVjH=jjpdYGPxaq0GEExKffhLJbVQdJjKexSz1KEBGQRYOyI7/Bdn/luiGJqh0JO76VQxmlxEikAe&R2Mxt=MjOp3dr0kBhPCb6P

Performs some HTTP requests (4 events)

request	GET http://www.sergrtr.com/otcl/?uVjH=mBDnt/Gh8erpdJmR5LUsgS6AYomiYv6KKx4Ciy1VWZ+lm+O2aYdlFCHe7BXtcsumDYUDE2bt&R2Mxt=MjOp3dr0kBhPCb6P
request	GET http://www.fussionpromos.com/otcl/?uVjH=R6pBimEX126Y/7jz26NSIB+pAf+iSCkbIcynLs+ia55rI8fnMgFdof6zFKq4BsG3kSXOUZFo&R2Mxt=MjOp3dr0kBhPCb6P
request	GET http://www.vidacocktails.com/otcl/?uVjH=rypAyBghX+oRSAWiWZi6HXfSOOQXpfwEtRIEbFlRCYHxrojr5D9YoFHDjuuw3w1SPlmQfBvX&R2Mxt=MjOp3dr0kBhPCb6P
request	GET http://www.lenatwo.com/otcl/?uVjH=jjpdYGPxaq0GEExKffhLJbVQdJjKexSz1KEBGQRYOyI7/Bdn/luiGJqh0JO76VQxmlxEikAe&R2Mxt=MjOp3dr0kBhPCb6P

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 6, 2021, 9:17 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 151552 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0027c000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2021, 9:17 a.m.	process_identifier: 2388 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04450000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2021, 9:17 a.m.	process_identifier: 2252 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Foreign language identified in PE resource (14 events)

name

FIJUYOPECETALAVUTIVENAHIS

language

LANG_SERBIAN

filetype

ASCII text, with very long lines, with no line terminators

sublanguage

SUBLANG_DEFAULT

offset

0x0287bc28

size

0x000021af

name

LOMELIBEGOCIROVURILOHIYESAD

language

LANG_SERBIAN

filetype

ASCII text, with very long lines, with no line terminators

sublanguage

SUBLANG_DEFAULT

offset

0x0287b5f0

size

0x00000636

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x0287b120

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x0287b120

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x0287b120

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x0287b120

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x0287b120

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x0287b120

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x0287b120

size

0x00000468

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0287e310

size

0x000002b2

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0287e310

size

0x000002b2

name

RT_ACCELERATOR

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0287de10

size

0x00000028

name

RT_ACCELERATOR

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0287de10

size

0x00000028

name

RT_GROUP_ICON

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0287b588

size

0x00000068

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00039a00', u'virtual_address': u'0x00001000', u'entropy': 7.661293889575676, u'name': u'.text', u'virtual_size': u'0x00039940'}

entropy

7.66129388958

description

A section with a high entropy has been found

entropy

0.808771929825

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 6, 2021, 9:17 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 6, 2021, 9:17 a.m.	process_identifier: 2252 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 6, 2021, 9:17 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2252 process_handle: 0x00000080	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2388 called NtSetContextThread to modify thread in remote process 2252
NtSetContextThread Aug. 6, 2021, 9:17 a.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4320080 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2252	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2388 resumed a thread in remote process 2252
NtResumeThread Aug. 6, 2021, 9:17 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2252	1	0	0

Executed a process and injected code into it, probably while unpacking (7 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 6, 2021, 9:17 a.m.	thread_identifier: 2236 thread_handle: 0x0000007c process_identifier: 2252 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\vbc.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread Aug. 6, 2021, 9:17 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection Aug. 6, 2021, 9:17 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2252 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory Aug. 6, 2021, 9:17 a.m.	process_identifier: 2252 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory Aug. 6, 2021, 9:17 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2252 process_handle: 0x00000080	1	1
NtSetContextThread Aug. 6, 2021, 9:17 a.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4320080 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2252	1	0
NtResumeThread Aug. 6, 2021, 9:17 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2252	1	0

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win32.Injects.4!c
Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen14.55661
MicroWorld-eScan	Trojan.GenericKD.37352858
McAfee	RDN/Generic.grp
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 00576f791 )
Alibaba	Trojan:Win32/runner.ali1000123
K7GW	Trojan ( 00576f791 )
Cybereason	malicious.618489
Arcabit	Trojan.Generic.D239F59A
Cyren	W32/Kryptik.EVR.gen!Eldorado
Symantec	Packed.Generic.525
ESET-NOD32	a variant of Win32/Kryptik.HLYT
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Generic-9883819-0
Kaspersky	HEUR:Trojan.Win32.Injects.gen
BitDefender	Trojan.GenericKD.37352858
Avast	Win32:PWSX-gen [Trj]
Rising	Trojan.Kryptik!1.D82C (CLASSIC)
Ad-Aware	Trojan.GenericKD.37352858
Sophos	Mal/Generic-S
Comodo	TrojWare.Win32.Agent.wnhqn@0
F-Secure	Trojan.TR/Kryptik.pjuvk
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
FireEye	Generic.mg.ccedd914fbe08e1b
Emsisoft	Trojan.Crypt (A)
SentinelOne	Static AI - Malicious PE
Avira	TR/Kryptik.pjuvk
MAX	malware (ai score=100)
Gridinsoft	Trojan.Win32.Packed.oa
Microsoft	Ransom:Win32/StopCrypt.MYK!MTB
ZoneAlarm	HEUR:Trojan.Win32.Injects.gen
GData	Trojan.GenericKD.37352858
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.MalPE.R435772
Acronis	suspicious
VBA32	BScope.Trojan.Bingoml
ALYac	Trojan.GenericKD.37352858
Malwarebytes	Trojan.MalPack.GS
Tencent	Win32.Trojan.Inject.Auto
Ikarus	Trojan-Banker.UrSnif
Fortinet	W32/Kryptik.HLYQ!tr
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Win32/Heur.Generic.HwoCueAA

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All