Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 6, 2021, 9:17 a.m.	Aug. 6, 2021, 9:48 a.m.

Size	307.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1421f8b770cb41d7b33fe2e80c6691e9`
SHA256	`ada5044d0bbf03ca1dabe6feedc1b265179b4a2623de9d6f8e2bde31f7f03d5a`
CRC32	`E1E48BA8`
ssdeep	`6144:hC3ZxTPGcMDjzKeml0uhCvzXHe9ZLsooBRwoOL:hKb8DjzKeQ0ucXHe9ZooAwoO`
PDB Path	C:\depar.pdb
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2648
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  1160

Name	Response	Post-Analysis Lookup
www.baileyfred.com
www.mood-street-food.com	A 66.235.200.147 CNAME mood-street-food.com	66.235.200.147
www.livesupgrade.com	CNAME shops.myshopify.com A 23.227.38.74	23.227.38.74

IP Address	Status	Action
164.124.101.2	Active	Moloch
23.227.38.74	Active	Moloch
66.235.200.147	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49203 -> 23.227.38.74:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 23.227.38.74:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 23.227.38.74:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 66.235.200.147:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 66.235.200.147:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 66.235.200.147:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 6, 2021, 9:17 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\depar.pdb

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.livesupgrade.com/c244/?jPg8=sHXsfwOXiK7jrrP9uOC/H86ZPlKBjRkw0E3ojIegjKKr3xSRhIPhHgoL2XAJK99QMXFfUNAT&P0D=AdsxIRr
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.mood-street-food.com/c244/?jPg8=/7wWxO8qWNv6Gj71bI065/AN6akWd6fpCE5qVo3rjtTiIXX+bkB7ykTM4tcn3R0DCd4x72pR&P0D=AdsxIRr

Performs some HTTP requests (2 events)

request	GET http://www.livesupgrade.com/c244/?jPg8=sHXsfwOXiK7jrrP9uOC/H86ZPlKBjRkw0E3ojIegjKKr3xSRhIPhHgoL2XAJK99QMXFfUNAT&P0D=AdsxIRr
request	GET http://www.mood-street-food.com/c244/?jPg8=/7wWxO8qWNv6Gj71bI065/AN6akWd6fpCE5qVo3rjtTiIXX+bkB7ykTM4tcn3R0DCd4x72pR&P0D=AdsxIRr

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 6, 2021, 9:17 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 151552 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dac000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2021, 9:17 a.m.	process_identifier: 2648 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2021, 9:17 a.m.	process_identifier: 1160 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00910000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Foreign language identified in PE resource (20 events)

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02881390

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02881390

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02881390

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02881390

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02881390

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02881390

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02881390

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02881390

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02881390

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02881390

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02881390

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02881390

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02881390

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02881390

size

0x00000468

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x02883590

size

0x000001f8

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x02883590

size

0x000001f8

name

RT_ACCELERATOR

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x02881898

size

0x00000028

name

RT_ACCELERATOR

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x02881898

size

0x00000028

name

RT_GROUP_ICON

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x028817f8

size

0x00000068

name

RT_GROUP_ICON

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x028817f8

size

0x00000068

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00038c00', u'virtual_address': u'0x00001000', u'entropy': 7.724287305571445, u'name': u'.text', u'virtual_size': u'0x00038a70'}

entropy

7.72428730557

description

A section with a high entropy has been found

entropy

0.741830065359

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 6, 2021, 9:17 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 6, 2021, 9:17 a.m.	process_identifier: 1160 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 6, 2021, 9:17 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1160 process_handle: 0x00000080	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2648 called NtSetContextThread to modify thread in remote process 1160
NtSetContextThread Aug. 6, 2021, 9:17 a.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4320032 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 1160	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2648 resumed a thread in remote process 1160
NtResumeThread Aug. 6, 2021, 9:17 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 1160	1	0	0

Executed a process and injected code into it, probably while unpacking (7 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 6, 2021, 9:17 a.m.	thread_identifier: 2076 thread_handle: 0x0000007c process_identifier: 1160 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\vbc.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread Aug. 6, 2021, 9:17 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection Aug. 6, 2021, 9:17 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 1160 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory Aug. 6, 2021, 9:17 a.m.	process_identifier: 1160 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory Aug. 6, 2021, 9:17 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1160 process_handle: 0x00000080	1	1
NtSetContextThread Aug. 6, 2021, 9:17 a.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4320032 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 1160	1	0
NtResumeThread Aug. 6, 2021, 9:17 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 1160	1	0

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Injects.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.46737262
McAfee	RDN/Generic.grp
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 00576f791 )
Alibaba	Trojan:Win32/runner.ali1000123
K7GW	Trojan ( 00576f791 )
Cybereason	malicious.80ff4d
Arcabit	Trojan.Generic.D2C9276E
Cyren	W32/Kryptik.EVB.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HLYN
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Raccoon-9883751-1
Kaspersky	HEUR:Trojan.Win32.Inject.gen
BitDefender	Trojan.GenericKD.46737262
Avast	Win32:BotX-gen [Trj]
Rising	Trojan.Kryptik!1.D82C (CLASSIC)
Ad-Aware	Trojan.GenericKD.46737262
Sophos	Mal/Generic-R + Troj/Krypt-W
DrWeb	Trojan.Siggen14.54374
McAfee-GW-Edition	BehavesLike.Win32.Generic.fc
FireEye	Generic.mg.1421f8b770cb41d7
Emsisoft	Trojan.Agent (A)
SentinelOne	Static AI - Malicious PE
Avira	TR/Crypt.Agent.httjs
MAX	malware (ai score=100)
Gridinsoft	Ransom.Win32.STOP.ko!se3230
Microsoft	Trojan:Win32/Sabsik.FL.A!ml
GData	Win32.Trojan.PSE.HV2Z5F
Cynet	Malicious (score: 100)
AhnLab-V3	Infostealer/Win.SmokeLoader.R435601
ALYac	Trojan.GenericKD.46737262
VBA32	BScope.Trojan.Bingoml
Malwarebytes	Trojan.MalPack.GS
TrendMicro-HouseCall	TROJ_GEN.R06CH0CH421
Tencent	Win32.Trojan.Inject.Auto
Ikarus	Win32.Outbreak
Fortinet	W32/UrSnif.C6C8!tr
AVG	Win32:BotX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Win32/Trojan.Generic.HwoCueAA

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All