Summary | ZeroBOX

VanillaStub.exe

Tags Generic Malware, Antivirus, UPX, PWS, PE32, PE File, .NET EXE
Category FILE
Machine s1_win7_x6403_us
Started Aug. 6, 2021, 4:33 p.m.
Completed Aug. 6, 2021, 4:35 p.m.
Size 114.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 3e82d4b205d458e65db00eb0f4231546
SHA256 92d129825bda8b18723026a90fcc19bed5614c7ba17b1a50e1ed91518fc93752
CRC32 25B5C296
ssdeep 3072:tgZApdYrD28fbJB2yLtyT4bjjxK3QdjrxivW+DXnH4vymbc1g:t/pe1J04bXtrxivW+D34vC
Yara
  • UPX_Zero - UPX packed file
  • Antivirus - Contains references to security software
  • Generic_Malware_Zero - Generic Malware
  • Is_DotNET_EXE - (no description)
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

Name               Response       Post-Analysis Lookup
0.tcp.sa.ngrok.io  18.228.115.60

IP Address      Status  Action
164.124.101.2   Active  Moloch
18.228.115.60   Active  Moloch
18.229.248.167  Active  Moloch

Suricata Alerts

Flow | SID | Signature | Category
UDP 192.168.56.103:62228 -> 164.124.101.2:53 | 2022642 | ET POLICY DNS Query to a *.ngrok domain (ngrok.io) | Potential Corporate Privacy Violation
UDP 192.168.56.103:55511 -> 164.124.101.2:53 | 2022642 | ET POLICY DNS Query to a *.ngrok domain (ngrok.io) | Potential Corporate Privacy Violation
UDP 192.168.56.103:57684 -> 164.124.101.2:53 | 2022642 | ET POLICY DNS Query to a *.ngrok domain (ngrok.io) | Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 420
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00720000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00840000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73df1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73df2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 420
region_size: 983040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00720000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00522000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00555000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0055b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00557000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00760000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0054a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00547000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00546000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00761000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0054b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00762000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0

Description VanillaStub.exe tried to sleep 5145315940 seconds, actually delayed analysis time by 5145315940 seconds

Antivirus Detection
Lionic Trojan.MSIL.Blocker.j!c
Elastic malicious (high confidence)
DrWeb Trojan.DownLoader30.7283
MicroWorld-eScan Generic.MSIL.Blocker.1.B2B2D9DC
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
ALYac Generic.MSIL.Blocker.1.B2B2D9DC
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0054dd361 )
Alibaba Trojan:Win32/Laqma.d5ecf07a
K7GW Trojan ( 0054dd361 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Generic.MSIL.Blocker.1.B2B2D9DC
BitDefenderTheta Gen:NN.ZemsilF.34058.hm0@a4uylvg
Cyren W32/MSIL_Agent.BIX.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Agent.BYD
APEX Malicious
Paloalto generic.ml
ClamAV Win.Malware.Razy-9790647-0
Kaspersky HEUR:Trojan-Ransom.MSIL.Blocker.gen
BitDefender Generic.MSIL.Blocker.1.B2B2D9DC
Avast Win32:RATX-gen [Trj]
Tencent Msil.Trojan.Blocker.Lneo
Ad-Aware Generic.MSIL.Blocker.1.B2B2D9DC
Emsisoft Generic.MSIL.Blocker.1.B2B2D9DC (B)
VIPRE Trojan.Win32.Generic!BT
TrendMicro Ransom_Blocker.R002C0DG521
McAfee-GW-Edition GenericRXIF-TH!3E82D4B205D4
FireEye Generic.mg.3e82d4b205d458e6
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.MSIL.lmst
Avira HEUR/AGEN.1121262
Antiy-AVL Trojan/Generic.ASMalwS.33D5EF4
Gridinsoft Ransom.Win32.Blocker.dd!n
Microsoft Trojan:Win32/Laqma
ZoneAlarm HEUR:Trojan-Ransom.MSIL.Blocker.gen
GData Generic.MSIL.Blocker.1.B2B2D9DC
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.RL_Generic.R278710
McAfee GenericRXIF-TH!3E82D4B205D4
MAX malware (ai score=83)
VBA32 TScope.Trojan.MSIL
Malwarebytes Spyware.PasswordStealer
TrendMicro-HouseCall Ransom_Blocker.R002C0DG521
Rising Backdoor.VanillaRAT!1.C9D1 (CLASSIC)
Yandex Trojan.Agent!+UKaGwCk0FM
Ikarus Backdoor.Quasar
Fortinet MSIL/Agent.BYD!tr
dead_host 192.168.56.103:49193
dead_host 192.168.56.103:49181
dead_host 192.168.56.103:49190
dead_host 192.168.56.103:49212
dead_host 192.168.56.103:49217
dead_host 18.229.248.167:19296
dead_host 192.168.56.103:49205
dead_host 192.168.56.103:49177
dead_host 192.168.56.103:49186
dead_host 192.168.56.103:49208
dead_host 192.168.56.103:49174
dead_host 192.168.56.103:49201
dead_host 192.168.56.103:49167
dead_host 192.168.56.103:49198
dead_host 192.168.56.103:49170
dead_host 192.168.56.103:49191
dead_host 192.168.56.103:49213
dead_host 192.168.56.103:49163
dead_host 192.168.56.103:49194
dead_host 192.168.56.103:49182
dead_host 192.168.56.103:49187
dead_host 192.168.56.103:49209
dead_host 192.168.56.103:49218
dead_host 192.168.56.103:49175
dead_host 192.168.56.103:49206
dead_host 192.168.56.103:49164
dead_host 192.168.56.103:49178
dead_host 192.168.56.103:49199
dead_host 192.168.56.103:49171
dead_host 192.168.56.103:49188
dead_host 192.168.56.103:49202
dead_host 192.168.56.103:49195
dead_host 192.168.56.103:49183
dead_host 192.168.56.103:49184
dead_host 192.168.56.103:49214
dead_host 192.168.56.103:49219
dead_host 192.168.56.103:49172
dead_host 192.168.56.103:49207
dead_host 192.168.56.103:49165
dead_host 192.168.56.103:49179
dead_host 192.168.56.103:49196
dead_host 192.168.56.103:49210
dead_host 192.168.56.103:49168
dead_host 192.168.56.103:49189
dead_host 192.168.56.103:49203
dead_host 192.168.56.103:49220
dead_host 192.168.56.103:49161
dead_host 192.168.56.103:49192
dead_host 192.168.56.103:49180
dead_host 192.168.56.103:49185