Summary | ZeroBOX

vbc.exe

Tags: Generic Malware, UPX, PE32, PE File

Category: FILE
Machine: s1_win7_x6401
Started: Aug. 27, 2021, 3:30 p.m.
Completed: Aug. 27, 2021, 3:46 p.m.

Size: 368.0KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 97c2aecf2380200fc50b84d72af34480
SHA256: 8083fc125756be5ccebc8b837ffd80063f42696159291e0df941c28f03170b07
CRC32: F4EED372
ssdeep: 6144:64XrK9PX7Fp6Gh2wWRGl0EDDf1PisZQ5rAGQwg1QtP1f4paaYlsdcaMJEdbI0Pzy:xXe9PPlowWX0t6mOQwg1Qd15CcYk0WeC
Yara
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • IsPE32 - (no description)

DNS (Name / Response / Post-Analysis Lookup)
  • a.tmp.ninja -> 198.251.89.86 (post-analysis lookup: empty)

Hosts (IP Address / Status / Action)
  • 172.67.188.154  Active  Moloch
  • 179.189.229.254  Active  Moloch
  • 164.124.101.2  Active  Moloch
  • 198.251.89.86  Active  Moloch
  • 221.147.172.5  Active  Moloch
  • 46.99.175.149  Active  Moloch

Suricata Alerts

Flow: TCP 192.168.56.101:49201 -> 198.251.89.86:443
SID: 906200056
Signature: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Category: undefined

Suricata TLS

Flow: TLSv1 192.168.56.101:49201 -> 198.251.89.86:443
Issuer: C=US, O=Let's Encrypt, CN=R3
Subject: CN=tmp.ninja
Fingerprint: 18:1e:74:ce:9a:11:17:62:1e:3f:92:91:ef:9c:28:d4:4c:9b:c7:29

API calls (Time & API / Arguments / Status / Return / Repeated)

IsDebuggerPresent
  Arguments: (none)
  Status / Return / Repeated: 0 0

GlobalMemoryStatusEx
  Arguments: (none)
  Status: 1
  Return: 1
  Repeated: 0
request GET https://a.tmp.ninja/aWRwMVU
API calls (Time & API / Arguments / Status / Return / Repeated)

NtProtectVirtualMemory
  process_identifier: 2548
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x72a62000
  process_handle: 0xffffffff
  Status: 1
  Return: 0
  Repeated: 0

NtAllocateVirtualMemory
  process_identifier: 2548
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x03ac0000
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  process_handle: 0xffffffff
  Status: 1
  Return: 0
  Repeated: 0

NtAllocateVirtualMemory
  process_identifier: 2548
  region_size: 1376256
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x055e0000
  allocation_type: 8192 (MEM_RESERVE)
  process_handle: 0xffffffff
  Status: 1
  Return: 0
  Repeated: 0

NtAllocateVirtualMemory
  process_identifier: 2548
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x056f0000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffff
  Status: 1
  Return: 0
  Repeated: 0
Section with high entropy: UPX1
  virtual_address: 0x0008c000
  virtual_size: 0x00055000
  size_of_data: 0x00054200
  entropy: 7.937154753817282
  description: A section with a high entropy has been found

Overall PE entropy: 0.91689373297
  description: Overall entropy of this PE file is high

Section UPX0: Section name indicates UPX
Section UPX1: Section name indicates UPX
host 172.67.188.154
host 179.189.229.254
host 221.147.172.5
host 46.99.175.149
AV results
  • Bkav: W32.AIDetect.malware2
  • Elastic: malicious (high confidence)
  • McAfee: Artemis!97C2AECF2380
  • Cylance: Unsafe
  • Sangfor: Trojan.Win32.Save.a
  • CrowdStrike: win/malicious_confidence_60% (W)
  • APEX: Malicious
  • Sophos: Generic ML PUA (PUA)
  • McAfee-GW-Edition: BehavesLike.Win32.Generic.fc
  • FireEye: Generic.mg.97c2aecf2380200f
  • eGambit: Unsafe.AI_Score_99%
  • Microsoft: Trojan:Script/Phonzy.C!ml
  • AhnLab-V3: Trojan/Win.Generic.C4609845
  • Webroot: Pua.Yukleyici
dead_host 172.67.188.154:443