Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 19, 2021, 10:42 a.m.	Sept. 19, 2021, 10:50 a.m.

Size	433.0KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`2a59d2396654692dc87a81df7554b608`
SHA256	`04e98a900ca361b68ebcfbad6453ddc626d93c8afb13916c18dd0e9648187566`
CRC32	`D2104BEA`
ssdeep	`6144:1+j7ADL5mgPkQNac4hRyu+QO+IjNeiKFoESrDxBDs/t8zJJqxiu:4g5T47O+iN7KFoEMDxBol0Jqx`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
1760
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  2232

Name	Response	Post-Analysis Lookup
www.comprarmiaspiradora.com	A 91.195.240.13	91.195.240.13
www.findsmartvestorpro.com	A 34.98.99.30 CNAME findsmartvestorpro.com	34.98.99.30
www.banban365.net	A 34.98.99.30 CNAME banban365.net	34.98.99.30
www.besthypee.com	A 34.98.99.30 CNAME besthypee.com	34.98.99.30
www.helpmovingandstorage.com	A 209.15.40.102 CNAME helpmovingandstorage.com	209.15.40.102
www.darenscape.com	CNAME darenscape.com A 34.102.136.180	34.102.136.180
www.shinebrightjournal.com	A 66.96.162.247	66.96.162.247
www.qipai039.com	A 47.91.170.222	47.91.170.222
www.asteroid.finance	A 198.54.117.218 A 198.54.117.216 A 198.54.117.217 CNAME parkingpage.namecheap.com A 198.54.117.215 A 198.54.117.212 A 198.54.117.210 A 198.54.117.211	198.54.117.210
www.recargasasec.com	CNAME recargasasec.com A 157.230.119.90	157.230.119.90
www.mengzhanxy.com	A 154.85.61.184 CNAME hk839.pc51.com	154.85.61.184
www.puffycannabis.com	A 34.102.136.180 CNAME puffycannabis.com	34.102.136.180
www.breathlessandinlove.com	A 172.67.155.190 A 104.21.40.174	104.21.40.174

IP Address	Status	Action
154.85.61.184	Active	Moloch
157.230.119.90	Active	Moloch
164.124.101.2	Active	Moloch
172.67.155.190	Active	Moloch
198.54.117.212	Active	Moloch
209.15.40.102	Active	Moloch
34.102.136.180	Active	Moloch
34.98.99.30	Active	Moloch
47.91.170.222	Active	Moloch
66.96.162.247	Active	Moloch
91.195.240.13	Active	Moloch
92.119.113.140	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49165 -> 157.230.119.90:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49165 -> 157.230.119.90:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49165 -> 157.230.119.90:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49177 -> 66.96.162.247:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49177 -> 66.96.162.247:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49177 -> 66.96.162.247:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 34.98.99.30:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 34.98.99.30:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 34.98.99.30:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49178 -> 91.195.240.13:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49178 -> 91.195.240.13:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49178 -> 91.195.240.13:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 34.98.99.30:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 34.98.99.30:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 34.98.99.30:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 34.98.99.30:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 34.98.99.30:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 34.98.99.30:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49180 -> 154.85.61.184:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49180 -> 154.85.61.184:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49180 -> 154.85.61.184:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 209.15.40.102:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 209.15.40.102:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 209.15.40.102:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 198.54.117.212:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 198.54.117.212:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 198.54.117.212:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 172.67.155.190:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 172.67.155.190:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 172.67.155.190:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

OZX

HTTP traffic contains suspicious features which may be indicative of malware related traffic (12 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.recargasasec.com/b6a4/?pPc=c8NarzWcEtsFm58gGwju3yDcr3OowVkzeYD4dTid6NZJZ29ZkeD+uwofnAuE7UyUZFTxuq8g&1b=W6RpsLRPH
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.findsmartvestorpro.com/b6a4/?pPc=2zUiPygWWhGhTTPt59aALdzubfJOZPfGYm8T4hMrtq8qpNxJkD0bejz9pJEVuH2VhcQLkVD+&1b=W6RpsLRPH
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.breathlessandinlove.com/b6a4/?pPc=L3jTl+qjmOLob/hwsT1R5L1wPHeQgqAvmmPpKYZw/Tvlatm9T0OvxocvGkGBA0MAck/qyoGi&1b=W6RpsLRPH
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.darenscape.com/b6a4/?pPc=/o8bd4Yn+5EYQl0+0B6vT8FOqtBFFV3vKtm6qVeMT3pPn9BnW0HxlU6BOHg8g2MYVqRIgKAb&1b=W6RpsLRPH
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.asteroid.finance/b6a4/?pPc=qLtgNToSswb6CMFxrgf7fmc+nXqwhZnGR9zX0c9pvpxyA4sUtmU5qGoaAQCzoAft52FbUOHw&1b=W6RpsLRPH
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.helpmovingandstorage.com/b6a4/?pPc=WCQPk6OV774AQmQZK5qr8VSUgSKsV6/gws8DuEwnniOEFY0oNuiFQFr5fT8XTvC//aYnyiLC&1b=W6RpsLRPH
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.puffycannabis.com/b6a4/?pPc=oiYmmsgxC1YJtL/TalgnGFIXIV5LVOhJOFefMXwNyxWtYVBV9sv49gjiiwV97JT9vw/9+E/D&1b=W6RpsLRPH
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.banban365.net/b6a4/?pPc=LB4TDSoOcfLfP6WEu4Xi7VJHqpSLlQ19KfcRHvNI1E0BJW4Tj/37f9F/v3DaWRHlsfthhSdO&1b=W6RpsLRPH
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.shinebrightjournal.com/b6a4/?pPc=yia2y8Ozc6GenJUPAcroUvWGFTw2QMRRPIQzt/ZaZChJ1JNL+1MGl/E4CETm5UxneJuWJm8N&1b=W6RpsLRPH
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.comprarmiaspiradora.com/b6a4/?pPc=NgL62OvvJT139jumkr6yKdEzBj23Q8ZPX7pdh2JMf40EvGh1dAmibAZdYhuMGcMjCZsKMW8b&1b=W6RpsLRPH
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.besthypee.com/b6a4/?pPc=Qns5Qsf7idreXcQcAn7ngAtcze6YDtPoIPtFsjnoPncdjMyZsXPG24zliSsXwtCsnKHDqpq8&1b=W6RpsLRPH
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.mengzhanxy.com/b6a4/?pPc=FByqb+2LlROyngocgFCFAn+MKYV18123uhBB1I43VWvlV2IxG8Ov3otlIU6bOU/X6zRPLChJ&1b=W6RpsLRPH

Performs some HTTP requests (12 events)

request	GET http://www.recargasasec.com/b6a4/?pPc=c8NarzWcEtsFm58gGwju3yDcr3OowVkzeYD4dTid6NZJZ29ZkeD+uwofnAuE7UyUZFTxuq8g&1b=W6RpsLRPH
request	GET http://www.findsmartvestorpro.com/b6a4/?pPc=2zUiPygWWhGhTTPt59aALdzubfJOZPfGYm8T4hMrtq8qpNxJkD0bejz9pJEVuH2VhcQLkVD+&1b=W6RpsLRPH
request	GET http://www.breathlessandinlove.com/b6a4/?pPc=L3jTl+qjmOLob/hwsT1R5L1wPHeQgqAvmmPpKYZw/Tvlatm9T0OvxocvGkGBA0MAck/qyoGi&1b=W6RpsLRPH
request	GET http://www.darenscape.com/b6a4/?pPc=/o8bd4Yn+5EYQl0+0B6vT8FOqtBFFV3vKtm6qVeMT3pPn9BnW0HxlU6BOHg8g2MYVqRIgKAb&1b=W6RpsLRPH
request	GET http://www.asteroid.finance/b6a4/?pPc=qLtgNToSswb6CMFxrgf7fmc+nXqwhZnGR9zX0c9pvpxyA4sUtmU5qGoaAQCzoAft52FbUOHw&1b=W6RpsLRPH
request	GET http://www.helpmovingandstorage.com/b6a4/?pPc=WCQPk6OV774AQmQZK5qr8VSUgSKsV6/gws8DuEwnniOEFY0oNuiFQFr5fT8XTvC//aYnyiLC&1b=W6RpsLRPH
request	GET http://www.puffycannabis.com/b6a4/?pPc=oiYmmsgxC1YJtL/TalgnGFIXIV5LVOhJOFefMXwNyxWtYVBV9sv49gjiiwV97JT9vw/9+E/D&1b=W6RpsLRPH
request	GET http://www.banban365.net/b6a4/?pPc=LB4TDSoOcfLfP6WEu4Xi7VJHqpSLlQ19KfcRHvNI1E0BJW4Tj/37f9F/v3DaWRHlsfthhSdO&1b=W6RpsLRPH
request	GET http://www.shinebrightjournal.com/b6a4/?pPc=yia2y8Ozc6GenJUPAcroUvWGFTw2QMRRPIQzt/ZaZChJ1JNL+1MGl/E4CETm5UxneJuWJm8N&1b=W6RpsLRPH
request	GET http://www.comprarmiaspiradora.com/b6a4/?pPc=NgL62OvvJT139jumkr6yKdEzBj23Q8ZPX7pdh2JMf40EvGh1dAmibAZdYhuMGcMjCZsKMW8b&1b=W6RpsLRPH
request	GET http://www.besthypee.com/b6a4/?pPc=Qns5Qsf7idreXcQcAn7ngAtcze6YDtPoIPtFsjnoPncdjMyZsXPG24zliSsXwtCsnKHDqpq8&1b=W6RpsLRPH
request	GET http://www.mengzhanxy.com/b6a4/?pPc=FByqb+2LlROyngocgFCFAn+MKYV18123uhBB1I43VWvlV2IxG8Ov3otlIU6bOU/X6zRPLChJ&1b=W6RpsLRPH

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1760 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0015f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1760 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00430000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 2232 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00036e00', u'virtual_address': u'0x00037000', u'entropy': 7.99373884162874, u'name': u'.rsrc', u'virtual_size': u'0x00036dd8'}

entropy

7.99373884163

description

A section with a high entropy has been found

entropy

0.508101851852

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 19, 2021, 10:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

92.119.113.140

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1760 called NtSetContextThread to modify thread in remote process 2232
NtSetContextThread Sept. 19, 2021, 10:42 a.m.	registers.eip: 2007957956 registers.esp: 3930924 registers.edi: 0 registers.eax: 4313264 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000e8 process_identifier: 2232	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

47.91.170.222:80

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Noon.l!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Generic.30046783
ALYac	Trojan.Generic.30046783
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/runner.ali1000123
K7GW	Trojan ( 005734ab1 )
K7AntiVirus	Trojan ( 005734ab1 )
Arcabit	Trojan.Generic.D1CA7A3F
Cyren	W32/Kryptik.FGF.gen!Eldorado
Symantec	Trojan.Formbook
ESET-NOD32	a variant of Win32/Kryptik.HMLP
APEX	Malicious
Kaspersky	HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender	Trojan.Generic.30046783
ViRobot	Trojan.Win32.Z.Agent.443392.DF
Avast	Win32:PWSX-gen [Trj]
Rising	Trojan.Kryptik!1.D978 (CLASSIC)
Ad-Aware	Trojan.Generic.30046783
Sophos	ML/PE-A
DrWeb	Trojan.PWS.Stealer.23680
TrendMicro	Mal_HPGen-37b
McAfee-GW-Edition	BehavesLike.Win32.Generic.gc
FireEye	Generic.mg.2a59d2396654692d
Emsisoft	Trojan.Crypt (A)
SentinelOne	Static AI - Suspicious PE
Jiangmin	TrojanSpy.Noon.sbx
Webroot	W32.Trojan.Gen
Avira	TR/AD.Swotter.ufyds
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Win32/Lokibot.DECC!MTB
GData	Win32.Trojan-Stealer.FormBook.UF4WRE
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Hpgen.R441406
McAfee	RDN/Generic PWS.y
VBA32	BScope.Trojan-Dropper.Injector
Malwarebytes	Spyware.LokiBot
TrendMicro-HouseCall	Mal_HPGen-37b
Tencent	Win32.Trojan.Inject.Auto
Ikarus	Trojan.Agent
Fortinet	W32/GenKryptik.FIBB!tr
BitDefenderTheta	Gen:NN.ZexaF.34142.BuW@am5z!3ci
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/CI.A
MaxSecure	Trojan.Malware.300983.susgen

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All