Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 23, 2021, 8:24 a.m.	Sept. 23, 2021, 8:42 a.m.

Size	732.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`7a23da05dfbd236cb33b6d7a2a1f262d`
SHA256	`da641202fb53638f3aad2bda8a87d215855cf03aa658637e3dd70dbe5c3c47fd`
CRC32	`DBF3905A`
ssdeep	`12288:lAmtiK5oIXkuAiOM/KJ+OJ3lvUtuQezKJU8rpIX1lQ5WSDQxfFT1Sk:G+FoIUOON+wVvnzK/elQRD+fFT1S`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2488
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  2308

Name	Response	Post-Analysis Lookup
www.ord9route.art	A 202.165.66.108	202.165.66.108
www.nnvv942.com	CNAME nnvv942.com A 199.241.1.183	199.241.1.183
www.lamarfish.com	A 204.11.56.48	204.11.56.48
www.kjslink.com
www.bebo.xyz	A 86.105.245.69	86.105.245.69
www.centrounac.com	A 34.98.99.30 CNAME centrounac.com	34.98.99.30
www.adorotudoisso.club	A 208.113.216.170	208.113.216.170
www.mammutphilippines.com	A 199.59.242.153 CNAME 70716.BODIS.com	199.59.242.153
www.createreleaserepeat.com	A 75.126.100.9	75.126.100.9

IP Address	Status	Action
164.124.101.2	Active	Moloch
199.241.1.183	Active	Moloch
199.59.242.153	Active	Moloch
202.165.66.108	Active	Moloch
204.11.56.48	Active	Moloch
208.113.216.170	Active	Moloch
34.98.99.30	Active	Moloch
75.126.100.9	Active	Moloch
86.105.245.69	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49166 -> 204.11.56.48:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 199.59.242.153:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 208.113.216.170:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 204.11.56.48:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 199.59.242.153:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 204.11.56.48:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 208.113.216.170:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 199.59.242.153:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 208.113.216.170:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 199.241.1.183:80 -> 192.168.56.102:49170	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.102:49170 -> 199.241.1.183:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 199.241.1.183:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 199.241.1.183:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 34.98.99.30:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 34.98.99.30:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 34.98.99.30:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 202.165.66.108:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 202.165.66.108:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 202.165.66.108:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 86.105.245.69:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 86.105.245.69:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 86.105.245.69:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 75.126.100.9:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 86.105.245.69:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.102:49172 -> 75.126.100.9:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 75.126.100.9:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 23, 2021, 8:24 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 23, 2021, 8:24 a.m.			0	0
IsDebuggerPresent Sept. 23, 2021, 8:24 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 23, 2021, 8:24 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.lamarfish.com/n90q/?nH=oLp1INRQcYlCIwnKN0Njm6Xoc+cRt/X9prI3xjM3Ww6ORPuYc4D5wUV8peSbJSvq5hgWAqN2&GF=6l8lMtkXCnqDR4j
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.mammutphilippines.com/n90q/?nH=GiWrvS//gQ2q/hIV6Zy/o5YW6c6VukN0OH9ROBeGDhiEQY+72LoQ1NiOAxiqbd0Y0wIFk2Ut&GF=6l8lMtkXCnqDR4j
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.adorotudoisso.club/n90q/?nH=+AznKtSaeUwG4Xhx64dkxKeTbLa++kdbf8CsCGDIfyM3i3hWyBe26u1HjGAigACJ/I2g9jsl&GF=6l8lMtkXCnqDR4j
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.centrounac.com/n90q/?nH=4AF0SqrcHbMbXHT29t0gKs+41/yAIXWaLUNVn/nIRBk+MAbhn5ZCt0buIkQBoGEu5wc0Q/41&GF=6l8lMtkXCnqDR4j
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.nnvv942.com/n90q/?nH=8fnm1kg073ztZrdYEgPG88qlh15erAvqUZr4iV0Eq8UimOtZmlwKxqbhgxKQuef6PrzJkwXT&GF=6l8lMtkXCnqDR4j
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.bebo.xyz/n90q/?nH=Dro1KrF0gyNlcbSU541z19qzrfyzXKuAHParq6y5Eexi213YrSW+4q3W+dE4BNn0Eap4e/tW&GF=6l8lMtkXCnqDR4j
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.createreleaserepeat.com/n90q/?nH=SsuzvQ6HV6taaD+W8X3ly66BXMf4dXdtK5LrBFfasaPP85NssPTn5/qtxMT4ZatflkGo0SY1&GF=6l8lMtkXCnqDR4j
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.ord9route.art/n90q/?nH=m4pl3ok5EqTqfLMyT/hFtIlAKU9zniQdbH9l3O+ovtt51rXL7aP0rtbmfw7iHYfUW+rGLckW&GF=6l8lMtkXCnqDR4j

Performs some HTTP requests (8 events)

request	GET http://www.lamarfish.com/n90q/?nH=oLp1INRQcYlCIwnKN0Njm6Xoc+cRt/X9prI3xjM3Ww6ORPuYc4D5wUV8peSbJSvq5hgWAqN2&GF=6l8lMtkXCnqDR4j
request	GET http://www.mammutphilippines.com/n90q/?nH=GiWrvS//gQ2q/hIV6Zy/o5YW6c6VukN0OH9ROBeGDhiEQY+72LoQ1NiOAxiqbd0Y0wIFk2Ut&GF=6l8lMtkXCnqDR4j
request	GET http://www.adorotudoisso.club/n90q/?nH=+AznKtSaeUwG4Xhx64dkxKeTbLa++kdbf8CsCGDIfyM3i3hWyBe26u1HjGAigACJ/I2g9jsl&GF=6l8lMtkXCnqDR4j
request	GET http://www.centrounac.com/n90q/?nH=4AF0SqrcHbMbXHT29t0gKs+41/yAIXWaLUNVn/nIRBk+MAbhn5ZCt0buIkQBoGEu5wc0Q/41&GF=6l8lMtkXCnqDR4j
request	GET http://www.nnvv942.com/n90q/?nH=8fnm1kg073ztZrdYEgPG88qlh15erAvqUZr4iV0Eq8UimOtZmlwKxqbhgxKQuef6PrzJkwXT&GF=6l8lMtkXCnqDR4j
request	GET http://www.bebo.xyz/n90q/?nH=Dro1KrF0gyNlcbSU541z19qzrfyzXKuAHParq6y5Eexi213YrSW+4q3W+dE4BNn0Eap4e/tW&GF=6l8lMtkXCnqDR4j
request	GET http://www.createreleaserepeat.com/n90q/?nH=SsuzvQ6HV6taaD+W8X3ly66BXMf4dXdtK5LrBFfasaPP85NssPTn5/qtxMT4ZatflkGo0SY1&GF=6l8lMtkXCnqDR4j
request	GET http://www.ord9route.art/n90q/?nH=m4pl3ok5EqTqfLMyT/hFtIlAKU9zniQdbH9l3O+ovtt51rXL7aP0rtbmfw7iHYfUW+rGLckW&GF=6l8lMtkXCnqDR4j

Allocates read-write-execute memory (usually to unpack itself) (47 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00472000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00496000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0435f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00761000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e962000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00763000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00764000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:25 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00765000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:25 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04351000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:25 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00766000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:25 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:25 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:25 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00767000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:25 a.m.	process_identifier: 2488 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00768000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:25 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:25 a.m.	process_identifier: 2488 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:25 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d86000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:25 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d87000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:25 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:25 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d89000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:25 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 8:25 a.m.	process_identifier: 2308 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0008ca00', u'virtual_address': u'0x00002000', u'entropy': 7.94204974679355, u'name': u'.text', u'virtual_size': u'0x0008c924'}

entropy

7.94204974679

description

A section with a high entropy has been found

entropy

0.768442622951

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 23, 2021, 8:25 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 23, 2021, 8:25 a.m.	process_identifier: 2308 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003f0	1	0	0

A process attempted to delay the analysis task. (1 event)

description

vbc.exe tried to sleep 2728437 seconds, actually delayed analysis time by 2728437 seconds

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 23, 2021, 8:25 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL¼öSà \|Ô@@.text{\| ` base_address: 0x00400000 process_identifier: 2308 process_handle: 0x000003f0	1	1	0
WriteProcessMemory Sept. 23, 2021, 8:25 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2308 process_handle: 0x000003f0	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 23, 2021, 8:25 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL¼öSà \|Ô@@.text{\| ` base_address: 0x00400000 process_identifier: 2308 process_handle: 0x000003f0	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2488 called NtSetContextThread to modify thread in remote process 2308
NtSetContextThread Sept. 23, 2021, 8:25 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314240 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003ec process_identifier: 2308	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2488 resumed a thread in remote process 2308
NtResumeThread Sept. 23, 2021, 8:25 a.m.	thread_handle: 0x000003ec suspend_count: 1 process_identifier: 2308	1	0	0

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Lionic	Trojan.MSIL.Noon.l!c
Elastic	malicious (high confidence)
McAfee	PWS-FCZF!7A23DA05DFBD
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_80% (W)
Cyren	W32/MSIL_Kryptik.AIQ.gen!Eldorado
Symantec	Trojan.Gen.2
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Sophos	Mal/Generic-S
McAfee-GW-Edition	BehavesLike.Win32.Generic.bc
Ikarus	Win32.Outbreak
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:MSIL/AgentTesla.CVB!MTB
GData	Win32.Trojan-Stealer.FormBook.LLITSW
Cynet	Malicious (score: 100)
MAX	malware (ai score=96)
Malwarebytes	Malware.AI.2760679192
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Cybereason	malicious.d89fa4

Executed a process and injected code into it, probably while unpacking (11 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 23, 2021, 8:24 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2488	1	0
NtResumeThread Sept. 23, 2021, 8:24 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2488	1	0
NtResumeThread Sept. 23, 2021, 8:24 a.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2488	1	0
CreateProcessInternalW Sept. 23, 2021, 8:25 a.m.	thread_identifier: 2252 thread_handle: 0x000003ec process_identifier: 2308 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003f0	1	1
NtGetContextThread Sept. 23, 2021, 8:25 a.m.	thread_handle: 0x000003ec	1	0
NtAllocateVirtualMemory Sept. 23, 2021, 8:25 a.m.	process_identifier: 2308 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003f0	1	0
WriteProcessMemory Sept. 23, 2021, 8:25 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL¼öSà \|Ô@@.text{\| ` base_address: 0x00400000 process_identifier: 2308 process_handle: 0x000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 8:25 a.m.	buffer: base_address: 0x00401000 process_identifier: 2308 process_handle: 0x000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 8:25 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2308 process_handle: 0x000003f0	1	1
NtSetContextThread Sept. 23, 2021, 8:25 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314240 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003ec process_identifier: 2308	1	0
NtResumeThread Sept. 23, 2021, 8:25 a.m.	thread_handle: 0x000003ec suspend_count: 1 process_identifier: 2308	1	0

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All