Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 25, 2021, 10:56 a.m.	Sept. 25, 2021, 11:10 a.m.

Size	1.9MB
Type	MS-DOS executable, MZ for MS-DOS
MD5	`f22c9479a75f069c121ca390b35d3541`
SHA256	`cb892b4b5ea77832886be5bfe2ba04ada67bcdfb7501c1832389caa005ef31bd`
CRC32	`7BE8B034`
ssdeep	`49152:f0go55qAJy2AhOGK7qlWfAWSTUvVg3l+:sh5xJy2KxK+fTOg1`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library MPRESS_Zero - MPRESS packed file IsPE32 - (no description)

vida.exe "C:\Users\test22\AppData\Local\Temp\vida.exe"
3068

Name	Response	Post-Analysis Lookup
mas.to	A 88.99.75.82	88.99.75.82

IP Address	Status	Action
164.124.101.2	Active	Moloch
88.99.75.82	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49165 -> 88.99.75.82:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49164 -> 88.99.75.82:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:52062 -> 164.124.101.2:53	2027757	ET DNS Query for .to TLD	Potentially Bad Traffic
UDP 192.168.56.102:52062 -> 8.8.8.8:53	2027757	ET DNS Query for .to TLD	Potentially Bad Traffic
TCP 88.99.75.82:443 -> 192.168.56.102:49166	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.MPRESS1
section	.MPRESS2

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TYPELIB

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ Sept. 25, 2021, 10:56 a.m.	stacktrace: vida+0x33d298 @ 0x73d298 vida+0x372f33 @ 0x772f33 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 1638148 registers.edi: 5570560 registers.eax: 1638148 registers.ebp: 1638228 registers.edx: 2130566132 registers.ebx: 1572907 registers.esi: 2008380459 registers.ecx: 3928227840	1
__exception__ Sept. 25, 2021, 10:56 a.m.	stacktrace: exception.instruction_r: ed e9 0d 28 01 00 c3 e9 53 2a 01 00 c0 45 ff ff exception.symbol: vida+0x394f40 exception.instruction: in eax, dx exception.module: vida.exe exception.exception_code: 0xc0000096 exception.offset: 3755840 exception.address: 0x794f40 registers.esp: 1638268 registers.edi: 8990166 registers.eax: 1750617430 registers.ebp: 5570560 registers.edx: 2130532438 registers.ebx: 2147483650 registers.esi: 6671958 registers.ecx: 20	1
__exception__ Sept. 25, 2021, 10:56 a.m.	stacktrace: exception.instruction_r: ed e9 f1 68 04 00 c1 f5 35 3e 01 00 0e db dc 38 exception.symbol: vida+0x34d071 exception.instruction: in eax, dx exception.module: vida.exe exception.exception_code: 0xc0000096 exception.offset: 3461233 exception.address: 0x74d071 registers.esp: 1638268 registers.edi: 8990166 registers.eax: 1447909480 registers.ebp: 5570560 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 6671958 registers.ecx: 10	1
__exception__ Sept. 25, 2021, 10:56 a.m.	stacktrace: exception.instruction_r: 8a 08 40 3a cb 75 f9 2b c2 50 56 b9 5c 10 4d 00 exception.symbol: vida+0x106e0 exception.instruction: mov cl, byte ptr [eax] exception.module: vida.exe exception.exception_code: 0xc0000005 exception.offset: 67296 exception.address: 0x4106e0 registers.esp: 1637024 registers.edi: 0 registers.eax: 0 registers.ebp: 16 registers.edx: 1 registers.ebx: 0 registers.esi: 0 registers.ecx: 1637052	1

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 25, 2021, 10:56 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77b7f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:56 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77af0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:56 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 749568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:56 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 102400 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:56 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:56 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:56 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 344064 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:56 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004cf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:56 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:56 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:56 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:56 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2021, 10:56 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004cf000 process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x001c7000', u'virtual_address': u'0x00001000', u'entropy': 7.999882431035201, u'name': u'.MPRESS1', u'virtual_size': u'0x0040b000'}

entropy

7.99988243104

description

A section with a high entropy has been found

entropy

0.927861330614

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Checks for the presence of known windows from debuggers and forensic tools (18 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 25, 2021, 10:56 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 25, 2021, 10:56 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 25, 2021, 10:56 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 25, 2021, 10:56 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 25, 2021, 10:56 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 25, 2021, 10:56 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Sept. 25, 2021, 10:56 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 25, 2021, 10:56 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 25, 2021, 10:56 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 25, 2021, 10:56 a.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Sept. 25, 2021, 10:56 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 25, 2021, 10:56 a.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Sept. 25, 2021, 10:56 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 25, 2021, 10:56 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 25, 2021, 10:56 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 25, 2021, 10:56 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 25, 2021, 10:56 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 25, 2021, 10:56 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 25, 2021, 10:56 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 25, 2021, 10:56 a.m.	stacktrace: exception.instruction_r: ed e9 f1 68 04 00 c1 f5 35 3e 01 00 0e db dc 38 exception.symbol: vida+0x34d071 exception.instruction: in eax, dx exception.module: vida.exe exception.exception_code: 0xc0000096 exception.offset: 3461233 exception.address: 0x74d071 registers.esp: 1638268 registers.edi: 8990166 registers.eax: 1447909480 registers.ebp: 5570560 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 6671958 registers.ecx: 10	1	0	0

Generates some ICMP traffic

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Multi.Generic.4!c
Elastic	malicious (high confidence)
FireEye	Generic.mg.f22c9479a75f069c
McAfee	Artemis!F22C9479A75F
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Sophos	Mal/Generic-R + Mal/EncPk-PC
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.34170.6nuaaeoIMhnO
VBA32	BScope.Trojan.Wacatac
SentinelOne	Static AI - Suspicious PE
eGambit	Unsafe.AI_Score_93%
CrowdStrike	win/malicious_confidence_100% (W)

vida.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All