popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

vbc.exe

Generic Malware PWS PE32 .NET EXE PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 20, 2021, 5:34 p.m. Oct. 20, 2021, 5:40 p.m.
Size 350.5KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 9a092f3515d0d124eada8025f048dcb8
SHA256 cf0dac69d1019ef5bfe48cec8864233431019b8421a63c515a97f76c5f9f7554
CRC32 E33667DD
ssdeep 6144:B2qKgkIdzNWgKDTzPAJRJ6hlu6tS7zvpt1OfA9qbAJLjr0+Df1RC869tzk6yIg:45QzRKD/PURMyU2zv04eAJLzf1RZ8zU
Yara
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • IsPE32 - (no description)
  • Is_DotNET_EXE - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
179.189.229.254 Active Moloch
164.124.101.2 Active Moloch
46.99.175.217 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49203 -> 46.99.175.217:443 2404317 ET CNC Feodo Tracker Reported CnC Server group 18 A Network Trojan was detected
TCP 192.168.56.101:49205 -> 179.189.229.254:443 2404308 ET CNC Feodo Tracker Reported CnC Server group 9 A Network Trojan was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 204
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00940000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 204
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00af0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 204
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 204
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72742000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 204
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00480000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 204
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00490000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 204
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 204
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 204
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 204
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005b1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 204
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 204
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005b3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x00057000', u'virtual_address': u'0x00002000', u'entropy': 7.713308425810533, u'name': u'.text', u'virtual_size': u'0x00056ed4'} entropy 7.71330842581 description A section with a high entropy has been found
entropy 0.994285714286 description Overall entropy of this PE file is high
host 179.189.229.254
host 46.99.175.217
Elastic malicious (high confidence)
FireEye Generic.mg.9a092f3515d0d124
Cylance Unsafe
Sangfor Suspicious.Win32.Save.a
Cybereason malicious.f6c9e9
Cyren W32/MSIL_Kryptik.FXC.gen!Eldorado
Symantec Scr.Malcode!gdn30
ESET-NOD32 a variant of MSIL/GenKryptik.FMHP
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
Avast Win32:MalwareX-gen [Trj]
McAfee-GW-Edition BehavesLike.Win32.Generic.fc
Sophos ML/PE-A
SentinelOne Static AI - Malicious PE
Microsoft Trojan:Win32/Pwsteal.Q!bit
Cynet Malicious (score: 100)
BitDefenderTheta Gen:NN.ZemsilF.34218.vm0@aq9U87b
VBA32 CIL.HeapOverride.Heur
Malwarebytes MachineLearning/Anomalous.94%
Fortinet MSIL/Kryptik.ADFN!tr
AVG Win32:MalwareX-gen [Trj]
CrowdStrike win/malicious_confidence_90% (W)