Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 25, 2021, 5:02 p.m.	Oct. 25, 2021, 5:06 p.m.

Size	697.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`f29e9e4fa36add92b5e974b87999acc1`
SHA256	`6b52710407ef9ac5e2f4054b1faddb2d3a935f5e8c0ca1ec15a7dcf56aa4368f`
CRC32	`5F91DBD4`
ssdeep	`12288:D2VTp/B1gZIBsWFKqI6cIx5YFUNyVEowTrQyRwjhROEO:8TBoME6cI7YeNyVEolyRw`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description)

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2372
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  2772

Name	Response	Post-Analysis Lookup
secure01-redirect.net	A 185.224.212.69	185.224.212.69

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.224.212.69	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49179 -> 185.224.212.69:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 185.224.212.69:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 185.224.212.69:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.103:49175 -> 185.224.212.69:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 185.224.212.69:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 185.224.212.69:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 185.224.212.69:80	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 185.224.212.69:80	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	Malware Command and Control Activity Detected
TCP 185.224.212.69:80 -> 192.168.56.103:49175	2025483	ET MALWARE LokiBot Fake 404 Response	A Network Trojan was detected
TCP 185.224.212.69:80 -> 192.168.56.103:49179	2025483	ET MALWARE LokiBot Fake 404 Response	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 185.224.212.69:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 185.224.212.69:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 185.224.212.69:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 185.224.212.69:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected
TCP 192.168.56.103:49174 -> 185.224.212.69:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.103:49174 -> 185.224.212.69:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 185.224.212.69:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.103:49174 -> 185.224.212.69:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameA Oct. 25, 2021, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 25, 2021, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 25, 2021, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 25, 2021, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 25, 2021, 5:03 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 25, 2021, 5:02 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 25, 2021, 5:02 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, HTTP version 1.0 used

suspicious_request

POST http://secure01-redirect.net/ga20/fre.php

Performs some HTTP requests (1 event)

request

POST http://secure01-redirect.net/ga20/fre.php

Sends data using the HTTP POST Method (1 event)

request

POST http://secure01-redirect.net/ga20/fre.php

Allocates read-write-execute memory (usually to unpack itself) (50 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cc1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fe0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fe1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fe2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fe3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fe4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fe5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fe7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fe8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fe9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:02 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:03 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:03 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:03 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:03 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:03 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:03 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:03 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:03 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:03 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:03 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:03 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:03 p.m.	process_identifier: 2372 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:03 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e46000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:03 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e47000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2021, 5:03 p.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW Oct. 25, 2021, 5:03 p.m.	number_of_free_clusters: 2499612 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW Oct. 25, 2021, 5:03 p.m.	number_of_free_clusters: 2499612 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Steals private information from local Internet browsers (19 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW Oct. 25, 2021, 5:03 p.m.	newfilepath_r: C:\Users\test22\AppData\Roaming\41D896\6D6F4D.exe flags: 1 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe newfilepath: C:\Users\test22\AppData\Roaming\41D896\6D6F4D.exe oldfilepath: C:\Users\test22\AppData\Local\Temp\vbc.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000adc00', u'virtual_address': u'0x00002000', u'entropy': 7.788963294843408, u'name': u'.text', u'virtual_size': u'0x000adbf4'}

entropy

7.78896329484

description

A section with a high entropy has been found

entropy

0.997130559541

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 25, 2021, 5:03 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://www.ibsensoftware.com/

Yara rule detected in process memory (11 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 25, 2021, 5:03 p.m.	process_identifier: 2772 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001e0	1	0	0

Harvests credentials from local FTP client softwares (22 events)

file	C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\test22\AppData\Roaming\wcx_ftp.ini
file	C:\Windows\wcx_ftp.ini
file	C:\Users\test22\wcx_ftp.ini
file	C:\Windows\32BitFtp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Program Files (x86)\FileZilla\Filezilla.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\filezilla.xml
registry	HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry	HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry	HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry	HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry	HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_CURRENT_USER\Software\Martin Prikryl
registry	HKEY_LOCAL_MACHINE\Software\Martin Prikryl

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 25, 2021, 5:03 p.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþ¬¬¬Ô¬K£K¬ ¬=2ó¬¬¬Ô¬¬Ç¬Ô¬=2÷ó¬=2È¬Rich¬PELlWà8¢Þ9P@ ÐdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x À base_address: 0x00400000 process_identifier: 2772 process_handle: 0x000001e0	1	1
WriteProcessMemory Oct. 25, 2021, 5:03 p.m.	buffer: TÍ<¨K¢`Ý;U base_address: 0x0041a000 process_identifier: 2772 process_handle: 0x000001e0	1	1
WriteProcessMemory Oct. 25, 2021, 5:03 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2772 process_handle: 0x000001e0	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 25, 2021, 5:03 p.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþ¬¬¬Ô¬K£K¬ ¬=2ó¬¬¬Ô¬¬Ç¬Ô¬=2÷ó¬=2È¬Rich¬PELlWà8¢Þ9P@ ÐdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x À base_address: 0x00400000 process_identifier: 2772 process_handle: 0x000001e0	1	1	0

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\78.4.0 (ko)\Main
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2372 called NtSetContextThread to modify thread in remote process 2772
NtSetContextThread Oct. 25, 2021, 5:03 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001e4 process_identifier: 2772	1	0	0

Putty Files, Registry Keys and/or Mutexes Detected

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2372 resumed a thread in remote process 2772
NtResumeThread Oct. 25, 2021, 5:03 p.m.	thread_handle: 0x000001e4 suspend_count: 1 process_identifier: 2772	1	0	0

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.f29e9e4fa36add92
McAfee	PWS-FCZF!F29E9E4FA36A
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
Cybereason	malicious.257835
BitDefenderTheta	Gen:NN.ZemsilF.34236.Rm0@a8yvb7c
Cyren	W32/MSIL_Kryptik.DLB.gen!Eldorado
Symantec	Trojan.Gen.9
ESET-NOD32	a variant of MSIL/Kryptik.ADGN
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	FileRepMalware
McAfee-GW-Edition	BehavesLike.Win32.Generic.jc
Sophos	Mal/Generic-S
Ikarus	Win32.Outbreak
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Cynet	Malicious (score: 100)
VBA32	CIL.HeapOverride.Heur
Malwarebytes	MachineLearning/Anomalous.94%
TrendMicro-HouseCall	TROJ_GEN.R002C0PJP21
Yandex	Trojan.AvsArher.bUaQs6
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Kryptik.ADFY!tr
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_100% (W)

Executed a process and injected code into it, probably while unpacking (14 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 25, 2021, 5:02 p.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 2372	1	0
NtResumeThread Oct. 25, 2021, 5:02 p.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 2372	1	0
CreateProcessInternalW Oct. 25, 2021, 5:03 p.m.	thread_identifier: 2768 thread_handle: 0x000001e4 process_identifier: 2772 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001e0	1	1
NtGetContextThread Oct. 25, 2021, 5:03 p.m.	thread_handle: 0x000001e4	1	0
NtAllocateVirtualMemory Oct. 25, 2021, 5:03 p.m.	process_identifier: 2772 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001e0	1	0
WriteProcessMemory Oct. 25, 2021, 5:03 p.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþ¬¬¬Ô¬K£K¬ ¬=2ó¬¬¬Ô¬¬Ç¬Ô¬=2÷ó¬=2È¬Rich¬PELlWà8¢Þ9P@ ÐdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x À base_address: 0x00400000 process_identifier: 2772 process_handle: 0x000001e0	1	1
WriteProcessMemory Oct. 25, 2021, 5:03 p.m.	buffer: base_address: 0x00401000 process_identifier: 2772 process_handle: 0x000001e0	1	1
WriteProcessMemory Oct. 25, 2021, 5:03 p.m.	buffer: base_address: 0x00415000 process_identifier: 2772 process_handle: 0x000001e0	1	1
WriteProcessMemory Oct. 25, 2021, 5:03 p.m.	buffer: TÍ<¨K¢`Ý;U base_address: 0x0041a000 process_identifier: 2772 process_handle: 0x000001e0	1	1
WriteProcessMemory Oct. 25, 2021, 5:03 p.m.	buffer: base_address: 0x004a0000 process_identifier: 2772 process_handle: 0x000001e0	1	1
WriteProcessMemory Oct. 25, 2021, 5:03 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2772 process_handle: 0x000001e0	1	1
NtSetContextThread Oct. 25, 2021, 5:03 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001e4 process_identifier: 2772	1	0
NtResumeThread Oct. 25, 2021, 5:03 p.m.	thread_handle: 0x000001e4 suspend_count: 1 process_identifier: 2772	1	0
NtResumeThread Oct. 25, 2021, 5:03 p.m.	thread_handle: 0x00000110 suspend_count: 1 process_identifier: 2772	1	0

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All