Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 1, 2021, 9:23 a.m.	Nov. 1, 2021, 9:24 a.m.

Size	375.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`1463a8e3cbd8b63c709495a91ff95506`
SHA256	`eed781a42769761d30787cecd662c5b6ba70589724a456d09ae008e1bd68835f`
CRC32	`1FF49D32`
ssdeep	`6144:ulfZxZgD614b47d6f4Gz4K63CFWZ1BNkVnaiFqwQ/RQnfBP7KytiOvcJCQMyrHW/:ulfZxmWBSaiF3QZmPH1v+CKSzZkSXsPy`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
1896
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  2532

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 1, 2021, 9:23 a.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 9:23 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 1, 2021, 9:23 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (30 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72372000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:23 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:24 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:24 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:24 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:24 a.m.	process_identifier: 1896 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:24 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:24 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:24 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:24 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01050000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:24 a.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01051000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 9:24 a.m.	process_identifier: 2532 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0005d200', u'virtual_address': u'0x00002000', u'entropy': 7.720313803867444, u'name': u'.text', u'virtual_size': u'0x0005d160'}

entropy

7.72031380387

description

A section with a high entropy has been found

entropy

0.993333333333

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 1, 2021, 9:24 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Nov. 1, 2021, 9:24 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Nov. 1, 2021, 9:24 a.m.	status_code: 0xffffffff process_identifier: 2760 process_handle: 0x00000264		0	0
NtTerminateProcess Nov. 1, 2021, 9:24 a.m.	status_code: 0xffffffff process_identifier: 2760 process_handle: 0x00000264	1	0	0

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 1, 2021, 9:24 a.m.	process_identifier: 2760 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258		3221225496	0
NtAllocateVirtualMemory Nov. 1, 2021, 9:24 a.m.	process_identifier: 2532 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268	1	0	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1896 manipulating memory of non-child process 2760
NtAllocateVirtualMemory Nov. 1, 2021, 9:24 a.m.	process_identifier: 2760 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258		3221225496	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 1, 2021, 9:24 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL#OÓBà \| Ô@@.text<{\| ` base_address: 0x00400000 process_identifier: 2532 process_handle: 0x00000268	1	1	0
WriteProcessMemory Nov. 1, 2021, 9:24 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2532 process_handle: 0x00000268	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 1, 2021, 9:24 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL#OÓBà \| Ô@@.text<{\| ` base_address: 0x00400000 process_identifier: 2532 process_handle: 0x00000268	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1896 called NtSetContextThread to modify thread in remote process 2532
NtSetContextThread Nov. 1, 2021, 9:24 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314144 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000264 process_identifier: 2532	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1896 resumed a thread in remote process 2532
NtResumeThread Nov. 1, 2021, 9:24 a.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 2532	1	0	0

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Elastic	malicious (high confidence)
Sangfor	Suspicious.Win32.Save.a
Cybereason	malicious.e6c9e9
Cyren	W32/MSIL_Troj.BRO.gen!Eldorado
Symantec	Trojan.Gen.9
ESET-NOD32	a variant of MSIL/Kryptik.ADIH
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:Trojan-Spy.MSIL.Noon.gen
Avast	Win32:PWSX-gen [Trj]
Sophos	Mal/Generic-S
DrWeb	Trojan.PWS.Stealer.31160
McAfee-GW-Edition	BehavesLike.Win32.Fareit.fc
MaxSecure	Trojan.Malware.300983.susgen
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Cynet	Malicious (score: 100)
McAfee	Artemis!1463A8E3CBD8
Malwarebytes	MachineLearning/Anomalous.97%
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Kryptik.ADIA!tr
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (W)

Executed a process and injected code into it, probably while unpacking (14 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 1, 2021, 9:23 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1896	1	0
NtResumeThread Nov. 1, 2021, 9:23 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1896	1	0
NtResumeThread Nov. 1, 2021, 9:23 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 1896	1	0
CreateProcessInternalW Nov. 1, 2021, 9:24 a.m.	thread_identifier: 3028 thread_handle: 0x00000254 process_identifier: 2760 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000258	1	1
NtGetContextThread Nov. 1, 2021, 9:24 a.m.	thread_handle: 0x00000254	1	0
NtAllocateVirtualMemory Nov. 1, 2021, 9:24 a.m.	process_identifier: 2760 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258		3221225496
CreateProcessInternalW Nov. 1, 2021, 9:24 a.m.	thread_identifier: 2772 thread_handle: 0x00000264 process_identifier: 2532 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000268	1	1
NtGetContextThread Nov. 1, 2021, 9:24 a.m.	thread_handle: 0x00000264	1	0
NtAllocateVirtualMemory Nov. 1, 2021, 9:24 a.m.	process_identifier: 2532 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268	1	0
WriteProcessMemory Nov. 1, 2021, 9:24 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL#OÓBà \| Ô@@.text<{\| ` base_address: 0x00400000 process_identifier: 2532 process_handle: 0x00000268	1	1
WriteProcessMemory Nov. 1, 2021, 9:24 a.m.	buffer: base_address: 0x00401000 process_identifier: 2532 process_handle: 0x00000268	1	1
WriteProcessMemory Nov. 1, 2021, 9:24 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2532 process_handle: 0x00000268	1	1
NtSetContextThread Nov. 1, 2021, 9:24 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314144 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000264 process_identifier: 2532	1	0
NtResumeThread Nov. 1, 2021, 9:24 a.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 2532	1	0

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All