Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 1, 2022, 4:31 p.m.	March 1, 2022, 4:44 p.m.

Size	835.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`2a3b03cc4ffd3c588050f95c0cd14ce5`
SHA256	`667e5e3584ef11bc6dc12e693546b3a62cb487d507379e9dc4be3a1767d80be9`
CRC32	`F1E204EC`
ssdeep	`24576:/PL+jNrEcHGRuZjMm9sDBUyaqZ1zHVPpMn78mZc6BD7:/PL+j+ce6qZ1MnFZc6`
PDB Path	E:\A\_work\4913\s\obj\Lab.Release\IOSDebugLauncher\Microsoft.IOSDebugLauncher.pdb
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2336

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA March 1, 2022, 4:31 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW March 1, 2022, 4:31 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 1, 2022, 4:31 p.m.			0	0
IsDebuggerPresent March 1, 2022, 4:31 p.m.			0	0
IsDebuggerPresent March 1, 2022, 4:31 p.m.			0	0
IsDebuggerPresent March 1, 2022, 4:31 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

E:\A\_work\4913\s\obj\Lab.Release\IOSDebugLauncher\Microsoft.IOSDebugLauncher.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 1, 2022, 4:31 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 1, 2022, 4:31 p.m.	stacktrace: sxsJitStartup-0x4ada2 clrjit+0x9af2 @ 0x737f9af2 sxsJitStartup-0x4bee9 clrjit+0x89ab @ 0x737f89ab sxsJitStartup-0x4c04c clrjit+0x8848 @ 0x737f8848 sxsJitStartup-0x4b4b8 clrjit+0x93dc @ 0x737f93dc sxsJitStartup-0x4b379 clrjit+0x951b @ 0x737f951b sxsJitStartup-0x4d6ab clrjit+0x71e9 @ 0x737f71e9 sxsJitStartup-0x50878 clrjit+0x401c @ 0x737f401c sxsJitStartup-0x50762 clrjit+0x4132 @ 0x737f4132 sxsJitStartup-0x50612 clrjit+0x4282 @ 0x737f4282 sxsJitStartup-0x502ff clrjit+0x4595 @ 0x737f4595 CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x73973669 CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x73973701 CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x73973743 CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x7397399c CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x73973496 CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x739740db DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x7395bcd5 DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x73942ae9 0xac0071 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73952e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73a074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73a07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73fef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74277f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74274de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 8b 50 24 89 55 f0 80 7a 01 0f 75 15 80 3a 1b 0f exception.instruction: mov edx, dword ptr [eax + 0x24] exception.exception_code: 0xc0000005 exception.symbol: sxsJitStartup-0x27eb9 clrjit+0x2c9db exception.address: 0x7381c9db registers.esp: 2876464 registers.edi: 11206672 registers.eax: 0 registers.ebp: 2876500 registers.edx: 0 registers.ebx: 11220448 registers.esi: 0 registers.ecx: 8	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

March 1, 2022, 4:31 p.m.

stacktrace:

sxsJitStartup-0x4ada2 clrjit+0x9af2 @ 0x737f9af2
sxsJitStartup-0x4bee9 clrjit+0x89ab @ 0x737f89ab
sxsJitStartup-0x4c04c clrjit+0x8848 @ 0x737f8848
sxsJitStartup-0x4b4b8 clrjit+0x93dc @ 0x737f93dc
sxsJitStartup-0x4b379 clrjit+0x951b @ 0x737f951b
sxsJitStartup-0x4d6ab clrjit+0x71e9 @ 0x737f71e9
sxsJitStartup-0x50878 clrjit+0x401c @ 0x737f401c
sxsJitStartup-0x50762 clrjit+0x4132 @ 0x737f4132
sxsJitStartup-0x50612 clrjit+0x4282 @ 0x737f4282
sxsJitStartup-0x502ff clrjit+0x4595 @ 0x737f4595
CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x73973669
CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x73973701
CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x73973743
CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x7397399c
CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x73973496
CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x739740db
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x7395bcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x73942ae9
0xac0071
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73952e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73a074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73a07610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a91dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a91e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a91f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a9416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73fef5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74277f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74274de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 8b 50 24 89 55 f0 80 7a 01 0f 75 15 80 3a 1b 0f
exception.instruction: mov edx, dword ptr [eax + 0x24]
exception.exception_code: 0xc0000005
exception.symbol: sxsJitStartup-0x27eb9 clrjit+0x2c9db
exception.address: 0x7381c9db
registers.esp: 2876464
registers.edi: 11206672
registers.eax: 0
registers.ebp: 2876500
registers.edx: 0
registers.ebx: 11220448
registers.esi: 0
registers.ecx: 8

Allocates read-write-execute memory (usually to unpack itself) (12 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 1, 2022, 4:31 p.m.	process_identifier: 2336 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 1, 2022, 4:31 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 1, 2022, 4:31 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 1, 2022, 4:31 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73942000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 1, 2022, 4:31 p.m.	process_identifier: 2336 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 1, 2022, 4:31 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 1, 2022, 4:31 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00542000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 1, 2022, 4:31 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 1, 2022, 4:31 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 1, 2022, 4:31 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 1, 2022, 4:31 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 1, 2022, 4:31 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000bfc00', u'virtual_address': u'0x00002000', u'entropy': 7.974365407219521, u'name': u'.text', u'virtual_size': u'0x000bfa2d'}

entropy

7.97436540722

description

A section with a high entropy has been found

entropy

0.918562874251

description

Overall entropy of this PE file is high

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Elastic	malicious (moderate confidence)
FireEye	Generic.mg.2a3b03cc4ffd3c58
Sangfor	Suspicious.Win32.Save.a
ESET-NOD32	a variant of MSIL/Kryptik_AGen.LB
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	FileRepMalware
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
Ikarus	Win32.Outbreak
Webroot	W32.Trojan.Gen
Microsoft	Trojan:Win32/Wacatac.B!ml
Cynet	Malicious (score: 100)
McAfee	Artemis!2A3B03CC4FFD
Malwarebytes	Malware.AI.868600930
SentinelOne	Static AI - Suspicious PE
BitDefenderTheta	Gen:NN.ZemsilCO.34232.0m0@aewbpPl
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_70% (W)
MaxSecure	Trojan.Malware.300983.susgen

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All