Summary | ZeroBOX

vbc.exe

Tags: UPX, Anti_VM, PE32, PE File, .NET EXE

Category | Machine | Started | Completed
FILE | s1_win7_x6401 | April 9, 2022, 10:27 a.m. | April 9, 2022, 10:29 a.m.
Size 1.2MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 70d706225522cd3347c547789b252efe
SHA256 209f77f7c06469c75125d639bdca79aa1751e1d76a7288d349f113f9c75b7da4
CRC32 4BAD4541
ssdeep 12288:jbZlpwBJR/YP3ges5u4RT43HbPwcQHMPBlkeB5KYjnxu3mJNTafM6FgkAgez64eh:jpwR/w3gFbkfvB2M0YjY2/JkTeBeh
PDB Path E:\A\_work\903\s\obj\Microsoft.VisualStudio.Threading\Release\net472\Microsoft.VisualStudio.Threading.pdb
Yara
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • anti_vm_detect - Possibly employs anti-virtualization techniques
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Is_DotNET_EXE - (no description)
  • PE_Header_Zero - PE File Signature

Domains (Name | Response | Post-Analysis Lookup): no hosts contacted.
IP addresses (IP Address | Status | Action): no hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Signature hits (columns: Time & API | Arguments | Status | Return | Repeated)

GetComputerNameA | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
IsDebuggerPresent | (no arguments) | extracted row values: 0 0 (4 separate calls)
pdb_path E:\A\_work\903\s\obj\Microsoft.VisualStudio.Threading\Release\net472\Microsoft.VisualStudio.Threading.pdb (a build path for Microsoft's Visual Studio Threading library; a PDB path is a string fixed at link time and is carried over unchanged when a binary is repacked or wrapped, so it does not by itself establish who built this file)
GlobalMemoryStatusEx | (no arguments) | 1 | 1 | 0
resource name: IBC
__exception__

stacktrace (innermost frame first):
sxsJitStartup-0x4ada2 clrjit+0x9af2 @ 0x742f9af2
sxsJitStartup-0x4bee9 clrjit+0x89ab @ 0x742f89ab
sxsJitStartup-0x4c04c clrjit+0x8848 @ 0x742f8848
sxsJitStartup-0x4b4b8 clrjit+0x93dc @ 0x742f93dc
sxsJitStartup-0x4b379 clrjit+0x951b @ 0x742f951b
sxsJitStartup-0x4d6ab clrjit+0x71e9 @ 0x742f71e9
sxsJitStartup-0x50878 clrjit+0x401c @ 0x742f401c
sxsJitStartup-0x50762 clrjit+0x4132 @ 0x742f4132
sxsJitStartup-0x50612 clrjit+0x4282 @ 0x742f4282
sxsJitStartup-0x502ff clrjit+0x4595 @ 0x742f4595
CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x72e63669
CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x72e63701
CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x72e63743
CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x72e6399c
CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x72e63496
CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x72e640db
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x72e4bcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x72e32ae9
0xb30071
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: 8b 50 24 89 55 f0 80 7a 01 0f 75 15 80 3a 1b 0f
exception.instruction: mov edx, dword ptr [eax + 0x24]
exception.exception_code: 0xc0000005 (STATUS_ACCESS_VIOLATION)
exception.symbol: sxsJitStartup-0x27eb9 clrjit+0x2c9db
exception.address: 0x7431c9db
registers.esp: 3730032 (0x38ea70)
registers.edi: 7471120 (0x720010)
registers.eax: 0
registers.ebp: 3730068 (0x38ea94)
registers.edx: 0
registers.ebx: 7484744 (0x723548)
registers.esi: 0
registers.ecx: 8
Status | Return | Repeated: 1 | 0 | 0

Reading of the fault: eax is 0 when clrjit.dll executes `mov edx, dword ptr [eax + 0x24]`, so this is a null-pointer read at offset 0x24 inside the JIT, not a write into guarded memory. The clr.dll frames beneath it, down to _CorExeMain, show the runtime was JIT-compiling managed code for this executable when it faulted. The unsymbolised frame 0xb30071 in the trace lies inside the 4096-byte PAGE_EXECUTE_READWRITE page committed at 0x00b30000 in the memory records that follow, so execution passed through run-time-written memory before the JIT was entered.
Memory API calls (all rows: process_identifier 2768, process_handle 0xffffffff i.e. the calling process itself, stack_dep_bypass 0, stack_pivoted 0; Status 1, Return 0, Repeated 0)

API | base_address | region_size / length | allocation_type | protection | heap_dep_bypass
NtAllocateVirtualMemory | 0x005b0000 | 1048576 | 8192 (MEM_RESERVE) | 64 (PAGE_EXECUTE_READWRITE) | 0
NtAllocateVirtualMemory | 0x00670000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtProtectVirtualMemory | 0x72e31000 | 4096 | (not applicable) | 64 (PAGE_EXECUTE_READWRITE) | 0
NtProtectVirtualMemory | 0x72e32000 | 4096 | (not applicable) | 64 (PAGE_EXECUTE_READWRITE) | 0
NtAllocateVirtualMemory | 0x005b0000 | 327680 | 8192 (MEM_RESERVE) | 64 (PAGE_EXECUTE_READWRITE) | 0
NtAllocateVirtualMemory | 0x005c0000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 0x00502000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 0x0051c000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 0x00b30000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 0x00535000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 0x0053b000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 0x00537000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1

Two things in this table deserve a closer look. The two NtProtectVirtualMemory calls target 0x72e31000 and 0x72e32000, which fall inside clr.dll: the crash stack resolves clr+0x2ae9 to 0x72e32ae9, putting the module base at 0x72e30000, so the first pages of the runtime's own image were made writable and executable. Second, the unsymbolised frame 0xb30071 in the crash stack sits in the RWX page committed at 0x00b30000. Caveat: a .NET Framework process legitimately commits PAGE_EXECUTE_READWRITE memory for JIT-compiled code, so the RWX commits on their own are weak evidence in a managed executable; the protection change on clr.dll pages and code executing from a freshly committed page are the stronger signals here.
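The observations above can be checked mechanically. The Python below is an added example, not ZeroBOX's code or anything from the sample: it parses records written in the report's own `key: value` layout (a constructed subset of the rows above is embedded), recovers module load bases from the symbolised stack frames (address minus offset), and flags RWX commits, RWX protection changes that land inside a known module, and unsymbolised frames that fall inside an RWX region. The function names and the use of the highest frame address as a module's upper bound (the image size is not on the page) are assumptions of this example.

```python
"""Triage of memory-API rows and a crash stack from a ZeroBOX/Cuckoo report
(added example, not the sandbox's code). Inputs are a constructed subset of
the page's own rows, kept in the report's 'key: value' layout."""
import re

PAGE_EXECUTE_READWRITE = 0x40   # 'protection: 64' in the report
MEM_COMMIT = 0x1000             # 'allocation_type: 4096'

API_RECORDS = """\
NtAllocateVirtualMemory
process_identifier: 2768
region_size: 1048576
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005b0000
allocation_type: 8192 (MEM_RESERVE)

NtAllocateVirtualMemory
process_identifier: 2768
region_size: 4096
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00670000
allocation_type: 4096 (MEM_COMMIT)

NtProtectVirtualMemory
process_identifier: 2768
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72e31000

NtAllocateVirtualMemory
process_identifier: 2768
region_size: 4096
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b30000
allocation_type: 4096 (MEM_COMMIT)
"""

STACK_TRACE = """\
sxsJitStartup-0x4ada2 clrjit+0x9af2 @ 0x742f9af2
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x72e32ae9
0xb30071
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5
"""

_NUM = re.compile(r"^(0x[0-9a-fA-F]+|\d+)")                    # leading int or hex literal
_FRAME = re.compile(r"(\w+)\+0x([0-9a-f]+) @ 0x([0-9a-f]+)")   # 'module+offset @ address'
_BARE = re.compile(r"^0x([0-9a-f]+)$")                         # frame with no symbol at all


def parse_api_records(text):
    """One record per blank-line separated block: first line is the API name,
    the rest are 'key: value' pairs; a leading decimal/hex number becomes an int."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        rec = {"api": lines[0].strip()}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            m = _NUM.match(value.strip())
            rec[key.strip()] = int(m.group(1), 0) if m else value.strip()
        records.append(rec)
    return records


def module_ranges(stack_text):
    """Module -> (load base, highest address seen). Base is address - offset of
    any symbolised frame; the upper bound is only what the trace shows, because
    the image size is not in the report (assumption of this example)."""
    ranges = {}
    for line in stack_text.splitlines():
        m = _FRAME.search(line)
        if m:
            name, off, addr = m.group(1), int(m.group(2), 16), int(m.group(3), 16)
            base, hi = ranges.get(name, (addr - off, addr))
            ranges[name] = (base, max(hi, addr))
    return ranges


def rwx_commits(records):
    """(base, size) of every committed PAGE_EXECUTE_READWRITE region."""
    return [(r["base_address"], r["region_size"]) for r in records
            if r["api"] == "NtAllocateVirtualMemory"
            and r["protection"] == PAGE_EXECUTE_READWRITE
            and r["allocation_type"] & MEM_COMMIT]


def rwx_protects_in_module(records, ranges):
    """RWX NtProtectVirtualMemory calls whose target page lies inside a module
    recovered from the stack: a loaded DLL's pages being made writable+executable."""
    return [(r["base_address"], name)
            for r in records
            if r["api"] == "NtProtectVirtualMemory" and r["protection"] == PAGE_EXECUTE_READWRITE
            for name, (base, hi) in ranges.items()
            if base <= r["base_address"] <= hi]


def frames_in_rwx(stack_text, commits):
    """Unsymbolised return addresses inside a committed RWX region, i.e. code
    that ran from memory the process wrote at run time."""
    hits = []
    for line in stack_text.splitlines():
        m = _BARE.match(line.strip())
        if m:
            addr = int(m.group(1), 16)
            hits += [(addr, base) for base, size in commits if base <= addr < base + size]
    return hits


def triage(api_text=API_RECORDS, stack_text=STACK_TRACE):
    records = parse_api_records(api_text)
    ranges = module_ranges(stack_text)
    commits = rwx_commits(records)
    return {"modules": ranges,
            "rwx_commits": commits,
            "module_protects": rwx_protects_in_module(records, ranges),
            "frames_in_rwx": frames_in_rwx(stack_text, commits)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

On the embedded subset this reports clr.dll at base 0x72e30000, the protect call at 0x72e31000 as landing inside clr, and frame 0xb30071 as executing from the RWX page at 0x00b30000. Run it against the full row set above to get every commit; treat the RWX commits alone as low-signal in a .NET process, since the Framework's JIT commits RWX memory for compiled code by itself.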
Section entropy: .text (virtual_address 0x00002000, virtual_size 0x00119579, size_of_data 0x00119600) has entropy 6.884; description: a section with a high entropy has been found.
Overall entropy of this PE file is reported as 0.903 (high).

A near-maximal .text entropy is consistent with the UPX_Zero Yara hit: the managed code is stored compressed and is only decompressed at run time, which is also why the static .NET indicators above say little about the payload.
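The per-section check behind the line above can be reproduced. The Python below is an added example, not the sandbox's own entropy code: it reads the PE section table with a minimal hand-written parser, computes Shannon entropy over each section's raw bytes, and flags sections above 6.8 bits per byte (a threshold assumed here; the page does not state the sandbox's cut-off). The input PE is constructed in build_pe() with a pseudo-random "packed" .text next to a plain-text .rdata, so the script runs offline; point section_entropies() at real file bytes to use it on a sample.

```python
"""Per-section Shannon entropy check for a PE file (added example; the
section-table reader is hand-written here, not the sandbox's code, and the
input PE is constructed by build_pe())."""
import hashlib
import math
import struct
from collections import Counter

HIGH_ENTROPY = 6.8  # assumed threshold in bits/byte; the report's cut-off is not on the page


def shannon_entropy(data: bytes) -> float:
    """0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data: bytes):
    """Yield section headers: MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header
    (NumberOfSections at +6, SizeOfOptionalHeader at +20) -> 40-byte entries."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    for i in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        yield {"name": name.rstrip(b"\0").decode("ascii", "replace"),
               "virtual_address": vaddr, "virtual_size": vsize,
               "size_of_data": raw_size, "raw_ptr": raw_ptr}


def section_entropies(data: bytes, threshold: float = HIGH_ENTROPY):
    """Attach the entropy of each section's raw bytes and flag those above threshold."""
    result = []
    for sec in pe_sections(data):
        raw = data[sec["raw_ptr"]:sec["raw_ptr"] + sec["size_of_data"]]
        sec["entropy"] = shannon_entropy(raw)
        sec["high_entropy"] = sec["entropy"] > threshold
        result.append(sec)
    return result


def build_pe(sections):
    """Constructed minimal PE: DOS header, PE signature, COFF header, no optional
    header, section table, raw data. Only fields the reader above consumes are set."""
    pe_off = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    # Machine=i386, NumberOfSections, timestamp, symtab, nsyms, SizeOfOptionalHeader=0, Characteristics
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = len(hdr) + 40 * len(sections)
    table, body, vaddr = b"", b"", 0x1000
    for name, payload in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs, lines, nrelocs, nlines, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), vaddr,
                             len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload
        raw_ptr += len(payload)
        vaddr += (len(payload) + 0xFFF) & ~0xFFF
    return bytes(hdr) + table + body


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 in counter mode) standing in
    for a compressed or encrypted payload."""
    out = bytearray()
    for ctr in range(0, n, 32):
        out += hashlib.sha256(seed + ctr.to_bytes(4, "little")).digest()
    return bytes(out[:n])


# Constructed sample: a "packed" .text beside a plain-text .rdata.
SAMPLE_PE = build_pe([
    (b".text", pseudo_random_bytes(0x4000)),
    (b".rdata", b"Hello from a plain-text resource. " * 200),
])


if __name__ == "__main__":
    for sec in section_entropies(SAMPLE_PE):
        print(f"{sec['name']:<8} va=0x{sec['virtual_address']:08x} "
              f"size=0x{sec['size_of_data']:08x} entropy={sec['entropy']:.3f} "
              f"{'HIGH' if sec['high_entropy'] else ''}")
```

Entropy is a packing/encryption heuristic, not a malware verdict: signed installers and resource-heavy binaries also carry high-entropy sections, so the flag is a prompt to unpack, not a conclusion.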
Antivirus results (Vendor | Verdict)

Lionic | Trojan.Multi.Generic.4!c
MicroWorld-eScan | Trojan.GenericKD.39458507
Malwarebytes | Trojan.Crypt.MSIL
Sangfor | Trojan.MSIL.Injects.gen
Symantec | MSIL.KillAV!gen1
ESET-NOD32 | a variant of MSIL/Kryptik.AETN
Kaspersky | HEUR:Trojan.MSIL.Injects.gen
BitDefender | Trojan.GenericKD.39458507
Avast | FileRepMalware
Ad-Aware | Trojan.GenericKD.39458507
Emsisoft | Trojan.GenericKD.39458507 (B)
McAfee-GW-Edition | Artemis!Trojan
FireEye | Generic.mg.70d706225522cd33
Sophos | Mal/Generic-S
Microsoft | Trojan:Win32/Formbook.AT!MTB
GData | Win32.Trojan-Stealer.FormBook.45VFFY
Cynet | Malicious (score: 100)
AhnLab-V3 | Trojan/Win.AgentTesla.C5016815
McAfee | Artemis!70D706225522
MAX | malware (ai score=87)
Rising | Trojan.Generic/MSIL@AI.90 (RDM.MSIL:TJy2OM5jJP8GgRijEHYz7w)
Fortinet | PossibleThreat.PALLASNET.H
BitDefenderTheta | Gen:NN.ZemsilF.34588.nn0@aq7HPAf
AVG | FileRepMalware
CrowdStrike | win/malicious_confidence_100% (W)

Note on the labels: the vendors agree the file is malicious but not on a family (Formbook, AgentTesla, KillAV, and generic MSIL Injects/Kryptik/Crypt names all appear), and the Yara rule above fires for AsyncRAT. Together with the UPX and high-entropy findings this is the pattern of a packed .NET loader; the payload family should be determined from the unpacked sample rather than from these names.