Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 23, 2022, 7:41 a.m.	May 23, 2022, 8:20 a.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`61be5168cca3b1d728229f863b9f1162`
SHA256	`d8e0fd32eb51496e7f66b76ff106753742988dee2974cf885825a6d9aa8ee5f3`
CRC32	`205ABAAE`
ssdeep	`24576:TQGYT2NYwIeM8Q4eBAE5OdsoPUK3jhTi+sOo+spOYRo7tTK:TIuYheMp4zddskUkjhTi+kppOYRF`
PDB Path	C:\Nolor wilixac mecohin\Yapiy\Jopesono\Fis\Dabewiv tefanahe.pdb
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2288
- InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2656

Name	Response	Post-Analysis Lookup
www.click-tokens.com	A 66.29.142.85	66.29.142.85
www.enjoypresenting.com	CNAME enjoypresenting.com A 160.153.138.163	160.153.138.163
www.easeupp.com
www.watnefarms.com	A 23.231.95.172	23.231.95.172
www.mingoenterprises.net
www.flipwatch.xyz	CNAME flipwatch.xyz A 15.197.142.173 A 3.33.152.147	3.33.152.147
www.ut1r92k4.xyz	A 150.95.255.38	150.95.255.38
www.wona-nyc.com	A 185.68.16.31	185.68.16.31
www.chappyportal.com

IP Address	Status	Action
15.197.142.173	Active	Moloch
150.95.255.38	Active	Moloch
160.153.138.163	Active	Moloch
164.124.101.2	Active	Moloch
185.68.16.31	Active	Moloch
23.231.95.172	Active	Moloch
66.29.142.85	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49163 -> 160.153.138.163:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49163 -> 160.153.138.163:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49163 -> 160.153.138.163:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 150.95.255.38:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 150.95.255.38:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 150.95.255.38:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 150.95.255.38:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 15.197.142.173:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 185.68.16.31:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 15.197.142.173:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 185.68.16.31:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 15.197.142.173:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 185.68.16.31:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 15.197.142.173:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 23.231.95.172:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 23.231.95.172:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 23.231.95.172:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 66.29.142.85:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 66.29.142.85:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 66.29.142.85:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 23, 2022, 7:42 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 23, 2022, 7:41 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\Nolor wilixac mecohin\Yapiy\Jopesono\Fis\Dabewiv tefanahe.pdb

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.enjoypresenting.com/uu0p/?JDK8bDY=pWPehcmt8MxE/PomB4pHJBmYymSftkENTQjvbinm7aYa1O4gG/Xz2uMuumw/L0Tsuiv2UKaW&BX=E2J4tHWxrVn
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.ut1r92k4.xyz/uu0p/?JDK8bDY=y9LlcKw7CILT/IAC242BlGhMDCoFzxuyKBPTsA5aMCCFzcBTVcaWng9Ihq1VfoCTHGtDhv3N&BX=E2J4tHWxrVn
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.flipwatch.xyz/uu0p/?JDK8bDY=snSF/BRZqGOG4KqEyCINSdYzeAunTsUuEOjGimgAYDiOT3cOHZjj6gt/qOBUqsQIyxOcVLya&BX=E2J4tHWxrVn
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.watnefarms.com/uu0p/?JDK8bDY=ot1/kmT2Pm41G1TcEZqa8wl/uWMf5XpS7bAC9++BFjK3AV5FF4nPR2HfH3PnTsJ6ayFBl+vP&BX=E2J4tHWxrVn
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.wona-nyc.com/uu0p/?JDK8bDY=6EEcCW2hRleNxntoip/GZrjouJMXic+r2ls54VYWqIK+WcgvNzWiKdLZoB/oUPYZ+96qgzow&BX=E2J4tHWxrVn
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.click-tokens.com/uu0p/?JDK8bDY=JQnK+6RAiNMVdqZ3z2qVIKMKYF7w4bfaATfxd6xA4NOx6+DWi6nE8jG/7X+416DwL7N1O74k&BX=E2J4tHWxrVn

Performs some HTTP requests (6 events)

request	GET http://www.enjoypresenting.com/uu0p/?JDK8bDY=pWPehcmt8MxE/PomB4pHJBmYymSftkENTQjvbinm7aYa1O4gG/Xz2uMuumw/L0Tsuiv2UKaW&BX=E2J4tHWxrVn
request	GET http://www.ut1r92k4.xyz/uu0p/?JDK8bDY=y9LlcKw7CILT/IAC242BlGhMDCoFzxuyKBPTsA5aMCCFzcBTVcaWng9Ihq1VfoCTHGtDhv3N&BX=E2J4tHWxrVn
request	GET http://www.flipwatch.xyz/uu0p/?JDK8bDY=snSF/BRZqGOG4KqEyCINSdYzeAunTsUuEOjGimgAYDiOT3cOHZjj6gt/qOBUqsQIyxOcVLya&BX=E2J4tHWxrVn
request	GET http://www.watnefarms.com/uu0p/?JDK8bDY=ot1/kmT2Pm41G1TcEZqa8wl/uWMf5XpS7bAC9++BFjK3AV5FF4nPR2HfH3PnTsJ6ayFBl+vP&BX=E2J4tHWxrVn
request	GET http://www.wona-nyc.com/uu0p/?JDK8bDY=6EEcCW2hRleNxntoip/GZrjouJMXic+r2ls54VYWqIK+WcgvNzWiKdLZoB/oUPYZ+96qgzow&BX=E2J4tHWxrVn
request	GET http://www.click-tokens.com/uu0p/?JDK8bDY=JQnK+6RAiNMVdqZ3z2qVIKMKYF7w4bfaATfxd6xA4NOx6+DWi6nE8jG/7X+416DwL7N1O74k&BX=E2J4tHWxrVn

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 23, 2022, 7:41 a.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1101824 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a4f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2022, 7:41 a.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 1429504 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2022, 7:42 a.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 2494464 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0b9a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2022, 7:42 a.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 176128 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0b710000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 23, 2022, 7:42 a.m.	process_identifier: 2656 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0012da00', u'virtual_address': u'0x00001000', u'entropy': 7.572360958410901, u'name': u'.text', u'virtual_size': u'0x0012d8b8'}

entropy

7.57236095841

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00020800', u'virtual_address': u'0x00133000', u'entropy': 7.298483069626212, u'name': u'.rsrc', u'virtual_size': u'0x00020710'}

entropy

7.29848306963

description

A section with a high entropy has been found

entropy

0.989633469086

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 23, 2022, 7:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess May 23, 2022, 7:42 a.m.	status_code: 0x00000000 process_identifier: 2620 process_handle: 0x00000210		0	0
NtTerminateProcess May 23, 2022, 7:42 a.m.	status_code: 0x00000000 process_identifier: 2620 process_handle: 0x00000210	1	0	0

One or more of the buffers contains an embedded PE file (3 events)

buffer	Buffer with sha1: 066a850c418dc3e58b735eee05608099c2a8f32c
buffer	Buffer with sha1: 00baf0edd715a9f67cbe69ddcbd53ed7472f5b08
buffer	Buffer with sha1: 2a062fbf9988f3e4b4f29ceaed6b4d5a46f41700

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 23, 2022, 7:42 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 176128 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0x0000020c	1	0	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2288 manipulating memory of non-child process 2620
NtAllocateVirtualMemory May 23, 2022, 7:42 a.m.	process_identifier: 2620 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000210		3221225496	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2288 called NtSetContextThread to modify thread in remote process 2656
NtSetContextThread May 23, 2022, 7:42 a.m.	registers.eip: 1999372740 registers.esp: 3341904 registers.edi: 0 registers.eax: 4321888 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000210 process_identifier: 2656	1	0	0

Executed a process and injected code into it, probably while unpacking (7 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW May 23, 2022, 7:42 a.m.	thread_identifier: 2624 thread_handle: 0x0000020c process_identifier: 2620 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000210	1	1
NtGetContextThread May 23, 2022, 7:42 a.m.	thread_handle: 0x0000020c	1	0
NtAllocateVirtualMemory May 23, 2022, 7:42 a.m.	process_identifier: 2620 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000210		3221225496
CreateProcessInternalW May 23, 2022, 7:42 a.m.	thread_identifier: 2660 thread_handle: 0x00000210 process_identifier: 2656 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x0000020c	1	1
NtGetContextThread May 23, 2022, 7:42 a.m.	thread_handle: 0x00000210	1	0
NtAllocateVirtualMemory May 23, 2022, 7:42 a.m.	process_identifier: 2656 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000020c	1	0
NtSetContextThread May 23, 2022, 7:42 a.m.	registers.eip: 1999372740 registers.esp: 3341904 registers.edi: 0 registers.eax: 4321888 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000210 process_identifier: 2656	1	0

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Multi.Generic.4!c
MicroWorld-eScan	Gen:Variant.Jaik.74944
FireEye	Generic.mg.61be5168cca3b1d7
McAfee	Artemis!61BE5168CCA3
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005931a41 )
Alibaba	Trojan:Win32/GenKryptik.db2e757c
K7GW	Trojan ( 005931a41 )
Arcabit	Trojan.Jaik.D124C0
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/GenKryptik.FUVM
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender	Gen:Variant.Jaik.74944
Avast	Win32:CrypterX-gen [Trj]
Tencent	Win32.Trojan.Falsesign.Wogk
Ad-Aware	Gen:Variant.Jaik.74944
Emsisoft	Gen:Variant.Jaik.74944 (B)
DrWeb	Trojan.Siggen17.54618
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
Ikarus	Trojan.Crypter
Avira	TR/Kryptik.ssrux
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Trojan:Win32/Formbook.AT!MTB
ZoneAlarm	HEUR:Trojan-Spy.Win32.Noon.gen
GData	Gen:Variant.Jaik.74944
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win.Generic.C5137799
ALYac	Gen:Variant.Jaik.74944
MAX	malware (ai score=81)
VBA32	BScope.TrojanSpy.Stealer
Cylance	Unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H0CEK22
Rising	Trojan.Generic@AI.80 (RDML:YmnngsQiyXu5MAykBHEphA)
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Kryptik.HPLW!tr
AVG	Win32:CrypterX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All