Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 6, 2022, 9:32 a.m.	July 6, 2022, 9:35 a.m.

Size	52.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`1df7fc81095ae4a7c32c01c6ea402b58`
SHA256	`d56512737d1f617c05ef9bf6bd1fedac0418cba3bbde821cdc063599924e4570`
CRC32	`803E87E1`
ssdeep	`768:Jm1k95P/DaOtifPYoeVSX9d9s9MXPtwcyU2jnBkfM7TM69jwRUwH:JmsPrNtifCebH1wE21kEvMUjwRUe`
Yara	IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2840

Name	Response	Post-Analysis Lookup
www.uplooder.net	A 144.76.120.25	144.76.120.25

IP Address	Status	Action
144.76.120.25	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 144.76.120.25:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49161 144.76.120.25:443	C=LV, L=Riga, O=GoGetSSL, CN=GoGetSSL RSA DV CA	CN=uplooder.net	9f:34:64:54:51:09:f3:62:0d:6d:9e:86:2e:5c:d3:7d:9e:9a:d7:ff

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA July 6, 2022, 9:32 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 6, 2022, 9:32 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 6, 2022, 9:32 a.m.			0	0
IsDebuggerPresent July 6, 2022, 9:32 a.m.			0	0
IsDebuggerPresent July 6, 2022, 9:32 a.m.			0	0
IsDebuggerPresent July 6, 2022, 9:32 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 6, 2022, 9:32 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://www.uplooder.net/img/image/31/ca8d9d906f76a6c950c1f4a1ecdbbebc/Qvfaes-Hkxzfaej.png

Performs some HTTP requests (1 event)

request

GET https://www.uplooder.net/img/image/31/ca8d9d906f76a6c950c1f4a1ecdbbebc/Qvfaes-Hkxzfaej.png

Allocates read-write-execute memory (usually to unpack itself) (18 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 6, 2022, 9:32 a.m.	process_identifier: 2840 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2022, 9:32 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2022, 9:32 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2022, 9:32 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2022, 9:32 a.m.	process_identifier: 2840 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2022, 9:32 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2022, 9:32 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00472000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2022, 9:32 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2022, 9:32 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2022, 9:32 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2022, 9:32 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2022, 9:32 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2022, 9:32 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00496000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2022, 9:32 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2022, 9:32 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2022, 9:32 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2022, 9:32 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2022, 9:32 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 6, 2022, 9:32 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0000ac00', u'virtual_address': u'0x00004000', u'entropy': 7.190017544312122, u'name': u'.rsrc', u'virtual_size': u'0x0000ab68'}

entropy

7.19001754431

description

A section with a high entropy has been found

entropy

0.834951456311

description

Overall entropy of this PE file is high

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Multi.Generic.4!c
McAfee	Artemis!1DF7FC81095A
Malwarebytes	MachineLearning/Anomalous.94%
Symantec	MSIL.Downloader!gen7
Elastic	malicious (moderate confidence)
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 99)
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	MalwareX-gen [Trj]
Sophos	Mal/Generic-S
McAfee-GW-Edition	BehavesLike.Win32.Trojan.qh
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1249960
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Microsoft	Trojan:Win32/Woreflint.A!cl
Cylance	Unsafe
Rising	Trojan.Generic/MSIL@AI.100 (RDM.MSIL:/Cn87/r6JdcZH0GrIY1Swg)
BitDefenderTheta	Gen:NN.ZemsilF.34786.dm0@a4NDfqo
AVG	MalwareX-gen [Trj]
CrowdStrike	win/malicious_confidence_70% (W)

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All