Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 8, 2022, 9:43 a.m.	Dec. 8, 2022, 9:55 a.m.

Size	9.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`b1171241b48005c847a23c77234243a5`
SHA256	`417598c79d3ab03c3e7dda9d7c3278db43dc2af7a8823016d6c737a716005817`
CRC32	`1516070E`
ssdeep	`96:mfYbmOfZ3fwbo7yA1pwF3Nhu5Ip04dLy6s0D7ekYzP/zzgRVMQkGgizNt:7aOJ1fwjvp0ALySukYzHPgRVMBlE`
Yara	IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2588

Name	Response	Post-Analysis Lookup
eisnt.com	A 185.32.190.113	185.32.190.113

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.32.190.113	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49163 -> 185.32.190.113:80	2030384	ET HUNTING Suspicious Terse Request for .bmp	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Dec. 8, 2022, 9:43 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Dec. 8, 2022, 9:43 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 8, 2022, 9:42 a.m.			0	0
IsDebuggerPresent Dec. 8, 2022, 9:42 a.m.			0	0
IsDebuggerPresent Dec. 8, 2022, 9:43 a.m.			0	0
IsDebuggerPresent Dec. 8, 2022, 9:43 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 8, 2022, 9:42 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://eisnt.com/ahu-punjab/Fgxogd.bmp

Performs some HTTP requests (1 event)

request

GET http://eisnt.com/ahu-punjab/Fgxogd.bmp

Allocates read-write-execute memory (usually to unpack itself) (18 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 8, 2022, 9:42 a.m.	process_identifier: 2588 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 9:42 a.m.	process_identifier: 2588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 9:42 a.m.	process_identifier: 2588 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 9:42 a.m.	process_identifier: 2588 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 9:42 a.m.	process_identifier: 2588 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 9:42 a.m.	process_identifier: 2588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 9:42 a.m.	process_identifier: 2588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 9:42 a.m.	process_identifier: 2588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 9:42 a.m.	process_identifier: 2588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 9:42 a.m.	process_identifier: 2588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 9:42 a.m.	process_identifier: 2588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 9:42 a.m.	process_identifier: 2588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 9:42 a.m.	process_identifier: 2588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 9:42 a.m.	process_identifier: 2588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 9:42 a.m.	process_identifier: 2588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 9:42 a.m.	process_identifier: 2588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 9:43 a.m.	process_identifier: 2588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 9:43 a.m.	process_identifier: 2588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 8, 2022, 9:42 a.m.	flags: 15 family: 0		111	0

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Seraph.4!c
MicroWorld-eScan	Trojan.GenericKD.64092025
FireEye	Trojan.GenericKD.64092025
Cylance	Unsafe
VIPRE	Gen:Variant.MSILHeracles.54634
Sangfor	Downloader.Msil.Seraph.V2y0
K7AntiVirus	Trojan-Downloader ( 0059c2be1 )
Cybereason	malicious.ae5242
Arcabit	Trojan.MSILHeracles.DD56A
Symantec	MSIL.Downloader!gen8
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.OGH
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan-Downloader.MSIL.Seraph.gen
BitDefender	Trojan.GenericKD.64092025
Avast	Win32:MalwareX-gen [Trj]
Rising	Downloader.Seraph!8.111C6 (CLOUD)
Ad-Aware	Trojan.GenericKD.64092025
DrWeb	Trojan.DownLoaderNET.507
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan-Downloader.Agent (A)
Ikarus	Win32.Outbreak
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1253931
MAX	malware (ai score=99)
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.SmokeLoader.bot
Microsoft	Trojan:Win32/Woreflint.A!cl
GData	MSIL.Trojan-Downloader.Agent.BJU
Google	Detected
AhnLab-V3	Trojan/Win.MalwareX-gen.C5325393
McAfee	Artemis!B1171241B480
VBA32	Downloader.MSIL.gen.rexp
TrendMicro-HouseCall	TROJ_GEN.R002H0CL722
Tencent	Msil.Trojan-Downloader.Ader.Vmhl
SentinelOne	Static AI - Suspicious PE
Fortinet	MSIL/Agent.OGH!tr.dldr
BitDefenderTheta	Gen:NN.ZemsilF.36106.am0@aimErMn
AVG	Win32:MalwareX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All