Summary | ZeroBOX

vbc.exe

PWS PE32 PE File .NET EXE
Category FILE
Machine s1_win7_x6401
Started April 21, 2023, 5:59 p.m.
Completed April 21, 2023, 6:03 p.m.
Size 90.5KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 f5deff8b2ecfc9a609c8e03c86c45e09
SHA256 2e0cf356012de3636858096f1966ca0c68a9a60f22f575d5035fdb953b90e909
CRC32 593E6655
ssdeep 384:2HePUh0bc0e35anUkLfKOeXw/gMlRt4hUh+3Bx8/qfmrAKcjdookCr4H444uruic:Ce8io045adiUF0i+p4H44447iD1l
Yara
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • Is_DotNET_EXE - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
status: 1, return: 1, repeated: 0

GetComputerNameW

computer_name: TEST22-PC
status: 1, return: 1, repeated: 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1, return: 1, repeated: 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00820000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00970000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a1000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a2000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00570000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00512000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00545000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0054b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00547000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00690000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0051a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

Bkav W32.AIDetectNet.01
Lionic Trojan.Win32.Seraph.4!c
Elastic malicious (moderate confidence)
Cynet Malicious (score: 100)
FireEye Trojan.Generic.33485585
CAT-QuickHeal TrojanDownloader.MSIL
McAfee Artemis!F5DEFF8B2ECF
Malwarebytes Trojan.MalPack
Sangfor Downloader.Msil.Seraph.Vu6o
K7AntiVirus Trojan-Downloader ( 005a013e1 )
Alibaba TrojanDownloader:MSIL/Seraph.1bc53b37
K7GW Trojan-Downloader ( 005a013e1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Generic.D1FEF311
VirIT Trojan.Win32.GenusT.EGJX
Cyren W32/MSIL_Kryptik.IDH.gen!Eldorado
Symantec MSIL.Downloader!gen7
ESET-NOD32 a variant of MSIL/TrojanDownloader.Agent.OXE
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-Downloader.MSIL.Seraph.gen
BitDefender Trojan.Generic.33485585
MicroWorld-eScan Trojan.Generic.33485585
Avast Win32:PWSX-gen [Trj]
Tencent Msil.Trojan-Downloader.Seraph.Vwhl
Emsisoft Trojan.Generic.33485585 (B)
F-Secure Trojan.TR/Redcap.rxock
VIPRE Trojan.Generic.33485585
TrendMicro TROJ_GEN.R002C0DDK23
McAfee-GW-Edition RDN/Generic Downloader.x
Trapmine suspicious.low.ml.score
Sophos Mal/Generic-S
Ikarus Trojan-Downloader.MSIL.Agent
Webroot W32.Trojan.Gen
Avira TR/Redcap.rxock
Antiy-AVL Trojan[Downloader]/MSIL.Seraph
Gridinsoft Trojan.Win32.Downloader.sa
Xcitium Malware@#29bt6zzzp11ug
Microsoft Trojan:MSIL/Seraph.RB!MTB
ZoneAlarm HEUR:Trojan-Downloader.MSIL.Seraph.gen
GData Win32.Trojan.Agent.TMF57Z
Google Detected
AhnLab-V3 Trojan/Win.Mardom.R573400
ALYac Trojan.Generic.33485585
MAX malware (ai score=85)
VBA32 Downloader.MSIL.gen.rexp
Cylance unsafe
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002C0DDK23
Rising Downloader.Agent!8.B23 (CLOUD)