Summary | ZeroBOX

brg.exe

UPX VMProtect Malicious Library PE32 PE File
Category FILE
Machine s1_win7_x6401
Started Dec. 22, 2023, 8:08 a.m.
Completed Dec. 22, 2023, 8:13 a.m.
Size 5.8MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 dff334fa8d2c701dba4139875f14c9ff
SHA256 8fdeb093bec0bc7dc01ef7f0aa61476deaaddbf42a8da2d711e21693fc3ecbd6
CRC32 91BE4293
ssdeep 98304:XmQNg/7b+DOWjg5/3xxVAjls6CIcvA/ArCvxU3qthfzJ6FKLN+VzaN44KNPn83Cp:Xev+FkYJCjvWAKmIfzeKL8aNGNPn83Cp
Yara
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • VMProtect_Zero - VMProtect packed file
  • UPX_Zero - UPX packed file

DNS (Name / Response / Post-Analysis Lookup)
No hosts contacted: no domain lookups were recorded; the connections below went to raw IP addresses.

IP Address / Status / Action
121.254.136.18 Active Moloch
94.103.94.153 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow / Issuer / Subject / Fingerprint

TLS 1.2, 192.168.56.101:49162 -> 94.103.94.153:7414
Issuer: C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=94.103.94.153: Self-signed certificate
Subject: C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=94.103.94.153: Self-signed certificate
Fingerprint: 0e:ba:34:bb:fc:00:f7:80:44:7d:bf:2b:39:7d:f0:8f:2e:23:d4:1a

TLS 1.2, 192.168.56.101:49164 -> 94.103.94.153:7414
Issuer, Subject and Fingerprint identical to the flow above (same certificate, second connection).

Both flows use a self-signed certificate whose CN is the server's own IP address, on the non-standard port 7414. The 20-byte fingerprint is the certificate's SHA-1 hash as Suricata records it; fingerprint, port and IP-as-CN together are a usable pivot for finding other samples that talk to the same infrastructure.

section .textbss
section .vmp0
section .vmp1
section .7z.\xe2\x97\x84\xe2 (non-ASCII section name: \xe2\x97\x84 is U+25C4 "◄", and the trailing \xe2 is a UTF-8 sequence cut off by the 8-byte name limit)
resource name DXSKINS
resource name USERLANG
Time & API / Arguments / Status / Return / Repeated

NtProtectVirtualMemory
  process_identifier: 2552
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  length: 61440
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x03b50000
  process_handle: 0xffffffff
  Status 1, Return 0, Repeated 0

NtProtectVirtualMemory
  process_identifier: 2552
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  length: 4132864
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x03b5f000
  process_handle: 0xffffffff
  Status 1, Return 0, Repeated 0

Both calls pass process_handle 0xffffffff, the current-process pseudo-handle, so the sample is re-protecting its own memory, and Return 0 (STATUS_SUCCESS) shows both succeeded. The two ranges are contiguous: 61,440 bytes at 0x03b50000 followed by 4,132,864 bytes at 0x03b5f000, exactly 4 MiB in total, made PAGE_EXECUTE_READWRITE. The monitor's heap_dep_bypass flag records that a region outside any loaded image became executable, which is the pattern of a packer unpacking its payload into freshly allocated memory rather than a code-injection into another process.
resource RT_VERSION, language LANG_CHINESE, sublanguage SUBLANG_CHINESE_SIMPLIFIED, filetype data, offset 0x00a874b4, size 0x00000340 (the offset is an RVA in the loaded image, not a file offset; it exceeds the 5.8 MB file size)
section .7z.\xe2\x97\x84\xe2: virtual_address 0x004d5000, virtual_size 0x0059e830, size_of_data 0x0059ea00, entropy 7.9947 description A section with a high entropy has been found (this one section holds about 5.9 MB of raw data, nearly the whole file)
entropy 0.9680 description Overall entropy of this PE file is high (for this signature the overall figure is the share of raw section data that sits in high-entropy sections, 0x0059ea00 bytes of roughly 6.09 MB, not a Shannon value on the 0..8 scale used for the section above)
section .vmp0 description Section name indicates VMProtect
section .vmp1 description Section name indicates VMProtect
host 121.254.136.18
host 94.103.94.153
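The section and entropy signatures above can be reproduced offline without the sandbox. The Python below is an added example, not ZeroBOX or Cuckoo code: it walks the PE section table by hand, scores each section's Shannon entropy in bits per byte, flags VMProtect/UPX section names, and reports the overall figure the way the report does, as the share of raw section data held in high-entropy sections. The thresholds (6.8 bits per byte per section, 0.2 for the overall share), the three-section sample PE it builds in memory, and the SHA-256 filler are constructed assumptions, not brg.exe; decode_section_name shows how a name like .7z.\xe2\x97\x84\xe2 ends up printed with \xNN escapes.

```python
"""Packer heuristics behind the report's section/entropy lines (added example)."""
import hashlib
import math
import struct

SECTION_ENTROPY_THRESHOLD = 6.8   # bits per byte; assumption
OVERALL_SHARE_THRESHOLD = 0.2     # share of section bytes; assumption
PACKER_SECTION_NAMES = {          # names behind the report's .vmp0/.vmp1 hits
    ".vmp0": "VMProtect", ".vmp1": "VMProtect", ".vmp2": "VMProtect",
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
}


def shannon_entropy(buf: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a single repeated value, up to 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_section_name(raw: bytes) -> str:
    """8-byte name -> text; bytes that are not valid UTF-8 become \\xNN escapes."""
    return raw.rstrip(b"\0").decode("utf-8", errors="backslashreplace")


def parse_sections(pe: bytes) -> list:
    """Walk the COFF section table; yields (name, vaddr, vsize, raw_bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                    # table follows the optional header
    out = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        out.append((decode_section_name(name), vaddr, vsize,
                    pe[raw_ptr:raw_ptr + raw_size]))
    return out


def analyze_pe(pe: bytes) -> dict:
    """Per-section entropy/name flags plus the overall high-entropy share."""
    sections, high_bytes, total_bytes = [], 0, 0
    for name, vaddr, vsize, data in parse_sections(pe):
        ent = shannon_entropy(data)
        flags = []
        if ent > SECTION_ENTROPY_THRESHOLD:
            flags.append("high_entropy")
            high_bytes += len(data)
        if name in PACKER_SECTION_NAMES:
            flags.append(PACKER_SECTION_NAMES[name])
        total_bytes += len(data)
        sections.append({"name": name, "virtual_address": hex(vaddr),
                         "size_of_data": len(data),
                         "entropy": round(ent, 4), "flags": flags})
    share = high_bytes / total_bytes if total_bytes else 0.0
    return {"sections": sections, "high_entropy_share": round(share, 4),
            "overall_high": share > OVERALL_SHARE_THRESHOLD}


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain); constructed data."""
    return b"".join(hashlib.sha256(b"filler" + i.to_bytes(4, "little")).digest()
                    for i in range(n // 32))


def build_sample_pe() -> bytes:
    """Constructed three-section PE32 stand-in for testing; not brg.exe."""
    sections = [
        (b".text", b"\x90" * 2048 + b"\xcc" * 2048),   # two symbols: 1.0 bit/byte
        (b".vmp1", _pseudo_random(4096)),                # packer name, ~7.9 bits/byte
        (b"UPX0", b"\x00" * 4096),                       # packer name, zero-filled
    ]
    opt_size, file_align = 224, 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic, rest zeroed
    hdr_len = 64 + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = raw_ptr = -(-hdr_len // file_align) * file_align
    table, blobs, vaddr = b"", b"", 0x1000
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data),
                             raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
        vaddr += -(-len(data) // 0x1000) * 0x1000
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return header + b"\0" * (first_raw - len(header)) + blobs


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_pe(build_sample_pe()), indent=2))
```

Run it against a real file with `analyze_pe(open(path, "rb").read())`. On the sample PE the .vmp1 section is flagged both for its name and its entropy, UPX0 only for its name, and the overall share is one third because a single one of three equally sized sections is high-entropy; on brg.exe the same computation is what yields the 0.968 figure, since the .7z section alone holds almost all of the file's section data.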
Bkav W32.AIDetectMalware
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
Cylance unsafe
Cybereason malicious.58d1b1
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Packed.VMProtect.BB suspicious
APEX Malicious
Avast FileRepMalware [Pws]
Kaspersky UDS:DangerousObject.Multi.Generic
Rising Trojan.Generic@AI.92 (RDML:oIf8traIkPa1q7F6UtNdxg)
Trapmine suspicious.low.ml.score
Sophos Generic ML PUA (PUA)
Gridinsoft Trojan.Heur!.01210201
Microsoft Program:Win32/Wacapew.C!ml
ZoneAlarm UDS:DangerousObject.Multi.Generic
BitDefenderTheta Gen:NN.ZexaF.36608.@R1@ayrMj1dj
DeepInstinct MALICIOUS
MaxSecure Trojan.Malware.300983.susgen
AVG FileRepMalware [Pws]
CrowdStrike win/malicious_confidence_90% (W)