Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 11, 2024, 9:58 a.m.	Nov. 11, 2024, 10:09 a.m.

Size	36.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`4c899595ed9f2849d13ebff2e622a506`
SHA256	`64371330067ebbb2a29f3529fc83da014689db00c23fa3e4bad146c41536723a`
CRC32	`DC5ED3A7`
ssdeep	`768:uW4DbJt/AybAEdZ46kJi8S9LwkbK9pYq8HVPy+EzYmA9mQ:KJGybAEdZ4LJiB/bK9wVBQYmK`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

wbgjn.exe "C:\Users\test22\AppData\Local\Temp\wbgjn.exe"
2556

Name	Response	Post-Analysis Lookup
safe.ywxww.net		60.191.236.246

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (12 events)

Time & API	Arguments	Status
__exception__ Nov. 11, 2024, 9:58 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635908 registers.edi: 1636184 registers.eax: 1635908 registers.ebp: 1635988 registers.edx: 0 registers.ebx: 3178016 registers.esi: 1636184 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:58 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635908 registers.edi: 1636184 registers.eax: 1635908 registers.ebp: 1635988 registers.edx: 0 registers.ebx: 3178016 registers.esi: 1636184 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:58 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635908 registers.edi: 1636184 registers.eax: 1635908 registers.ebp: 1635988 registers.edx: 0 registers.ebx: 3178016 registers.esi: 1636184 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:58 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635908 registers.edi: 1636184 registers.eax: 1635908 registers.ebp: 1635988 registers.edx: 0 registers.ebx: 3178016 registers.esi: 1636184 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635860 registers.edi: 3178016 registers.eax: 1635860 registers.ebp: 1635940 registers.edx: 0 registers.ebx: 3178016 registers.esi: 3178016 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635572 registers.edi: 3178016 registers.eax: 1635572 registers.ebp: 1635652 registers.edx: 0 registers.ebx: 3178016 registers.esi: 3178016 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635588 registers.edi: 3178016 registers.eax: 1635588 registers.ebp: 1635668 registers.edx: 0 registers.ebx: 3178016 registers.esi: 3178016 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635588 registers.edi: 3178016 registers.eax: 1635588 registers.ebp: 1635668 registers.edx: 0 registers.ebx: 3178016 registers.esi: 3178016 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635588 registers.edi: 3178016 registers.eax: 1635588 registers.ebp: 1635668 registers.edx: 0 registers.ebx: 3178016 registers.esi: 3178016 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635588 registers.edi: 3178016 registers.eax: 1635588 registers.ebp: 1635668 registers.edx: 0 registers.ebx: 3178016 registers.esi: 3178016 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636064 registers.edi: 3178016 registers.eax: 1636064 registers.ebp: 1636144 registers.edx: 0 registers.ebx: 3178016 registers.esi: 3178016 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636064 registers.edi: 3178016 registers.eax: 1636064 registers.ebp: 1636144 registers.edx: 0 registers.ebx: 3178016 registers.esi: 3178016 registers.ecx: 2	1

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 11, 2024, 9:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000080f0

size

0x00000208

Creates executable files on the filesystem (1 event)

file	c:\Windows\SysWOW64\wcbciyfp\wcbciyfp.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 11, 2024, 9:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x004f0000 process_handle: 0xffffffff	1	0	0

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Lionic	Trojan.Win32.Gofot.4!c
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Infected.nt
ALYac	Gen:Variant.Lazy.547037
Cylance	Unsafe
VIPRE	Gen:Variant.Lazy.547037
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Lazy.547037
K7GW	Trojan ( 00508f6f1 )
K7AntiVirus	Trojan ( 00508f6f1 )
Arcabit	Trojan.Lazy.D858DD
VirIT	Trojan.Win32.VBGenus.GVG
Paloalto	generic.ml
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/VB_AGen.MB
Avast	Win32:Trojan-gen
Kaspersky	Trojan.Win32.Gofot.pvf
Alibaba	TrojanDownloader:Win32/Gofot.8fa67e00
MicroWorld-eScan	Gen:Variant.Lazy.547037
Rising	Downloader.Small!8.B41 (CLOUD)
Emsisoft	Gen:Variant.Lazy.547037 (B)
F-Secure	Trojan.TR/Dldr.Agent.sqilt
DrWeb	Trojan.Siggen28.57751
Zillya	Trojan.VBAGen.Win32.597
TrendMicro	Mal_Banld-5
McAfeeD	ti!64371330067E
Trapmine	suspicious.low.ml.score
CTX	exe.trojan.gofot
Sophos	Mal/Generic-S
FireEye	Generic.mg.4c899595ed9f2849
Jiangmin	Trojan.Gofot.bgu
Google	Detected
Avira	TR/Dldr.Agent.sqilt
Antiy-AVL	Trojan/Win32.Gofot
Kingsoft	Win32.Troj.Unknown.a
Xcitium	Malware@#2wk161kxme428
Microsoft	TrojanDownloader:Win32/Small.gen!F
ZoneAlarm	Trojan.Win32.Gofot.pvf
GData	Gen:Variant.Lazy.547037
AhnLab-V3	Malware/Win.Banld.R427983
McAfee	Artemis!4C899595ED9F
VBA32	BScope.Backdoor.VB
Malwarebytes	Generic.Malware/Suspicious
Ikarus	Trojan.NewHeur_VB_Downloader
TrendMicro-HouseCall	Mal_Banld-5
Tencent	Win32.Trojan.Gofot.Qgil
huorong	HVM:TrojanDownloader/Small.Gen!D
MaxSecure	Trojan.Malware.1728101.susgen
Fortinet	W32/Mal_Banld.5!tr

wbgjn.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All