Report - vbc.exe

Malicious Library, PE File, OS Processor Check, PE32
Created 2021.09.19 10:47
Machine s1_win7_x6402
Filename vbc.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score 4
Behavior Score 4.0
ZERO API file : malware
VT API (file) 49 detected (AIDetect, malware2, Noon, malicious, high confidence, GenericKD, Unsafe, Kryptik, confidence, 100%, runner, ali1000123, ZexaF, AuW@a4NXnlgi, Eldorado, Attribute, HighConfidence, HMLW, Agensla, PWSX, HPGen, Swotter, ubzii, ASMalwS, PSWTroj, kcloud, Lokibot, FormBook, 3OKMJ2, score, R441406, BScope, ai score=88, AgentTesla, CLASSIC, Static AI, Suspicious PE, GenKryptik, FIBB)
md5 866d1aeb69daac5e6e4dda938edf8d26
sha256 a41ba93183d03c4cf6b138170fab1d15c306918bb4acd1c2cbc3ee53765e5564
ssdeep 6144:/djoID05m/fkLNac4hxSuceQ9cj0/hPhQm5TViEPReg4u5FZwkXZtNdRE1EcyDog:yX5krHQ9O0hPS6J4u5vwkTNj0E7cSdB
imphash b5f90103145ddd0d0ed4aa0e2fe63de8
impfuzzy 48:69D2Z0mSNuhmMYM9cSCtRIc9eqN3qIxQ4W:6p+wNQmXqcSCtRIcl3qIO

Signature (8cnts)

Level Description
danger File has been identified by 49 AntiVirus engines on VirusTotal as malicious
watch Used NtSetContextThread to modify a thread in a remote process, indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
info The file contains an unknown PE resource name, possibly indicative of a packer

Rules (4cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (41cnts)


Suricata IDS

PE API

IAT (Import Address Table) Library

IMM32.dll
 0x42c020 ImmDisableIME
 0x42c024 ImmEscapeW
 0x42c028 ImmGetRegisterWordStyleA
 0x42c02c ImmNotifyIME
 0x42c030 ImmSetCompositionFontW
KERNEL32.dll
 0x42c038 VirtualProtect
 0x42c03c CloseHandle
 0x42c040 WriteConsoleW
 0x42c044 SetFilePointerEx
 0x42c048 SetStdHandle
 0x42c04c GetConsoleMode
 0x42c050 GetConsoleCP
 0x42c054 FlushFileBuffers
 0x42c058 EnumSystemLocalesW
 0x42c05c GetUserDefaultLCID
 0x42c060 IsValidLocale
 0x42c064 GetLocaleInfoW
 0x42c068 LCMapStringW
 0x42c06c CompareStringW
 0x42c070 GetTimeFormatW
 0x42c074 GetDateFormatW
 0x42c078 HeapSize
 0x42c07c GetStringTypeW
 0x42c080 HeapReAlloc
 0x42c084 HeapAlloc
 0x42c088 OutputDebugStringW
 0x42c08c RtlUnwind
 0x42c090 LoadLibraryExW
 0x42c094 FreeLibrary
 0x42c098 SetConsoleCtrlHandler
 0x42c09c GetCommandLineA
 0x42c0a0 GetLastError
 0x42c0a4 SetLastError
 0x42c0a8 GetCurrentThread
 0x42c0ac GetCurrentThreadId
 0x42c0b0 EncodePointer
 0x42c0b4 DecodePointer
 0x42c0b8 ExitProcess
 0x42c0bc GetModuleHandleExW
 0x42c0c0 GetProcAddress
 0x42c0c4 AreFileApisANSI
 0x42c0c8 MultiByteToWideChar
 0x42c0cc WideCharToMultiByte
 0x42c0d0 GetProcessHeap
 0x42c0d4 GetStdHandle
 0x42c0d8 GetFileType
 0x42c0dc DeleteCriticalSection
 0x42c0e0 GetStartupInfoW
 0x42c0e4 GetModuleFileNameA
 0x42c0e8 WriteFile
 0x42c0ec GetModuleFileNameW
 0x42c0f0 QueryPerformanceCounter
 0x42c0f4 GetCurrentProcessId
 0x42c0f8 GetSystemTimeAsFileTime
 0x42c0fc GetEnvironmentStringsW
 0x42c100 FreeEnvironmentStringsW
 0x42c104 UnhandledExceptionFilter
 0x42c108 SetUnhandledExceptionFilter
 0x42c10c InitializeCriticalSectionAndSpinCount
 0x42c110 CreateEventW
 0x42c114 Sleep
 0x42c118 GetCurrentProcess
 0x42c11c TerminateProcess
 0x42c120 TlsAlloc
 0x42c124 TlsGetValue
 0x42c128 TlsSetValue
 0x42c12c TlsFree
 0x42c130 GetTickCount
 0x42c134 GetModuleHandleW
 0x42c138 CreateSemaphoreW
 0x42c13c EnterCriticalSection
 0x42c140 LeaveCriticalSection
 0x42c144 FatalAppExitA
 0x42c148 HeapFree
 0x42c14c IsValidCodePage
 0x42c150 GetACP
 0x42c154 GetOEMCP
 0x42c158 GetCPInfo
 0x42c15c IsDebuggerPresent
 0x42c160 IsProcessorFeaturePresent
 0x42c164 CreateFileW
GDI32.dll
 0x42c000 GetLogColorSpaceW
 0x42c004 SelectClipPath
 0x42c008 GetLogColorSpaceA
 0x42c00c Rectangle
 0x42c010 SetTextCharacterExtra
 0x42c014 GetViewportOrgEx
 0x42c018 RemoveFontResourceExW
msi.dll
 0x42c1ac None
 0x42c1b0 None
 0x42c1b4 None
 0x42c1b8 None
 0x42c1bc None
 0x42c1c0 None
 0x42c1c4 None
RPCRT4.dll
 0x42c17c NdrServerContextNewMarshall
 0x42c180 NDRSContextUnmarshall2
 0x42c184 NdrByteCountPointerUnmarshall
 0x42c188 NdrEncapsulatedUnionMemorySize
RESUTILS.dll
 0x42c16c ResUtilSetDwordValue
 0x42c170 ResUtilGetAllProperties
 0x42c174 ResUtilFreeParameterBlock
SETUPAPI.dll
 0x42c190 SetupInstallFileExA
 0x42c194 SetupDiCreateDeviceInfoA
USER32.dll
 0x42c19c GrayStringA
 0x42c1a0 GetDC
 0x42c1a4 MessageBoxW

EAT (Export Address Table) is none
