Report - vbc.exe

Tags: Malicious Library, PE File, OS Processor Check, PE32
Created 2021.09.19 10:52 Machine s1_win7_x6402
Filename vbc.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score 5
Behavior Score 5.6
ZERO API file : malware
VT API (file) 49 detected (AIDetect, malware2, Noon, malicious, high confidence, Unsafe, Save, confidence, 100%, runner, ali1000123, Kryptik, Eldorado, Formbook, HMLP, PWSX, CLASSIC, HPGen, Static AI, Suspicious PE, Swotter, ufyds, kcloud, Lokibot, UF4WRE, score, R441406, Generic PWS, BScope, Auto, GenKryptik, FIBB, ZexaF, BuW@am5z, susgen)
md5 2a59d2396654692dc87a81df7554b608
sha256 04e98a900ca361b68ebcfbad6453ddc626d93c8afb13916c18dd0e9648187566
ssdeep 6144:1+j7ADL5mgPkQNac4hRyu+QO+IjNeiKFoESrDxBDs/t8zJJqxiu:4g5T47O+iN7KFoEMDxBol0Jqx
imphash dcf2f9fcff3367bb9fab051bdc1c6f91
impfuzzy 48:0Z0msNMf8uhmMYxcSCtRH8x8Kb5tJiozGnRyK/T4FpX/g4+:0CNMftmXxcSCtRw55fanRlT4FpP4

Signature (10cnts)

Level Description
danger File has been identified by 49 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running)
watch Communicates with a host for which no DNS query was performed
watch Used NtSetContextThread to modify a thread in a remote process, indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware-related traffic
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data, indicative of a packer
info The file contains an unknown PE resource name, possibly indicative of a packer

Rules (4cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (36cnts)


Suricata ids

PE API

IAT (Import Address Table) Library

SHLWAPI.dll
 0x42c188 StrCmpNA
KERNEL32.dll
 0x42c010 WriteConsoleW
 0x42c014 SetFilePointerEx
 0x42c018 SetStdHandle
 0x42c01c GetConsoleMode
 0x42c020 GetConsoleCP
 0x42c024 FlushFileBuffers
 0x42c028 EnumSystemLocalesW
 0x42c02c GetUserDefaultLCID
 0x42c030 IsValidLocale
 0x42c034 GetLocaleInfoW
 0x42c038 LCMapStringW
 0x42c03c CompareStringW
 0x42c040 GetTimeFormatW
 0x42c044 GetDateFormatW
 0x42c048 HeapSize
 0x42c04c GetStringTypeW
 0x42c050 HeapAlloc
 0x42c054 OutputDebugStringW
 0x42c058 RtlUnwind
 0x42c05c LoadLibraryExW
 0x42c060 FreeLibrary
 0x42c064 SetConsoleCtrlHandler
 0x42c068 IsProcessorFeaturePresent
 0x42c06c IsDebuggerPresent
 0x42c070 GetCPInfo
 0x42c074 GetOEMCP
 0x42c078 GetACP
 0x42c07c IsValidCodePage
 0x42c080 HeapFree
 0x42c084 FatalAppExitA
 0x42c088 LeaveCriticalSection
 0x42c08c EnterCriticalSection
 0x42c090 VirtualProtect
 0x42c094 CloseHandle
 0x42c098 HeapReAlloc
 0x42c09c GetFileType
 0x42c0a0 CreateSemaphoreW
 0x42c0a4 GetModuleHandleW
 0x42c0a8 GetTickCount
 0x42c0ac TlsFree
 0x42c0b0 GetCommandLineA
 0x42c0b4 GetLastError
 0x42c0b8 SetLastError
 0x42c0bc GetCurrentThread
 0x42c0c0 GetCurrentThreadId
 0x42c0c4 EncodePointer
 0x42c0c8 DecodePointer
 0x42c0cc ExitProcess
 0x42c0d0 GetModuleHandleExW
 0x42c0d4 GetProcAddress
 0x42c0d8 AreFileApisANSI
 0x42c0dc MultiByteToWideChar
 0x42c0e0 WideCharToMultiByte
 0x42c0e4 GetProcessHeap
 0x42c0e8 GetStdHandle
 0x42c0ec CreateFileW
 0x42c0f0 DeleteCriticalSection
 0x42c0f4 GetStartupInfoW
 0x42c0f8 GetModuleFileNameA
 0x42c0fc WriteFile
 0x42c100 GetModuleFileNameW
 0x42c104 QueryPerformanceCounter
 0x42c108 GetCurrentProcessId
 0x42c10c GetSystemTimeAsFileTime
 0x42c110 GetEnvironmentStringsW
 0x42c114 FreeEnvironmentStringsW
 0x42c118 UnhandledExceptionFilter
 0x42c11c SetUnhandledExceptionFilter
 0x42c120 InitializeCriticalSectionAndSpinCount
 0x42c124 CreateEventW
 0x42c128 Sleep
 0x42c12c GetCurrentProcess
 0x42c130 TerminateProcess
 0x42c134 TlsAlloc
 0x42c138 TlsGetValue
 0x42c13c TlsSetValue
SHELL32.dll
 0x42c174 SHEmptyRecycleBinW
 0x42c178 SHInvokePrinterCommandA
 0x42c17c DragQueryFileW
 0x42c180 SHGetFileInfoA
WINMM.dll
 0x42c1a0 joyGetPos
 0x42c1a4 waveInGetNumDevs
 0x42c1a8 mmioRenameW
 0x42c1ac midiInGetErrorTextW
 0x42c1b0 midiStreamOut
WINSPOOL.DRV
 0x42c1b8 EnumPrintProcessorDatatypesA
 0x42c1bc AddPrintProvidorW
 0x42c1c0 DeletePrintProvidorA
 0x42c1c4 DevicePropertySheets
RPCRT4.dll
 0x42c15c NdrRpcSsDefaultAllocate
 0x42c160 NdrByteCountPointerMarshall
 0x42c164 NdrServerCall
 0x42c168 NdrInterfacePointerFree
 0x42c16c NdrConvert2
OLEAUT32.dll
 0x42c144 VarI4FromCy
 0x42c148 VarI4FromUI4
 0x42c14c VariantChangeTypeEx
 0x42c150 OleLoadPictureEx
 0x42c154 VarBoolFromDec
rtm.dll
 0x42c1cc RtmCloseEnumerationHandle
 0x42c1d0 MgmDeInitialize
 0x42c1d4 MgmTakeInterfaceOwnership
 0x42c1d8 MgmGetFirstMfe
COMDLG32.dll
 0x42c000 GetSaveFileNameW
 0x42c004 GetOpenFileNameA
 0x42c008 PrintDlgW
USER32.dll
 0x42c190 MessageBoxW
 0x42c194 GetDC
 0x42c198 GrayStringA

EAT (Export Address Table): none
