Report - ZeroBOX

ScreenShot

Info
Location map


Created	2021.10.19 09:58	Machine	s1_win7_x6401
Filename	vbc.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows
AI Score	6	Behavior Score	2.4
ZERO API	file : malware
VT API (file)	23 detected (AIDetect, malware1, malicious, high confidence, score, Save, confidence, Attribute, HighConfidence, EQII, FileRepMalware, Fareit, Outbreak, kcloud, Sabsik, Artemis, Static AI, Malicious PE, Unsafe, Kryptik, EPAP, ZevbaF, hm0@a04uTLhi, GdSda)
md5	70e9b753cb1f4f173c75c0d85f5e5a48
sha256	ed77b015d1ca486b1820727ec913ee0c42b3f622dae4ab25c9605f34ea13ba47
ssdeep	1536:kSXSFqLB1inqw8lIFhQZjPNTGYLEiNFVZ1Kefrg6roVU2hmhLB:VXSCOnEIF+PNCYwAbKejrF2E
imphash	fd2a350e6b9d34ec5cf88c61afb9d41f
impfuzzy	48:nh/wzQwgelwjTIgk7xtc3ueG3ewl91SdZ3dEdTTFNo6zp8hHw1U7gIkSi1RV3TSN:nh/GQfelsTIgk7x6+zOwl9wdZNEVTFN8

Network IP location

Signature (6cnts)

Level	Description
warning	File has been identified by 23 AntiVirus engines on VirusTotal as malicious
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	The binary likely contains encrypted or compressed data indicative of a packer
info	Checks amount of memory in system
info	The file contains an unknown PE resource name possibly indicative of a packer

Rules (3cnts)

Level	Name	Description	Collection
watch	UPX_Zero	UPX packed file	binaries (upload)
info	IsPE32	(no description)	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (upload)

Network (0cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

MSVBVM60.DLL
0x401000 None
0x401004 _CIcos
0x401008 _adj_fptan
0x40100c __vbaVarMove
0x401010 __vbaFreeVar
0x401014 __vbaStrVarMove
0x401018 __vbaFreeVarList
0x40101c None
0x401020 __vbaEnd
0x401024 _adj_fdiv_m64
0x401028 __vbaFreeObjList
0x40102c None
0x401030 _adj_fprem1
0x401034 __vbaRecAnsiToUni
0x401038 None
0x40103c __vbaStrCat
0x401040 __vbaSetSystemError
0x401044 __vbaHresultCheckObj
0x401048 None
0x40104c _adj_fdiv_m32
0x401050 None
0x401054 __vbaAryDestruct
0x401058 None
0x40105c None
0x401060 __vbaObjSet
0x401064 __vbaOnError
0x401068 None
0x40106c _adj_fdiv_m16i
0x401070 None
0x401074 __vbaObjSetAddref
0x401078 _adj_fdivr_m16i
0x40107c None
0x401080 None
0x401084 None
0x401088 _CIsin
0x40108c __vbaErase
0x401090 None
0x401094 __vbaChkstk
0x401098 None
0x40109c EVENT_SINK_AddRef
0x4010a0 None
0x4010a4 __vbaStrCmp
0x4010a8 __vbaVarTstEq
0x4010ac __vbaI2I4
0x4010b0 __vbaObjVar
0x4010b4 DllFunctionCall
0x4010b8 None
0x4010bc _adj_fpatan
0x4010c0 __vbaRedim
0x4010c4 __vbaRecUniToAnsi
0x4010c8 EVENT_SINK_Release
0x4010cc _CIsqrt
0x4010d0 EVENT_SINK_QueryInterface
0x4010d4 __vbaExceptHandler
0x4010d8 None
0x4010dc _adj_fprem
0x4010e0 _adj_fdivr_m64
0x4010e4 None
0x4010e8 __vbaFPException
0x4010ec None
0x4010f0 __vbaDateVar
0x4010f4 None
0x4010f8 None
0x4010fc _CIlog
0x401100 None
0x401104 __vbaErrorOverflow
0x401108 __vbaFileOpen
0x40110c __vbaNew2
0x401110 None
0x401114 _adj_fdiv_m32i
0x401118 _adj_fdivr_m32i
0x40111c __vbaStrCopy
0x401120 __vbaI4Str
0x401124 __vbaFreeStrList
0x401128 __vbaDerefAry1
0x40112c _adj_fdivr_m32
0x401130 _adj_fdiv_r
0x401134 None
0x401138 None
0x40113c __vbaVarTstNe
0x401140 None
0x401144 __vbaLateMemCall
0x401148 __vbaStrToAnsi
0x40114c __vbaVarDup
0x401150 __vbaStrComp
0x401154 None
0x401158 None
0x40115c None
0x401160 __vbaVarCopy
0x401164 _CIatan
0x401168 __vbaStrMove
0x40116c None
0x401170 None
0x401174 _allmul
0x401178 None
0x40117c _CItan
0x401180 None
0x401184 _CIexp
0x401188 __vbaFreeObj
0x40118c __vbaFreeStr
0x401190 None

EAT(Export Address Table) is none

Report - vbc.exe

Signature (6cnts)

Rules (3cnts)

Network (0cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure