Report - ZeroBOX

ScreenShot

Info
Location map


Created	2021.10.21 18:12	Machine	s1_win7_x6403
Filename	vbc.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows
AI Score	6	Behavior Score	2.6
ZERO API	file : clean
VT API (file)	44 detected (AIDetect, malware1, GuLoader, malicious, high confidence, Razy, Unsafe, Save, confidence, 100%, Eldorado, Attribute, HighConfidence, EQII, FileRepMalware, Eehc, Fareit, vvxum, TrojDownloader, kcloud, Tnega, score, GenericRXAA, ai score=87, F0D1C00JK21, Static AI, Malicious PE, ZevbaF, hm0@a4AnQxai, GdSda)
md5	fd382a67a32410c901fe41f842abbf4b
sha256	c1ef994f31b0d0aae59985db47f85394ae12e0689385cf4a18cc0a4b8c2d8fee
ssdeep	1536:8EYORuly5OAk3A83fmjKTQYhvU0S2AG7Fru6mdWmhLB:VYOcl0OAkw8xTvbV7FrYdL
imphash	fd2a350e6b9d34ec5cf88c61afb9d41f
impfuzzy	48:nh/wzQwgelwjTIgk7xtc3ueG3ewl91SdZ3dEdTTFNo6zp8hHw1U7gIkSi1RV3TSN:nh/GQfelsTIgk7x6+zOwl9wdZNEVTFN8

Network IP location

Signature (5cnts)

Level	Description
danger	File has been identified by 44 AntiVirus engines on VirusTotal as malicious
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	The binary likely contains encrypted or compressed data indicative of a packer
info	The file contains an unknown PE resource name possibly indicative of a packer

Rules (5cnts)

Level	Name	Description	Collection
warning	Generic_Malware_Zero	Generic Malware	binaries (upload)
watch	Malicious_Library_Zero	Malicious_Library	binaries (upload)
watch	UPX_Zero	UPX packed file	binaries (upload)
info	IsPE32	(no description)	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (upload)

Network (0cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

MSVBVM60.DLL
0x401000 None
0x401004 _CIcos
0x401008 _adj_fptan
0x40100c __vbaVarMove
0x401010 __vbaFreeVar
0x401014 __vbaStrVarMove
0x401018 __vbaFreeVarList
0x40101c None
0x401020 __vbaEnd
0x401024 _adj_fdiv_m64
0x401028 __vbaFreeObjList
0x40102c None
0x401030 _adj_fprem1
0x401034 __vbaRecAnsiToUni
0x401038 None
0x40103c __vbaStrCat
0x401040 __vbaSetSystemError
0x401044 __vbaHresultCheckObj
0x401048 None
0x40104c _adj_fdiv_m32
0x401050 None
0x401054 __vbaAryDestruct
0x401058 None
0x40105c None
0x401060 __vbaObjSet
0x401064 __vbaOnError
0x401068 None
0x40106c _adj_fdiv_m16i
0x401070 None
0x401074 __vbaObjSetAddref
0x401078 _adj_fdivr_m16i
0x40107c None
0x401080 None
0x401084 None
0x401088 _CIsin
0x40108c __vbaErase
0x401090 None
0x401094 __vbaChkstk
0x401098 None
0x40109c EVENT_SINK_AddRef
0x4010a0 None
0x4010a4 __vbaStrCmp
0x4010a8 __vbaVarTstEq
0x4010ac __vbaI2I4
0x4010b0 __vbaObjVar
0x4010b4 DllFunctionCall
0x4010b8 None
0x4010bc _adj_fpatan
0x4010c0 __vbaRedim
0x4010c4 __vbaRecUniToAnsi
0x4010c8 EVENT_SINK_Release
0x4010cc _CIsqrt
0x4010d0 EVENT_SINK_QueryInterface
0x4010d4 __vbaExceptHandler
0x4010d8 None
0x4010dc _adj_fprem
0x4010e0 _adj_fdivr_m64
0x4010e4 None
0x4010e8 __vbaFPException
0x4010ec None
0x4010f0 __vbaDateVar
0x4010f4 None
0x4010f8 None
0x4010fc _CIlog
0x401100 None
0x401104 __vbaErrorOverflow
0x401108 __vbaFileOpen
0x40110c __vbaNew2
0x401110 None
0x401114 _adj_fdiv_m32i
0x401118 _adj_fdivr_m32i
0x40111c __vbaStrCopy
0x401120 __vbaI4Str
0x401124 __vbaFreeStrList
0x401128 __vbaDerefAry1
0x40112c _adj_fdivr_m32
0x401130 _adj_fdiv_r
0x401134 None
0x401138 None
0x40113c __vbaVarTstNe
0x401140 None
0x401144 __vbaLateMemCall
0x401148 __vbaStrToAnsi
0x40114c __vbaVarDup
0x401150 __vbaStrComp
0x401154 None
0x401158 None
0x40115c None
0x401160 __vbaVarCopy
0x401164 _CIatan
0x401168 __vbaStrMove
0x40116c None
0x401170 None
0x401174 _allmul
0x401178 None
0x40117c _CItan
0x401180 None
0x401184 _CIexp
0x401188 __vbaFreeObj
0x40118c __vbaFreeStr
0x401190 None

EAT(Export Address Table) is none

Report - vbc.exe

Signature (5cnts)

Rules (5cnts)

Network (0cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure