Report - vbc.exe

Malicious Library UPX PE File PE32
Created 2021.10.21 18:45 Machine s1_win7_x6403
Filename vbc.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 6
Behavior Score 9.8
ZERO API file : clean
VT API (file) 19 detected (malicious, high confidence, score, Artemis, Unsafe, Formbook, FileRepMalware, AdwareDealPly, Generic ML PUA, Sabsik, ZelphiCO, 8KW@aCXAGQmi, Static AI, Suspicious PE, EQAC, susgen)
md5 43c4f31951dfaa67b56f438bc1454522
sha256 602b818b816dd421212e56f00c0f6ac807e1f01497601fcd49e1e081b8fdcb24
ssdeep 12288:fDug7DeIhyEzPsO4z+oxMOQWHphA3hHx8rkRZQ9XYBk9NAOe6k1+hO/O5N8DoQTh:rt7JhyEz0O4z+OQK79HHQT2ODA
imphash ac55f6686b1348553fd9b5d485943699
impfuzzy 96:oO4nYU3Me0M4buu21xSUvK9eVsoWGXE7JXhpeU8LS1W+YdDwPOQCD:o13MDbuu0xSUvK9kso1XE7Jyg1O+POQk

Signature (20cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch Allocates execute permission to another process indicative of possible code injection
watch Creates a thread using CreateRemoteThread in a non-child process indicative of process injection
watch File has been identified by 19 AntiVirus engines on VirusTotal as malicious
watch Installs itself for autorun at Windows startup
watch Manipulates memory of a non-child process indicative of process injection
watch Network activity contains more than one unique useragent
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Uses Sysinternals tools in order to add additional command line functionality
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
info One or more processes crashed
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer

Rules (8cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (35cnts)

Request CC ASN Co IP4 Rule ZERO
http://www.trashwasher.com/ht08/?jrQDrX=uW1sPHtGTFBUTkesgE7uYKY6CRw967TpF9DAp4EO6MgnVSdl1zAyFTm+zdWq2zbODeL2N+lp&p0D=QfrDsny8j2kPE0s US FASTLY 151.101.66.159 clean
http://www.swisstradecenter.com/ht08/?jrQDrX=QSE46j0HNZ2QncZWLMtuNIJxO3VJtHj2iE4I7IkNciklA1BQH3YeyQjbp0g62VHrm1UWPSce&p0D=QfrDsny8j2kPE0s CH Hostpoint AG 217.26.63.20 clean
http://www.kinmanpowerwashing.com/ht08/?p0D=QfrDsny8j2kPE0s&jrQDrX=wJPYOBNPPe4q/AU39b/otaYCYPUa59MhN5lNfdB/7j2pgKnFe5P4sOF7ywpp0IQx2Nw/u5M7 SG AS-26496-GO-DADDY-COM-LLC 182.50.132.242 clean
http://www.cdgdentists.com/ht08/?p0D=QfrDsny8j2kPE0s&jrQDrX=EXbQHeCb31o1gaBaR2ATYI6ExABbI7DKLBQ2CIR3ARrEXHsMlpnG7TJ7X1JozzLBrtTu60nh US GOOGLE 34.102.136.180 clean
http://www.oilelm.com/ht08/?p0D=QfrDsny8j2kPE0s&jrQDrX=+MKoH/T1lSGBa8iWH91/ZquhTarcPNk/tfbZWgzq/IKlWL2S/ubFt9bqD7NQKtX6NP3pa9SI US CLOUDFLARENET 104.21.66.109 clean
http://www.amaroqadvisors.com/ht08/?jrQDrX=u/HH8oXplBhOFryswzp14fRHx2iZXqd5LlKZ1+of1fszA0QUqCsF/wVmyePk0HUmpsPYuBxx&p0D=QfrDsny8j2kPE0s US GOOGLE 34.102.136.180 clean
http://www.oooci.com/ht08/?jrQDrX=N3mp3TnmlmOVAV+GBSkbxeVJeF+TLCeopoFxOLndztPBPVOFElj2miXAPLJhlFBp52cue+7l&p0D=QfrDsny8j2kPE0s Unknown 101.35.123.80 clean
http://www.septemberstockevent200.com/ht08/?p0D=QfrDsny8j2kPE0s&jrQDrX=YVcVQnABcJsSl1vo8PwpXZC8MGRy3pUK9T1n+/sxD5UspzF5wJe0fyLK9odyh4hH5ST6BMWP US CLOUDFLARENET 104.21.65.66 clean
https://owfboa.dm.files.1drv.com/y4mmGEQ-1TDGWvA6srDdg7lIrn1Oc-IcieS9yK0yjEgqixnisRz1pHwTYHyXpmsBWdPtArgy7blgdempTtadNiVRcbinYKYCyletcXYWpE5khUcMHXWFto4eVdeTdAIrs0BatLzvepPG8tTU5ebW2mvg4zCaH1LHQxf_F95RdwjWiFbiFK28ZqFIaBN0iq15Gfi0vvbafd9LrWYvE6pJ7efIA/Ewzm US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.12 clean
https://owfboa.dm.files.1drv.com/y4mUfne4wayPOFatX-pbl6vWAtr619eHfZxjSq-Nz-7Vqg6l3ceiOlz0DebBFWCOW_3msvrTRqCAoBdhpjV1KeyTZ4XPy4CNzV-5M1Cq7oXAB8kGm9SPNgqXKQVg3qkcrWjuAv9rbUSvXX_Z34Ybr5jYUlszfdrxqFZhzKrUigROi5ITLXVl3DcbLodY3blfsCvabJpAY3zWSWxQMGIxQVszQ/Ewzm US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.12 clean
https://onedrive.live.com/download?cid=BCFBDC0738CBFF0F&resid=BCFBDC0738CBFF0F%21109&authkey=AONmXFICrRaoFt4 US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.13 clean
onedrive.live.com US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.13 malicious
www.digipoint-entertainment.com Unknown clean
www.swisstradecenter.com CH Hostpoint AG 217.26.63.20 clean
www.oilelm.com US CLOUDFLARENET 172.67.159.113 clean
www.amaroqadvisors.com US GOOGLE 34.102.136.180 clean
www.septemberstockevent200.com US CLOUDFLARENET 172.67.188.247 clean
www.getjoyce.net Unknown clean
www.curebase-test.com Unknown clean
www.oooci.com Unknown 101.35.123.80 clean
www.kinmanpowerwashing.com SG AS-26496-GO-DADDY-COM-LLC 182.50.132.242 clean
owfboa.dm.files.1drv.com US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.12 clean
www.shangduli.space CN China Telecom (Group) 114.95.162.70 clean
www.cdgdentists.com US GOOGLE 34.102.136.180 clean
www.trashwasher.com US FASTLY 151.101.66.159 clean
13.107.42.13 US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.13 malicious
13.107.42.12 US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.12 malware
217.26.63.20 CH Hostpoint AG 217.26.63.20 clean
34.102.136.180 US GOOGLE 34.102.136.180 malicious
172.67.188.247 US CLOUDFLARENET 172.67.188.247 clean
182.50.132.242 SG AS-26496-GO-DADDY-COM-LLC 182.50.132.242 malicious
114.95.162.70 CN China Telecom (Group) 114.95.162.70 clean
101.35.123.80 Unknown 101.35.123.80 clean
104.21.66.109 US CLOUDFLARENET 104.21.66.109 clean
151.101.66.159 US FASTLY 151.101.66.159 malicious

Suricata ids

PE API

IAT (Import Address Table) Library

oleaut32.dll
 0x4ea6d4 SysFreeString
 0x4ea6d8 SysReAllocStringLen
 0x4ea6dc SysAllocStringLen
advapi32.dll
 0x4ea6e4 RegQueryValueExA
 0x4ea6e8 RegOpenKeyExA
 0x4ea6ec RegCloseKey
user32.dll
 0x4ea6f4 GetKeyboardType
 0x4ea6f8 DestroyWindow
 0x4ea6fc LoadStringA
 0x4ea700 MessageBoxA
 0x4ea704 CharNextA
kernel32.dll
 0x4ea70c GetACP
 0x4ea710 Sleep
 0x4ea714 VirtualFree
 0x4ea718 VirtualAlloc
 0x4ea71c GetCurrentThreadId
 0x4ea720 InterlockedDecrement
 0x4ea724 InterlockedIncrement
 0x4ea728 VirtualQuery
 0x4ea72c WideCharToMultiByte
 0x4ea730 MultiByteToWideChar
 0x4ea734 lstrlenA
 0x4ea738 lstrcpynA
 0x4ea73c LoadLibraryExA
 0x4ea740 GetThreadLocale
 0x4ea744 GetStartupInfoA
 0x4ea748 GetProcAddress
 0x4ea74c GetModuleHandleA
 0x4ea750 GetModuleFileNameA
 0x4ea754 GetLocaleInfoA
 0x4ea758 GetCommandLineA
 0x4ea75c FreeLibrary
 0x4ea760 FindFirstFileA
 0x4ea764 FindClose
 0x4ea768 ExitProcess
 0x4ea76c CompareStringA
 0x4ea770 WriteFile
 0x4ea774 UnhandledExceptionFilter
 0x4ea778 RtlUnwind
 0x4ea77c RaiseException
 0x4ea780 GetStdHandle
kernel32.dll
 0x4ea788 TlsSetValue
 0x4ea78c TlsGetValue
 0x4ea790 LocalAlloc
 0x4ea794 GetModuleHandleA
user32.dll
 0x4ea79c CreateWindowExA
 0x4ea7a0 WindowFromPoint
 0x4ea7a4 WaitMessage
 0x4ea7a8 UpdateWindow
 0x4ea7ac UnregisterClassA
 0x4ea7b0 UnhookWindowsHookEx
 0x4ea7b4 TranslateMessage
 0x4ea7b8 TranslateMDISysAccel
 0x4ea7bc TrackPopupMenu
 0x4ea7c0 SystemParametersInfoA
 0x4ea7c4 ShowWindow
 0x4ea7c8 ShowScrollBar
 0x4ea7cc ShowOwnedPopups
 0x4ea7d0 SetWindowsHookExA
 0x4ea7d4 SetWindowPos
 0x4ea7d8 SetWindowPlacement
 0x4ea7dc SetWindowLongW
 0x4ea7e0 SetWindowLongA
 0x4ea7e4 SetTimer
 0x4ea7e8 SetScrollRange
 0x4ea7ec SetScrollPos
 0x4ea7f0 SetScrollInfo
 0x4ea7f4 SetRect
 0x4ea7f8 SetPropA
 0x4ea7fc SetParent
 0x4ea800 SetMenuItemInfoA
 0x4ea804 SetMenu
 0x4ea808 SetForegroundWindow
 0x4ea80c SetFocus
 0x4ea810 SetCursor
 0x4ea814 SetClassLongA
 0x4ea818 SetCapture
 0x4ea81c SetActiveWindow
 0x4ea820 SendMessageW
 0x4ea824 SendMessageA
 0x4ea828 ScrollWindow
 0x4ea82c ScreenToClient
 0x4ea830 RemovePropA
 0x4ea834 RemoveMenu
 0x4ea838 ReleaseDC
 0x4ea83c ReleaseCapture
 0x4ea840 RegisterWindowMessageA
 0x4ea844 RegisterClipboardFormatA
 0x4ea848 RegisterClassA
 0x4ea84c RedrawWindow
 0x4ea850 PtInRect
 0x4ea854 PostQuitMessage
 0x4ea858 PostMessageA
 0x4ea85c PeekMessageW
 0x4ea860 PeekMessageA
 0x4ea864 OffsetRect
 0x4ea868 OemToCharA
 0x4ea86c MessageBoxA
 0x4ea870 MapWindowPoints
 0x4ea874 MapVirtualKeyA
 0x4ea878 LoadStringA
 0x4ea87c LoadKeyboardLayoutA
 0x4ea880 LoadIconA
 0x4ea884 LoadCursorA
 0x4ea888 LoadBitmapA
 0x4ea88c KillTimer
 0x4ea890 IsZoomed
 0x4ea894 IsWindowVisible
 0x4ea898 IsWindowUnicode
 0x4ea89c IsWindowEnabled
 0x4ea8a0 IsWindow
 0x4ea8a4 IsRectEmpty
 0x4ea8a8 IsIconic
 0x4ea8ac IsDialogMessageW
 0x4ea8b0 IsDialogMessageA
 0x4ea8b4 IsChild
 0x4ea8b8 InvalidateRect
 0x4ea8bc IntersectRect
 0x4ea8c0 InsertMenuItemA
 0x4ea8c4 InsertMenuA
 0x4ea8c8 InflateRect
 0x4ea8cc GetWindowThreadProcessId
 0x4ea8d0 GetWindowTextA
 0x4ea8d4 GetWindowRect
 0x4ea8d8 GetWindowPlacement
 0x4ea8dc GetWindowLongW
 0x4ea8e0 GetWindowLongA
 0x4ea8e4 GetWindowDC
 0x4ea8e8 GetTopWindow
 0x4ea8ec GetSystemMetrics
 0x4ea8f0 GetSystemMenu
 0x4ea8f4 GetSysColorBrush
 0x4ea8f8 GetSysColor
 0x4ea8fc GetSubMenu
 0x4ea900 GetScrollRange
 0x4ea904 GetScrollPos
 0x4ea908 GetScrollInfo
 0x4ea90c GetPropA
 0x4ea910 GetParent
 0x4ea914 GetWindow
 0x4ea918 GetMessagePos
 0x4ea91c GetMenuStringA
 0x4ea920 GetMenuState
 0x4ea924 GetMenuItemInfoA
 0x4ea928 GetMenuItemID
 0x4ea92c GetMenuItemCount
 0x4ea930 GetMenu
 0x4ea934 GetLastActivePopup
 0x4ea938 GetKeyboardState
 0x4ea93c GetKeyboardLayoutNameA
 0x4ea940 GetKeyboardLayoutList
 0x4ea944 GetKeyboardLayout
 0x4ea948 GetKeyState
 0x4ea94c GetKeyNameTextA
 0x4ea950 GetIconInfo
 0x4ea954 GetForegroundWindow
 0x4ea958 GetFocus
 0x4ea95c GetDesktopWindow
 0x4ea960 GetDCEx
 0x4ea964 GetDC
 0x4ea968 GetCursorPos
 0x4ea96c GetCursor
 0x4ea970 GetClientRect
 0x4ea974 GetClassLongA
 0x4ea978 GetClassInfoA
 0x4ea97c GetCapture
 0x4ea980 GetActiveWindow
 0x4ea984 FrameRect
 0x4ea988 FindWindowA
 0x4ea98c FillRect
 0x4ea990 EqualRect
 0x4ea994 EnumWindows
 0x4ea998 EnumThreadWindows
 0x4ea99c EnumChildWindows
 0x4ea9a0 EndPaint
 0x4ea9a4 EnableWindow
 0x4ea9a8 EnableScrollBar
 0x4ea9ac EnableMenuItem
 0x4ea9b0 DrawTextA
 0x4ea9b4 DrawMenuBar
 0x4ea9b8 DrawIconEx
 0x4ea9bc DrawIcon
 0x4ea9c0 DrawFrameControl
 0x4ea9c4 DrawEdge
 0x4ea9c8 DispatchMessageW
 0x4ea9cc DispatchMessageA
 0x4ea9d0 DestroyWindow
 0x4ea9d4 DestroyMenu
 0x4ea9d8 DestroyIcon
 0x4ea9dc DestroyCursor
 0x4ea9e0 DeleteMenu
 0x4ea9e4 DefWindowProcA
 0x4ea9e8 DefMDIChildProcA
 0x4ea9ec DefFrameProcA
 0x4ea9f0 CreatePopupMenu
 0x4ea9f4 CreateMenu
 0x4ea9f8 CreateIcon
 0x4ea9fc ClientToScreen
 0x4eaa00 CheckMenuItem
 0x4eaa04 CallWindowProcA
 0x4eaa08 CallNextHookEx
 0x4eaa0c BeginPaint
 0x4eaa10 CharNextA
 0x4eaa14 CharLowerA
 0x4eaa18 CharToOemA
 0x4eaa1c AdjustWindowRectEx
 0x4eaa20 ActivateKeyboardLayout
gdi32.dll
 0x4eaa28 UnrealizeObject
 0x4eaa2c StretchBlt
 0x4eaa30 SetWindowOrgEx
 0x4eaa34 SetViewportOrgEx
 0x4eaa38 SetTextColor
 0x4eaa3c SetStretchBltMode
 0x4eaa40 SetROP2
 0x4eaa44 SetPixel
 0x4eaa48 SetDIBColorTable
 0x4eaa4c SetBrushOrgEx
 0x4eaa50 SetBkMode
 0x4eaa54 SetBkColor
 0x4eaa58 SelectPalette
 0x4eaa5c SelectObject
 0x4eaa60 SaveDC
 0x4eaa64 RestoreDC
 0x4eaa68 RectVisible
 0x4eaa6c RealizePalette
 0x4eaa70 PatBlt
 0x4eaa74 MoveToEx
 0x4eaa78 MaskBlt
 0x4eaa7c LineTo
 0x4eaa80 IntersectClipRect
 0x4eaa84 GetWindowOrgEx
 0x4eaa88 GetTextMetricsA
 0x4eaa8c GetTextExtentPoint32A
 0x4eaa90 GetSystemPaletteEntries
 0x4eaa94 GetStockObject
 0x4eaa98 GetRgnBox
 0x4eaa9c GetPixel
 0x4eaaa0 GetPaletteEntries
 0x4eaaa4 GetObjectA
 0x4eaaa8 GetDeviceCaps
 0x4eaaac GetDIBits
 0x4eaab0 GetDIBColorTable
 0x4eaab4 GetDCOrgEx
 0x4eaab8 GetCurrentPositionEx
 0x4eaabc GetClipBox
 0x4eaac0 GetBrushOrgEx
 0x4eaac4 GetBitmapBits
 0x4eaac8 GdiFlush
 0x4eaacc ExcludeClipRect
 0x4eaad0 DeleteObject
 0x4eaad4 DeleteDC
 0x4eaad8 CreateSolidBrush
 0x4eaadc CreatePenIndirect
 0x4eaae0 CreatePalette
 0x4eaae4 CreateHalftonePalette
 0x4eaae8 CreateFontIndirectA
 0x4eaaec CreateDIBitmap
 0x4eaaf0 CreateDIBSection
 0x4eaaf4 CreateCompatibleDC
 0x4eaaf8 CreateCompatibleBitmap
 0x4eaafc CreateBrushIndirect
 0x4eab00 CreateBitmap
 0x4eab04 BitBlt
version.dll
 0x4eab0c VerQueryValueA
 0x4eab10 GetFileVersionInfoSizeA
 0x4eab14 GetFileVersionInfoA
kernel32.dll
 0x4eab1c lstrcpyA
 0x4eab20 WriteFile
 0x4eab24 WaitForSingleObject
 0x4eab28 VirtualQuery
 0x4eab2c VirtualProtect
 0x4eab30 VirtualAlloc
 0x4eab34 SizeofResource
 0x4eab38 SetThreadLocale
 0x4eab3c SetFilePointer
 0x4eab40 SetEvent
 0x4eab44 SetErrorMode
 0x4eab48 SetEndOfFile
 0x4eab4c ResetEvent
 0x4eab50 ReadFile
 0x4eab54 MulDiv
 0x4eab58 LockResource
 0x4eab5c LoadResource
 0x4eab60 LoadLibraryA
 0x4eab64 LeaveCriticalSection
 0x4eab68 InitializeCriticalSection
 0x4eab6c GlobalFindAtomA
 0x4eab70 GlobalDeleteAtom
 0x4eab74 GlobalAddAtomA
 0x4eab78 GetVersionExA
 0x4eab7c GetVersion
 0x4eab80 GetTickCount
 0x4eab84 GetThreadLocale
 0x4eab88 GetStdHandle
 0x4eab8c GetProcAddress
 0x4eab90 GetModuleHandleA
 0x4eab94 GetModuleFileNameA
 0x4eab98 GetLocaleInfoA
 0x4eab9c GetLocalTime
 0x4eaba0 GetLastError
 0x4eaba4 GetFullPathNameA
 0x4eaba8 GetDiskFreeSpaceA
 0x4eabac GetDateFormatA
 0x4eabb0 GetCurrentThreadId
 0x4eabb4 GetCurrentProcessId
 0x4eabb8 GetCurrentProcess
 0x4eabbc GetCPInfo
 0x4eabc0 FreeResource
 0x4eabc4 InterlockedExchange
 0x4eabc8 FreeLibrary
 0x4eabcc FormatMessageA
 0x4eabd0 FlushInstructionCache
 0x4eabd4 FindResourceA
 0x4eabd8 EnumCalendarInfoA
 0x4eabdc EnterCriticalSection
 0x4eabe0 DeleteCriticalSection
 0x4eabe4 CreateThread
 0x4eabe8 CreateFileA
 0x4eabec CreateEventA
 0x4eabf0 CompareStringA
 0x4eabf4 CloseHandle
advapi32.dll
 0x4eabfc RegQueryValueExA
 0x4eac00 RegOpenKeyExA
 0x4eac04 RegFlushKey
 0x4eac08 RegCloseKey
kernel32.dll
 0x4eac10 Sleep
oleaut32.dll
 0x4eac18 SafeArrayPtrOfIndex
 0x4eac1c SafeArrayGetUBound
 0x4eac20 SafeArrayGetLBound
 0x4eac24 SafeArrayCreate
 0x4eac28 VariantChangeType
 0x4eac2c VariantCopy
 0x4eac30 VariantClear
 0x4eac34 VariantInit
comctl32.dll
 0x4eac3c _TrackMouseEvent
 0x4eac40 ImageList_SetIconSize
 0x4eac44 ImageList_GetIconSize
 0x4eac48 ImageList_Write
 0x4eac4c ImageList_Read
 0x4eac50 ImageList_DragShowNolock
 0x4eac54 ImageList_DragMove
 0x4eac58 ImageList_DragLeave
 0x4eac5c ImageList_DragEnter
 0x4eac60 ImageList_EndDrag
 0x4eac64 ImageList_BeginDrag
 0x4eac68 ImageList_Remove
 0x4eac6c ImageList_DrawEx
 0x4eac70 ImageList_Draw
 0x4eac74 ImageList_GetBkColor
 0x4eac78 ImageList_SetBkColor
 0x4eac7c ImageList_Add
 0x4eac80 ImageList_GetImageCount
 0x4eac84 ImageList_Destroy
 0x4eac88 ImageList_Create

EAT (Export Address Table): none

Similarity measure (PE file only) - Checking for service failure