Summary | ZeroBOX

vbc.exe

PE32 PE File DLL
Category Machine Started Completed
FILE s1_win7_x6401 June 23, 2021, 4:31 p.m. June 23, 2021, 4:33 p.m.
Size 134.7KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 7847f6a1330398c7ca2252a78b6eac35
SHA256 2eeff837091b7d78f534e717e171890b69d22317d39760b91292203901bfca68
CRC32 5154C56C
ssdeep 3072:QBynOpL12rioceMmwJgKo6osaS3GaTUSoFNt/673esVI9WE:QBlL/fEK/kMPgl/IO19X
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
bnbrokenhead.cf 104.21.2.166
IP Address Status Action
104.21.2.166 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:61479 -> 164.124.101.2:53 2025107 ET INFO DNS Query for Suspicious .cf Domain Potentially Bad Traffic
TCP 192.168.56.101:49202 -> 104.21.2.166:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.101:49202 -> 104.21.2.166:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 104.21.2.166:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.101:49202 -> 104.21.2.166:80 2025103 ET INFO HTTP POST Request to Suspicious *.cf Domain Potentially Bad Traffic
TCP 192.168.56.101:49207 -> 104.21.2.166:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.101:49206 -> 104.21.2.166:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 104.21.2.166:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 104.21.2.166:80 2025103 ET INFO HTTP POST Request to Suspicious *.cf Domain Potentially Bad Traffic
TCP 192.168.56.101:49207 -> 104.21.2.166:80 2025103 ET INFO HTTP POST Request to Suspicious *.cf Domain Potentially Bad Traffic
TCP 192.168.56.101:49206 -> 104.21.2.166:80 2024313 ET MALWARE LokiBot Request for C2 Commands Detected M1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 104.21.2.166:80 2024313 ET MALWARE LokiBot Request for C2 Commands Detected M1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 104.21.2.166:80 2024318 ET MALWARE LokiBot Request for C2 Commands Detected M2 Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 104.21.2.166:80 2024318 ET MALWARE LokiBot Request for C2 Commands Detected M2 Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 104.21.2.166:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 104.21.2.166:80 -> 192.168.56.101:49206 2025483 ET MALWARE LokiBot Fake 404 Response A Network Trojan was detected
TCP 192.168.56.101:49204 -> 104.21.2.166:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 104.21.2.166:80 -> 192.168.56.101:49207 2025483 ET MALWARE LokiBot Fake 404 Response A Network Trojan was detected
TCP 192.168.56.101:49204 -> 104.21.2.166:80 2025103 ET INFO HTTP POST Request to Suspicious *.cf Domain Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 104.21.2.166:80 2024312 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 A Network Trojan was detected
TCP 192.168.56.101:49204 -> 104.21.2.166:80 2024317 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 A Network Trojan was detected
TCP 192.168.56.101:49202 -> 104.21.2.166:80 2024312 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 A Network Trojan was detected
TCP 192.168.56.101:49202 -> 104.21.2.166:80 2024317 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 A Network Trojan was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .ndata
suspicious_features POST method with no referer header, HTTP version 1.0 used suspicious_request POST http://bnbrokenhead.cf/Bn4/fre.php
request POST http://bnbrokenhead.cf/Bn4/fre.php
request POST http://bnbrokenhead.cf/Bn4/fre.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10004000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10004000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Login Data
file C:\Users\test22\AppData\Local\Chromium\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Login Data
file C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
file C:\Users\test22\AppData\Local\Temp\nsd6338.tmp\System.dll
file C:\Users\test22\AppData\Local\Temp\nsd6338.tmp\System.dll
Time & API Arguments Status Return Repeated

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\AppData\Roaming\41D896\6D6F4D.exe
flags: 1
oldfilepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe
newfilepath: C:\Users\test22\AppData\Roaming\41D896\6D6F4D.exe
oldfilepath: C:\Users\test22\AppData\Local\Temp\vbc.exe
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
file C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\test22\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file C:\Users\test22\AppData\Roaming\wcx_ftp.ini
file C:\Windows\wcx_ftp.ini
file C:\Users\test22\wcx_ftp.ini
file C:\Windows\32BitFtp.ini
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Program Files (x86)\FileZilla\Filezilla.xml
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
file C:\Users\test22\AppData\Roaming\FileZilla\filezilla.xml
registry HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry HKEY_CURRENT_USER\Software\Martin Prikryl
registry HKEY_LOCAL_MACHINE\Software\Martin Prikryl
file C:\Users\test22\AppData\Roaming\.purple\accounts.xml
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Process injection Process 732 called NtSetContextThread to modify thread in remote process 2076
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001f0
process_identifier: 2076
1 0 0
FireEye Generic.mg.7847f6a1330398c7
McAfee Artemis!7847F6A13303
Sangfor Spyware.Win32.Noon.gen
CrowdStrike win/malicious_confidence_60% (W)
Cyren W32/Ninjector.J.gen!Camelot
Symantec Trojan.Gen.2
ESET-NOD32 NSIS/Injector.AMW
APEX Malicious
Paloalto generic.ml
Kaspersky UDS:Backdoor.Win32.Androm.gen
AegisLab Trojan.Win32.Noon.l!c
Avast FileRepMalware
Sophos Mal/Generic-S
McAfee-GW-Edition BehavesLike.Win32.Dropper.cc
SentinelOne Static AI - Malicious PE
Kingsoft Win32.Hack.Undef.(kcloud)
Microsoft Trojan:Win32/Tnega!ml
ZoneAlarm UDS:DangerousObject.Multi.Generic
Cynet Malicious (score: 100)
Cylance Unsafe
Fortinet W32/Kryptik.J!tr
AVG FileRepMalware