Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 28, 2021, 7:46 a.m.	June 28, 2021, 7:49 a.m.

Size	544.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`4472f82c006f5df5b1be9b9d1106c511`
SHA256	`ba4b9940cd35373193bc3a26f56d71dd5eebf6acf01f1c7c34a645128452d730`
CRC32	`24692CF0`
ssdeep	`6144:k9CqZ9/jctn4K2dp2d7kw2Wzoajo0vSbSbBAhl5VoTeJHOKlcUNc+eBd:AJcBafw2IjX6+A5VCCHOK9O+eb`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
1116
- vbc.exe "C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe"
  2680

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 28, 2021, 7:46 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 28, 2021, 7:46 a.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x755c0d27 CallWindowProcW+0x1b SetRectEmpty-0x38 user32+0x20d4d @ 0x755c0d4d ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 vbc+0x1236 @ 0x401236 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: f3 a5 0b ca 75 05 5f 5e c2 0c 00 f3 a4 5f 5e c2 exception.symbol: RtlMoveMemory+0x1b RtlFindActivationContextSectionGuid-0x270 ntdll+0x63c5b exception.instruction: movsd dword ptr es:[edi], dword ptr [esi] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 408667 exception.address: 0x77403c5b registers.esp: 1636692 registers.edi: 42991616 registers.eax: 2000698432 registers.ebp: 1636896 registers.edx: 0 registers.ebx: 6389734 registers.esi: 1399069687 registers.ecx: 62	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 28, 2021, 7:46 a.m.

stacktrace:

GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x755c0d27
CallWindowProcW+0x1b SetRectEmpty-0x38 user32+0x20d4d @ 0x755c0d4d
ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a
ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
vbc+0x1236 @ 0x401236
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: f3 a5 0b ca 75 05 5f 5e c2 0c 00 f3 a4 5f 5e c2
exception.symbol: RtlMoveMemory+0x1b RtlFindActivationContextSectionGuid-0x270 ntdll+0x63c5b
exception.instruction: movsd dword ptr es:[edi], dword ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 408667
exception.address: 0x77403c5b
registers.esp: 1636692
registers.edi: 42991616
registers.eax: 2000698432
registers.ebp: 1636896
registers.edx: 0
registers.ebx: 6389734
registers.esi: 1399069687
registers.ecx: 62

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 28, 2021, 7:46 a.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02462000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2021, 7:46 a.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2021, 7:46 a.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2021, 7:46 a.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2021, 7:46 a.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2021, 7:46 a.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2021, 7:46 a.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (50 out of 120 events)

file	C:\Program Files (x86)\Microsoft Office\Office12\DSSM.EXE
file	C:\Program Files (x86)\Hnc\HncUtils\HncUpdate.exe
file	C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdateCore.exe
file	C:\Program Files (x86)\Microsoft Office\Office12\REGFORM.EXE
file	C:\Python27\Lib\site-packages\setuptools\cli-32.exe
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\ODSERV.EXE
file	C:\Python27\Scripts\easy_install.exe
file	C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
file	C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\ose.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\w32.exe
file	C:\Program Files (x86)\Hnc\Common80\HimTrayIcon.exe
file	C:\Program Files (x86)\Hnc\Hwp80\HwpFinder.exe
file	C:\Program Files (x86)\Microsoft Office\Office12\SELFCERT.EXE
file	C:\Program Files (x86)\Microsoft Office\Office12\PPTVIEW.EXE
file	C:\Program Files (x86)\Microsoft Office\Office12\MSPUB.EXE
file	C:\Program Files (x86)\EditPlus\editplus.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\t64.exe
file	C:\Program Files (x86)\Hnc\Hwp80\HwpPrnMng.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\t32.exe
file	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
file	C:\Program Files (x86)\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE
file	C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\DW20.EXE
file	C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdateComRegisterShell64.exe
file	C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdateBroker.exe
file	C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler64.exe
file	C:\util\TCPView\Tcpvcon.exe
file	C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\Installer\chrmstp.exe
file	C:\Program Files (x86)\Hnc\Common80\HncReporter.exe
file	C:\Program Files (x86)\Microsoft Office\Office12\1042\ONELEV.EXE
file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files (x86)\Hnc\Hwp80\HncPUAConverter.exe
file	C:\Program Files (x86)\Microsoft Office\Office12\MSTORE.EXE
file	C:\Program Files (x86)\Hnc\HncDic80\HncDic.exe
file	C:\Program Files (x86)\Microsoft Office\Office12\MSTORDB.EXE
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\ACECNFLT.EXE
file	C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdate.exe
file	C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe
file	C:\Program Files (x86)\Hnc\HncUtils\KeyLayout\KeyLayout.exe
file	C:\util\dotnet4.5.exe
file	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\winamp58_3660_beta_full_en-us[1].exe
file	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
file	C:\Program Files (x86)\Microsoft Office\Office12\INFOPATH.EXE
file	C:\Program Files (x86)\Microsoft Office\Office12\GrooveMigrator.exe
file	C:\Program Files (x86)\Hnc\PDF80\x64\HNCE2PPRCONV80.exe
file	C:\Program Files (x86)\Hnc\Common80\him\HJIMESV.EXE
file	C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdateOnDemand.exe
file	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\OINFOP12.EXE
file	C:\Program Files (x86)\Hnc\Common80\OdfConverter.exe
file	C:\Program Files (x86)\Common Files\microsoft shared\IME12\SHARED\IMEPADSV.EXE

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\winamp58_3660_beta_full_en-us[1].exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 28, 2021, 7:46 a.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003b0000 process_handle: 0xffffffff	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)

reg_value

C:\Windows\svchost.com "%1" %*

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.NeshtaB.PE
Elastic	malicious (high confidence)
MicroWorld-eScan	Win32.Neshta.A
FireEye	Generic.mg.4472f82c006f5df5
CAT-QuickHeal	W32.Neshta.C8
McAfee	W32/HLLP.41472.e
Cylance	Unsafe
VIPRE	Virus.Win32.Neshta.a (v)
Sangfor	Win.Trojan.Neshuta-1
K7AntiVirus	Virus ( 00556e571 )
BitDefender	Win32.Neshta.A
K7GW	Virus ( 00556e571 )
Cybereason	malicious.c006f5
BitDefenderTheta	AI:FileInfector.D5C3B0640E
Cyren	W32/Neshta.OBIX-2981
Symantec	W32.Neshuta
ESET-NOD32	Win32/Neshta.A
Baidu	Win32.Virus.Neshta.a
APEX	Malicious
Avast	Win32:Apanas [Trj]
ClamAV	Win.Trojan.Neshuta-1
Kaspersky	Virus.Win32.Neshta.a
Alibaba	Virus:Win32/Neshta.3bb
NANO-Antivirus	Trojan.Win32.Winlock.fmobyw
ViRobot	Win32.Neshta.Gen.A
Tencent	Virus.Win32.Neshta.a
Ad-Aware	Win32.Neshta.A
Emsisoft	Win32.Neshta.A (B)
Comodo	Win32.Neshta.A@3ypg
DrWeb	Win32.HLLP.Neshta
Zillya	Virus.Neshta.Win32.1
TrendMicro	PE_NESHTA.A
McAfee-GW-Edition	BehavesLike.Win32.HLLP.hh
Sophos	ML/PE-A + W32/Neshta-D
Ikarus	Virus.Win32.Neshta
Jiangmin	Virus.Neshta.a
Avira	W32/Neshta.A
MAX	malware (ai score=89)
Antiy-AVL	Trojan/Generic.ASVirus.20D
Microsoft	Virus:Win32/Neshta.A
Gridinsoft	Virus.Win32.Neshta.oa
GData	Win32.Virus.Neshta.D
Cynet	Malicious (score: 100)
AhnLab-V3	Win32/Neshta
Acronis	suspicious
TACHYON	Virus/W32.Neshta
Malwarebytes	Neshta.Virus.FileInfector.DDS
Panda	W32/Neshta.A
Zoner	Virus.Win32.19514
TrendMicro-HouseCall	PE_NESHTA.A

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All