Summary | ZeroBOX

vbc.exe

Malicious Library UPX PE32 PE File
Category FILE
Machine s1_win7_x6402
Started Aug. 17, 2021, 9:53 a.m.
Completed Aug. 17, 2021, 10 a.m.
Size 827.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 2e11cb22fcff3e1fbf803fea30380e75
SHA256 fe1291793c9992efdb89799f37f0cf50cb9ef51f3a10d97d20431a2e4fadae70
CRC32 8F5F790A
ssdeep 12288:WhxUck0fyI/Xv94r0umLKC+pvbIAsrxPz+o8wccO:WhGdkF4r0uvnDIFpP6
Yara
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)

IP Address Status Action
162.159.129.233 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49165 -> 162.159.129.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49166 -> 162.159.129.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow TLSv1 192.168.56.102:49165 -> 162.159.129.233:443
Issuer C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2
Subject C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
Fingerprint a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da

Flow TLSv1 192.168.56.102:49166 -> 162.159.129.233:443
Issuer None
Subject None
Fingerprint None

section CODE
section DATA
section BSS
packer BobSoft Mini Delphi -> BoB / BobSoft
resource name RXXA
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0x5541d2
0x554260
DriverCallback+0x4e waveOutOpen-0xa2e winmm+0x3af0 @ 0x74cb3af0
timeEndPeriod+0x54a timeKillEvent-0x57 winmm+0xa535 @ 0x74cba535
timeEndPeriod+0x449 timeKillEvent-0x158 winmm+0xa434 @ 0x74cba434
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 8b 40 50 50 6a 00 e8 c4 2d ff ff a3 94 68 55 00
exception.instruction: mov eax, dword ptr [eax + 0x50]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x553751
registers.esp: 61537808
registers.edi: 5597352
registers.eax: 1104169518
registers.ebp: 61537860
registers.edx: 0
registers.ebx: 5738312
registers.esi: 5597348
registers.ecx: 0
Status 1 Return 0 Repeated 0
request GET https://cdn.discordapp.com/attachments/872498603363536989/876731431555059753/Zmlkqojaxmhcbtpljtjnfjssfmlwqrp
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00500000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f22000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0
section .rsrc (size_of_data 0x0003a800, virtual_address 0x0009a000, virtual_size 0x0003a7f8, entropy 7.3227813066554805) entropy 7.32278130666 description A section with a high entropy has been found
entropy 0.283292978208 description Overall entropy of this PE file is high
process vbc.exe useragent zipo
process vbc.exe useragent aswe
Bkav W32.AIDetect.malware2
Lionic Trojan.Win32.Remcos.m!c
Elastic malicious (high confidence)
DrWeb Trojan.PWS.Banker1.36771
MicroWorld-eScan Trojan.GenericKD.46808468
FireEye Generic.mg.2e11cb22fcff3e1f
Sangfor Backdoor.Win32.Remcos.gen
Cybereason malicious.3e9d80
Arcabit Trojan.Generic.D2CA3D94
BitDefenderTheta Gen:NN.ZelphiF.34088.ZGX@aqrmlhfi
Cyren W32/Delf.EZVQ-4415
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.EPYM
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Backdoor.Win32.Remcos.gen
BitDefender Trojan.GenericKD.46808468
Avast Win32:RATX-gen [Trj]
Tencent Win32.Backdoor.Remcos.Hroz
Ad-Aware Trojan.GenericKD.46808468
Sophos Mal/Generic-S
F-Secure Trojan.TR/Injector.whmsn
McAfee-GW-Edition BehavesLike.Win32.Fareit.cc
Emsisoft Trojan.GenericKD.46808468 (B)
SentinelOne Static AI - Malicious PE
eGambit Unsafe.AI_Score_100%
Avira TR/Injector.whmsn
MAX malware (ai score=83)
Gridinsoft Trojan.Win32.Downloader.oa
Microsoft Trojan:Win32/Fareit!ml
ZoneAlarm HEUR:Backdoor.Win32.Remcos.gen
GData Win32.Trojan.Agent.WL4XDQ
Cynet Malicious (score: 100)
McAfee GenericRXAA-AA!2E11CB22FCFF
VBA32 TrojanDownloader.Agent
Malwarebytes Trojan.MalPack.DLF
TrendMicro-HouseCall TROJ_GEN.R06CH07HG21
Rising Trojan.Generic@ML.95 (RDML:GAkzn9YQV6JqBROYqbS6Qg)
Ikarus Win32.Outbreak
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Remcos!tr.bdr
Webroot W32.Backdoor.Remcos
AVG Win32:RATX-gen [Trj]
CrowdStrike win/malicious_confidence_60% (W)
Qihoo-360 Win32/Backdoor.Remcos.HwUBTlsA