Summary | ZeroBOX

vbc.exe

Malicious Library, UPX, OS Processor Check, PE32, PE File
Category:  FILE
Machine:   s1_win7_x6401
Started:   Aug. 18, 2021, 11:19 a.m.
Completed: Aug. 18, 2021, 11:41 a.m.
Size:      450.8KB
Type:      PE32 executable (console) Intel 80386, for MS Windows
MD5:       e52bb3fd16b1b414bfef8462c4091b3b
SHA256:    33bfe1bb962c7e2fb6653cad9a0826c87931d2faa8c1d05f8d2ff4a7dfa339ce
CRC32:     24EBD3FB
ssdeep:    6144:EdzkwTata6GOw94Jl/e5I7wjmzCcOeHt6OOwAHT+pATwyElL5DbyGowb1U3V8r61:WPT0m4G5I7wjmn6KHp8wVLBy3US18xSL
PDB Path:  C:\wxpqw\udydgq\jvpx\7817c7225f414072962fb8b86b2bceb7\ewuezd\xsrrfsxy\Release\xsrrfsxy.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)

Name / Response / Post-Analysis Lookup
No hosts contacted.

IP Address     Status   Action
164.124.101.2  Active   Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

pdb_path C:\wxpqw\udydgq\jvpx\7817c7225f414072962fb8b86b2bceb7\ewuezd\xsrrfsxy\Release\xsrrfsxy.pdb
section .00cfg
section .voltbl
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2972
stack_dep_bypass: 1
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0049e000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2972
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00300000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2972
region_size: 221184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00520000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2428
process_handle: 0x00000098
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2428
process_handle: 0x00000098
1 0 0
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Razy.909235
McAfee Artemis!E52BB3FD16B1
Cylance Unsafe
Cyren W32/Stealer.J.gen!Eldorado
ESET-NOD32 a variant of Win32/Kryptik.HMCV
Kaspersky HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender Gen:Variant.Razy.909235
Avast FileRepMetagen [Malware]
Rising Trojan.Kryptik!1.D84E (CLASSIC)
Ad-Aware Gen:Variant.Razy.909235
Sophos Mal/Generic-S
DrWeb Trojan.DownLoader41.14593
McAfee-GW-Edition BehavesLike.Win32.Dropper.gc
FireEye Generic.mg.e52bb3fd16b1b414
Emsisoft Gen:Variant.Razy.909235 (B)
Kingsoft Win32.Troj.Undef.(kcloud)
GData Gen:Variant.Razy.909235
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win.Generic.C4594815
BitDefenderTheta Gen:NN.ZexaF.34088.CCZ@am@wUAni
MAX malware (ai score=80)
VBA32 BScope.Trojan-Dropper.Injector
AVG FileRepMetagen [Malware]
Qihoo-360 HEUR/QVM20.1.549F.Malware.Gen