popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

vbc.exe

NSIS UPX Malicious Library PE File DLL PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 14, 2021, 3:17 p.m. Oct. 14, 2021, 3:21 p.m.
Size 247.4KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 31ce7d8522a4ee3ba72ed934e7ffd70b
SHA256 c04a6522c272316586333bdd0e1c78427b3dd04976d77e45d937fe763bea101f
CRC32 F904BC59
ssdeep 6144:wBlL/cImhOSmCgu1lf7zDQ5kwNJ7wdsVZrXe9ajPjIRNz+U5OO:CeIcQA5UbrXeYsRcU5x
Yara
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • NSIS_Installer - Null Soft Installer

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49204 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 23.227.38.74:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 23.227.38.74:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 23.227.38.74:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49223 -> 89.31.143.1:80 2221045 SURICATA HTTP Unexpected Request body Generic Protocol Command Decode
TCP 192.168.56.101:49221 -> 184.164.70.9:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49221 -> 184.164.70.9:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49221 -> 184.164.70.9:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 208.91.197.91:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 208.91.197.91:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 208.91.197.91:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 35.214.244.56:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 35.214.244.56:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 35.214.244.56:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 185.53.179.94:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 185.53.179.94:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 185.53.179.94:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 154.208.173.49:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 154.208.173.49:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 154.208.173.49:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 118.27.122.218:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 118.27.122.218:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 118.27.122.218:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.redherring.agency/hr8n/?MZg8=Msb0E+nHxXTk+kRHU817jyd7jk0ZtYL78GCylVtt06iZTpAscdQZhKi5jYPsypr0fRcRxBIc&uTxXo=ojOPdxR8gB
suspicious_features GET method with no useragent header suspicious_request GET http://www.libbybruce.space/hr8n/?MZg8=tvOOJymLPTo+u55ddd5JgP/eYwawdK1IFhff86iTT/s0UFVHuQ3vbuf5ifvAKeBftP33/qgK&uTxXo=ojOPdxR8gB
suspicious_features GET method with no useragent header suspicious_request GET http://www.bercatv.com/hr8n/?MZg8=/yRRgDSwLMsWxKA4f5KuELmjy/mqUWJqcFQmTFbv5od3MFYL2Xoy8Nze6PPGHjgxg3JBbnV1&uTxXo=ojOPdxR8gB
suspicious_features GET method with no useragent header suspicious_request GET http://www.suvsangebotguenstigdeorg.com/hr8n/?MZg8=0uz0Q17Sfx93I9QMDgfv2FcHKGK5h9rfNO4V9s+zrmjnR/7GYJXF1g44bJEkuz64Y6KiX6Qm&uTxXo=ojOPdxR8gB
suspicious_features GET method with no useragent header suspicious_request GET http://www.chatelab.network/hr8n/?MZg8=3oN9XgLBJtDXNs2zngQn2dVK6Uxi1QAVFf1LLML5AQ9srmgBfwUts4HpZdFn/GyEF4+HDuxo&uTxXo=ojOPdxR8gB
suspicious_features GET method with no useragent header suspicious_request GET http://www.pochi-owarai.com/hr8n/?MZg8=wgLDzEI7JM5HW3UGruAf3rNm8/j8NE+Zr86Wwng2vxqt30foW8WvIulUjY9BDwGT0AcSiOsT&uTxXo=ojOPdxR8gB
suspicious_features GET method with no useragent header suspicious_request GET http://www.mudatstudio.com/hr8n/?MZg8=gUaQ/+3s/kFGf10Bdd8lj7WBkIz9GsQxMveD/qPqZzJE0ReW2q5Df9vdRW11VznkrH2iE1ue&uTxXo=ojOPdxR8gB
suspicious_features GET method with no useragent header suspicious_request GET http://www.secure01bchslogin.com/hr8n/?MZg8=/xCQRyoVMWVnh23tRG8vfAMo2MFBA+pRIDM06yAvE/Fg6D1CIShQVBVEbqNYVVAHcuTqles7&uTxXo=ojOPdxR8gB
suspicious_features GET method with no useragent header suspicious_request GET http://www.baumer-instruments.com/hr8n/?MZg8=q42LDbLer29Q12jt65bKw12quuQGKu9GNRKcDfylwoI+Av0krotLDNZCIm4LxOiWVzWcVna9&uTxXo=ojOPdxR8gB
suspicious_features GET method with no useragent header suspicious_request GET http://www.apnagas.com/hr8n/?MZg8=pMGdtUWSDrqidj5eJ3dEayK/o6OFfDVrqiV5PnaA2tMYsbhRHtR8TpoDkey3LlwoIKw9ab9x&uTxXo=ojOPdxR8gB
request POST http://www.redherring.agency/hr8n/
request GET http://www.redherring.agency/hr8n/?MZg8=Msb0E+nHxXTk+kRHU817jyd7jk0ZtYL78GCylVtt06iZTpAscdQZhKi5jYPsypr0fRcRxBIc&uTxXo=ojOPdxR8gB
request POST http://www.libbybruce.space/hr8n/
request GET http://www.libbybruce.space/hr8n/?MZg8=tvOOJymLPTo+u55ddd5JgP/eYwawdK1IFhff86iTT/s0UFVHuQ3vbuf5ifvAKeBftP33/qgK&uTxXo=ojOPdxR8gB
request POST http://www.bercatv.com/hr8n/
request GET http://www.bercatv.com/hr8n/?MZg8=/yRRgDSwLMsWxKA4f5KuELmjy/mqUWJqcFQmTFbv5od3MFYL2Xoy8Nze6PPGHjgxg3JBbnV1&uTxXo=ojOPdxR8gB
request POST http://www.suvsangebotguenstigdeorg.com/hr8n/
request GET http://www.suvsangebotguenstigdeorg.com/hr8n/?MZg8=0uz0Q17Sfx93I9QMDgfv2FcHKGK5h9rfNO4V9s+zrmjnR/7GYJXF1g44bJEkuz64Y6KiX6Qm&uTxXo=ojOPdxR8gB
request POST http://www.chatelab.network/hr8n/
request GET http://www.chatelab.network/hr8n/?MZg8=3oN9XgLBJtDXNs2zngQn2dVK6Uxi1QAVFf1LLML5AQ9srmgBfwUts4HpZdFn/GyEF4+HDuxo&uTxXo=ojOPdxR8gB
request POST http://www.pochi-owarai.com/hr8n/
request GET http://www.pochi-owarai.com/hr8n/?MZg8=wgLDzEI7JM5HW3UGruAf3rNm8/j8NE+Zr86Wwng2vxqt30foW8WvIulUjY9BDwGT0AcSiOsT&uTxXo=ojOPdxR8gB
request POST http://www.saamcoheir.quest/hr8n/
request POST http://www.mudatstudio.com/hr8n/
request GET http://www.mudatstudio.com/hr8n/?MZg8=gUaQ/+3s/kFGf10Bdd8lj7WBkIz9GsQxMveD/qPqZzJE0ReW2q5Df9vdRW11VznkrH2iE1ue&uTxXo=ojOPdxR8gB
request POST http://www.secure01bchslogin.com/hr8n/
request GET http://www.secure01bchslogin.com/hr8n/?MZg8=/xCQRyoVMWVnh23tRG8vfAMo2MFBA+pRIDM06yAvE/Fg6D1CIShQVBVEbqNYVVAHcuTqles7&uTxXo=ojOPdxR8gB
request POST http://www.baumer-instruments.com/hr8n/
request GET http://www.baumer-instruments.com/hr8n/?MZg8=q42LDbLer29Q12jt65bKw12quuQGKu9GNRKcDfylwoI+Av0krotLDNZCIm4LxOiWVzWcVna9&uTxXo=ojOPdxR8gB
request POST http://www.apnagas.com/hr8n/
request GET http://www.apnagas.com/hr8n/?MZg8=pMGdtUWSDrqidj5eJ3dEayK/o6OFfDVrqiV5PnaA2tMYsbhRHtR8TpoDkey3LlwoIKw9ab9x&uTxXo=ojOPdxR8gB
request POST http://www.redherring.agency/hr8n/
request POST http://www.libbybruce.space/hr8n/
request POST http://www.bercatv.com/hr8n/
request POST http://www.suvsangebotguenstigdeorg.com/hr8n/
request POST http://www.chatelab.network/hr8n/
request POST http://www.pochi-owarai.com/hr8n/
request POST http://www.saamcoheir.quest/hr8n/
request POST http://www.mudatstudio.com/hr8n/
request POST http://www.secure01bchslogin.com/hr8n/
request POST http://www.baumer-instruments.com/hr8n/
request POST http://www.apnagas.com/hr8n/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728d2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2228
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00850000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nsw649F.tmp\olzh.dll
file C:\Users\test22\AppData\Local\Temp\nsw649F.tmp\olzh.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2228
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000204
1 0 0
Process injection Process 2388 called NtSetContextThread to modify thread in remote process 2228
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4314240
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000200
process_identifier: 2228
1 0 0
dead_host 192.168.56.101:49209
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2240
thread_handle: 0x00000200
process_identifier: 2228
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\vbc.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000204
1 1 0

NtGetContextThread

 thread_handle: 0x00000200
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2228
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000204
1 0 0

NtSetContextThread

 registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4314240
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000200
process_identifier: 2228
1 0 0
Elastic malicious (high confidence)
DrWeb Trojan.Packed2.43499
MicroWorld-eScan Trojan.GenericKD.37781474
FireEye Generic.mg.31ce7d8522a4ee3b
Cylance Unsafe
Sangfor Spyware.Win32.Noon.gen
Alibaba TrojanSpy:Win32/Injector.7632d343
K7GW Riskware ( 00584baa1 )
Cyren W32/Injector.ANC.gen!Eldorado
ESET-NOD32 a variant of Win32/Injector.EQHK
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender Trojan.GenericKD.37781474
Avast FileRepMalware
Ad-Aware Trojan.GenericKD.37781474
Sophos Mal/Generic-S
McAfee-GW-Edition BehavesLike.Win32.ICLoader.dc
Emsisoft Trojan.GenericKD.37781474 (B)
SentinelOne Static AI - Malicious PE
GData Trojan.GenericKD.37781474
Avira TR/AD.Swotter.dcjlo
MAX malware (ai score=100)
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/Formbook.AT!MTB
Cynet Malicious (score: 100)
McAfee RDN/Generic
Malwarebytes Trojan.Injector.DL
TrendMicro-HouseCall TROJ_GEN.R002H0DJD21
Ikarus Trojan.NSIS.Agent
Fortinet W32/Injector.ANC!tr
Webroot W32.Malware.Gen
AVG FileRepMalware
Panda Trj/CI.A