Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 21, 2021, 6:22 p.m.	Oct. 21, 2021, 6:26 p.m.

Size	245.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`d4a99da8dad738056893d74202045a0a`
SHA256	`96d98cb124bae466e84cad1325dc8fbcbefb44c83efb67231c886a4f0cf6bbaf`
CRC32	`E029DE79`
ssdeep	`6144:wBlL/cdaM2wjhuXQCOkWOogkgX3sXfa1fzHPyFt8q92:CeLcXQCpf0gMofzvI8q2`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file NSIS_Installer - Null Soft Installer

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
1336
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  2620

Name	Response	Post-Analysis Lookup
74f26d34ffff049368a6cff8812f86ee.ml	A 172.67.205.83 A 104.21.22.146	104.21.22.146

IP Address	Status	Action
172.67.188.154	Active	Moloch
164.124.101.2	Active	Moloch
172.67.205.83	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:63128 -> 164.124.101.2:53	2025106	ET INFO DNS Query for Suspicious .ml Domain	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 172.67.205.83:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 172.67.205.83:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 172.67.205.83:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.103:49173 -> 172.67.205.83:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 172.67.205.83:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 172.67.205.83:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 172.67.205.83:80	2025102	ET INFO HTTP POST Request to Suspicious *.ml Domain	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 172.67.205.83:80	2025102	ET INFO HTTP POST Request to Suspicious *.ml Domain	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 172.67.205.83:80	2025102	ET INFO HTTP POST Request to Suspicious *.ml Domain	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 172.67.205.83:80	2032988	ET INFO HTTP Request to a *.ml domain	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 172.67.205.83:80	2032988	ET INFO HTTP Request to a *.ml domain	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 172.67.205.83:80	2032988	ET INFO HTTP Request to a *.ml domain	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 172.67.205.83:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 172.67.205.83:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected
TCP 192.168.56.103:49173 -> 172.67.205.83:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 172.67.205.83:80	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 172.67.205.83:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 172.67.205.83:80 -> 192.168.56.103:49173	2025483	ET MALWARE LokiBot Fake 404 Response	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 172.67.205.83:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected
TCP 192.168.56.103:49174 -> 172.67.205.83:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.103:49174 -> 172.67.205.83:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 172.67.205.83:80	2025102	ET INFO HTTP POST Request to Suspicious *.ml Domain	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 172.67.205.83:80	2032988	ET INFO HTTP Request to a *.ml domain	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 172.67.205.83:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 172.67.205.83:80	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	Malware Command and Control Activity Detected
TCP 172.67.205.83:80 -> 192.168.56.103:49174	2025483	ET MALWARE LokiBot Fake 404 Response	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameA Oct. 21, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 21, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 21, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 21, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 21, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 21, 2021, 6:22 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, HTTP version 1.0 used

suspicious_request

POST http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php

Performs some HTTP requests (1 event)

request

POST http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php

Sends data using the HTTP POST Method (1 event)

request

POST http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 21, 2021, 6:22 p.m.	process_identifier: 1336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW Oct. 21, 2021, 6:22 p.m.	number_of_free_clusters: 2499557 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW Oct. 21, 2021, 6:22 p.m.	number_of_free_clusters: 2499557 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Steals private information from local Internet browsers (19 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsiC21.tmp\brkecgut.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsiC21.tmp\brkecgut.dll

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW Oct. 21, 2021, 6:22 p.m.	newfilepath_r: C:\Users\test22\AppData\Roaming\41D896\6D6F4D.exe flags: 1 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe newfilepath: C:\Users\test22\AppData\Roaming\41D896\6D6F4D.exe oldfilepath: C:\Users\test22\AppData\Local\Temp\vbc.exe	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 21, 2021, 6:22 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

172.67.188.154

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 21, 2021, 6:22 p.m.	process_identifier: 2620 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000208	1	0	0

Harvests credentials from local FTP client softwares (22 events)

file	C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\test22\AppData\Roaming\wcx_ftp.ini
file	C:\Windows\wcx_ftp.ini
file	C:\Users\test22\wcx_ftp.ini
file	C:\Windows\32BitFtp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Program Files (x86)\FileZilla\Filezilla.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\filezilla.xml
registry	HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry	HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry	HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry	HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry	HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_CURRENT_USER\Software\Martin Prikryl
registry	HKEY_LOCAL_MACHINE\Software\Martin Prikryl

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\78.4.0 (ko)\Main
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1336 called NtSetContextThread to modify thread in remote process 2620
NtSetContextThread Oct. 21, 2021, 6:22 p.m.	registers.eip: 2002059716 registers.esp: 1638384 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000204 process_identifier: 2620	1	0	0

Putty Files, Registry Keys and/or Mutexes Detected

Executed a process and injected code into it, probably while unpacking (5 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 21, 2021, 6:22 p.m.	thread_identifier: 200 thread_handle: 0x00000204 process_identifier: 2620 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\vbc.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000208	1	1
NtGetContextThread Oct. 21, 2021, 6:22 p.m.	thread_handle: 0x00000204	1	0
NtAllocateVirtualMemory Oct. 21, 2021, 6:22 p.m.	process_identifier: 2620 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000208	1	0
NtSetContextThread Oct. 21, 2021, 6:22 p.m.	registers.eip: 2002059716 registers.esp: 1638384 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000204 process_identifier: 2620	1	0
NtResumeThread Oct. 21, 2021, 6:22 p.m.	thread_handle: 0x00000110 suspend_count: 1 process_identifier: 2620	1	0

File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)

Lionic	Trojan.Win32.Malicious.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
McAfee	RDN/Generic PWS.y
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
Arcabit	Trojan.NSISX.Spy.Gen.2
Cyren	W32/Injector.ANR.gen!Eldorado
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/Injector.EQIX
APEX	Malicious
Avast	FileRepMetagen [Malware]
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.NSISX.Spy.Gen.2
MicroWorld-eScan	Trojan.NSISX.Spy.Gen.2
Emsisoft	Trojan.NSISX.Spy.Gen.2 (B)
F-Secure	Heuristic.HEUR/AGEN.1101565
McAfee-GW-Edition	BehavesLike.Win32.Vopak.dc
FireEye	Generic.mg.d4a99da8dad73805
Sophos	Mal/Generic-S
Webroot	W32.Malware.Gen
Avira	HEUR/AGEN.1101565
Microsoft	Trojan:Win32/Pwsteal.Q!bit
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Zum.Androm.1
MAX	malware (ai score=94)
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Injector.EQGK!tr
AVG	FileRepMetagen [Malware]
Cybereason	malicious.8dad73
Paloalto	generic.ml

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All