Summary | ZeroBOX

vbc.exe

NSIS Malicious Library UPX PE File DLL PE32
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 25, 2021, 1:25 p.m. Oct. 25, 2021, 1:27 p.m.
Size 245.4KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 db0086d6c41fea58417b589f20de1b52
SHA256 ed5e8ff7e2e5e830e2265ab6d76a5889a656444e157237426c0504a21a517471
CRC32 F5627020
ssdeep 6144:wBlL/c3OeNyv4fEHPol4kfzyvM0Sh9vIc9m5SeTicN4o:CedJfwZvpShq0Pcuo
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • NSIS_Installer - Null Soft Installer

IP Address Status Action
164.124.101.2 Active Moloch
172.67.205.83 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:61479 -> 8.8.8.8:53 2025106 ET INFO DNS Query for Suspicious .ml Domain Potentially Bad Traffic
TCP 192.168.56.101:49205 -> 172.67.205.83:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.101:49205 -> 172.67.205.83:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 172.67.205.83:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.101:49205 -> 172.67.205.83:80 2025102 ET INFO HTTP POST Request to Suspicious *.ml Domain Potentially Bad Traffic
TCP 192.168.56.101:49206 -> 172.67.205.83:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 172.67.205.83:80 2032988 ET INFO HTTP Request to a *.ml domain Potentially Bad Traffic
TCP 192.168.56.101:49202 -> 172.67.205.83:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.101:49206 -> 172.67.205.83:80 2025102 ET INFO HTTP POST Request to Suspicious *.ml Domain Potentially Bad Traffic
TCP 192.168.56.101:49202 -> 172.67.205.83:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 172.67.205.83:80 2032988 ET INFO HTTP Request to a *.ml domain Potentially Bad Traffic
TCP 192.168.56.101:49202 -> 172.67.205.83:80 2025102 ET INFO HTTP POST Request to Suspicious *.ml Domain Potentially Bad Traffic
TCP 192.168.56.101:49202 -> 172.67.205.83:80 2032988 ET INFO HTTP Request to a *.ml domain Potentially Bad Traffic
TCP 192.168.56.101:49206 -> 172.67.205.83:80 2024313 ET MALWARE LokiBot Request for C2 Commands Detected M1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 172.67.205.83:80 2024312 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 A Network Trojan was detected
TCP 192.168.56.101:49202 -> 172.67.205.83:80 2024312 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 A Network Trojan was detected
TCP 192.168.56.101:49206 -> 172.67.205.83:80 2024318 ET MALWARE LokiBot Request for C2 Commands Detected M2 Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 172.67.205.83:80 2024317 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 A Network Trojan was detected
TCP 192.168.56.101:49202 -> 172.67.205.83:80 2024317 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 A Network Trojan was detected
TCP 172.67.205.83:80 -> 192.168.56.101:49206 2025483 ET MALWARE LokiBot Fake 404 Response A Network Trojan was detected
TCP 192.168.56.101:49209 -> 172.67.205.83:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.101:49209 -> 172.67.205.83:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 172.67.205.83:80 2025102 ET INFO HTTP POST Request to Suspicious *.ml Domain Potentially Bad Traffic
TCP 192.168.56.101:49209 -> 172.67.205.83:80 2032988 ET INFO HTTP Request to a *.ml domain Potentially Bad Traffic
TCP 192.168.56.101:49209 -> 172.67.205.83:80 2024313 ET MALWARE LokiBot Request for C2 Commands Detected M1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 172.67.205.83:80 2024318 ET MALWARE LokiBot Request for C2 Commands Detected M2 Malware Command and Control Activity Detected
TCP 172.67.205.83:80 -> 192.168.56.101:49209 2025483 ET MALWARE LokiBot Fake 404 Response A Network Trojan was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .ndata
suspicious_features POST method with no referer header, HTTP version 1.0 used suspicious_request POST http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php
request POST http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php
request POST http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728d2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10008000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Login Data
file C:\Users\test22\AppData\Local\Chromium\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Login Data
file C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
file C:\Users\test22\AppData\Local\Temp\nsz6480.tmp\sogqjgayoly.dll
file C:\Users\test22\AppData\Local\Temp\nsz6480.tmp\sogqjgayoly.dll
Time & API Arguments Status Return Repeated

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\AppData\Roaming\41D896\6D6F4D.exe
flags: 1
oldfilepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe
newfilepath: C:\Users\test22\AppData\Roaming\41D896\6D6F4D.exe
oldfilepath: C:\Users\test22\AppData\Local\Temp\vbc.exe
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1160
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000228
1 0 0
file C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\test22\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file C:\Users\test22\AppData\Roaming\wcx_ftp.ini
file C:\Windows\wcx_ftp.ini
file C:\Users\test22\wcx_ftp.ini
file C:\Windows\32BitFtp.ini
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Program Files (x86)\FileZilla\Filezilla.xml
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
file C:\Users\test22\AppData\Roaming\FileZilla\filezilla.xml
registry HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry HKEY_CURRENT_USER\Software\Martin Prikryl
registry HKEY_LOCAL_MACHINE\Software\Martin Prikryl
file C:\Users\test22\AppData\Roaming\.purple\accounts.xml
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Process injection Process 1896 called NtSetContextThread to modify thread in remote process 1160
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000224
process_identifier: 1160
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2076
thread_handle: 0x00000224
process_identifier: 1160
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\vbc.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000228
1 1 0

NtGetContextThread

thread_handle: 0x00000224
1 0 0

NtAllocateVirtualMemory

process_identifier: 1160
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000228
1 0 0

NtSetContextThread

registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000224
process_identifier: 1160
1 0 0

NtResumeThread

thread_handle: 0x00000110
suspend_count: 1
process_identifier: 1160
1 0 0
Lionic Trojan.Win32.Androm.m!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.37837911
CAT-QuickHeal Backdoor.Androm
ALYac Backdoor.Androm.gen
Cylance Unsafe
Sangfor Backdoor.Win32.Androm.gen
K7AntiVirus Trojan ( 005893791 )
Alibaba Backdoor:Win32/Androm.11f819e3
K7GW Trojan ( 005893791 )
Cybereason malicious.6c41fe
Arcabit Trojan.Generic.D2415C57
BitDefenderTheta Gen:NN.ZedlaF.34236.cq4@aeSaJ0ki
Cyren W32/Injector.ANT.gen!Eldorado
Symantec Trojan Horse
ESET-NOD32 a variant of Win32/Injector.EQIS
TrendMicro-HouseCall TROJ_FRS.VSNW15J21
Paloalto generic.ml
Kaspersky HEUR:Backdoor.Win32.Androm.gen
BitDefender Trojan.GenericKD.37837911
Avast Win32:PWSX-gen [Trj]
Ad-Aware Trojan.GenericKD.37837911
Emsisoft Trojan.GenericKD.37837911 (B)
Comodo Malware@#2jwi13zjd1d8q
DrWeb Trojan.Siggen15.29051
McAfee-GW-Edition BehavesLike.Win32.Vopak.dc
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.db0086d6c41fea58
Sophos Mal/Generic-S + Troj/Fareit-LYC
APEX Malicious
Avira TR/Injector.knbks
Kingsoft Win32.Hack.Undef.(kcloud)
Gridinsoft Trojan.Win32.Downloader.sa
Microsoft Trojan:Win32/Injector!MSR
ZoneAlarm HEUR:Backdoor.Win32.Androm.gen
GData Trojan.GenericKD.37837911
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.C4714162
McAfee RDN/Generic PWS.y
MAX malware (ai score=100)
VBA32 Backdoor.Androm
Malwarebytes Trojan.Injector
Yandex Trojan.Injector!mhGj0IiXs2U
Ikarus Trojan.Win32.Injector
Fortinet W32/Injector_AGen.AW!tr
Webroot W32.Malware.Gen
AVG Win32:PWSX-gen [Trj]