popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

vbc.exe

NSIS Generic Malware Malicious Library UPX PE File DLL PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 28, 2021, 11:05 a.m. Oct. 28, 2021, 11:14 a.m.
Size 230.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 df330ab2a2e5aa4ac947315ee3f93992
SHA256 99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f
CRC32 688F5F68
ssdeep 6144:wBlL/c2HMSZ54elOp0S4jfEpGibIsdpwBQ:Ce2HMSZWeO0S4Mh0gS6
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • NSIS_Installer - Null Soft Installer

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728d2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73795000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nsu620F.tmp\oxtrp.dll
file C:\Users\test22\AppData\Local\Temp\nsu620F.tmp\oxtrp.dll
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1160
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000230
1 0 0
Process injection Process 2972 created a remote thread in non-child process 1160
Time & API Arguments Status Return Repeated

CreateRemoteThread

 thread_identifier: 0
process_identifier: 1160
function_address: 0x001f8178
flags: 4
stack_size: 0
parameter: 0x00000000
process_handle: 0x00000230
1 568 0
Process injection Process 2972 manipulating memory of non-child process 1160
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1160
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000230
1 0 0
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Nemesis.1814
FireEye Generic.mg.df330ab2a2e5aa4a
Cylance Unsafe
Sangfor Suspicious.Win32.Save.a
Cybereason malicious.2a2e5a
Cyren W32/Injector.ANV.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.EQKC
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky UDS:Trojan.Win32.Inject.gen
BitDefender Gen:Variant.Nemesis.1814
Sophos Generic ML PUA (PUA)
McAfee-GW-Edition BehavesLike.Win32.Vopak.dc
Emsisoft Gen:Variant.Nemesis.1814 (B)
Microsoft Trojan:Script/Phonzy.C!ml
GData Zum.Androm.1
MAX malware (ai score=88)
SentinelOne Static AI - Malicious PE
Fortinet W32/Injector_AGen.AW!tr