popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

vbc.exe

NSIS Malicious Library UPX PE File DLL OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 29, 2021, 6:19 p.m. Oct. 29, 2021, 6:28 p.m.
Size 341.9KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 ca3406debaf00a3dda67a24153c4b2a8
SHA256 fd09789949b53a44f9f8d85655b64174379bdc05096bf649cc20bd0758cd0a06
CRC32 67587BAD
ssdeep 6144:wBlL/cT4K2M04dRwAdGcdqPgvbIrD/eKGSnkjeKPe2tDM3VOZOaSKC3KkWK:CeT69swHcpvbMGLfzx59OowKkWK
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • NSIS_Installer - Null Soft Installer

Name Response Post-Analysis Lookup
ControllerFinallineballinglove33.webredirect.org
A 79.134.225.9
79.134.225.9
IP Address Status Action
164.124.101.2 Active Moloch
79.134.225.9 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49203 -> 79.134.225.9:7719 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49203
79.134.225.9:7719 		CN=AsyncRAT CN=AsyncRAT fd:3a:76:f4:19:1c:47:8f:7d:e0:14:91:b4:31:4f:bd:98:b2:e8:ce

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728d2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73797000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nsi6163.tmp\rqupbyd.dll
file C:\Users\test22\AppData\Local\Temp\nsi6163.tmp\rqupbyd.dll
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2852
region_size: 307200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000023c
1 0 0
Process injection Process 2088 manipulating memory of non-child process 2852
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2852
region_size: 307200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000023c
1 0 0
Process injection Process 2088 called NtSetContextThread to modify thread in remote process 2852
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4200587
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000238
process_identifier: 2852
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2228
thread_handle: 0x00000238
process_identifier: 2852
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\vbc.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000023c
1 1 0

NtGetContextThread

 thread_handle: 0x00000238
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2852
region_size: 307200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000023c
1 0 0

NtSetContextThread

 registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4200587
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000238
process_identifier: 2852
1 0 0
Elastic malicious (high confidence)
DrWeb Trojan.Packed2.43584
MicroWorld-eScan Trojan.NSISX.Spy.Gen.2
FireEye Generic.mg.ca3406debaf00a3d
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
K7GW Trojan ( 005899611 )
CrowdStrike win/malicious_confidence_100% (W)
Cyren W32/Injector.AOJ.gen!Eldorado
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Win32/Injector.EQKK
APEX Malicious
Paloalto generic.ml
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.NSISX.Spy.Gen.2
Avast FileRepMalware
Tencent Win32.Trojan.Zapchast.Syho
Emsisoft Trojan.NSISX.Spy.Gen.2 (B)
McAfee-GW-Edition BehavesLike.Win32.Vopak.fc
Sophos Mal/Generic-S
Ikarus Trojan.NSIS.Agent
Microsoft Backdoor:MSIL/AsyncRAT.GG!MTB
GData Zum.Androm.1
Cynet Malicious (score: 100)
McAfee Artemis!CA3406DEBAF0
MAX malware (ai score=85)
Malwarebytes Trojan.Injector
TrendMicro-HouseCall TROJ_GEN.R002H0DJS21
SentinelOne Static AI - Malicious PE
Fortinet W32/Injector.EQKA!tr
AVG FileRepMalware
Cybereason malicious.ebaf00