Summary | ZeroBOX

vbc.exe

Tags: Formbook, Emotet Gen1, NSIS, Generic Malware, ASPack, Antivirus, UPX, Malicious Library, Malicious Packer, Admin Tool (Sysinternals etc ...), PWS, Anti_VM, OS Processor Check, PE File, PE32, DLL
Category: FILE
Machine: s1_win7_x6403_us
Started: Nov. 1, 2021, 10:28 a.m.
Completed: Nov. 1, 2021, 10:49 a.m.
Size 275.2KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 931568b982ac42dd2edc68ff203ec101
SHA256 16f75019c7de5d79c259d4b1f1003938bd6449ce3c49b28d6320bb43dd6bd82a
CRC32 D42B2677
ssdeep 6144:Pu/vLdNnaLNu0ELLFUH50QsVMxi6KjwBsG14ugTqi77cBlL/cw2:6RNv0iZ80Qhxis14Jqi7KeL
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • NSIS_Installer - Null Soft Installer

DNS (Name / Response / Post-Analysis Lookup): no hosts contacted.
Hosts (IP Address / Status / Action): no hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
API: GlobalMemoryStatusEx (no arguments logged; returns total physical memory, a common VM/sandbox size check)
Status: 1, Return: 1, Repeated: 0
Sections: CODE, DATA, BSS (Borland/Delphi linker section names, consistent with Avira's W32/Delf.I detection below)
API: NtProtectVirtualMemory
  process_identifier: 2480
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 8192
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x73e77000
  process_handle: 0xffffffff (current-process pseudo-handle: 2480 is changing protection on pages in its own address space)
Status: 1, Return: 0, Repeated: 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe
file C:\Program Files (x86)\Mozilla Thunderbird\pingsender.exe
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\OLicenseHeartbeat.exe
file C:\Program Files (x86)\Hnc\HncUtils\HncUpdate.exe
file C:\Program Files (x86)\Microsoft Office\Office15\ACCICONS.EXE
file C:\Program Files (x86)\Mozilla Thunderbird\plugin-container.exe
file C:\Program Files (x86)\Microsoft Office\Office15\PDFREFLOW.EXE
file C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
file C:\Program Files (x86)\Microsoft Office\Office15\WORDICON.EXE
file C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe
file C:\Program Files (x86)\Google\Update\1.3.36.101\GoogleUpdate.exe
file C:\Program Files (x86)\Microsoft Office\Office15\GROOVE.EXE
file C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
file C:\Program Files (x86)\Java\jre1.8.0_131\bin\ssvagent.exe
file C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
file C:\Program Files (x86)\Google\Update\1.3.36.101\GoogleUpdateBroker.exe
file C:\Windows\svchost.com
file C:\Python27\Scripts\easy_install.exe
file C:\MSOCache\All Users\{91150000-0011-0000-0000-0000000FF1CE}-C\ose.exe
file C:\ProgramData\Oracle\Java\javapath\java.exe
file C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.102\GoogleUpdateSetup.exe
file C:\Program Files (x86)\Microsoft Office\Office15\CNFNOT32.EXE
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\MSOICONS.EXE
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\Office Setup Controller\ODeploy.exe
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\LICLUA.EXE
file C:\Program Files (x86)\Google\Update\1.3.36.101\GoogleCrashHandler64.exe
file C:\Program Files (x86)\Hnc\Common80\HimTrayIcon.exe
file C:\Program Files (x86)\Java\jre1.8.0_131\bin\unpack200.exe
file C:\Program Files (x86)\Microsoft Office\Office15\POWERPNT.EXE
file C:\Program Files (x86)\Hnc\Hwp80\HwpFinder.exe
file C:\Program Files (x86)\Hnc\HncUtils\HncInfo.exe
file C:\Program Files (x86)\EditPlus\editplus.exe
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\CSISYNCCLIENT.EXE
file C:\Program Files (x86)\Microsoft Office\Office15\DCF\DATABASECOMPARE.EXE
file C:\Python27\Lib\site-packages\pip\_vendor\distlib\t64.exe
file C:\MSOCache\All Users\{91150000-0011-0000-0000-0000000FF1CE}-C\setup.exe
file C:\Program Files (x86)\Hnc\Hwp80\HwpPrnMng.exe
file C:\Python27\Lib\site-packages\pip\_vendor\distlib\t32.exe
file C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe
file C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\FLTLDR.EXE
file C:\Program Files (x86)\Common Files\Adobe\__ARM\1.0\AdobeARM.exe
file C:\Program Files (x86)\Mozilla Thunderbird\minidump-analyzer.exe
file C:\Program Files (x86)\Google\Update\Install\{9946EF02-26CF-4F0D-BC28-8677420F30DD}\GoogleUpdateSetup.exe
file C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe
file C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
file C:\Program Files (x86)\Mozilla Thunderbird\crashreporter.exe
file C:\Program Files (x86)\Microsoft Office\Office15\OcPubMgr.exe
file C:\Program Files (x86)\Microsoft Office\Office15\misc.exe
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\Office Setup Controller\Setup.exe
file C:\tmpirrayb\bin\Procmon.exe
file C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe
file C:\Users\test22\AppData\Local\Temp\nszBA4.tmp\vskgzcgvn.dll
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe
file C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe
API: NtAllocateVirtualMemory
  process_identifier: 2544
  region_size: 110592
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x001f0000
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  process_handle: 0x00000238 (handle to process 2544, held by 2480)
Status: 1, Return: 0, Repeated: 0
reg_key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)
reg_value: C:\Windows\svchost.com "%1" %*
(The stock value is "%1" %*; prepending C:\Windows\svchost.com, the file listed in the file activity above, routes every .exe launch through it with the real program and its arguments passed along.)
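A check for this association hijack, added here as an example and not part of the ZeroBOX report: it classifies an exefile open-command value as stock or hijacked, extracts the prepended launcher, and on Windows reads the live key. The function names are assumptions of this example; the reported value is taken from the line above.

```python
r"""Check the exefile open command for a prepended launcher.

Added example, not part of the ZeroBOX report. The stock value of
HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default) is "%1" %*
(%1 = the .exe being launched, %* = its arguments). The report shows it
rewritten to C:\Windows\svchost.com "%1" %*, so every .exe launch runs
svchost.com first with the real program as its argument. Function names
are my own; read_live_exefile_command() only works on Windows.
"""
import re
import sys

STOCK_EXEFILE_COMMAND = '"%1" %*'
REPORTED_VALUE = r'C:\Windows\svchost.com "%1" %*'   # value from the report

# A launcher path (optionally quoted) followed by the stock "%1" %* tail.
_PREPENDED = re.compile(r'^\s*"?(?P<launcher>[^"]+?)"?\s+"%1"\s+%\*\s*$')


def normalize(value):
    """Collapse whitespace so cosmetic spacing does not hide or fake a change."""
    return " ".join(value.strip().split())


def exefile_command_is_hijacked(value):
    """True when the command is anything other than the stock "%1" %*."""
    return normalize(value) != STOCK_EXEFILE_COMMAND


def prepended_launcher(value):
    """Return the program inserted ahead of "%1" %*, or None when the value
    is stock or not of that shape (e.g. the tail itself was rewritten)."""
    if not exefile_command_is_hijacked(value):
        return None
    m = _PREPENDED.match(normalize(value))
    return m.group("launcher") if m else None


def read_live_exefile_command():
    """Read the live (Default) value; HKLM reads need no elevation."""
    if sys.platform != "win32":
        raise RuntimeError("registry read is only possible on Windows")
    import winreg
    return winreg.QueryValue(winreg.HKEY_LOCAL_MACHINE,
                             r"SOFTWARE\Classes\exefile\shell\open\command")


if __name__ == "__main__":
    value = read_live_exefile_command() if sys.platform == "win32" else REPORTED_VALUE
    if exefile_command_is_hijacked(value):
        print(f"HIJACKED: {value!r}; launcher: {prepended_launcher(value)!r}")
    else:
        print("exefile open command is stock")
```

Restoring the stock value only removes the persistence hook; the executables the sample touched (listed above) still need to be checked, since a file infector travels in them rather than in the registry.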
Process injection: Process 2480 created a remote thread in non-child process 2544
API: CreateRemoteThread
  thread_identifier: 0
  process_identifier: 2544
  function_address: 0x001f8178 (inside the 110592-byte PAGE_EXECUTE_READWRITE region allocated at 0x001f0000 through the same process_handle 0x00000238)
  flags: 4 (CREATE_SUSPENDED)
  stack_size: 0
  parameter: 0x00000000
  process_handle: 0x00000238
Status: 1, Return: 576 (thread handle), Repeated: 0
Process injection: Process 2480 manipulating memory of non-child process 2544
API: NtAllocateVirtualMemory
  process_identifier: 2544
  region_size: 110592
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x001f0000
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  process_handle: 0x00000238
Status: 1, Return: 0, Repeated: 0
Antivirus results (vendor, detection):
Bkav W32.HanGu.PE
Elastic malicious (high confidence)
DrWeb Win32.HLLP.Neshta
MicroWorld-eScan Win32.Nestha.C
FireEye Generic.mg.931568b982ac42dd
CAT-QuickHeal W32.Neshta.B
McAfee W32/HLLP.41472
Cylance Unsafe
Zillya Virus.Neshta.Win32.2
Sangfor Virus.Win32.Neshta.a
K7AntiVirus Virus ( 00556e571 )
K7GW Virus ( 00556e571 )
Cybereason malicious.982ac4
Arcabit Win32.Nestha.C
BitDefenderTheta AI:FileInfector.841243EC0E
Cyren W32/HLLP.EPJG-6217
Symantec W32.Neshuta
ESET-NOD32 Win32/Neshta.B
APEX Malicious
ClamAV Win.Trojan.Neshta-157
Kaspersky Virus.Win32.Neshta.b
BitDefender Win32.Nestha.C
NANO-Antivirus Virus.Win32.Neshta.fnxshx
Avast Win32:Apanas [Trj]
Tencent Virus.Win32.Neshta.a
Ad-Aware Win32.Nestha.C
Sophos ML/PE-A + W32/Neshta-D
Comodo Win32.Neshta.B@3z07
Baidu Win32.Virus.Neshta.a
VIPRE Virus.Win32.Neshta.a (v)
TrendMicro PE_NESHTA.A
McAfee-GW-Edition BehavesLike.Win32.HLLP.dc
Emsisoft Win32.Nestha.C (B)
SentinelOne Static AI - Malicious PE
Jiangmin Virus.Neshta.b
eGambit Unsafe.AI_Score_100%
Avira W32/Delf.I
Antiy-AVL Trojan/Generic.ASVirus.19F
Gridinsoft Virus.Win32.Neshta.zv!s1
Microsoft Virus:Win32/Neshta.B
ViRobot Win32.Neshta.Gen.A
GData Win32.Nestha.C
Cynet Malicious (score: 100)
AhnLab-V3 Win32/Neshta
Acronis suspicious
VBA32 Virus.Win32.Neshta.b
ALYac Win32.Nestha.C
MAX malware (ai score=89)
Malwarebytes MachineLearning/Anomalous.96%
Zoner Virus.Win32.19514