popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

vbc.exe

Malicious Library UPX PE File DLL OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Dec. 4, 2021, 10:03 p.m. Dec. 4, 2021, 10:38 p.m.
Size 475.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 09d7555b0e3264fb7b8b8e18c9d6bd84
SHA256 558470db798ec71e380a908adaf33e8d39850165e623bdb129196b79919f4248
CRC32 8493D52E
ssdeep 12288:gPKtOSEYqT4LV8lHh1vbhSctbymTfVUA2:gqtfVahtbEctumbVj2
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
www.xn--o39a00am61aa311e3tj68d.com
www.fillthegap.site
www.hatdieuhoanglinhlinh.com
A 103.90.233.128
103.90.233.128
www.horrycountyrealtor.com
www.8wngeu.icu
A 156.234.12.236
156.234.12.236
IP Address Status Action
103.90.233.128 Active Moloch
156.234.12.236 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49164 -> 103.90.233.128:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 103.90.233.128:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 103.90.233.128:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
UDP 192.168.56.103:51958 -> 164.124.101.2:53 2026888 ET INFO DNS Query for Suspicious .icu Domain Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 156.234.12.236:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 156.234.12.236:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 156.234.12.236:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.hatdieuhoanglinhlinh.com/c1h5/?GVIp=U1bVErOKBwq0/qne9ly802VYsrPYaU3lSfk76VAFrq7s7GMJ2bTuzd8ISZ8Jn1imiGtcYMHa&uzu4=jjIDZjg0D0EpUr
suspicious_features GET method with no useragent header suspicious_request GET http://www.8wngeu.icu/c1h5/?GVIp=zDGZ3vEmxGxSOsZI9fS37WtkChyhZfEo+Gn4TKgK29zc6+ut9iheeJAGbC/eRZmilZa7E+2d&uzu4=jjIDZjg0D0EpUr
request GET http://www.hatdieuhoanglinhlinh.com/c1h5/?GVIp=U1bVErOKBwq0/qne9ly802VYsrPYaU3lSfk76VAFrq7s7GMJ2bTuzd8ISZ8Jn1imiGtcYMHa&uzu4=jjIDZjg0D0EpUr
request GET http://www.8wngeu.icu/c1h5/?GVIp=zDGZ3vEmxGxSOsZI9fS37WtkChyhZfEo+Gn4TKgK29zc6+ut9iheeJAGbC/eRZmilZa7E+2d&uzu4=jjIDZjg0D0EpUr
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2304
stack_dep_bypass: 1
stack_pivoted: 0
heap_dep_bypass: 1
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0018e000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2428
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00840000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nsf8A10.tmp\igabfsyqm.dll
file C:\Users\test22\AppData\Local\Temp\nsf8A10.tmp\igabfsyqm.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2428
region_size: 192512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000022c
1 0 0
MicroWorld-eScan Trojan.NSISX.Spy.Gen.2
FireEye Trojan.NSISX.Spy.Gen.2
Cylance Unsafe
Symantec Packed.Generic.606
ESET-NOD32 a variant of Win32/Injector.EQRN
Paloalto generic.ml
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.NSISX.Spy.Gen.2
Emsisoft Trojan.NSISX.Spy.Gen.2 (B)
APEX Malicious
MAX malware (ai score=85)
Microsoft Trojan:Win32/Sabsik.FL.B!ml
Arcabit Zum.Androm.1
GData Zum.Androm.1
Cynet Malicious (score: 100)
Malwarebytes Malware.AI.4134841244
Fortinet W32/Kryptik.EQRK!tr
Cybereason malicious.b0e326
Process injection Process 2304 called NtSetContextThread to modify thread in remote process 2428
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1999372740
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321568
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000228
process_identifier: 2428
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2432
thread_handle: 0x00000228
process_identifier: 2428
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\vbc.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000022c
1 1 0

NtGetContextThread

 thread_handle: 0x00000228
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2428
region_size: 192512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000022c
1 0 0

NtSetContextThread

 registers.eip: 1999372740
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321568
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000228
process_identifier: 2428
1 0 0