Summary | ZeroBOX

vbc.exe

AgentTesla info stealer browser Google Downloader Chrome User Data Code injection Socket Escalate privileges Create Service KeyLogger Sniff Audio AntiDebug PE File PE32 .NET EXE AntiVM
Category Machine Started Completed
FILE s1_win7_x6401 March 19, 2022, 11:39 a.m. March 19, 2022, 12:14 p.m.
Size 1.4MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 86eaf435f35e874faa7067031edbda31
SHA256 51b5925e1b6b13f15c65d944a658a8f020ab87bda9cda80634c0d1c021eaac58
CRC32 A24DBE54
ssdeep 12288:EE0qDGco/G2l28gBVnJGD921Yh6gHs+1AM44KiHMnMQlDMBDlB:P0qzBVn4U1YUcsMAMyiHMplDMZlB
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Is_DotNET_EXE - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

Name Response Post-Analysis Lookup
cato.iownyour.org 91.193.75.227
IP Address Status Action
146.70.76.43 Active Moloch
164.124.101.2 Active Moloch
91.193.75.227 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
resource name EDPENLIGHTENEDAPPINFOID
resource name EDPPERMISSIVEAPPINFOID
resource name GOOGLEUPDATEAPPLICATIONCOMMANDS
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00740000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72e31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72e32000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 1245184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00740000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00830000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00512000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007f1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007f3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0054b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00547000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00545000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007f9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007fe000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00920000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00921000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00926000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02200000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02201000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02207000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00930000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00931000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00936000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00940000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00941000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00946000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0094b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02230000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02231000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02237000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021e1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021e6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02210000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02211000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02216000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0221b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007bf000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0051a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0221c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00537000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00536000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0221d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0221e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
description vbc.exe tried to sleep 199 seconds, actually delayed analysis time by 199 seconds
section .text: size_of_data 0x000be000, virtual_address 0x00002000, virtual_size 0x000bdf44, entropy 7.1998246290932295 description A section with a high entropy has been found
entropy 0.534082923401 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Win.Trojan.agentTesla rule Win_Trojan_agentTesla_Zero
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Record Audio rule Sniff_Audio
description Run a KeyLogger rule KeyLogger
description Escalate privileges rule Escalate_priviledges
description File Downloader rule Network_Downloader
description Google Chrome User Data Check rule Chrome_User_Data_Check_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description browser info stealer rule infoStealer_browser_Zero
host 146.70.76.43
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2340
region_size: 495616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000358
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $…IýÓÁ(“€Á(“€Á(“€u´b€Ó(“€u´`€a(“€u´a€ß(“€’ Š€Ã(“€Œ Ž€À(“€_ˆT€Ã(“€úvÛ(“€úv–û(“€úv—ã(“€ÈP€Ò(“€Á(’€Ý)“€Vvšœ(“€Svl€À(“€Vv‘À(“€RichÁ(“€PELvDË`à uð0@€؆Ü0IP,8ðk8„l(l@0l.textÌ `.rdata"o0p@@.dataD= †@À.tls à”@À.gfids0ð–@@.rsrc0IJš@@.reloc,8P:ä@B
base_address: 0x00400000
process_identifier: 2340
process_handle: 0x00000358
1 1 0

WriteProcessMemory

buffer: €ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ “    ¤tE¨wE¢tE..€¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F„¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶Fˆ¡Fÿÿÿÿ¨wE¨¢F¨¢F¨¢F¨¢F¨¢Fˆ¡F(zE¨{EŠEè¡F€§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ€ ¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ€§Fþÿÿÿþÿÿÿu˜0Ï!­tåša¾Œe¸‘¢z»Œ^ž âȨ3œ$6E.?AVtype_info@@$6E.?AVbad_alloc@std@@$6E.?AVbad_array_new_length@std@@$6E.?AVlogic_error@std@@$6E.?AVlength_error@std@@$6E.?AVout_of_range@std@@$6E.?AV_Facet_base@std@@$6E.?AV_Locimp@locale@std@@$6E.?AVfacet@locale@std@@$6E.?AU_Crt_new_delete@std@@$6E.?AVcodecvt_base@std@@$6E.?AUctype_base@std@@$6E.?AV?$ctype@D@std@@$6E.?AV?$codecvt@DDU_Mbstatet@@@std@@$6E.?AVbad_exception@std@@$6E.H$6E.?AVfailure@ios_base@std@@$6E.?AVruntime_error@std@@$6E.?AVsystem_error@std@@$6E.?AVbad_cast@std@@$6E.?AV_System_error@std@@$6E.?AVexception@std@@
base_address: 0x0046a000
process_identifier: 2340
process_handle: 0x00000358
1 1 0

WriteProcessMemory

buffer: €
base_address: 0x0046e000
process_identifier: 2340
process_handle: 0x00000358
1 1 0

WriteProcessMemory

buffer: ZÀ?Àd?´ÄÎÄd?Åd?‰^d?:aˆ!2!§ { ÅŽi}i…Ý-Ýd?d?ÌÖÄ¢Ä~Ux0t<â,á,á] Íb¥cU'˼…¦ˆóŽC‘׌î®*Æ,ú b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` Ÿž†…¢†…§µ¶³´±²¯°†…¸ Ÿ†… Y
base_address: 0x0046f000
process_identifier: 2340
process_handle: 0x00000358
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2340
process_handle: 0x00000358
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $…IýÓÁ(“€Á(“€Á(“€u´b€Ó(“€u´`€a(“€u´a€ß(“€’ Š€Ã(“€Œ Ž€À(“€_ˆT€Ã(“€úvÛ(“€úv–û(“€úv—ã(“€ÈP€Ò(“€Á(’€Ý)“€Vvšœ(“€Svl€À(“€Vv‘À(“€RichÁ(“€PELvDË`à uð0@€؆Ü0IP,8ðk8„l(l@0l.textÌ `.rdata"o0p@@.dataD= †@À.tls à”@À.gfids0ð–@@.rsrc0IJš@@.reloc,8P:ä@B
base_address: 0x00400000
process_identifier: 2340
process_handle: 0x00000358
1 1 0
Process injection Process 2776 called NtSetContextThread to modify thread in remote process 2340
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4386933
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000354
process_identifier: 2340
1 0 0
Process injection Process 2776 resumed a thread in remote process 2340
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000354
suspend_count: 1
process_identifier: 2340
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 2776
1 0 0

NtResumeThread

thread_handle: 0x00000158
suspend_count: 1
process_identifier: 2776
1 0 0

NtResumeThread

thread_handle: 0x00000194
suspend_count: 1
process_identifier: 2776
1 0 0

NtResumeThread

thread_handle: 0x00000218
suspend_count: 1
process_identifier: 2776
1 0 0

NtResumeThread

thread_handle: 0x0000022c
suspend_count: 1
process_identifier: 2776
1 0 0

CreateProcessInternalW

thread_identifier: 2384
thread_handle: 0x00000354
process_identifier: 2340
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\vbc.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000358
1 1 0

NtGetContextThread

thread_handle: 0x00000354
1 0 0

NtAllocateVirtualMemory

process_identifier: 2340
region_size: 495616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000358
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $…IýÓÁ(“€Á(“€Á(“€u´b€Ó(“€u´`€a(“€u´a€ß(“€’ Š€Ã(“€Œ Ž€À(“€_ˆT€Ã(“€úvÛ(“€úv–û(“€úv—ã(“€ÈP€Ò(“€Á(’€Ý)“€Vvšœ(“€Svl€À(“€Vv‘À(“€RichÁ(“€PELvDË`à uð0@€؆Ü0IP,8ðk8„l(l@0l.textÌ `.rdata"o0p@@.dataD= †@À.tls à”@À.gfids0ð–@@.rsrc0IJš@@.reloc,8P:ä@B
base_address: 0x00400000
process_identifier: 2340
process_handle: 0x00000358
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 2340
process_handle: 0x00000358
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00453000
process_identifier: 2340
process_handle: 0x00000358
1 1 0

WriteProcessMemory

buffer: €ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ “    ¤tE¨wE¢tE..€¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F„¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶Fˆ¡Fÿÿÿÿ¨wE¨¢F¨¢F¨¢F¨¢F¨¢Fˆ¡F(zE¨{EŠEè¡F€§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ€ ¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ€§Fþÿÿÿþÿÿÿu˜0Ï!­tåša¾Œe¸‘¢z»Œ^ž âȨ3œ$6E.?AVtype_info@@$6E.?AVbad_alloc@std@@$6E.?AVbad_array_new_length@std@@$6E.?AVlogic_error@std@@$6E.?AVlength_error@std@@$6E.?AVout_of_range@std@@$6E.?AV_Facet_base@std@@$6E.?AV_Locimp@locale@std@@$6E.?AVfacet@locale@std@@$6E.?AU_Crt_new_delete@std@@$6E.?AVcodecvt_base@std@@$6E.?AUctype_base@std@@$6E.?AV?$ctype@D@std@@$6E.?AV?$codecvt@DDU_Mbstatet@@@std@@$6E.?AVbad_exception@std@@$6E.H$6E.?AVfailure@ios_base@std@@$6E.?AVruntime_error@std@@$6E.?AVsystem_error@std@@$6E.?AVbad_cast@std@@$6E.?AV_System_error@std@@$6E.?AVexception@std@@
base_address: 0x0046a000
process_identifier: 2340
process_handle: 0x00000358
1 1 0

WriteProcessMemory

buffer: €
base_address: 0x0046e000
process_identifier: 2340
process_handle: 0x00000358
1 1 0

WriteProcessMemory

buffer: ZÀ?Àd?´ÄÎÄd?Åd?‰^d?:aˆ!2!§ { ÅŽi}i…Ý-Ýd?d?ÌÖÄ¢Ä~Ux0t<â,á,á] Íb¥cU'˼…¦ˆóŽC‘׌î®*Æ,ú b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` Ÿž†…¢†…§µ¶³´±²¯°†…¸ Ÿ†… Y
base_address: 0x0046f000
process_identifier: 2340
process_handle: 0x00000358
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00470000
process_identifier: 2340
process_handle: 0x00000358
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00475000
process_identifier: 2340
process_handle: 0x00000358
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2340
process_handle: 0x00000358
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4386933
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000354
process_identifier: 2340
1 0 0

NtResumeThread

thread_handle: 0x00000354
suspend_count: 1
process_identifier: 2340
1 0 0
Lionic Trojan.Win32.Strictor.4!c
MicroWorld-eScan Gen:Variant.Strictor.266168
FireEye Generic.mg.86eaf435f35e874f
ALYac Gen:Variant.Strictor.266168
Cylance Unsafe
Sangfor Trojan.MSIL.AgentTesla.NMM
K7AntiVirus Trojan ( 00581a8a1 )
Alibaba Trojan:MSIL/AgentTesla.6419b876
K7GW Trojan ( 00581a8a1 )
Cybereason malicious.5f35e8
Arcabit Trojan.Strictor.D40FB8
Elastic malicious (high confidence)
ESET-NOD32 a variant of MSIL/Injector.VRN
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Backdoor.MSIL.Remcos.gen
BitDefender Gen:Variant.Strictor.266168
Avast Win32:PWSX-gen [Trj]
Tencent Win32.Trojan.Strictor.Edeg
Ad-Aware Gen:Variant.Strictor.266168
Emsisoft Gen:Variant.Strictor.266168 (B)
TrendMicro TROJ_GEN.R002C0DCG22
McAfee-GW-Edition GenericRXRU-WN!86EAF435F35E
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.Krypt
Avira TR/Injector.krpkb
Antiy-AVL Trojan/Generic.ASMalwS.3544B12
Gridinsoft Trojan.Win32.Downloader.sa
Microsoft Trojan:MSIL/AgentTesla.NMM!MTB
GData Gen:Variant.Strictor.266168
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.WN.C5013001
McAfee GenericRXRU-WN!86EAF435F35E
MAX malware (ai score=88)
Malwarebytes Backdoor.Remcos
TrendMicro-HouseCall TROJ_GEN.R002C0DCG22
Rising Trojan.Generic/MSIL@AI.100 (RDM.MSIL:gp/wiqgpUiALNcuppbQgmw)
Yandex Trojan.Injector!agr5zYiqdvI
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/Injector.VRI!tr
BitDefenderTheta AI:Packer.50EE25B120
AVG Win32:PWSX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_100% (W)
dead_host 192.168.56.101:49181
dead_host 192.168.56.101:49180
dead_host 192.168.56.101:49171
dead_host 192.168.56.101:49178
dead_host 192.168.56.101:49167
dead_host 192.168.56.101:49169
dead_host 192.168.56.101:49179
dead_host 192.168.56.101:49168
dead_host 91.193.75.227:6609
dead_host 192.168.56.101:49175
dead_host 192.168.56.101:49177
dead_host 192.168.56.101:49176
dead_host 192.168.56.101:49173
dead_host 192.168.56.101:49172
dead_host 192.168.56.101:49182