popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

vbc.exe

Malicious Library UPX PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us May 20, 2022, 10:33 a.m. May 20, 2022, 10:51 a.m.
Size 231.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 e2af2968f48cda473f9d64b989c4e2da
SHA256 fac38a1ed4a0089d5143f4a2b3a0b967cddbff6ab94614d9e9113505c359643b
CRC32 565AF1C0
ssdeep 6144:ZYa6VlHTiZ3x2tl/fRQYBDdj5ll6IqNPCyTBjOt:ZYDlSqlXRrBZF6IgPdTBjOt
Yara
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49167 -> 104.21.30.184:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 173.201.181.53:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 104.21.30.184:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 104.21.30.184:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 162.0.230.89:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 162.0.230.89:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 162.0.230.89:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 172.67.133.98:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 139.162.7.23:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 139.162.7.23:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 139.162.7.23:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.mitrachocloud.com/ud5f/?NXeTz=dvPOeeOMFyRe5DlDhcEIH/wWv29SUESn2RfxJ6FzLkAlPBveMi7awguc7ngn9aDQsIqt875z&UlSp=GVgT1hYhBj_tmD
suspicious_features GET method with no useragent header suspicious_request GET http://www.trinityhomesolutionsok.com/ud5f/?NXeTz=d4rw7sxjDzEtx0cWy9KhsrAKz6NcO/dyweSsDbp+XQjURwGxqf7SQIXUSnVgZkPR6XcgGAI2&UlSp=GVgT1hYhBj_tmD
suspicious_features GET method with no useragent header suspicious_request GET http://www.topings33.com/ud5f/?NXeTz=P+kGyZmw/z1ZAcm1xeipQpdUp3lv0Y7Tq/O4l4d0IAxx4Y1WARDjicwyInmPULGK5Gjn0H9W&UlSp=GVgT1hYhBj_tmD
suspicious_features GET method with no useragent header suspicious_request GET http://www.bupabii.site/ud5f/?NXeTz=ALfx5VHPAmLJvR2PmDqxYgHynhZL+44fq/2dYcj3tIi9cyGy7ldYS7x5wMMPmf8J2NKK6TeT&UlSp=GVgT1hYhBj_tmD&TYIw=2deHz4Lp
suspicious_features GET method with no useragent header suspicious_request GET http://www.beam-birds.com/ud5f/?NXeTz=ncbEUbCk5kXcAL9fRpg+ceSXdryDB81gU2FCCsNIW8XHrZFrTQ1tXPDPVckwIBJ0r5CrHMmR&UlSp=GVgT1hYhBj_tmD&Ab0L=OVODAhqH
request GET http://www.mitrachocloud.com/ud5f/?NXeTz=dvPOeeOMFyRe5DlDhcEIH/wWv29SUESn2RfxJ6FzLkAlPBveMi7awguc7ngn9aDQsIqt875z&UlSp=GVgT1hYhBj_tmD
request GET http://www.trinityhomesolutionsok.com/ud5f/?NXeTz=d4rw7sxjDzEtx0cWy9KhsrAKz6NcO/dyweSsDbp+XQjURwGxqf7SQIXUSnVgZkPR6XcgGAI2&UlSp=GVgT1hYhBj_tmD
request GET http://www.topings33.com/ud5f/?NXeTz=P+kGyZmw/z1ZAcm1xeipQpdUp3lv0Y7Tq/O4l4d0IAxx4Y1WARDjicwyInmPULGK5Gjn0H9W&UlSp=GVgT1hYhBj_tmD
request POST http://www.bupabii.site/ud5f/
request GET http://www.bupabii.site/ud5f/?NXeTz=ALfx5VHPAmLJvR2PmDqxYgHynhZL+44fq/2dYcj3tIi9cyGy7ldYS7x5wMMPmf8J2NKK6TeT&UlSp=GVgT1hYhBj_tmD&TYIw=2deHz4Lp
request POST http://www.beam-birds.com/ud5f/
request GET http://www.beam-birds.com/ud5f/?NXeTz=ncbEUbCk5kXcAL9fRpg+ceSXdryDB81gU2FCCsNIW8XHrZFrTQ1tXPDPVckwIBJ0r5CrHMmR&UlSp=GVgT1hYhBj_tmD&Ab0L=OVODAhqH
request POST http://www.bupabii.site/ud5f/
request POST http://www.beam-birds.com/ud5f/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2400
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01cb0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\rzopgh.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000f8
1 0 0
Process injection Process 2400 called NtSetContextThread to modify thread in remote process 2472
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1999372740
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321872
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000f4
process_identifier: 2472
1 0 0
dead_host 49.0.246.21:80
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2404
thread_handle: 0x000001f8
process_identifier: 2400
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\rzopgh.exe C:\Users\test22\AppData\Local\Temp\ujuuvnnqw
filepath_r:
stack_pivoted: 0
creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE)
inherit_handles: 0
process_handle: 0x000001f0
1 1 0

CreateProcessInternalW

 thread_identifier: 2476
thread_handle: 0x000000f4
process_identifier: 2472
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\rzopgh.exe
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\rzopgh.exe C:\Users\test22\AppData\Local\Temp\ujuuvnnqw
filepath_r: C:\Users\test22\AppData\Local\Temp\rzopgh.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000000f8
1 1 0

NtGetContextThread

 thread_handle: 0x000000f4
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2472
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000f8
1 0 0

NtSetContextThread

 registers.eip: 1999372740
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321872
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000f4
process_identifier: 2472
1 0 0
Lionic Trojan.Multi.Generic.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.NSISX.Spy.Gen.1
FireEye Generic.mg.e2af2968f48cda47
ALYac Trojan.GenericKD.50299726
Cylance Unsafe
Sangfor [NULLSOFT PIMP INSTALL SYSTEM2]
K7AntiVirus Trojan ( 00592e741 )
BitDefender Trojan.NSISX.Spy.Gen.1
K7GW Trojan ( 00592e741 )
Cybereason malicious.d61778
Cyren W32/Trojan.QQUK-5462
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.ERQK
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan-Spy.Win32.Noon.gen
Alibaba Trojan:Win32/Injector.40783d77
Rising Trojan.Injector!8.C4 (CLOUD)
Sophos Mal/Generic-S
DrWeb Trojan.Siggen17.52482
McAfee-GW-Edition BehavesLike.Win32.ICLoader.dc
Emsisoft Trojan.NSISX.Spy.Gen.1 (B)
Ikarus Trojan-Spy.Agent
Avira TR/AD.Swotter.ucgwi
Gridinsoft Ransom.Win32.Sabsik.sa
ViRobot Trojan.Win32.Z.Injector.236534
GData Trojan.GenericKD.50299726
AhnLab-V3 Trojan/Win.NSISInject.R492809
McAfee RDN/Generic PWS.y
MAX malware (ai score=87)
Malwarebytes Trojan.Injector
SentinelOne Static AI - Malicious PE
Fortinet W32/Injector.ERQA!tr
CrowdStrike win/malicious_confidence_100% (W)