Summary | ZeroBOX

vbc.exe

Tags: Malicious Library, UPX, PE32, PE File
Category: FILE
Machine: s1_win7_x6403_us
Started: May 23, 2022, 7:40 a.m.
Completed: May 23, 2022, 8:07 a.m.
Size: 193.8KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: f6f4429e20b9926d303588a31653453a
SHA256: 9f72653c6d0d21058dcc6dd9abba18630ff76b15856c9bc163aac90fe1192f65
CRC32: CC2281F5
ssdeep: 6144:B0YA05WmkB4/6J2wFnh7xkFq2tnNbhdIsA:tvkm6RnVxGtFgH
Yara
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.103:49172 -> 103.224.182.210:80 | 2031413 | ET MALWARE FormBook CnC Checkin (POST) M2 | Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 66.96.160.152:80 | 2031413 | ET MALWARE FormBook CnC Checkin (POST) M2 | Malware Command and Control Activity Detected
TCP 192.168.56.103:49187 -> 62.149.128.45:80 | 2031413 | ET MALWARE FormBook CnC Checkin (POST) M2 | Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 66.96.162.146:80 | 2031413 | ET MALWARE FormBook CnC Checkin (POST) M2 | Malware Command and Control Activity Detected
TCP 192.168.56.103:49181 -> 210.188.240.5:80 | 2031413 | ET MALWARE FormBook CnC Checkin (POST) M2 | Malware Command and Control Activity Detected
TCP 192.168.56.103:49184 -> 173.201.181.53:80 | 2031413 | ET MALWARE FormBook CnC Checkin (POST) M2 | Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 162.0.230.89:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 162.0.230.89:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 162.0.230.89:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 172.255.36.136:80 | 2031413 | ET MALWARE FormBook CnC Checkin (POST) M2 | Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 104.21.5.119:80 | 2031413 | ET MALWARE FormBook CnC Checkin (POST) M2 | Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

(no arguments)
status: 1  return: 1  repeated: 0

section: .ndata
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2516
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d30000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00920000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

file: C:\Users\test22\AppData\Local\Temp\ejwun.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
status: 1  return: 1  repeated: 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000d4
status: 1  return: 0  repeated: 0

Process injection: Process 2516 called NtSetContextThread to modify thread in remote process 2560
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 1999372740
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321872
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000d0
process_identifier: 2560
status: 1  return: 0  repeated: 0

dead_host: 76.164.193.180:80
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2520
thread_handle: 0x000001ec
process_identifier: 2516
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\ejwun.exe C:\Users\test22\AppData\Local\Temp\zzibob
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001f0
status: 1  return: 1  repeated: 0

CreateProcessInternalW

thread_identifier: 2564
thread_handle: 0x000000d0
process_identifier: 2560
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\ejwun.exe
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\ejwun.exe C:\Users\test22\AppData\Local\Temp\zzibob
filepath_r: C:\Users\test22\AppData\Local\Temp\ejwun.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000000d4
status: 1  return: 1  repeated: 0

NtGetContextThread

thread_handle: 0x000000d0
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000d4
status: 1  return: 0  repeated: 0

NtSetContextThread

registers.eip: 1999372740
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321872
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000d0
process_identifier: 2560
status: 1  return: 0  repeated: 0

Antivirus Result

Lionic Trojan.Multi.Generic.4!c
FireEye Generic.mg.f6f4429e20b9926d
ALYac Trojan.GenericKD.49047896
Cylance Unsafe
Sangfor [NULLSOFT PIMP INSTALL SYSTEM2]
K7AntiVirus Trojan ( 005931ba1 )
Alibaba Trojan:Win32/Injector.6839dd66
K7GW Trojan ( 005931ba1 )
Cybereason malicious.be5dcb
Cyren W32/Ninjector.BF.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ERRF
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender Trojan.GenericKD.49047896
MicroWorld-eScan Trojan.GenericKD.49047896
Avast Win32:PWSX-gen [Trj]
Tencent Win32.Trojan-spy.Noon.Egee
Ad-Aware Trojan.GenericKD.49047896
Emsisoft Trojan.GenericKD.49047896 (B)
DrWeb Trojan.Siggen17.54758
McAfee-GW-Edition RDN/GenericTLSH
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Avira TR/Injector.rbzkk
MAX malware (ai score=88)
Kingsoft Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft Ransom.Win32.Wacatac.sa
Microsoft Trojan:Win32/NSISInject.ETC!MTB
GData Trojan.GenericKD.49047896
McAfee RDN/Formbook
Malwarebytes Trojan.Injector
TrendMicro-HouseCall TROJ_GEN.R002H0DEK22
Rising Trojan.Generic@AI.91 (RDML:MURvZJfGaV0nyam9p/uDaw)
Ikarus Trojan.Win32.Injector
Fortinet W32/Injector.ERQY!tr
AVG Win32:PWSX-gen [Trj]
CrowdStrike win/malicious_confidence_100% (W)