popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

vbc.exe

Malicious Library UPX PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us May 23, 2022, 7:40 a.m. May 23, 2022, 8:14 a.m.
Size 208.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 fe367da5cd1fe1f4c49b36ca398aca5d
SHA256 90aec48e38e07e7fbc7aa7a453ebb7ca83a0ffb3198052b551db515086cdae20
CRC32 85ECCA70
ssdeep 6144:B0YZX0+piHYAaZFGJR9lXpsWOYglFszshwu:pk+aYAGOfSWOPlFszRu
Yara
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
www.desertcleanpro.com
A 76.164.207.115
76.164.207.115
www.lamsaradio.net
A 34.102.136.180
CNAME lamsaradio.net
34.102.136.180
www.neorevolution.ltd
A 198.54.115.235
CNAME neorevolution.ltd
198.54.115.235
www.backiptv.com
A 204.11.56.48
204.11.56.48
IP Address Status Action
164.124.101.2 Active Moloch
198.54.115.235 Active Moloch
204.11.56.48 Active Moloch
34.102.136.180 Active Moloch
76.164.207.115 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49168 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 204.11.56.48:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 204.11.56.48:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 204.11.56.48:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 198.54.115.235:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 198.54.115.235:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 198.54.115.235:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.backiptv.com/f43e/?9rQl7b=24S3EpNKtPSo1+L2NnW9QyM/FVEEB96HuWxixUoloH6PyIRJddc/Kz/9yBNDsxh0ygkLBhO0&EhU4Nv=gdD0Lxbh0V
suspicious_features GET method with no useragent header suspicious_request GET http://www.neorevolution.ltd/f43e/?9rQl7b=SK4uEzjPcQwE4UJZgRiqgZrfV+PU8ZTadtSar3snkapDCl8mY0JmCaxJm8o8pqCsczLM8WXc&EhU4Nv=gdD0Lxbh0V
suspicious_features GET method with no useragent header suspicious_request GET http://www.desertcleanpro.com/f43e/?9rQl7b=4JAYsd9c494aW2aZIy0QpkxezkaG8OS+75vJESeprQJfGTYJfYiaN5kwF8bsPBjgwZ9Wy35M&EhU4Nv=gdD0Lxbh0V
suspicious_features GET method with no useragent header suspicious_request GET http://www.lamsaradio.net/f43e/?9rQl7b=kgDLBiyuuBnO2O36ADskMafCW2d4/71y72t0y+FMqtNKvm12Bpjcy1rzQh34k72SWgO54B5F&EhU4Nv=gdD0Lxbh0V
request GET http://www.backiptv.com/f43e/?9rQl7b=24S3EpNKtPSo1+L2NnW9QyM/FVEEB96HuWxixUoloH6PyIRJddc/Kz/9yBNDsxh0ygkLBhO0&EhU4Nv=gdD0Lxbh0V
request GET http://www.neorevolution.ltd/f43e/?9rQl7b=SK4uEzjPcQwE4UJZgRiqgZrfV+PU8ZTadtSar3snkapDCl8mY0JmCaxJm8o8pqCsczLM8WXc&EhU4Nv=gdD0Lxbh0V
request GET http://www.desertcleanpro.com/f43e/?9rQl7b=4JAYsd9c494aW2aZIy0QpkxezkaG8OS+75vJESeprQJfGTYJfYiaN5kwF8bsPBjgwZ9Wy35M&EhU4Nv=gdD0Lxbh0V
request GET http://www.lamsaradio.net/f43e/?9rQl7b=kgDLBiyuuBnO2O36ADskMafCW2d4/71y72t0y+FMqtNKvm12Bpjcy1rzQh34k72SWgO54B5F&EhU4Nv=gdD0Lxbh0V
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00450000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2440
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00830000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\ockaden.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2440
region_size: 192512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000d4
1 0 0
Process injection Process 2396 called NtSetContextThread to modify thread in remote process 2440
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1999372740
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000d0
process_identifier: 2440
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2400
thread_handle: 0x000001f0
process_identifier: 2396
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\ockaden.exe C:\Users\test22\AppData\Local\Temp\glukyp
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001f4
1 1 0

CreateProcessInternalW

 thread_identifier: 2444
thread_handle: 0x000000d0
process_identifier: 2440
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\ockaden.exe
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\ockaden.exe C:\Users\test22\AppData\Local\Temp\glukyp
filepath_r: C:\Users\test22\AppData\Local\Temp\ockaden.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000000d4
1 1 0

NtGetContextThread

 thread_handle: 0x000000d0
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2440
region_size: 192512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000d4
1 0 0

NtSetContextThread

 registers.eip: 1999372740
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000d0
process_identifier: 2440
1 0 0
Lionic Trojan.Multi.Generic.4!c
Elastic malicious (moderate confidence)
Cynet Malicious (score: 100)
McAfee Artemis!FE367DA5CD1F
Cylance Unsafe
Sangfor [NULLSOFT PIMP INSTALL SYSTEM2]
Alibaba Trojan:Win32/Injector.f6e73255
K7GW Trojan ( 005931ba1 )
CrowdStrike win/malicious_confidence_100% (W)
Cyren W32/Ninjector.BF.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.ERRF
APEX Malicious
Paloalto generic.ml
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.NSISX.Spy.Gen.1
MicroWorld-eScan Trojan.NSISX.Spy.Gen.1
Avast Win32:PWSX-gen [Trj]
Rising Trojan.Generic@AI.91 (RDML:lr4lABEASYfdP+jeqIVDPA)
FireEye Trojan.NSISX.Spy.Gen.1
Emsisoft Trojan.NSISX.Spy.Gen.1 (B)
SentinelOne Static AI - Suspicious PE
MAX malware (ai score=84)
Kingsoft Win32.Troj.Generic_a.a.(kcloud)
Microsoft Trojan:Win32/Formbook!MTB
GData Gen:Variant.Jaik.75091
ALYac Gen:Variant.Jaik.75091
Fortinet W32/Injector.ERQY!tr
AVG Win32:PWSX-gen [Trj]
Panda Trj/RnkBend.A