popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

vbc.exe

Malicious Library UPX PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us May 25, 2022, 9:39 a.m. May 25, 2022, 9:42 a.m.
Size 254.6KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 4a29481bcff7afa8eba55c66ea729833
SHA256 b4e446102081c3dda96a91145270f8a13ce318b708bea3921bc286e4c6fcc2a2
CRC32 58558D33
ssdeep 6144:B0Y04LVRyZXRYRW66VAkjLSAXqlZQ0XfuEL7uve:EgRyZhJvVrkg0Xm4N
Yara
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49165 -> 216.58.220.147:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 216.58.220.147:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 216.58.220.147:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 34.102.136.180:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 34.102.136.180:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 31.187.72.243:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 31.187.72.243:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 31.187.72.243:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 51.79.17.60:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 51.79.17.60:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 51.79.17.60:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 209.17.116.163:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.nobodylikesbrettmoist.com/pvgu/?LL0=nvz2XLJKHrVEvwOOvqMo23cnB7GA3CSZgzM7NGrnKp2ptYqPI5p79IP3SkhePjy4TC8rMuEe&APcPAD=dhItCFUXjf9x
suspicious_features GET method with no useragent header suspicious_request GET http://www.nefitegroup.com/pvgu/?LL0=k+QTDRHdnEtUsHLGQg6Iw1al4pyCYwcayg85U4DqAbua8ytHfL/skunEScp6nz+x3Wk9MXim&APcPAD=dhItCFUXjf9x
suspicious_features GET method with no useragent header suspicious_request GET http://www.greks33.com/pvgu/?LL0=ACUuPc1zMBKrdYIrvbcsob0MIhlsilEmDfnJzxGy9WftQ1gsfW8KLuvYNpwg7uiSXw2KvQ9G&APcPAD=dhItCFUXjf9x
suspicious_features GET method with no useragent header suspicious_request GET http://www.bigboyd.xyz/pvgu/?LL0=tP0Q3eoZ8OB0n/ihtNtVt/i+uXyKbed/w9CnT/COaGWr+INWB84o8XFICAu+hOQ8GaOP7mYw&APcPAD=dhItCFUXjf9x&24PD=i4MDkZJ8
suspicious_features GET method with no useragent header suspicious_request GET http://www.macralace.online/pvgu/?LL0=/TZCjQ47umXByn9Km9kdV8rm5zZ9DN+jmfPnLSP70xRBJX7BCcRCEsQ/uYWqAXXlHiTQYyrd&APcPAD=dhItCFUXjf9x&JEx-=RdoHsb2X
request GET http://www.nobodylikesbrettmoist.com/pvgu/?LL0=nvz2XLJKHrVEvwOOvqMo23cnB7GA3CSZgzM7NGrnKp2ptYqPI5p79IP3SkhePjy4TC8rMuEe&APcPAD=dhItCFUXjf9x
request GET http://www.nefitegroup.com/pvgu/?LL0=k+QTDRHdnEtUsHLGQg6Iw1al4pyCYwcayg85U4DqAbua8ytHfL/skunEScp6nz+x3Wk9MXim&APcPAD=dhItCFUXjf9x
request GET http://www.greks33.com/pvgu/?LL0=ACUuPc1zMBKrdYIrvbcsob0MIhlsilEmDfnJzxGy9WftQ1gsfW8KLuvYNpwg7uiSXw2KvQ9G&APcPAD=dhItCFUXjf9x
request POST http://www.bigboyd.xyz/pvgu/
request GET http://www.bigboyd.xyz/pvgu/?LL0=tP0Q3eoZ8OB0n/ihtNtVt/i+uXyKbed/w9CnT/COaGWr+INWB84o8XFICAu+hOQ8GaOP7mYw&APcPAD=dhItCFUXjf9x&24PD=i4MDkZJ8
request POST http://www.macralace.online/pvgu/
request GET http://www.macralace.online/pvgu/?LL0=/TZCjQ47umXByn9Km9kdV8rm5zZ9DN+jmfPnLSP70xRBJX7BCcRCEsQ/uYWqAXXlHiTQYyrd&APcPAD=dhItCFUXjf9x&JEx-=RdoHsb2X
request POST http://www.45069.email/pvgu/
request POST http://www.bigboyd.xyz/pvgu/
request POST http://www.macralace.online/pvgu/
request POST http://www.45069.email/pvgu/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2436
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2480
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00940000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\xhmmdm.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2480
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000108
1 0 0
Process injection Process 2436 called NtSetContextThread to modify thread in remote process 2480
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1999372740
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321984
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000104
process_identifier: 2480
1 0 0
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.NSISX.Spy.Gen.1
ALYac Trojan.NSISX.Spy.Gen.1
Sangfor [NULLSOFT PIMP INSTALL SYSTEM2]
BitDefender Trojan.NSISX.Spy.Gen.1
Cybereason malicious.9e2cd4
Cyren W32/Injector.AXL.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.ERRO
APEX Malicious
Paloalto generic.ml
Kaspersky UDS:DangerousObject.Multi.Generic
Rising Trojan.Generic@AI.88 (RDML:GBYTzDuXDDEpk6PIO3Outw)
FireEye Trojan.NSISX.Spy.Gen.1
Emsisoft Trojan.NSISX.Spy.Gen.1 (B)
SentinelOne Static AI - Suspicious PE
GData Trojan.NSISX.Spy.Gen.1
MAX malware (ai score=82)
Arcabit Trojan.NSISX.Spy.Gen.1
Microsoft Trojan:Win32/Formbook!MTB
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.NSISInject.R493993
Fortinet W32/Injector.ERQA!tr
BitDefenderTheta Gen:NN.ZexaF.34682.imW@a4!dHDd
AVG Win32:InjectorX-gen [Trj]
Avast Win32:InjectorX-gen [Trj]
CrowdStrike win/malicious_confidence_90% (W)
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2440
thread_handle: 0x000001ec
process_identifier: 2436
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\xhmmdm.exe C:\Users\test22\AppData\Local\Temp\ifrkstg
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001f0
1 1 0

CreateProcessInternalW

 thread_identifier: 2484
thread_handle: 0x00000104
process_identifier: 2480
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\xhmmdm.exe
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\xhmmdm.exe C:\Users\test22\AppData\Local\Temp\ifrkstg
filepath_r: C:\Users\test22\AppData\Local\Temp\xhmmdm.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000108
1 1 0

NtGetContextThread

 thread_handle: 0x00000104
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2480
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000108
1 0 0

NtSetContextThread

 registers.eip: 1999372740
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321984
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000104
process_identifier: 2480
1 0 0