popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

vbc.exe

UPX Socket DNS AntiDebug PE File PE32 .NET EXE AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us March 16, 2023, 10:27 a.m. March 16, 2023, 10:40 a.m.
Size 778.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 493798b24ab2433b6d96c2d82ade8ab8
SHA256 8b9dd904f48f9fe976d2c008e3db6de405ef45d55f3ac28fd7843cfb6d006c38
CRC32 A543C824
ssdeep 24576:rsMSz4oqtmGoAHP6gVXzfwSd79iHyqLN/mRyc:ligVjL79iSqLNeR
Yara
  • UPX_Zero - UPX packed file
  • Is_DotNET_EXE - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
185.246.220.60 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49168 -> 185.246.220.60:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.103:49165 -> 185.246.220.60:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.103:49168 -> 185.246.220.60:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 185.246.220.60:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 185.246.220.60:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.246.220.60:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 185.246.220.60:80 2024313 ET MALWARE LokiBot Request for C2 Commands Detected M1 Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 185.246.220.60:80 2024318 ET MALWARE LokiBot Request for C2 Commands Detected M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 185.246.220.60:80 2024312 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 A Network Trojan was detected
TCP 192.168.56.103:49165 -> 185.246.220.60:80 2024317 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.246.220.60:80 2024313 ET MALWARE LokiBot Request for C2 Commands Detected M1 Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 185.246.220.60:80 2024318 ET MALWARE LokiBot Request for C2 Commands Detected M2 Malware Command and Control Activity Detected
TCP 185.246.220.60:80 -> 192.168.56.103:49168 2025483 ET MALWARE LokiBot Fake 404 Response A Network Trojan was detected
TCP 185.246.220.60:80 -> 192.168.56.103:49169 2025483 ET MALWARE LokiBot Fake 404 Response A Network Trojan was detected
TCP 192.168.56.103:49167 -> 185.246.220.60:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.103:49167 -> 185.246.220.60:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 185.246.220.60:80 2024312 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 A Network Trojan was detected
TCP 192.168.56.103:49167 -> 185.246.220.60:80 2024317 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 A Network Trojan was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features POST method with no referer header, HTTP version 1.0 used, Connection to IP address suspicious_request POST http://185.246.220.60/chang/five/fre.php
request POST http://185.246.220.60/chang/five/fre.php
request POST http://185.246.220.60/chang/five/fre.php
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00370000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00370000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1156
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1156
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f32000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00680000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00740000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00492000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004c5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004cb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00730000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0049a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004b7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004b6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00731000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00734000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00735000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00736000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0488f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04880000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00737000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004ad000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004ae000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00738000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00739000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0073f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04fc0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04fc1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04fc2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04fc3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04fc9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1156
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04fca000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

 number_of_free_clusters: 2425874
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 2425874
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Login Data
file C:\Users\test22\AppData\Local\Chromium\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Login Data
file C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Time & API Arguments Status Return Repeated

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\AppData\Roaming\41D896\6D6F4D.exe
flags: 1
oldfilepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe
newfilepath: C:\Users\test22\AppData\Roaming\41D896\6D6F4D.exe
oldfilepath: C:\Users\test22\AppData\Local\Temp\vbc.exe
1 1 0
section {u'size_of_data': u'0x000bda00', u'virtual_address': u'0x00002000', u'entropy': 7.629667200934377, u'name': u'.text', u'virtual_size': u'0x000bd8d8'} entropy 7.62966720093 description A section with a high entropy has been found
section {u'size_of_data': u'0x00004a00', u'virtual_address': u'0x000c0000', u'entropy': 7.618398899097996, u'name': u'.rsrc', u'virtual_size': u'0x00004914'} entropy 7.6183988991 description A section with a high entropy has been found
entropy 0.999356913183 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
url http://www.ibsensoftware.com/
description Communications over RAW Socket rule Network_TCP_Socket
description Communications use DNS rule Network_DNS
description PWS Memory rule Generic_PWS_Memory_Zero
description Win32 PWS Loki rule Win32_PWS_Loki_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
host 185.246.220.60
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2628
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002b8
1 0 0
file C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\test22\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file C:\Users\test22\AppData\Roaming\wcx_ftp.ini
file C:\Windows\wcx_ftp.ini
file C:\Users\test22\wcx_ftp.ini
file C:\Windows\32BitFtp.ini
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Program Files (x86)\FileZilla\Filezilla.xml
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
file C:\Users\test22\AppData\Roaming\FileZilla\filezilla.xml
registry HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry HKEY_CURRENT_USER\Software\Martin Prikryl
registry HKEY_LOCAL_MACHINE\Software\Martin Prikryl
file C:\Users\test22\AppData\Roaming\.purple\accounts.xml
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
base_address: 0x00400000
process_identifier: 2628
process_handle: 0x000002b8
1 1 0

WriteProcessMemory

 buffer: ™TÍ<¨‡K¢`ˆˆÝ;U
base_address: 0x0041a000
process_identifier: 2628
process_handle: 0x000002b8
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2628
process_handle: 0x000002b8
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
base_address: 0x00400000
process_identifier: 2628
process_handle: 0x000002b8
1 1 0
file C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\78.4.0 (ko)\Main
registry HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email
Process injection Process 1156 called NtSetContextThread to modify thread in remote process 2628
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002c0
process_identifier: 2628
1 0 0
Process injection Process 1156 resumed a thread in remote process 2628
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000002c0
suspend_count: 1
process_identifier: 2628
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 1156
1 0 0

NtResumeThread

 thread_handle: 0x00000154
suspend_count: 1
process_identifier: 1156
1 0 0

NtResumeThread

 thread_handle: 0x00000194
suspend_count: 1
process_identifier: 1156
1 0 0

NtResumeThread

 thread_handle: 0x00000244
suspend_count: 1
process_identifier: 1156
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtResumeThread

 thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 1156
1 0 0

CreateProcessInternalW

 thread_identifier: 2632
thread_handle: 0x000002c0
process_identifier: 2628
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000002b8
1 1 0

NtGetContextThread

 thread_handle: 0x000002c0
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2628
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002b8
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
base_address: 0x00400000
process_identifier: 2628
process_handle: 0x000002b8
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 2628
process_handle: 0x000002b8
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00415000
process_identifier: 2628
process_handle: 0x000002b8
1 1 0

WriteProcessMemory

 buffer: ™TÍ<¨‡K¢`ˆˆÝ;U
base_address: 0x0041a000
process_identifier: 2628
process_handle: 0x000002b8
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x004a0000
process_identifier: 2628
process_handle: 0x000002b8
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2628
process_handle: 0x000002b8
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002c0
process_identifier: 2628
1 0 0

NtResumeThread

 thread_handle: 0x000002c0
suspend_count: 1
process_identifier: 2628
1 0 0

NtResumeThread

 thread_handle: 0x00000110
suspend_count: 1
process_identifier: 2628
1 0 0
Bkav W32.AIDetectNet.01
tehtris Generic.Malware
MicroWorld-eScan Gen:Variant.Lazy.312565
Malwarebytes Trojan.MalPack.PNG.Generic
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Lazy.D4C4F5
Cyren W32/MSIL_Kryptik.JBC.gen!Eldorado
Symantec MSIL.Packed.31
Elastic malicious (high confidence)
ESET-NOD32 a variant of MSIL/Kryptik.AIIJ
Cynet Malicious (score: 100)
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-PSW.MSIL.Stealer.gen
BitDefender Gen:Variant.Lazy.312565
Avast Win32:PWSX-gen [Trj]
Sophos Troj/Krypt-VV
DrWeb Trojan.PackedNET.738
McAfee-GW-Edition BehavesLike.Win32.Generic.bc
Trapmine suspicious.low.ml.score
FireEye Generic.mg.493798b24ab2433b
Emsisoft Gen:Variant.Lazy.312565 (B)
Ikarus Trojan.MSIL.Inject
Microsoft Trojan:Win32/Sabsik.FL.B!ml
GData Gen:Variant.Lazy.312565
Google Detected
AhnLab-V3 Trojan/Win.PWSX-gen.C5394848
McAfee AgentTesla-FDAV!493798B24AB2
MAX malware (ai score=84)
Rising Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:lKhTbE/R6/jwEU96F7ritw)
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/Kryptik.AIIN!tr
AVG Win32:PWSX-gen [Trj]
Panda Trj/GdSda.A