popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

vbc.exe

Malicious Packer Malicious Library UPX PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 March 16, 2023, 9:50 a.m. March 16, 2023, 9:52 a.m.
Size 562.9KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 78bfa5db909ad9e080b957dd9acd4f6b
SHA256 35c61b3a8d73aaaa5bbd428586d0423ed99d4f63efd84cb2adedb6207666929c
CRC32 F2C86D3C
ssdeep 12288:zYjp2x2Aa5lX8oKRmPR9Vr/wpEZtsNJR2FHXWPvr0nnJId:zYjsx2Aa5lXbKRmPvugjHwvr0nw
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
vcv.mastercoa.co
A 192.30.89.27
192.30.89.27
IP Address Status Action
164.124.101.2 Active Moloch
192.30.89.27 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732a2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00582000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2672
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00590000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
description ilexnnxlng.exe tried to sleep 354 seconds, actually delayed analysis time by 354 seconds
file C:\Users\test22\AppData\Local\Temp\ilexnnxlng.exe
file C:\Users\test22\AppData\Local\Temp\ilexnnxlng.exe
file C:\Users\test22\AppData\Local\Temp\ilexnnxlng.exe
Time & API Arguments Status Return Repeated

SetWindowsHookExA

 thread_identifier: 0
callback_function: 0x004098a7
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00400000
1 328137 0
Process injection Process 2672 called NtSetContextThread to modify thread in remote process 2716
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 3276144
registers.edi: 0
registers.eax: 4402771
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000f0
process_identifier: 2716
1 0 0
dead_host 192.30.89.27:8489
Bkav W32.AIDetectNet.01
Lionic Trojan.Win32.Agent.tshg
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Babar.172047
FireEye Generic.mg.78bfa5db909ad9e0
ALYac Gen:Variant.Babar.172047
VIPRE Gen:Variant.Babar.172047
Sangfor Trojan.Win32.Agent.Vhs5
CrowdStrike win/malicious_confidence_100% (D)
BitDefender Gen:Variant.Babar.172047
BitDefenderTheta Gen:NN.ZexaCO.36344.dqW@aKYnNud
Cyren W32/Injector.SZDO-0098
Symantec Trojan.Gen.2
ESET-NOD32 Win32/Rescoms.S
Cynet Malicious (score: 100)
APEX Malicious
Paloalto generic.ml
Kaspersky UDS:Backdoor.Win32.Remcos.gen
Rising Trojan.Generic@AI.87 (RDML:BlpMf0/pa79IWI8d/dofCA)
DrWeb Trojan.Loader.1342
McAfee-GW-Edition BehavesLike.Win32.Generic.hc
Emsisoft Gen:Variant.Babar.172047 (B)
Ikarus Trojan-Spy.FormBook
Webroot W32.Injector.Gen
MAX malware (ai score=84)
Microsoft Trojan:Win32/Wacatac.B!ml
Arcabit Trojan.Babar.D2A00F
ZoneAlarm UDS:Backdoor.Win32.Remcos.gen
GData Gen:Variant.Babar.172047
Google Detected
McAfee Artemis!78BFA5DB909A
Cylance unsafe
Panda Trj/Chgt.AD
SentinelOne Static AI - Suspicious PE
Fortinet W32/Injector.ESTE!tr
AVG Win32:InjectorX-gen [Trj]
Avast Win32:InjectorX-gen [Trj]