popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

vbc.exe

Formbook Malicious Library UPX PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us April 20, 2023, 5:31 p.m. April 20, 2023, 5:35 p.m.
Size 285.9KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 6242a5f710c22a75e71aa48b4e195e6d
SHA256 64a9ebea1d08d0cf23193822e9a2ec86eaab22981c88492e685a76744c23c934
CRC32 35F8C86B
ssdeep 6144:/Ya6xkl/8vjwMEguFPlGc6PiLTUsGyGBkF6sLRmJmsONEZ+Swc:/YjZ7uFNGc6a8hnkFVLRmAdY+Swc
Yara
  • UPX_Zero - UPX packed file
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49183 -> 45.56.79.23:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 78.141.192.145:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 213.145.228.111:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49180 -> 192.187.111.222:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49186 -> 199.192.30.147:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 161.97.163.8:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 91.195.240.94:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 91.195.240.94:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 94.176.104.86:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 91.195.240.94:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 94.176.104.86:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 94.176.104.86:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 45.56.79.23:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 45.56.79.23:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 45.56.79.23:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49189 -> 85.187.128.34:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 78.141.192.145:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 78.141.192.145:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 78.141.192.145:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 213.145.228.111:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 213.145.228.111:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 213.145.228.111:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 161.97.163.8:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 161.97.163.8:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 161.97.163.8:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49191 -> 85.187.128.34:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49191 -> 85.187.128.34:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49191 -> 85.187.128.34:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49188 -> 199.192.30.147:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49188 -> 199.192.30.147:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49188 -> 199.192.30.147:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49188 -> 199.192.30.147:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.103:49182 -> 192.187.111.222:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 192.187.111.222:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 192.187.111.222:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.white-hat.uk/u2kb/?Ul=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&Zort=BWokrMw18vT
suspicious_features GET method with no useragent header suspicious_request GET http://www.gritslab.com/u2kb/?Ul=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&Zort=BWokrMw18vT
suspicious_features GET method with no useragent header suspicious_request GET http://www.bitservicesltd.com/u2kb/?Ul=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&Zort=BWokrMw18vT
suspicious_features GET method with no useragent header suspicious_request GET http://www.222ambking.org/u2kb/?Ul=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&Zort=BWokrMw18vT
suspicious_features GET method with no useragent header suspicious_request GET http://www.energyservicestation.com/u2kb/?Ul=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&Zort=BWokrMw18vT
suspicious_features GET method with no useragent header suspicious_request GET http://www.younrock.com/u2kb/?Ul=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&Zort=BWokrMw18vT
suspicious_features GET method with no useragent header suspicious_request GET http://www.thewildphotographer.co.uk/u2kb/?Ul=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&Zort=BWokrMw18vT
suspicious_features GET method with no useragent header suspicious_request GET http://www.shapshit.xyz/u2kb/?Ul=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&Zort=BWokrMw18vT
suspicious_features GET method with no useragent header suspicious_request GET http://www.thedivinerudraksha.com/u2kb/?Ul=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&Zort=BWokrMw18vT
request GET http://www.white-hat.uk/u2kb/?Ul=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&Zort=BWokrMw18vT
request GET http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
request POST http://www.gritslab.com/u2kb/
request GET http://www.gritslab.com/u2kb/?Ul=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&Zort=BWokrMw18vT
request POST http://www.bitservicesltd.com/u2kb/
request GET http://www.bitservicesltd.com/u2kb/?Ul=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&Zort=BWokrMw18vT
request POST http://www.222ambking.org/u2kb/
request GET http://www.222ambking.org/u2kb/?Ul=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&Zort=BWokrMw18vT
request POST http://www.energyservicestation.com/u2kb/
request GET http://www.energyservicestation.com/u2kb/?Ul=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&Zort=BWokrMw18vT
request POST http://www.younrock.com/u2kb/
request GET http://www.younrock.com/u2kb/?Ul=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&Zort=BWokrMw18vT
request POST http://www.thewildphotographer.co.uk/u2kb/
request GET http://www.thewildphotographer.co.uk/u2kb/?Ul=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&Zort=BWokrMw18vT
request POST http://www.shapshit.xyz/u2kb/
request GET http://www.shapshit.xyz/u2kb/?Ul=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&Zort=BWokrMw18vT
request POST http://www.thedivinerudraksha.com/u2kb/
request GET http://www.thedivinerudraksha.com/u2kb/?Ul=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&Zort=BWokrMw18vT
request POST http://www.gritslab.com/u2kb/
request POST http://www.bitservicesltd.com/u2kb/
request POST http://www.222ambking.org/u2kb/
request POST http://www.energyservicestation.com/u2kb/
request POST http://www.younrock.com/u2kb/
request POST http://www.thewildphotographer.co.uk/u2kb/
request POST http://www.shapshit.xyz/u2kb/
request POST http://www.thedivinerudraksha.com/u2kb/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2064
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2064
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2108
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a30000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\mbqro.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2064 called NtSetContextThread to modify thread in remote process 2108
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 1638384
registers.edi: 0
registers.eax: 4199136
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000104
process_identifier: 2108
1 0 0
Lionic Trojan.Win32.Agent.tshg
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.NSISX.Spy.Gen.24
FireEye Generic.mg.6242a5f710c22a75
CAT-QuickHeal Trojan.Sabsik
ALYac Gen:Variant.Zusy.459353
Malwarebytes Generic.Malware/Suspicious
Sangfor Suspicious.Win32.Save.ins
K7AntiVirus Trojan ( 005a3be01 )
Alibaba TrojanSpy:Win32/Injector.942086e8
K7GW Trojan ( 005a3be01 )
CrowdStrike win/malicious_confidence_100% (W)
BitDefenderTheta Gen:NN.ZexaF.36164.fqW@aKVOZXki
VirIT Trojan.Win32.GenusT.EGKA
Cyren W32/Agent.FXN.gen!Eldorado
Symantec Packed.NSISPacker!g14
ESET-NOD32 a variant of Win32/Injector.ESWH
Cynet Malicious (score: 100)
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender Trojan.NSISX.Spy.Gen.24
ViRobot Trojan.Win.Z.Spy.292770
Avast Win32:TrojanX-gen [Trj]
Tencent Win32.Trojan-Spy.Noon.Qgil
Emsisoft Trojan.NSISX.Spy.Gen.24 (B)
F-Secure Heuristic.HEUR/AGEN.1319168
VIPRE Trojan.NSISX.Spy.Gen.24
TrendMicro TROJ_GEN.R002C0PDJ23
Trapmine malicious.moderate.ml.score
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Webroot W32.Trojan.NSISX.Spy
Avira HEUR/AGEN.1319168
MAX malware (ai score=83)
Antiy-AVL Trojan/Win32.Injector
Gridinsoft Ransom.Win32.Sabsik.sa
Xcitium Malware@#188fv0h0o3pqs
Arcabit Trojan.NSISX.Spy.Gen.24 [many]
ZoneAlarm HEUR:Trojan-Spy.Win32.Noon.gen
GData Win32.Trojan.PSE.1STSJMG
Google Detected
AhnLab-V3 Malware/Win.Generic.C4960456
VBA32 BScope.Trojan.Wacatac
Cylance unsafe
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002C0PDJ23
Rising Trojan.Injector!8.C4 (TFE:5:JGbZbzhlVxJ)
Ikarus Trojan-Spy.FormBook
Fortinet W32/Injector.ESWG!tr