popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

vbc.exe

Formbook NSIS UPX Malicious Library PE File DLL PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 May 22, 2023, 4:15 p.m. May 22, 2023, 4:23 p.m.
Size 248.4KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 f4fb22b77def98b9cc1231ab69a98f58
SHA256 e3afde7d787a34ec4480bc68be8f7b49ff2f9684bb3ac43cbeeb0b24c2ebdaca
CRC32 CB987B60
ssdeep 6144:PYa6fVqq8WYLW+L7VMcjl8yGZbtYQ9/sF74ACya:PYdVnY3L5M2lsZd0F74Dya
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • NSIS_Installer - Null Soft Installer
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49168 -> 103.42.108.46:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 103.42.108.46:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 103.42.108.46:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 103.42.108.46:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 66.29.131.66:80 2023882 ET INFO HTTP Request to a *.top domain Potentially Bad Traffic
UDP 192.168.56.101:53850 -> 164.124.101.2:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 37.220.1.68:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 37.220.1.68:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 37.220.1.68:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 95.130.17.35:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 95.130.17.35:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 95.130.17.35:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 184.168.113.29:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 184.168.113.29:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 184.168.113.29:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 66.29.131.66:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 66.29.131.66:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 66.29.131.66:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 66.29.131.66:80 2031089 ET HUNTING Request to .TOP Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 62.77.152.57:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 62.77.152.57:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 62.77.152.57:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.amateurshow.online/hjdr/?sQ51n=xX5SVKkWhoDut3GzBaDmppnEHsg/q+4WKSSlO6xSWbIBYORImKJaBpt9iPBmVz2FT2wLfcB9Y2Q6assiK3BzS8oN8k0Uh6RuPdoxrUM=&O-G=Y-3P
suspicious_features GET method with no useragent header suspicious_request GET http://www.howtrue.info/hjdr/?sQ51n=kJhn0XnRZRgnPBFsTC3RrkdNU3jL2gKJb5tjL3sD/5M7+ZJLcewBYYG+QRdPVJXXplIlf5qgAFj8zlCmH3brR5caIrNXSuF9PhWnmJU=&O-G=Y-3P
suspicious_features GET method with no useragent header suspicious_request GET http://www.tugrow.top/hjdr/?sQ51n=2Lz3cRNcgovZAvoxkyTJJkVbnS/f0a6Q88r0UIjg2Los90+Pf0cBdPH279Q+Q6Q5Wf8ziDEK77rXCjEWctJre0mQm9v094R3uDXqBk4=&O-G=Y-3P
suspicious_features GET method with no useragent header suspicious_request GET http://www.xn--pdotrychler-l8a.ch/hjdr/?sQ51n=viX6L1AgcIzkNKvffNzJJ+Yd0/U+wEe4YYZ25bQBQN6YyRvPjBEvK6hqMFdbfSlnHMzHqKUOr90SHQpYKy1ow0mwR1Rp7LB2XNGkbPc=&O-G=Y-3P
suspicious_features GET method with no useragent header suspicious_request GET http://www.moneyflowplant.com/hjdr/?sQ51n=eyJcKPxcHEkYOgBJ9ZZ9cit4y5B++Dvl/uOHalw31nGSIs778X+Kd1FjwZjeX1NbjiHN6FVudnpl9UmJEcwgNYvdeBiOQHW6RccTTCs=&O-G=Y-3P
request GET http://www.amateurshow.online/hjdr/?sQ51n=xX5SVKkWhoDut3GzBaDmppnEHsg/q+4WKSSlO6xSWbIBYORImKJaBpt9iPBmVz2FT2wLfcB9Y2Q6assiK3BzS8oN8k0Uh6RuPdoxrUM=&O-G=Y-3P
request GET http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
request POST http://www.zservers.xyz/hjdr/
request POST http://www.howtrue.info/hjdr/
request GET http://www.howtrue.info/hjdr/?sQ51n=kJhn0XnRZRgnPBFsTC3RrkdNU3jL2gKJb5tjL3sD/5M7+ZJLcewBYYG+QRdPVJXXplIlf5qgAFj8zlCmH3brR5caIrNXSuF9PhWnmJU=&O-G=Y-3P
request POST http://www.tugrow.top/hjdr/
request GET http://www.tugrow.top/hjdr/?sQ51n=2Lz3cRNcgovZAvoxkyTJJkVbnS/f0a6Q88r0UIjg2Los90+Pf0cBdPH279Q+Q6Q5Wf8ziDEK77rXCjEWctJre0mQm9v094R3uDXqBk4=&O-G=Y-3P
request POST http://www.xn--pdotrychler-l8a.ch/hjdr/
request GET http://www.xn--pdotrychler-l8a.ch/hjdr/?sQ51n=viX6L1AgcIzkNKvffNzJJ+Yd0/U+wEe4YYZ25bQBQN6YyRvPjBEvK6hqMFdbfSlnHMzHqKUOr90SHQpYKy1ow0mwR1Rp7LB2XNGkbPc=&O-G=Y-3P
request POST http://www.moneyflowplant.com/hjdr/
request GET http://www.moneyflowplant.com/hjdr/?sQ51n=eyJcKPxcHEkYOgBJ9ZZ9cit4y5B++Dvl/uOHalw31nGSIs778X+Kd1FjwZjeX1NbjiHN6FVudnpl9UmJEcwgNYvdeBiOQHW6RccTTCs=&O-G=Y-3P
request POST http://www.zservers.xyz/hjdr/
request POST http://www.howtrue.info/hjdr/
request POST http://www.tugrow.top/hjdr/
request POST http://www.xn--pdotrychler-l8a.ch/hjdr/
request POST http://www.moneyflowplant.com/hjdr/
domain www.tugrow.top description Generic top level domain TLD
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03320000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03330000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2664
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00920000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nseEF92.tmp\ekzjofb.dll
file C:\Users\test22\AppData\Local\Temp\nseEF92.tmp\ekzjofb.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2560 called NtSetContextThread to modify thread in remote process 2664
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 1638384
registers.edi: 0
registers.eax: 4199136
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000210
process_identifier: 2664
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Agent.tshg
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Generic.33731746
FireEye Generic.mg.f4fb22b77def98b9
ALYac Trojan.Generic.33731746
Malwarebytes Trojan.Loader
VIPRE Trojan.Generic.33731746
Sangfor Trojan.Win32.Injector.Vmgn
K7AntiVirus Trojan ( 005a581e1 )
Alibaba Trojan:Win32/Loader.19fc47f9
K7GW Trojan ( 005a581e1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Generic.D202B4A2
VirIT Trojan.Win32.Genus.QIX
Cyren W32/Injector.ALX.gen!Eldorado
Symantec Trojan Horse
ESET-NOD32 a variant of Win32/Injector.ESYF
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky UDS:Trojan.Win32.Loader.gen
BitDefender Trojan.Generic.33731746
Avast Win32:InjectorX-gen [Trj]
Tencent Win32.Trojan.Loader.Psmw
Sophos Mal/Generic-R
F-Secure Trojan.TR/Injector.bzxyo
DrWeb Trojan.Loader.1487
TrendMicro TROJ_GEN.R002C0DEE23
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
Trapmine malicious.moderate.ml.score
Emsisoft Trojan.Generic.33731746 (B)
Ikarus Trojan-Spy.FormBook
Webroot W32.Trojan.Gen
Avira TR/Injector.bzxyo
Gridinsoft Ransom.Win32.Sabsik.sa
Xcitium Malware@#13p6krnix3v6x
Microsoft Trojan:Win32/Formbook!MTB
ZoneAlarm UDS:Trojan.Win32.Loader.gen
GData Trojan.Generic.33731746
Google Detected
AhnLab-V3 Trojan/Win.VecStealer.R577387
McAfee RDN/Generic.dx
MAX malware (ai score=80)
VBA32 Trojan.Loader
Cylance unsafe
Panda Trj/GdSda.A
TrendMicro-HouseCall TROJ_GEN.R03BH0CED23
Rising Trojan.VecStealer!8.180E7 (TFE:5:NWaMQ5f9J5U)
SentinelOne Static AI - Suspicious PE
Fortinet W32/Injector.WK!tr