popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

vbc.exe

Admin Tool (Sysinternals etc ...) UPX Malicious Library PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us March 17, 2024, 9:50 a.m. March 17, 2024, 9:52 a.m.
Size 297.4KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 d7e7cdf137c9d5dfa8d07a6e99d40e98
SHA256 943d859455cd8c6b02eba13b400d2d475e25128e68c5630a4498f047d9c79cdf
CRC32 3D78CECE
ssdeep 6144:rGi+A8HnqjxnFD+CxmL0h3q76nNsbf0YFlLxgH/TTRfvfuA3AlSM1g:qvHCR+Azc6nuj0ULxgfTTRvfvAli
Yara
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
sempersim.su
A 104.237.252.28
104.237.252.28
IP Address Status Action
104.237.252.28 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
domain sempersim.su description Soviet Union domain TLD
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2052
region_size: 400003072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02020000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2052
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00960000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

 number_of_free_clusters: 2425367
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 2425367
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Login Data
file C:\Users\test22\AppData\Local\Chromium\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Login Data
file C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
file C:\Users\test22\AppData\Local\Temp\copjlgqx.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2136
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000dc
1 0 0
file C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\test22\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file C:\Users\test22\AppData\Roaming\wcx_ftp.ini
file C:\Windows\wcx_ftp.ini
file C:\Users\test22\wcx_ftp.ini
file C:\Windows\32BitFtp.ini
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Program Files (x86)\FileZilla\Filezilla.xml
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
file C:\Users\test22\AppData\Roaming\FileZilla\filezilla.xml
registry HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry HKEY_CURRENT_USER\Software\Martin Prikryl
registry HKEY_LOCAL_MACHINE\Software\Martin Prikryl
file C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\78.4.0 (ko)\Main
registry HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email
Process injection Process 2052 called NtSetContextThread to modify thread in remote process 2136
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 2816732
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000d8
process_identifier: 2136
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2056
thread_handle: 0x000001e8
process_identifier: 2052
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\copjlgqx.exe C:\Users\test22\AppData\Local\Temp\znwhn
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

 thread_identifier: 2140
thread_handle: 0x000000d8
process_identifier: 2136
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\copjlgqx.exe
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\copjlgqx.exe C:\Users\test22\AppData\Local\Temp\znwhn
filepath_r: C:\Users\test22\AppData\Local\Temp\copjlgqx.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000000dc
1 1 0

NtGetContextThread

 thread_handle: 0x000000d8
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2136
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000dc
1 0 0

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 2816732
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000d8
process_identifier: 2136
1 0 0

NtResumeThread

 thread_handle: 0x00000110
suspend_count: 1
process_identifier: 2136
1 0 0
Bkav W32.AIDetect.malware2
Lionic Trojan.Multi.GenericML.4!c
Elastic malicious (high confidence)
ClamAV Win.Trojan.Trojanx-9942394-0
ALYac Trojan.GenericKD.39345569
Cylance Unsafe
K7AntiVirus Trojan ( 00590d7c1 )
BitDefender Trojan.GenericKD.39345569
K7GW Trojan ( 00590d7c1 )
Arcabit Trojan.Generic.D2585DA1
Cyren W32/Trojan.MUAF-8214
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Win32/Injector.ERIP
APEX Malicious
Avast Win32:TrojanX-gen [Trj]
Cynet Malicious (score: 100)
Kaspersky UDS:Trojan.Multi.GenericML.xnet
Alibaba Backdoor:Win32/Tnega.df031205
SUPERAntiSpyware Trojan.Agent/Gen-Siggen
MicroWorld-eScan Trojan.GenericKD.39345569
Rising Trojan.Injector!8.C4 (CLOUD)
Ad-Aware Trojan.GenericKD.39345569
Emsisoft Trojan.GenericKD.39345569 (B)
Comodo Malware@#1isw9z6qv36q1
DrWeb Trojan.Siggen17.30027
BitDefenderTheta Gen:NN.ZexaF.34666.gmW@amfZ9!k
TrendMicro TROJ_GEN.R002C0PCP22
McAfee-GW-Edition GenericRXSG-FS!7FCBF2F00F40
FireEye Trojan.GenericKD.39345569
Sophos Mal/Generic-S
Ikarus Trojan.Win32.Injector
Jiangmin Trojan.Multi.ise
Webroot W32.Trojan.Gen
Avira TR/AD.LokiBot.ooibi
MAX malware (ai score=82)
Kingsoft Win32.Hack.Undef.(kcloud)
Microsoft Trojan:Win32/Tnega.RVAN!MTB
ZoneAlarm HEUR:Backdoor.Win32.Androm.gen
GData Win32.Trojan.PSE.1EP9IXH
AhnLab-V3 Dropper/Win.Agent.C5028095
McAfee Artemis!D7E7CDF137C9
VBA32 Trojan.Sdum
Malwarebytes Malware.AI.4264460529
TrendMicro-HouseCall TROJ_GEN.R002C0PCP22
Tencent Win32.Backdoor.Androm.Wuhb
Yandex Trojan.Injector!MPa33SFYHqs
MaxSecure Trojan.Malware.121218.susgen
Fortinet W32/Injector.ERKP!tr
AVG Win32:TrojanX-gen [Trj]
Paloalto generic.ml
dead_host 192.168.56.103:49171
dead_host 192.168.56.103:49170
dead_host 192.168.56.103:49175
dead_host 192.168.56.103:49176
dead_host 192.168.56.103:49165
dead_host 104.237.252.28:80
dead_host 192.168.56.103:49169
dead_host 192.168.56.103:49168
dead_host 192.168.56.103:49166