Jump to content
Tuts 4 You

Edit History

UniqueLegend

UniqueLegend

Hi all:

Recently I've analyzed a VB malware sample. This VB injector runs on physical analyzer machine (Win7 x86)  and virtual machines (Win7 x64 and Win XP) without injection behavior. But when I upload the sample to the online sandbox, it appears to inject iexplorer.exe and sends DNS request to C&C server.

By the way, the VC runtime library and .NET framework 2&4 are already installed on the virtual machine. I have not found any way to make the sample appear any injection behavior by checking Process Monitor yet.

Can anyone figure out the reason, it's welcome to communicate, or is there anyone who can dump out its Trojan body, please let me know, thks a lot...

The password of the sample zip package is "infected". Do not run or debug on the real machine!

ANY.RUN report (PC-side access): https://app.any.run/tasks/2be96389-5c11-4541-b3b2-bb027f445add/

Hybrid Analysis report: https://www.hybrid-analysis.com/sample/0e0a3f5fa2d7e092dbb9e31b55e8f1dc6879673d9af92735577522dc504e7af9?environmentId=120

 

VB_Injector_password_infected.zip

UniqueLegend

UniqueLegend

Hi all:

Recently I've analyzed a VB malware sample. This VB injector runs on physical analyzer machine (Win7 x86)  and virtual machines (Win7 x64 and Win XP) without injection behavior. But when I upload the sample to the online sandbox, it appears to inject iexplorer.exe and sends DNS request to C&C server.

By the way, the VC runtime library and .NET environment are already installed on the virtual machine. I have not found any way to make the sample appear any injection behavior by checking Process Monitor yet.

Can anyone figure out the reason, it's welcome to communicate, or is there anyone who can dump out its Trojan body, please let me know, thks a lot...

The password of the sample zip package is "infected". Do not run or debug on the real machine!

ANY.RUN report (PC-side access): https://app.any.run/tasks/2be96389-5c11-4541-b3b2-bb027f445add/

Hybrid Analysis report: https://www.hybrid-analysis.com/sample/0e0a3f5fa2d7e092dbb9e31b55e8f1dc6879673d9af92735577522dc504e7af9?environmentId=120

 

VB_Injector_password_infected.zip

UniqueLegend

UniqueLegend

Hi all:

Recently I've analyzed a VB malware sample. This VB injector runs on physical analyzer machine (Win7 x86)  and virtual machines (Win7 x64 and Win XP) without injection behavior. But when I upload the sample to the online sandbox, it appears to inject iexplorer.exe and sends DNS request to C&C server.

By the way, the VC runtime library and .NET environment are already installed on the virtual machine. I have not found any way to make the sample appear any injection behavior by checking Process Monitor yet.

Can someone figure out the reason, it's welcome to communicate, or is there anyone who can dump out its Trojan body, please let me know, thks a lot...

The password of the sample zip package is "infected". Do not run or debug on the real machine!

ANY.RUN report (PC-side access): https://app.any.run/tasks/2be96389-5c11-4541-b3b2-bb027f445add/

Hybrid Analysis report: https://www.hybrid-analysis.com/sample/0e0a3f5fa2d7e092dbb9e31b55e8f1dc6879673d9af92735577522dc504e7af9?environmentId=120

 

VB_Injector_password_infected.zip

UniqueLegend

UniqueLegend

Hi all:

Recently I've analyzed a VB malware sample. This VB injector runs on physical analyzer machine (Win7 x86)  and virtual machines (Win7 x64 and Win XP) without injection behavior. But when I upload the sample to the online sandbox, it appears to inject iexplorer.exe and sends DNS request to C&C server.

By the way, the VC runtime library and .NET environment are already installed on the virtual machine. I have not found any way to make the sample appear any injection behavior by checking Process Monitor yet.

Can someone figure out the reason, it's welcome to communicate, or is there anyone who can dump out its Trojan body, please let me know, thks a lot...

The password of the sample zip package is "infected". Do not run and debug on the real machine!

ANY.RUN report (PC-side access): https://app.any.run/tasks/2be96389-5c11-4541-b3b2-bb027f445add/

Hybrid Analysis report: https://www.hybrid-analysis.com/sample/0e0a3f5fa2d7e092dbb9e31b55e8f1dc6879673d9af92735577522dc504e7af9?environmentId=120

 

VB_Injector_password_infected.zip

UniqueLegend

UniqueLegend

Hi all:

Recently I've analyzed a VB malware sample. This VB injector runs on physical analyzer machine (Win7 x86)  and virtual machines (Win7 x64 and Win XP) without injection behavior. But when I upload the sample to the online sandbox, it appears to inject iexplorer.exe and sends DNS request to C&C server.

By the way, the VC runtime library and .NET environment are already installed on the virtual machine. I have not found any way to make the sample appear any injection behavior by using Process Monitor yet.

Can someone figure out the reason, it's welcome to communicate, or is there anyone who can dump out its Trojan body, please let me know, thks a lot...

The password of the sample zip package is "infected". Do not run and debug on the real machine!

ANY.RUN report (PC-side access): https://app.any.run/tasks/2be96389-5c11-4541-b3b2-bb027f445add/

Hybrid Analysis report: https://www.hybrid-analysis.com/sample/0e0a3f5fa2d7e092dbb9e31b55e8f1dc6879673d9af92735577522dc504e7af9?environmentId=120

 

VB_Injector_password_infected.zip

UniqueLegend

UniqueLegend

Hi all:

Recently I've analyzed a VB malware sample. This VB injector runs on physical analyzer machine (Win7 x86)  and virtual machines (Win7 x64 and Win XP) without injection behavior. But when I upload the sample to the online sandbox, it appears to inject iexplorer.exe and sends DNS request to C&C server.

Can someone figure out the reason, it's welcome to communicate, or is there anyone who can dump out its Trojan body, please let me know, thks a lot...

The password of the sample zip package is "infected". Do not run and debug on the real machine!

ANY.RUN report (PC-side access): https://app.any.run/tasks/2be96389-5c11-4541-b3b2-bb027f445add/

Hybrid Analysis report: https://www.hybrid-analysis.com/sample/0e0a3f5fa2d7e092dbb9e31b55e8f1dc6879673d9af92735577522dc504e7af9?environmentId=120

 

VB_Injector_password_infected.zip

×
×
  • Create New...