Recently I've analyzed a VB malware sample. This VB injector runs on physical analyzer machine (Win7 x86) and virtual machines (Win7 x64 and Win XP) without injection behavior. But when I upload the sample to the online sandbox, it appears to inject iexplorer.exe and sends DNS request to C&C server.
By the way, the VC runtime library and .NET framework 2&4 are already installed on the virtual machine. I have not found any way to make the sample appear any injection behavior by checking Process Monitor yet.
Can anyone figure out the reason, it's welcome to communicate, or is there anyone who can dump out its Trojan body, please let me know, thks a lot...
The password of the sample zip package is "infected". Do not run or debug on the real machine!
ANY.RUN report (PC-side access): https://app.any.run/tasks/2be96389-5c11-4541-b3b2-bb027f445add/