Summary | ZeroBOX

AazrkIaOnf.dll

Tags: OS Processor Check, PE64, PE File, DLL
Category FILE
Machine s1_win7_x6401
Started May 1, 2021, 9:40 a.m.
Completed May 1, 2021, 9:43 a.m.
Size 15.9MB
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 4ea2c49920dfc1dbcc1ffb5a7300c441
SHA256 6ef0e93b9e0ddd5e3bbe36c5fdefa2dfd7a8d985fe36af2af5670b3671a1bd26
CRC32 784F8F88
ssdeep 196608:hJ7In8fJaw8k9pDGOVSNatSyk8uwBtNf7lGGlswN27OZO5pBn:h+8fampDdshyk8hLG0gsOp
Yara
  • IsPE64 - (no description)
  • IsDLL - (no description)
  • OS_Processor_Check_Zero - OS Processor Check
  • PE_Header_Zero - PE File Signature

DNS (Name / Response / Post-Analysis Lookup)
No hosts contacted.

IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

Four calls to IsDebuggerPresent (a basic anti-debugging check; the API takes no arguments) were logged before the exceptions below:

IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
Sections (13, all with non-standard 8-byte names; non-printable bytes shown as \xNN):
  • p\18XVd!
  • \x1f`.E@9%\x1c
  • ZG<.aII+
  • m@FI,i-!
  • A+f7Uco6
  • 6\x1fhp#;k7
  • =ifQtp[,
  • =5+RP\\x1eV
  • m:I\x1e2m@4
  • .`0dZed'
  • =b2^tF86
  • /;MX5YN\
  • g_["QQ\x1ca
Time & API Arguments Status Return Repeated

__exception__ (exception_code 0x80000004 is STATUS_SINGLE_STEP, the trap-flag single-step exception; it fires in the sample's own code at aazrkiaonf+0xe1234d while the ntdll loader is running the freshly mapped DLL under rundll32 → LoadLibraryExW → LdrLoadDll, so it is raised during DLL initialisation rather than from an exported function. The dbkFCallWrapperAddr symbol is only the nearest export, a Delphi RTL symbol, so the +0x7710b5 offset is not a real function boundary. At the fault rcx holds 3735929054 = 0xDEADC0DE.)

stacktrace:
dbkFCallWrapperAddr+0x7710b5 aazrkiaonf+0xe1234d @ 0x2ac234d
dbkFCallWrapperAddr+0x6a8f39 aazrkiaonf+0xd4a1d1 @ 0x29fa1d1
RtlInitializeCriticalSectionEx+0x83a _strcmpi-0x9c2 ntdll+0x3bc2a @ 0x771fbc2a
RtlCreateUnicodeStringFromAsciiz+0xea LdrLoadDll-0x246 ntdll+0x2784a @ 0x771e784a
LdrLoadDll+0x9e RtlOpenCurrentUser-0x442 ntdll+0x27b2e @ 0x771e7b2e
New_ntdll_LdrLoadDll+0xaf New_ntdll_LdrUnloadDll-0xd9 @ 0x7442f9f8
LoadLibraryExW+0x19c FreeSid-0xa4 kernelbase+0xa05c @ 0x7fefd6da05c
rundll32+0x2b50 @ 0xff9d2b50
rundll32+0x2e6a @ 0xff9d2e6a
rundll32+0x3b7a @ 0xff9d3b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521

exception.instruction_r: 90 68 3e 55 70 71 e8 d1 e8 0c 00 68 06 b9 19 08
exception.instruction: nop
exception.exception_code: 0x80000004
exception.symbol: dbkFCallWrapperAddr+0x7710b5 aazrkiaonf+0xe1234d
exception.address: 0x2ac234d
registers.r14: 0
registers.r15: 0
registers.rcx: 3735929054
registers.rsi: 0
registers.r10: -1951643033
registers.rbx: 0
registers.rsp: 2292752
registers.r11: 84
registers.r8: 655420
registers.r9: 43840
registers.rdx: 361
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 3185161486
registers.r13: 0
1 0 0

__exception__ (same fault as above: STATUS_SINGLE_STEP at aazrkiaonf+0xe1234d, with the module mapped at a different base; rcx is again 0xDEADC0DE)

stacktrace:
dbkFCallWrapperAddr+0x7710b5 aazrkiaonf+0xe1234d @ 0x2b0234d
dbkFCallWrapperAddr+0x6a8f39 aazrkiaonf+0xd4a1d1 @ 0x2a3a1d1
RtlInitializeCriticalSectionEx+0x83a _strcmpi-0x9c2 ntdll+0x3bc2a @ 0x771fbc2a
RtlCreateUnicodeStringFromAsciiz+0xea LdrLoadDll-0x246 ntdll+0x2784a @ 0x771e784a
LdrLoadDll+0x9e RtlOpenCurrentUser-0x442 ntdll+0x27b2e @ 0x771e7b2e
New_ntdll_LdrLoadDll+0xaf New_ntdll_LdrUnloadDll-0xd9 @ 0x7442f9f8
LoadLibraryExW+0x19c FreeSid-0xa4 kernelbase+0xa05c @ 0x7fefd6da05c
rundll32+0x2b50 @ 0xff9d2b50
rundll32+0x2e6a @ 0xff9d2e6a
rundll32+0x3b7a @ 0xff9d3b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521

exception.instruction_r: 90 68 3e 55 70 71 e8 d1 e8 0c 00 68 06 b9 19 08
exception.instruction: nop
exception.exception_code: 0x80000004
exception.symbol: dbkFCallWrapperAddr+0x7710b5 aazrkiaonf+0xe1234d
exception.address: 0x2b0234d
registers.r14: 0
registers.r15: 0
registers.rcx: 3735929054
registers.rsi: 0
registers.r10: -1951380889
registers.rbx: 0
registers.rsp: 1769328
registers.r11: 84
registers.r8: 655420
registers.r9: 43840
registers.rdx: 361
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 3085633824
registers.r13: 0
1 0 0

__exception__ (same fault as above: STATUS_SINGLE_STEP at aazrkiaonf+0xe1234d, with the module mapped at a different base; rcx is again 0xDEADC0DE)

stacktrace:
dbkFCallWrapperAddr+0x7710b5 aazrkiaonf+0xe1234d @ 0x2ba234d
dbkFCallWrapperAddr+0x6a8f39 aazrkiaonf+0xd4a1d1 @ 0x2ada1d1
RtlInitializeCriticalSectionEx+0x83a _strcmpi-0x9c2 ntdll+0x3bc2a @ 0x771fbc2a
RtlCreateUnicodeStringFromAsciiz+0xea LdrLoadDll-0x246 ntdll+0x2784a @ 0x771e784a
LdrLoadDll+0x9e RtlOpenCurrentUser-0x442 ntdll+0x27b2e @ 0x771e7b2e
New_ntdll_LdrLoadDll+0xaf New_ntdll_LdrUnloadDll-0xd9 @ 0x7442f9f8
LoadLibraryExW+0x19c FreeSid-0xa4 kernelbase+0xa05c @ 0x7fefd6da05c
rundll32+0x2b50 @ 0xff9d2b50
rundll32+0x2e6a @ 0xff9d2e6a
rundll32+0x3b7a @ 0xff9d3b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521

exception.instruction_r: 90 68 3e 55 70 71 e8 d1 e8 0c 00 68 06 b9 19 08
exception.instruction: nop
exception.exception_code: 0x80000004
exception.symbol: dbkFCallWrapperAddr+0x7710b5 aazrkiaonf+0xe1234d
exception.address: 0x2ba234d
registers.r14: 0
registers.r15: 0
registers.rcx: 3735929054
registers.rsi: 0
registers.r10: -1950725529
registers.rbx: 0
registers.rsp: 1178480
registers.r11: 84
registers.r8: 655420
registers.r9: 43840
registers.rdx: 361
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 3442262252
registers.r13: 0
1 0 0

__exception__ (same fault as above: STATUS_SINGLE_STEP at aazrkiaonf+0xe1234d, with the module mapped at a different base; rcx is again 0xDEADC0DE)

stacktrace:
dbkFCallWrapperAddr+0x7710b5 aazrkiaonf+0xe1234d @ 0x2ae234d
dbkFCallWrapperAddr+0x6a8f39 aazrkiaonf+0xd4a1d1 @ 0x2a1a1d1
RtlInitializeCriticalSectionEx+0x83a _strcmpi-0x9c2 ntdll+0x3bc2a @ 0x771fbc2a
RtlCreateUnicodeStringFromAsciiz+0xea LdrLoadDll-0x246 ntdll+0x2784a @ 0x771e784a
LdrLoadDll+0x9e RtlOpenCurrentUser-0x442 ntdll+0x27b2e @ 0x771e7b2e
New_ntdll_LdrLoadDll+0xaf New_ntdll_LdrUnloadDll-0xd9 @ 0x7442f9f8
LoadLibraryExW+0x19c FreeSid-0xa4 kernelbase+0xa05c @ 0x7fefd6da05c
rundll32+0x2b50 @ 0xff9d2b50
rundll32+0x2e6a @ 0xff9d2e6a
rundll32+0x3b7a @ 0xff9d3b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521

exception.instruction_r: 90 68 3e 55 70 71 e8 d1 e8 0c 00 68 06 b9 19 08
exception.instruction: nop
exception.exception_code: 0x80000004
exception.symbol: dbkFCallWrapperAddr+0x7710b5 aazrkiaonf+0xe1234d
exception.address: 0x2ae234d
registers.r14: 0
registers.r15: 0
registers.rcx: 3735929054
registers.rsi: 0
registers.r10: -1951511961
registers.rbx: 0
registers.rsp: 2030384
registers.r11: 84
registers.r8: 655420
registers.r9: 43840
registers.rdx: 361
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 3358519313
registers.r13: 0
1 0 0
section =5+RP\\x1eV virtual_address 0x006b3000 virtual_size 0x00048904 size_of_data 0x00048a00 entropy 7.99922841511 description A section with a high entropy has been found
section m:I\x1e2m@4 virtual_address 0x006fc000 virtual_size 0x00050220 size_of_data 0x00050400 entropy 7.99715372622 description A section with a high entropy has been found
section .`0dZed' virtual_address 0x0074d000 virtual_size 0x00579042 size_of_data 0x00579200 entropy 7.86678113821 description A section with a high entropy has been found
section =b2^tF86 virtual_address 0x00cc7000 virtual_size 0x002eb764 size_of_data 0x002eb800 entropy 7.62490462161 description A section with a high entropy has been found
entropy 0.56537493091 description Overall entropy of this PE file is high. The figure is not a Shannon entropy but the share of section data that sits in high-entropy sections: the four sections above total 0x8fd800 bytes (about 9.0 MB of the 15.9 MB file), which is the 56.5% shown. Entropy this close to 8.0 bits per byte over several megabytes is what packed or encrypted payloads look like, so the real code is unlikely to be visible without unpacking.
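The following is an added example, not ZeroBOX code and not taken from the sample, that re-derives the header tags (PE64, DLL), the non-standard section-name list and the two entropy signals above from raw bytes using only the Python standard library. It assumes the thresholds used by the Cuckoo-derived packer_entropy signature (a section counts as high-entropy above 6.8 bits per byte, and the file is flagged when at least 20% of section data is high-entropy); both thresholds are assumptions, as is the small PE32+ DLL that build_sample_pe() constructs in memory as test input (one of its section names is copied from the list above). To run it on a real file, call parse_pe() on its bytes.

```python
# Added example (not ZeroBOX's own code): reproduce the PE64/DLL tags, the
# non-standard section-name check and the per-section / overall entropy signals.
# Thresholds below are ASSUMED to match the Cuckoo-style packer_entropy signature.
import hashlib
import math
import struct
from collections import Counter

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
PE32PLUS_MAGIC = 0x20B
SECTION_ENTROPY_THRESHOLD = 6.8   # assumed: per-section "high entropy" cut-off
OVERALL_RATIO_THRESHOLD = 0.2     # assumed: share of high-entropy data that flags the file
NORMAL_NAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_normal_section_name(name: str) -> bool:
    """Linker-style names (.text, .rdata, CODE, ...) use a small character set;
    anything else, such as the random 8-byte names in this report, is flagged."""
    return bool(name) and all(ch in NORMAL_NAME_CHARS for ch in name)


def parse_pe(blob: bytes) -> dict:
    """Minimal PE walker: DOS stub -> COFF header -> optional-header magic -> sections."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", blob, coff)
    optional = coff + 20                       # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", blob, optional)[0]
    sections = []
    for i in range(nsections):
        off = optional + opt_size + 40 * i     # IMAGE_SECTION_HEADER is 40 bytes
        raw_name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, off)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        data = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "virtual_address": vaddr, "virtual_size": vsize,
                         "size_of_data": raw_size, "entropy": shannon_entropy(data)})
    return {"is_pe64": magic == PE32PLUS_MAGIC and machine == IMAGE_FILE_MACHINE_AMD64,
            "is_dll": bool(characteristics & IMAGE_FILE_DLL), "sections": sections}


def entropy_signals(info: dict) -> dict:
    """Per-section hits, odd names, and the share of section data that is
    high-entropy (the 'Overall entropy' figure in the report)."""
    high = [s for s in info["sections"] if s["entropy"] > SECTION_ENTROPY_THRESHOLD]
    total = sum(s["size_of_data"] for s in info["sections"])
    packed = sum(s["size_of_data"] for s in high)
    ratio = packed / total if total else 0.0
    return {"high_entropy_sections": [s["name"] for s in high],
            "odd_section_names": [s["name"] for s in info["sections"] if not is_normal_section_name(s["name"])],
            "ratio": ratio, "overall_high": ratio >= OVERALL_RATIO_THRESHOLD}


def build_sample_pe() -> bytes:
    """Constructed test input (not the analysed file): a minimal PE32+ DLL with one
    plain section and one section of deterministic pseudo-random bytes (chained
    SHA-256), so the result is reproducible offline."""
    state, chunks = b"zerobox-example-seed", []
    for _ in range(8192 // 32):
        state = hashlib.sha256(state).digest()
        chunks.append(state)
    packed = b"".join(chunks)            # 8192 bytes, entropy close to 8.0
    plain = bytes(range(16)) * 256       # 4096 bytes, 16 symbols -> entropy exactly 4.0
    opt_size, raw_start = 240, 0x200     # PE32+ optional header size; first raw-data offset
    hdr = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew -> PE signature
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 2, 0, 0, 0, opt_size, 0x2022)  # EXE|LARGE_ADDRESS_AWARE|DLL
    hdr += struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * (opt_size - 2)

    def section(name: bytes, vaddr: int, data: bytes, raw_ptr: int) -> bytes:
        return struct.pack("<8s6I2HI", name.ljust(8, b"\0"), len(data), vaddr, len(data), raw_ptr,
                           0, 0, 0, 0, 0x40000040)               # readable, initialised data

    hdr += section(b".text", 0x1000, plain, raw_start)
    hdr += section(b"m:I\x1e2m@4", 0x3000, packed, raw_start + len(plain))  # name copied from the report
    hdr += b"\0" * (raw_start - len(hdr))
    return bytes(hdr) + plain + packed


def summarize(blob: bytes) -> dict:
    info = parse_pe(blob)
    return {"is_pe64": info["is_pe64"], "is_dll": info["is_dll"], **entropy_signals(info)}


if __name__ == "__main__":
    print(summarize(build_sample_pe()))
```

The ratio printed for the constructed file is 8192 / 12288, i.e. two thirds, which is the same kind of figure as the 0.565 above; on the real sample the four listed sections would drive it, and any name failing is_normal_section_name would land in odd_section_names exactly as the thirteen names listed earlier do.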
Antivirus detections (24 engines flag the file; six of them, DrWeb, Alibaba, Cyren, ESET-NOD32, Rising and Fortinet, name the Mekotio family):

Vendor Detection
Elastic malicious (high confidence)
DrWeb Trojan.Mekotio.23
MicroWorld-eScan Trojan.Agent.FGHR
ALYac Trojan.Agent.FGHR
Alibaba TrojanSpy:Win64/Mekotio.4d347b49
CrowdStrike win/malicious_confidence_80% (W)
Cyren W64/Mekotio.H.gen!Eldorado
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Win64/Spy.Mekotio.P
APEX Malicious
BitDefender Trojan.Agent.FGHR
Rising Spyware.Mekotio!8.F5DF (CLOUD)
Ad-Aware Trojan.Agent.FGHR
McAfee-GW-Edition BehavesLike.Win64.Softcnapp.wc
FireEye Generic.mg.4ea2c49920dfc1db
Emsisoft Trojan.Agent.FGHR (B)
MAX malware (ai score=85)
Gridinsoft Trojan.Heur!.02296222
GData Trojan.Agent.FGHR
AhnLab-V3 Trojan/Win.Agent.R418241
McAfee Artemis!4EA2C49920DF
Malwarebytes Malware.AI.4211687409
Ikarus Trojan.Win64.Spy
Fortinet W64/Mekotio.P!tr.spy