Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 10, 2021, 12:18 p.m.	May 10, 2021, 12:20 p.m.

Size	222.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`8fb5cc19a4b3784c602be19efe34555c`
SHA256	`3a7809920592be114483fe7f764f4ce9c48f6c7bc1ed578f7b8a5f2130488810`
CRC32	`3A94D143`
ssdeep	`6144:SJ+WK/pvT7arfwKFzDTsv5oaTh45CjBscX9TJLN:JJpb7Y7vf5i5X9TVN`
Yara	IsDLL - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description) Win_Amadey_Zero - Amadey bot

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\scr.dll,Main
5032
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\scr.dll,
5292

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch
45.155.205.172	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 45.155.205.172:80 -> 192.168.56.102:49806	2402000	ET DROP Dshield Block Listed Source group 1	Misc Attack

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 10, 2021, 12:18 p.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, Connection to IP address

suspicious_request

POST http://45.155.205.172//4dcYcWsw3/index.php?scr=up

Performs some HTTP requests (1 event)

request

POST http://45.155.205.172//4dcYcWsw3/index.php?scr=up

Sends data using the HTTP POST Method (1 event)

request

POST http://45.155.205.172//4dcYcWsw3/index.php?scr=up

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 10, 2021, 12:18 p.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 10, 2021, 12:18 p.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e80000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 10, 2021, 12:18 p.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73771000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 10, 2021, 12:18 p.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73861000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 10, 2021, 12:18 p.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72da4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 10, 2021, 12:18 p.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 10, 2021, 12:18 p.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e01000 process_handle: 0xffffffff	1

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	45.155.205.172

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.PWS.Stealer.29417
MicroWorld-eScan	Gen:Variant.Doina.2666
FireEye	Generic.mg.8fb5cc19a4b3784c
CAT-QuickHeal	Trojanspy.Bobik
ALYac	Gen:Variant.Doina.2666
Malwarebytes	Spyware.PasswordStealer
Zillya	Trojan.Delf.Win32.130455
Sangfor	Trojan.Win32.EmotetCrypt.PEF
CrowdStrike	win/malicious_confidence_60% (W)
Alibaba	TrojanSpy:Win32/EmotetCrypt.7ff3ed1f
K7GW	Spyware ( 005722971 )
K7AntiVirus	Spyware ( 005722971 )
Cyren	W32/Trojan.PREC-8918
Symantec	Trojan.Amadey
ESET-NOD32	Win32/Spy.Delf.QYF
TrendMicro-HouseCall	TrojanSpy.Win32.AMADEY.SMYAAA-A
Avast	Win32:TrojanX-gen [Trj]
ClamAV	Win.Malware.Zusy-9770522-0
Kaspersky	HEUR:Trojan-Spy.Win32.Bobik.gen
BitDefender	Gen:Variant.Doina.2666
NANO-Antivirus	Trojan.Win32.Plodor.iaklyz
Paloalto	generic.ml
ViRobot	Trojan.Win32.Z.Delf.227328.ASQ
Rising	Stealer.Agent!1.D216 (CLASSIC)
Ad-Aware	Gen:Variant.Doina.2666
Sophos	Mal/Generic-S
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TrojanSpy.Win32.AMADEY.SMYAAA-A
McAfee-GW-Edition	BehavesLike.Win32.Worm.dh
Emsisoft	Trojan-Spy.Delf (A)
Ikarus	Trojan-Spy.Agent
Jiangmin	Trojan.Plodor.h
Avira	HEUR/AGEN.1136939
MAX	malware (ai score=100)
Antiy-AVL	Trojan/Generic.ASMalwS.3036F4A
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/EmotetCrypt.PEF!MTB
AegisLab	Trojan.Win32.Bobik.l!c
GData	Gen:Variant.Doina.2666
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win32.Generic.C4077593
McAfee	GenericRXAA-AA!8FB5CC19A4B3
VBA32	TScope.Trojan.Delf
APEX	Malicious
Tencent	Malware.Win32.Gencirc.10ce384c
MaxSecure	Trojan.Malware.1728101.susgen
Fortinet	W32/Delf.QYF!tr.spy
Webroot	W32.Infostealer.Gen
AVG	Win32:TrojanX-gen [Trj]

scr.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All