Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 23, 2021, 10:03 a.m.	May 23, 2021, 10:15 a.m.

Size	222.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`7a77bc3281be4a356defa637d2d70014`
SHA256	`a41175f62e9f034436a594ae29a0b293d3e88698740fc1e3949809ab76c7dff4`
CRC32	`DDBC0B0F`
ssdeep	`6144:SJ+WK/pvT7arfwKFzDTsv5oaTh45CjBscX9TeLN:JJpb7Y7vf5i5X9TgN`
Yara	IsDLL - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description) Win_Amadey_Zero - Amadey bot

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\scr.dll,Main
2772
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\scr.dll,
3056

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.215.113.57	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.57:80 -> 192.168.56.101:49200	2400023	ET DROP Spamhaus DROP Listed Traffic Inbound group 24	Misc Attack

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 23, 2021, 10:03 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, Connection to IP address

suspicious_request

POST http://185.215.113.57//1dEr2nYffd/index.php?scr=up

Performs some HTTP requests (1 event)

request

POST http://185.215.113.57//1dEr2nYffd/index.php?scr=up

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.57//1dEr2nYffd/index.php?scr=up

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 23, 2021, 10:03 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:03 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d80000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:03 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:03 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73751000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:03 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:03 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c92000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:03 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d51000 process_handle: 0xffffffff	1

Communicates with host for which no DNS query was performed (1 event)

host

185.215.113.57

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Doina.2666
FireEye	Generic.mg.7a77bc3281be4a35
McAfee	GenericRXAA-AA!7A77BC3281BE
Cylance	Unsafe
Zillya	Trojan.Delf.Win32.130455
Arcabit	Trojan.Doina.DA6A
Symantec	Trojan.Amadey
ESET-NOD32	Win32/Spy.Delf.QYF
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
ClamAV	Win.Malware.Zusy-9770522-0
Kaspersky	HEUR:Trojan-Spy.Win32.Bobik.gen
BitDefender	Gen:Variant.Doina.2666
NANO-Antivirus	Trojan.Win32.Plodor.iaklyz
Tencent	Malware.Win32.Gencirc.10ce384c
Ad-Aware	Gen:Variant.Doina.2666
Sophos	ML/PE-A
DrWeb	Trojan.PWS.Stealer.29417
TrendMicro	TrojanSpy.Win32.AMADEY.SMYAAA-A
Emsisoft	Trojan-Spy.Delf (A)
Jiangmin	Trojan.Plodor.h
Avira	HEUR/AGEN.1136939
MAX	malware (ai score=83)
Microsoft	Trojan:Win32/EmotetCrypt.PEF!MTB
GData	Gen:Variant.Doina.2666
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win32.Generic.C4077593
ALYac	Gen:Variant.Doina.2666
VBA32	TScope.Trojan.Delf
Malwarebytes	Spyware.PasswordStealer
TrendMicro-HouseCall	TrojanSpy.Win32.AMADEY.SMYAAA-A
Rising	Stealer.Agent!1.D216 (CLASSIC)
Fortinet	W32/Delf.QYF!tr.spy
AVG	Win32:TrojanX-gen [Trj]
Panda	Trj/GdSda.A

scr.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All