Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 8, 2021, 9:17 a.m.	July 8, 2021, 9:32 a.m.

Size	62.4KB
Type	PE32+ executable (DLL) (native) x86-64, for MS Windows
MD5	`3ddeea156606b2e5d19c86cedf3dec30`
SHA256	`33cc3816f98fa22354559711326a5ce1352d819c180be4328a72618d20a78632`
CRC32	`17B7A7A5`
ssdeep	`768:2qLODVjNPDZUEix9i3Mb/pvj5ZzbQJbTfHUdV8VTkj7DjpqZMRQ:2DDVjqx9RZjvbQJPfEA4/DEZMRQ`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsDLL - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,DfcidmAgqxxIybvoovbd
912
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,DfcidmAgqxxIybvoovbd
  2016
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,DllGetClassObject
3028
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,DllGetClassObject
  2820
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,DllRegisterServer
2396
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,DllRegisterServer
  2780
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,FbyouxodmaAmblxtzonyr
256
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,FbyouxodmaAmblxtzonyr
  1812
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,GhjrgreaggXyoydphfea
1496
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,GhjrgreaggXyoydphfea
  1212
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,NrmqrpckejMlzraxTtfncwsvfmhs
2740
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,NrmqrpckejMlzraxTtfncwsvfmhs
  2732
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,PluginInit
2468
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,PluginInit
  3068
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,
2136

Name	Response	Post-Analysis Lookup
revedanstvy.bid	A 172.67.152.66 A 104.21.1.144	104.21.1.144
aws.amazon.com	CNAME dr49lng3n1n2s.cloudfront.net CNAME tp.8e49140c2-frontier.amazon.com A 54.230.166.70	54.230.166.70

IP Address	Status	Action
104.21.19.200	Active	Moloch
104.21.1.144	Active	Moloch
164.124.101.2	Active	Moloch
54.230.166.70	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (7 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 8, 2021, 9:10 a.m.			0	0
IsDebuggerPresent July 8, 2021, 9:10 a.m.			0	0
IsDebuggerPresent July 8, 2021, 9:10 a.m.			0	0
IsDebuggerPresent July 8, 2021, 9:10 a.m.			0	0
IsDebuggerPresent July 8, 2021, 9:10 a.m.			0	0
IsDebuggerPresent July 8, 2021, 9:10 a.m.			0	0
IsDebuggerPresent July 8, 2021, 9:10 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 8, 2021, 9:10 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://revedanstvy.bid/
suspicious_features	GET method with no useragent header				suspicious_request	GET https://aws.amazon.com/

Performs some HTTP requests (2 events)

request	GET http://revedanstvy.bid/
request	GET https://aws.amazon.com/

Allocates read-write-execute memory (usually to unpack itself) (10 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 8, 2021, 9:10 a.m.	process_identifier: 2016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefaff7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2021, 9:10 a.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefaff7000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 8, 2021, 9:10 a.m.	process_identifier: 2820 region_size: 405504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2021, 9:10 a.m.	process_identifier: 1812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefaff7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2021, 9:10 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefaff7000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 8, 2021, 9:10 a.m.	process_identifier: 2780 region_size: 405504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001df0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2021, 9:10 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefaff7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2021, 9:10 a.m.	process_identifier: 2732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefaff7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2021, 9:10 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefaff7000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 8, 2021, 9:10 a.m.	process_identifier: 3068 region_size: 405504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000023e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 536 seconds, actually delayed analysis time by 536 seconds

Communicates with host for which no DNS query was performed (1 event)

host

104.21.19.200

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

DrWeb	Trojan.PWS.Stealer.30701
CrowdStrike	win/malicious_confidence_60% (W)
ESET-NOD32	a variant of Win64/Agent.AQO
Avast	Win64:DangerousSig [Trj]
Emsisoft	MalCert-S.KV (A)
Sophos	Troj/IcedID-Z
Avira	HEUR/AGEN.1143234
Microsoft	TrojanSpy:Win32/Stelega.STA
Cynet	Malicious (score: 99)
AVG	Win64:DangerousSig [Trj]

crv.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All