Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 9, 2021, 9:33 a.m.	July 9, 2021, 9:36 a.m.

Size	62.4KB
Type	PE32+ executable (DLL) (native) x86-64, for MS Windows
MD5	`3ddeea156606b2e5d19c86cedf3dec30`
SHA256	`33cc3816f98fa22354559711326a5ce1352d819c180be4328a72618d20a78632`
CRC32	`17B7A7A5`
ssdeep	`768:2qLODVjNPDZUEix9i3Mb/pvj5ZzbQJbTfHUdV8VTkj7DjpqZMRQ:2DDVjqx9RZjvbQJPfEA4/DEZMRQ`
Yara	IsPE64 - (no description) Generic_Malware_Zero - Generic Malware IsDLL - (no description) PE_Header_Zero - PE File Signature

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,DllGetClassObject
2516
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,DllGetClassObject
  2908
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,DllRegisterServer
2608
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,DllRegisterServer
  2112
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,FbyouxodmaAmblxtzonyr
2700
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,FbyouxodmaAmblxtzonyr
  2396
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,DfcidmAgqxxIybvoovbd
2412
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,DfcidmAgqxxIybvoovbd
  3032
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,GhjrgreaggXyoydphfea
2792
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,GhjrgreaggXyoydphfea
  2268
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,NrmqrpckejMlzraxTtfncwsvfmhs
2884
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,NrmqrpckejMlzraxTtfncwsvfmhs
  2632
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,PluginInit
3020
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,PluginInit
  2696
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\crv.dll,
2272

Name	Response	Post-Analysis Lookup
revedanstvy.bid	A 54.197.173.238	54.197.173.238
aws.amazon.com	A 99.86.203.73 CNAME tp.8e49140c2-frontier.amazon.com CNAME dr49lng3n1n2s.cloudfront.net	13.225.123.73

IP Address	Status	Action
164.124.101.2	Active	Moloch
54.197.173.238	Active	Moloch
99.86.203.73	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (7 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 9, 2021, 9:33 a.m.			0	0
IsDebuggerPresent July 9, 2021, 9:33 a.m.			0	0
IsDebuggerPresent July 9, 2021, 9:33 a.m.			0	0
IsDebuggerPresent July 9, 2021, 9:33 a.m.			0	0
IsDebuggerPresent July 9, 2021, 9:33 a.m.			0	0
IsDebuggerPresent July 9, 2021, 9:33 a.m.			0	0
IsDebuggerPresent July 9, 2021, 9:33 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 9, 2021, 9:33 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://revedanstvy.bid/
suspicious_features	GET method with no useragent header				suspicious_request	GET https://aws.amazon.com/

Performs some HTTP requests (2 events)

request	GET http://revedanstvy.bid/
request	GET https://aws.amazon.com/

Allocates read-write-execute memory (usually to unpack itself) (10 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 9, 2021, 9:33 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa2c7000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:33 a.m.	process_identifier: 2908 region_size: 405504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 9:33 a.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa2c7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 9:33 a.m.	process_identifier: 2268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa2c7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 9:33 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa2c7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 9:33 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa2c7000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:33 a.m.	process_identifier: 2112 region_size: 405504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 9:33 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa2c7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 9:33 a.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa2c7000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:33 a.m.	process_identifier: 2696 region_size: 405504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 533 seconds, actually delayed analysis time by 533 seconds

Generates some ICMP traffic

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

ALYac	Trojan.IcedID.gen
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_60% (W)
Alibaba	TrojanSpy:Win32/Stelega.487dce7a
K7GW	Trojan ( 0057f1221 )
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win64/Agent.AQO
Cynet	Malicious (score: 99)
Kaspersky	UDS:Trojan.Win64.Agent.a
Avast	Win64:DangerousSig [Trj]
Sophos	Mal/Generic-R + Troj/IcedID-Z
F-Secure	Heuristic.HEUR/AGEN.1143234
DrWeb	Trojan.PWS.Stealer.30701
TrendMicro	TROJ_FRS.0NA104G721
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	MalCert-S.KV (A)
GData	Win32.Trojan-Downloader.IcedID.GUABX6
Avira	HEUR/AGEN.1143234
Kingsoft	Win32.Troj.Undef.(kcloud)
ViRobot	Trojan.Win64.S.Agent.63880
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Microsoft	TrojanSpy:Win32/Stelega.STA
McAfee	Artemis!3DDEEA156606
MAX	malware (ai score=82)
Malwarebytes	Spyware.PasswordStealer
TrendMicro-HouseCall	TROJ_FRS.0NA104G721
Ikarus	Trojan.Win64.Agent
Fortinet	W32/Agent.AQO!tr
AVG	Win64:DangerousSig [Trj]
Qihoo-360	Win64/Trojan.Generic.HggASX8A

crv.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All