Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 20, 2021, 11:16 a.m.	July 20, 2021, 11:16 a.m.

Size	463.9KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`b3a8c88297daecdb9b0ac54a3c107797`
SHA256	`a881c9f40c1a5be3919cafb2ebe2bb5b19e29f0f7b28186ee1f4b554d692e776`
CRC32	`75AFF609`
ssdeep	`12288:6wK18bRRnjb5/DvI4opt3FjOGAlQ1OT3bs/y7n:6wKObRRNDvIpdF/kQ1QbsaT`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Lazarus_Zero - Lazarus Generic Malware IsDLL - (no description) UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ComparePlus.dll,beNotified
2648
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ComparePlus.dll,getFuncsArray
2076
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ComparePlus.dll,getName
2164
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ComparePlus.dll,isUnicode
1808
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ComparePlus.dll,messageProc
1852
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ComparePlus.dll,setInfo
2728
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ComparePlus.dll,
2776

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 20, 2021, 11:16 a.m.			0	0
IsDebuggerPresent July 20, 2021, 11:16 a.m.			0	0
IsDebuggerPresent July 20, 2021, 11:16 a.m.			0	0
IsDebuggerPresent July 20, 2021, 11:16 a.m.			0	0
IsDebuggerPresent July 20, 2021, 11:16 a.m.			0	0
IsDebuggerPresent July 20, 2021, 11:16 a.m.			0	0

Allocates read-write-execute memory (usually to unpack itself) (48 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d04000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73751000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b60000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ae1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72aa4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ae2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d04000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73751000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b60000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ae1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72aa4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ae2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cc4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73751000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b24000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b62000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d04000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73770000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ad1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a94000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ad2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 1852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d04000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 1852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 1852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73751000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 1852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b60000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 1852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ae1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 1852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72aa4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 1852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ae2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 1852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d04000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73770000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ad1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a94000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ad2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 11:16 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d71000 process_handle: 0xffffffff	1

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Lionic	Trojan.Win32.Agentb.4!c
MicroWorld-eScan	Trojan.GenericKD.46589140
CAT-QuickHeal	Trojan.Agentb
ALYac	Trojan.Agent.475016L
Zillya	Trojan.Agent.Win32.2282086
Alibaba	Trojan:Win32/NukeSped.8ad5b4a8
CrowdStrike	win/malicious_confidence_100% (W)
ESET-NOD32	Win32/NukeSped.KE
Kaspersky	HEUR:Trojan.Win32.Agentb.gen
BitDefender	Trojan.GenericKD.46589140
Avast	Win32:Malware-gen
Ad-Aware	Trojan.GenericKD.46589140
Emsisoft	Trojan.GenericKD.46589140 (B)
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_FRS.VSNTG521
McAfee-GW-Edition	RDN/Generic.dx
FireEye	Trojan.GenericKD.46589140
Avira	TR/NukeSped.eltin
MAX	malware (ai score=100)
Arcabit	Trojan.Generic.D2C6E4D4
GData	Trojan.GenericKD.46589140
AhnLab-V3	Trojan/Win.Lazardoor.R422302
McAfee	RDN/Generic.dx
Cylance	Unsafe
TrendMicro-HouseCall	TROJ_FRS.VSNTG521
Ikarus	Trojan.Win32.NukeSped
Fortinet	W32/FRS.VSNTG521!tr
AVG	Win32:Malware-gen
Panda	Trj/CI.A
Qihoo-360	Win32/Trojan.Agentb.HgkASX4A

ComparePlus.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All