Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 29, 2021, 10:49 a.m.	July 29, 2021, 10:53 a.m.

Size	46.5KB
Type	PE32+ executable (DLL) (native) x86-64, for MS Windows
MD5	`781e6ea7ced126bc27d7a206f5651651`
SHA256	`953be80db4fb9341f303c21684058a028dd1db599780e61faaa91328258a62d7`
CRC32	`C695A768`
ssdeep	`384:DTuTzIJy6yfg6uW84HOAczjJNTYTcFHYFq8Rx+Y42b85ULlIFxoVmf1jHWfxYwJU:DyoPQuAmTsTcmPRf42I5UJwQmf1qCzp`
Yara	IsPE64 - (no description) IsDLL - (no description) PE_Header_Zero - PE File Signature

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44389.jpg.dll,DllGetClassObject
2064
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44389.jpg.dll,DllGetClassObject
  2408
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44389.jpg.dll,DllRegisterServer
2168
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44389.jpg.dll,DllRegisterServer
  2456
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44389.jpg.dll,PluginInit
2260
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44389.jpg.dll,PluginInit
  2480
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44389.jpg.dll,
2356

Name	Response	Post-Analysis Lookup
toloutsicnow.top	A 54.197.173.238	54.197.173.238
aws.amazon.com	CNAME tp.8e49140c2-frontier.amazon.com CNAME dr49lng3n1n2s.cloudfront.net A 54.192.63.70 A 54.230.166.70	54.192.63.70

IP Address	Status	Action
164.124.101.2	Active	Moloch
54.192.63.70	Active	Moloch
54.197.173.238	Active	Moloch
54.230.166.70	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49168 -> 54.230.166.70:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:58318 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49169 -> 54.192.63.70:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49170 -> 54.192.63.70:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49172 -> 54.197.173.238:80	2032086	ET MALWARE W32/Photoloader.Downloader Request Cookie	A Network Trojan was detected
TCP 192.168.56.102:49172 -> 54.197.173.238:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.102:49173 -> 54.197.173.238:80	2032086	ET MALWARE W32/Photoloader.Downloader Request Cookie	A Network Trojan was detected
UDP 192.168.56.102:62824 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49171 -> 54.197.173.238:80	2032086	ET MALWARE W32/Photoloader.Downloader Request Cookie	A Network Trojan was detected
TCP 192.168.56.102:49176 -> 54.197.173.238:80	2032086	ET MALWARE W32/Photoloader.Downloader Request Cookie	A Network Trojan was detected
TCP 192.168.56.102:49174 -> 54.197.173.238:80	2032086	ET MALWARE W32/Photoloader.Downloader Request Cookie	A Network Trojan was detected
TCP 192.168.56.102:49175 -> 54.197.173.238:80	2032086	ET MALWARE W32/Photoloader.Downloader Request Cookie	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49168 54.230.166.70:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=aws.amazon.com	f7:53:97:5e:76:1e:fb:f6:70:72:02:95:d5:9f:2f:05:52:79:5d:ae
TLSv1 192.168.56.102:49169 54.192.63.70:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=aws.amazon.com	f7:53:97:5e:76:1e:fb:f6:70:72:02:95:d5:9f:2f:05:52:79:5d:ae
TLSv1 192.168.56.102:49170 54.192.63.70:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=aws.amazon.com	f7:53:97:5e:76:1e:fb:f6:70:72:02:95:d5:9f:2f:05:52:79:5d:ae

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 29, 2021, 10:49 a.m.			0	0
IsDebuggerPresent July 29, 2021, 10:49 a.m.			0	0
IsDebuggerPresent July 29, 2021, 10:49 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 29, 2021, 10:49 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.tdata

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://toloutsicnow.top/
suspicious_features	GET method with no useragent header				suspicious_request	GET https://aws.amazon.com/

Performs some HTTP requests (2 events)

request	GET http://toloutsicnow.top/
request	GET https://aws.amazon.com/

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

toloutsicnow.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 29, 2021, 10:49 a.m.	process_identifier: 2408 region_size: 405504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 29, 2021, 10:49 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa6b7000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 29, 2021, 10:49 a.m.	process_identifier: 2456 region_size: 405504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 29, 2021, 10:49 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa6b7000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 29, 2021, 10:49 a.m.	process_identifier: 2480 region_size: 405504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 29, 2021, 10:49 a.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa6b7000 process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 534 seconds, actually delayed analysis time by 534 seconds

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Lionic	Trojan.Win32.Flat.4!c
MicroWorld-eScan	Trojan.Agent.FLAT
Qihoo-360	Win64/Heur.Generic.H8gA3wcA
ALYac	Trojan.Agent.FLAT
Sangfor	Trojan.Win32.Agent.FLAT
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.Agent.FLAT
ESET-NOD32	Win64/TrojanDownloader.IcedId.D
Paloalto	generic.ml
Avast	Win64:Trojan-gen
Ad-Aware	Trojan.Agent.FLAT
Emsisoft	Trojan.Agent.FLAT (B)
TrendMicro	TROJ_FRS.VSNW1CG21
McAfee-GW-Edition	Artemis!Trojan
FireEye	Trojan.Agent.FLAT
Ikarus	Trojan-Downloader.Win32.Icedid
GData	Trojan.Agent.FLAT
Webroot	W32.Malware.Gen
Microsoft	Trojan:Win32/Wacatac.B!ml
McAfee	Artemis!781E6EA7CED1
MAX	malware (ai score=81)
TrendMicro-HouseCall	TROJ_FRS.VSNW1CG21
Fortinet	W64/IcedId.D!tr.dldr
AVG	Win64:Trojan-gen

44389.jpg

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All