popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

downloaddocument.do

Emotet UPX Malicious Library Malicious Packer PE File DLL PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Aug. 1, 2021, 9:14 a.m. Aug. 1, 2021, 9:29 a.m.
Size 692.0KB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 c0e07efbb0dd361490426661fe992f6f
SHA256 7c9f494ed4397ccedb3d5c8a10235669a31ae7eb79423b6fa785d141cb6d183d
CRC32 432CEA60
ssdeep 6144:53v6kfEPxw1S5sEMeJJFoZbNFcI+rvezdKH5FYMkxsZSdTs8Xc5n4:5/BEP+Qy7eJJa2qKZFhkxsZSdw8Xc5n
Yara
  • Malicious_Packer_Zero - Malicious Packer
  • IsDLL - (no description)
  • UPX_Zero - UPX packed file
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
138.34.28.219 Active Moloch
164.124.101.2 Active Moloch
38.110.103.113 Active Moloch
80.15.2.105 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 80.15.2.105:443 -> 192.168.56.102:49166 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49166 -> 80.15.2.105:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.102:49165 -> 38.110.103.113:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.102:49164 -> 138.34.28.219:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 80.15.2.105:443 -> 192.168.56.102:49167 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 80.15.2.105:443 -> 192.168.56.102:49168 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 80.15.2.105:443 -> 192.168.56.102:49169 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49169 -> 80.15.2.105:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.102:49165
38.110.103.113:443 		C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-78:8A:20:10:C4:5A/emailAddress=support@ubnt.com C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-78:8A:20:10:C4:5A/emailAddress=support@ubnt.com f8:a6:1d:83:c7:74:cb:aa:74:13:1b:31:74:93:a5:b4:a4:1b:bd:c5
TLSv1
192.168.56.102:49164
138.34.28.219:443 		C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-F4:92:BF:D6:1C:49/emailAddress=support@ubnt.com C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-F4:92:BF:D6:1C:49/emailAddress=support@ubnt.com 0f:6c:9c:c8:a9:10:1e:c8:98:3f:01:df:32:ad:f1:7f:5d:d0:4c:54

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
packer Armadillo v1.xx - v2.xx
suspicious_features Connection to IP address suspicious_request GET https://138.34.28.219/rob116/TEST22-PC_W617601.E07BB07373A3BB3F491F304B3B719B93/5/file/
suspicious_features Connection to IP address suspicious_request GET https://138.34.28.219/cookiechecker?uri=/rob116/TEST22-PC_W617601.E07BB07373A3BB3F491F304B3B719B93/5/file/
suspicious_features Connection to IP address suspicious_request GET https://138.34.28.219/index.html
suspicious_features Connection to IP address suspicious_request GET https://138.34.28.219/login.cgi?uri=/index.html
suspicious_features Connection to IP address suspicious_request GET https://38.110.103.113/rob116/TEST22-PC_W617601.E07BB07373A3BB3F491F304B3B719B93/5/file/
request GET https://138.34.28.219/rob116/TEST22-PC_W617601.E07BB07373A3BB3F491F304B3B719B93/5/file/
request GET https://138.34.28.219/cookiechecker?uri=/rob116/TEST22-PC_W617601.E07BB07373A3BB3F491F304B3B719B93/5/file/
request GET https://138.34.28.219/index.html
request GET https://138.34.28.219/login.cgi?uri=/index.html
request GET https://38.110.103.113/rob116/TEST22-PC_W617601.E07BB07373A3BB3F491F304B3B719B93/5/file/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10011000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f50000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73db1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e62000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743a1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1560
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00590000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f21000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f01000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1560
region_size: 278528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1560
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00570000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1560
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10000000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 1560
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005d0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1560
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005d1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1560
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000390000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
description wermgr.exe tried to sleep 138 seconds, actually delayed analysis time by 138 seconds
cmdline C:\Windows\system32\cmd.exe
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 8192
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x01ea1000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtTerminateProcess

 status_code: 0x00000000
process_identifier: 2080
process_handle: 0x00000108
0 0

NtTerminateProcess

 status_code: 0x00000000
process_identifier: 2080
process_handle: 0x00000108
1 0 0
host 138.34.28.219
host 38.110.103.113
host 80.15.2.105
Cynet Malicious (score: 99)
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Trickpak.gen
Avast FileRepMetagen [Malware]
McAfee-GW-Edition Artemis!Trojan
APEX Malicious
Webroot W32.Malware.Gen
Avira TR/AD.Emotet.kphti
Kingsoft Win32.Troj.Undef.(kcloud)
ZoneAlarm HEUR:Trojan.Win32.Trickpak.gen
Microsoft Trojan:Win32/Wacatac.B!ml
McAfee Artemis!C0E07EFBB0DD
Fortinet Malicious_Behavior.SB
AVG FileRepMetagen [Malware]