Summary | ZeroBOX

4913.dll

Generic Malware UPX Malicious Packer PE64 PE File DLL
Category FILE
Machine s1_win7_x6403_us
Started Aug. 5, 2021, 10:41 a.m.
Completed Aug. 5, 2021, 10:44 a.m.
Size 1.2MB
Type PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
MD5 c00e0917372861f279731776738ce2f3
SHA256 cf1043d00d87887f92a59e86296d1b7acaf37ccb33e9d2ce1f3c40d669de8ed5
CRC32 D06C580D
ssdeep 12288:FPddKVO4kguV+5j5HJl05TKD58s6WwbWZS+QhLQXoiah6dCaBSPZC1XZIa0c:Jddbr0HJll58cKhcoh6IyXONc
Yara
  • IsPE64 - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • IsDLL - (no description)
  • UPX_Zero - UPX packed file

DNS (Name / Response / Post-Analysis Lookup): No hosts contacted.
IP Address 164.124.101.2
Status Active
Action Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x777a0895
stacktrace+0x84 memdup-0x1af @ 0x746b0470
hook_in_monitor+0x45 lde-0x133 @ 0x746a42ea
New_kernel32_CreateThread+0x29 New_kernel32_CreateToolhelp32Snapshot-0x136 @ 0x746ba013
_beginthread+0xab _vcprintf_l-0x12e5 msvcrt+0x4c4db @ 0x7feff97c4db
DllRegisterServer+0xc40 _cgo_dummy_export-0x10d430 4913+0x70710 @ 0x7fef2600710
DllRegisterServer-0xf212 4913+0x608be @ 0x7fef25f08be
DllRegisterServer+0x70c9 _cgo_dummy_export-0x106fa7 4913+0x76b99 @ 0x7fef2606b99
DllRegisterServer+0x5ea2 _cgo_dummy_export-0x1081ce 4913+0x75972 @ 0x7fef2605972
DllRegisterServer-0x6e80f 4913+0x12c1 @ 0x7fef25912c1
TpAllocTimer+0xb08 RtlInitializeCriticalSectionEx-0x318 ntdll+0x3b0d8 @ 0x7778b0d8
RtlCreateUnicodeStringFromAsciiz+0xea LdrLoadDll-0x246 ntdll+0x2784a @ 0x7777784a
LdrLoadDll+0x9e RtlOpenCurrentUser-0x442 ntdll+0x27b2e @ 0x77777b2e
New_ntdll_LdrLoadDll+0xaf New_ntdll_LdrUnloadDll-0xd9 @ 0x746bf9f8
LoadLibraryExW+0x19c FreeSid-0xa4 kernelbase+0xa05c @ 0x7fefdc6a05c
rundll32+0x2b50 @ 0xffe12b50
rundll32+0x2e6a @ 0xffe12e6a
rundll32+0x3b7a @ 0xffe13b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x774e652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7777c521

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x777a0895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 844680
registers.rsi: 0
registers.r10: 141
registers.rbx: 0
registers.rsp: 849968
registers.r11: 1
registers.r8: 64
registers.r9: 1794000
registers.rdx: 846024
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 844360
registers.r13: 0
Status 1
Return 0
Repeated 0

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x777a0895
stacktrace+0x84 memdup-0x1af @ 0x746b0470
hook_in_monitor+0x45 lde-0x133 @ 0x746a42ea
New_kernel32_CreateThread+0x29 New_kernel32_CreateToolhelp32Snapshot-0x136 @ 0x746ba013
_beginthread+0xab _vcprintf_l-0x12e5 msvcrt+0x4c4db @ 0x7feff97c4db
DllRegisterServer+0xc40 _cgo_dummy_export-0x10d430 4913+0x70710 @ 0x7fef2600710
DllRegisterServer-0xf212 4913+0x608be @ 0x7fef25f08be
DllRegisterServer+0x70c9 _cgo_dummy_export-0x106fa7 4913+0x76b99 @ 0x7fef2606b99
DllRegisterServer+0x5ea2 _cgo_dummy_export-0x1081ce 4913+0x75972 @ 0x7fef2605972
DllRegisterServer-0x6e80f 4913+0x12c1 @ 0x7fef25912c1
TpAllocTimer+0xb08 RtlInitializeCriticalSectionEx-0x318 ntdll+0x3b0d8 @ 0x7778b0d8
RtlCreateUnicodeStringFromAsciiz+0xea LdrLoadDll-0x246 ntdll+0x2784a @ 0x7777784a
LdrLoadDll+0x9e RtlOpenCurrentUser-0x442 ntdll+0x27b2e @ 0x77777b2e
New_ntdll_LdrLoadDll+0xaf New_ntdll_LdrUnloadDll-0xd9 @ 0x746bf9f8
LoadLibraryExW+0x19c FreeSid-0xa4 kernelbase+0xa05c @ 0x7fefdc6a05c
rundll32+0x2b50 @ 0xffe12b50
rundll32+0x2e6a @ 0xffe12e6a
rundll32+0x3b7a @ 0xffe13b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x774e652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7777c521

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x777a0895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 2287096
registers.rsi: 0
registers.r10: 141
registers.rbx: 0
registers.rsp: 2292384
registers.r11: 1
registers.r8: 64
registers.r9: 1400784
registers.rdx: 2288440
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 2286776
registers.r13: 0
Status 1
Return 0
Repeated 0
section name .data, size_of_data 0x00043e00, virtual_address 0x00078000, virtual_size 0x00043ca0, entropy 7.651674556979823
description A section with a high entropy has been found
entropy 0.217897271268 description Overall entropy of this PE file is high
Paloalto generic.ml
Kaspersky UDS:Trojan.Win32.Cobalt
McAfee-GW-Edition Artemis!Trojan
Sophos Mal/Generic-R
Webroot W32.Trojan.Gen
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Backdoor:Win64/Vigorf.A
ZoneAlarm UDS:DangerousObject.Multi.Generic
Cynet Malicious (score: 100)
McAfee Artemis!C00E09173728
Malwarebytes Malware.AI.1075202543