Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

76.exe

Emotet Gen1 UPX Malicious Library PE64 PE File OS Processor Check PE32 DLL

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 20, 2021, 9:32 a.m.	Sept. 20, 2021, 9:45 a.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`cbf7ac18207051de82560b4621f7905f`
SHA256	`76e1b3f87e3d6e8441bf266024881f0b6631214880e03e8c654e1ae1ea85433f`
CRC32	`938F6209`
ssdeep	`49152:j9/Kxz5eM8JvooqXrFzYA8hVU2AGm63yjpGIcLJjmjGpfxe:Z/m5eMOooqhomhjrcL7E`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

76.exe "C:\Users\test22\AppData\Local\Temp\76.exe"
2480
- 76.tmp "C:\Users\test22\AppData\Local\Temp\is-JS0OI.tmp\76.tmp" /SL5="$5037C,1570064,56832,C:\Users\test22\AppData\Local\Temp\76.exe"
  1660
  - 76.exe "C:\Users\test22\AppData\Local\Temp\76.exe" /SILENT
    572
    - 76.tmp "C:\Users\test22\AppData\Local\Temp\is-A2PU7.tmp\76.tmp" /SL5="$7037C,1570064,56832,C:\Users\test22\AppData\Local\Temp\76.exe" /SILENT
      2344

Name	Response	Post-Analysis Lookup
fareits.com	A 104.21.27.75 A 172.67.169.14	172.67.169.14

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.169.14	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49171 -> 172.67.169.14:80	2022482	ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 20, 2021, 9:32 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:32 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 20, 2021, 9:32 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 20, 2021, 9:32 a.m.	stacktrace: 76+0x810b7 @ 0x4810b7 76+0x9921b @ 0x49921b BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedface exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 1637928 registers.edi: 4523216 registers.eax: 1637928 registers.ebp: 1638008 registers.edx: 0 registers.ebx: 0 registers.esi: 2 registers.ecx: 7	1	0	0

Performs some HTTP requests (2 events)

request	HEAD http://fareits.com/76.exe
request	GET http://fareits.com/76.exe

Allocates read-write-execute memory (usually to unpack itself) (12 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 20, 2021, 9:32 a.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 20, 2021, 9:32 a.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 20, 2021, 9:32 a.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 20, 2021, 9:32 a.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e52000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 20, 2021, 9:32 a.m.	process_identifier: 1660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 20, 2021, 9:32 a.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e52000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 20, 2021, 9:32 a.m.	process_identifier: 572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 20, 2021, 9:32 a.m.	process_identifier: 572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 20, 2021, 9:32 a.m.	process_identifier: 572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 20, 2021, 9:32 a.m.	process_identifier: 572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e22000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 20, 2021, 9:32 a.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 20, 2021, 9:32 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e22000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Temp\is-F1HFD.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-2GECC.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-F1HFD.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-2GECC.tmp\_isetup\_shfoldr.dll

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\is-F1HFD.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-JS0OI.tmp\76.tmp
file	C:\Users\test22\AppData\Local\Temp\is-F1HFD.tmp\idp.dll

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Avast	FileRepMalware
McAfee-GW-Edition	Artemis
Jiangmin	Trojan.Agentb.jtz
McAfee	Artemis!CBF7AC182070
AVG	FileRepMalware

Queries for potentially installed applications (2 events)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExA Sept. 20, 2021, 9:32 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\FarLabUninstaller.exe_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FarLabUninstaller.exe_is1		2	0
RegOpenKeyExA Sept. 20, 2021, 9:32 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\FarLabUninstaller.exe_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FarLabUninstaller.exe_is1		2	0

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-JS0OI.tmp\76.tmp