popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

antiplane.png

Emotet Gen1 Malicious Library PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 28, 2021, 5:52 p.m. Oct. 28, 2021, 5:55 p.m.
Size 184.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 a27e5c0561e2699272e85de4480265e7
SHA256 5b4958ffe28cc0b283a10cd7e86a6867edf348e3f550a6a3a7c56182b1e8bf3c
CRC32 6588D4D2
ssdeep 3072:FgfHqFZ8uslzzc8gHcJoTuHNjcEFiO8bKfg+SjvXJXmYxoLmMJhKI:FgfHcZ8C8aiN4EsOhghXJXnxoyo
Yara
  • Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

packer Armadillo v1.71
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
FindFirstUrlCacheEntryA+0x7dd1 InternetGetCertByURL-0x4861 wininet+0x29202 @ 0x767e9202
DeleteWpadCacheForNetworks+0x14bd PrivacySetZonePreferenceW-0x990 wininet+0xadc05 @ 0x7686dc05
DeleteWpadCacheForNetworks+0x1623 PrivacySetZonePreferenceW-0x82a wininet+0xadd6b @ 0x7686dd6b
RetrieveUrlCacheEntryFileA+0xe607 InternetAutodialCallback-0x1648a wininet+0x74121 @ 0x76834121
RetrieveUrlCacheEntryFileA+0xf4ef InternetAutodialCallback-0x155a2 wininet+0x75009 @ 0x76835009
FindFirstUrlCacheEntryA+0x7d02 InternetGetCertByURL-0x4930 wininet+0x29133 @ 0x767e9133
FindFirstUrlCacheEntryA+0x4d0f InternetGetCertByURL-0x7923 wininet+0x26140 @ 0x767e6140
FindFirstUrlCacheEntryA+0x4c70 InternetGetCertByURL-0x79c2 wininet+0x260a1 @ 0x767e60a1
FindFirstUrlCacheEntryA+0x6e58 InternetGetCertByURL-0x57da wininet+0x28289 @ 0x767e8289
InternetOpenUrlA+0x1d13 InternetCrackUrlW-0x3180 wininet+0x2fed9 @ 0x767efed9
New_wininet_InternetOpenA@20+0x4f New_wininet_InternetOpenUrlA@24-0x14e @ 0x74279f5d
InternetOpenW+0xe3 InternetSetStatusCallback-0x131 wininet+0x3c679 @ 0x767fc679
New_wininet_InternetOpenW@20+0x11e New_wininet_InternetQueryOptionA@16-0x7f @ 0x7427a55f
antiplane+0x41ac @ 0x1f441ac
antiplane+0x491a @ 0x1f4491a
antiplane+0x46e2 @ 0x1f446e2
antiplane+0x57ec @ 0x1f457ec
0x1e1102b
0x1e12791
0x5903c9

exception.instruction_r: f0 0f c1 01 40 c2 04 00 8d 49 00 8b 4c 24 04 b8
exception.symbol: GetConsoleMode+0x61 InterlockedDecrement-0x67 kernel32+0x11389
exception.instruction: xadd dword ptr [ecx], eax
exception.module: kernel32.dll
exception.exception_code: 0xc0000005
exception.offset: 70537
exception.address: 0x76371389
registers.esp: 1633232
registers.edi: 1987871596
registers.eax: 1
registers.ebp: 1633244
registers.edx: 2276
registers.ebx: 1987871596
registers.esi: 0
registers.ecx: 4
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2272
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00590000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 20480
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f41000
process_handle: 0xffffffff
1 0 0
name RT_ICON language LANG_ENGLISH filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_ENGLISH_AUS offset 0x00025d38 size 0x00000128
name RT_ICON language LANG_ENGLISH filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_ENGLISH_AUS offset 0x00025d38 size 0x00000128
name RT_GROUP_ICON language LANG_ENGLISH filetype data sublanguage SUBLANG_ENGLISH_AUS offset 0x00025e60 size 0x00000022
section {u'size_of_data': u'0x00009000', u'virtual_address': u'0x00019000', u'entropy': 7.624419362289277, u'name': u'.data', u'virtual_size': u'0x0000be08'} entropy 7.62441936229 description A section with a high entropy has been found