Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 29, 2021, 6:30 p.m.	Oct. 29, 2021, 6:32 p.m.

Size	133.5KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`388c3456276b8e6e9fa8a827c4f37a76`
SHA256	`150db989523abcb3ea71fdc587015b6121a382ab0e01f5d1bd72a6164b323bcb`
CRC32	`57BD144B`
ssdeep	`3072:bXCWDCvw5bQ0zvSSOap/I9ypqtbspoEXtc+pk32ONPESAJvSkYA9:jCWDCviQk3BTsbsp83sSAlSM`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature BazarLoader_IN - BazarLoader IsDLL - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,ClearNode
2300
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,ClearNode
  3044
  - cmd.exe cmd /c ping 127.0.0.1 -n 10 -w 1000 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", ClearNode wdtbkqfe koorgsfd & exit
    2788
    - PING.EXE ping 127.0.0.1 -n 10 -w 1000
      2728
    - rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", ClearNode wdtbkqfe koorgsfd
      2672
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,ddsdfwe
2564
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,ddsdfwe
  2712
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,htrhrr
2164
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,htrhrr
  2748
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,cxzasada
2496
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,cxzasada
  2400
  - cmd.exe cmd /c ping 192.0.2.17 -n 10 -i 28 -4 -w 1000 & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", cxzasada wdtbkqfe koorgsfd & exit
    1856
    - PING.EXE ping 192.0.2.17 -n 10 -i 28 -4 -w 1000
      1172
    - rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", cxzasada wdtbkqfe koorgsfd
      264
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,nvqqws
292
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,nvqqws
  2548
  - cmd.exe cmd /c ping 192.0.2.8 -n 6 -w 1000 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", nvqqws wdtbkqfe koorgsfd & exit
    1140
    - PING.EXE ping 192.0.2.8 -n 6 -w 1000
      1540
    - rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", nvqqws wdtbkqfe koorgsfd
      2848
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,pogfhgf
3060
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,pogfhgf
  2736
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\temp.dll,
204

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 29, 2021, 6:24 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 29, 2021, 6:23 p.m.	process_identifier: 3044 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:23 p.m.	process_identifier: 2712 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000680000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:23 p.m.	process_identifier: 2400 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:24 p.m.	process_identifier: 2548 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:23 p.m.	process_identifier: 2748 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:23 p.m.	process_identifier: 2736 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:25 p.m.	process_identifier: 264 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 478 seconds, actually delayed analysis time by 478 seconds

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001ba00', u'virtual_address': u'0x00006000', u'entropy': 7.734400970796314, u'name': u'.rdata', u'virtual_size': u'0x0001b91c'}

entropy

7.7344009708

description

A section with a high entropy has been found

entropy

0.833962264151

description

Overall entropy of this PE file is high

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	ping 192.0.2.8 -n 6 -w 1000
cmdline	cmd /c ping 192.0.2.17 -n 10 -i 28 -4 -w 1000 & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", cxzasada wdtbkqfe koorgsfd & exit
cmdline	cmd /c ping 192.0.2.8 -n 6 -w 1000 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", nvqqws wdtbkqfe koorgsfd & exit
cmdline	ping 192.0.2.17 -n 10 -i 28 -4 -w 1000
cmdline	cmd /c ping 127.0.0.1 -n 10 -w 1000 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\temp.dll", ClearNode wdtbkqfe koorgsfd & exit
cmdline	ping 127.0.0.1 -n 10 -w 1000

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Lionic	Trojan.Multi.GenericML.4!c
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (W)
Symantec	Trojan.Gen.2
Kaspersky	UDS:Trojan.Multi.GenericML.xnet
APEX	Malicious
TrendMicro	TrojanSpy.Win64.BAZARLOADER.YXBJ3Z
McAfee-GW-Edition	BehavesLike.Win64.BadFile.cc
FireEye	Generic.mg.388c3456276b8e6e
Microsoft	Trojan:Win64/BazarLoader.MZK!MTB
Cynet	Malicious (score: 100)
McAfee	Artemis!388C3456276B
Avast	Win64:MalwareX-gen [Trj]
Fortinet	W64/Kryptik.CQV!tr
AVG	Win64:MalwareX-gen [Trj]
MaxSecure	Trojan.Malware.300983.susgen

Generates some ICMP traffic

temp.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All