Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 1, 2021, 10:25 a.m.	Nov. 1, 2021, 10:57 a.m.

Size	290.5KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`f27bb2f94b96d532e6ba900cab2527fd`
SHA256	`bfbc1c27a73c33e375eeea164dc876c23bca1fbc0051bb48d3ed3e50df6fa0e8`
CRC32	`23CFE491`
ssdeep	`6144:2xUQ2UKZQGbM6Pum96gGco3ZQ++r2Ce/CUE:A2UKZQeM6PzogGcopQ++yV6UE`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature IsDLL - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat3.dll,DllMain
2396
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat3.dll,DllMain
  2988
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat3.dll,DllRegisterServer
2608
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat3.dll,DllRegisterServer
  2232
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat3.dll,DllGetClassObject
2340
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat3.dll,DllGetClassObject
  1896
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat3.dll,DllUnregisterServer
2220
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat3.dll,DllUnregisterServer
  2452
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat3.dll,StartW
2128
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat3.dll,StartW
  2560
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\oldmystat3.dll,
2992

Name	Response	Post-Analysis Lookup
oldmystat.com

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 1, 2021, 10:25 a.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 10:25 a.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 10:25 a.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 10:25 a.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 10:25 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 1, 2021, 10:25 a.m.	stacktrace: 0x1ce0030 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c exception.instruction_r: ac 3c 61 7c 02 2c 20 41 c1 c9 0d 41 01 c1 e2 ed exception.instruction: lodsb al, byte ptr [rsi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1ce0030 registers.r14: 1453503984 registers.r15: 0 registers.rcx: 110 registers.rsi: 110 registers.r10: 0 registers.rbx: 30278137 registers.rsp: 33880632 registers.r11: 514 registers.r8: 8791747600644 registers.r9: 0 registers.rdx: 2001282656 registers.r12: 0 registers.rbp: 30277642 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 2232 region_size: 585728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1896 region_size: 585728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 2452 region_size: 585728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 2988 region_size: 585728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 2560 region_size: 585728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000001ce0000 process_handle: 0xffffffffffffffff	1	0	0

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Lionic	Trojan.Win32.Encoder.j!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.47278627
FireEye	Generic.mg.f27bb2f94b96d532
ALYac	Trojan.GenericKD.47278627
Cylance	Unsafe
Sangfor	Trojan.Win64.Ogneglazka.hr
K7AntiVirus	Trojan ( 0058996c1 )
K7GW	Trojan ( 0058996c1 )
CrowdStrike	win/malicious_confidence_90% (W)
Symantec	Trojan.Gen.2
ESET-NOD32	Win64/CobaltStrike.Artifact.A
Paloalto	generic.ml
Kaspersky	Trojan.Win64.Ogneglazka.hr
BitDefender	Trojan.GenericKD.47278627
Avast	Win64:BankerX-gen [Trj]
Ad-Aware	Trojan.GenericKD.37906606
Emsisoft	Trojan.GenericKD.47278627 (B)
TrendMicro	Trojan.Win64.BAZARLOADER.SMYXBIMZ
McAfee-GW-Edition	RDN/PWS-Banker
Sophos	Mal/Generic-S
Ikarus	Trojan.Win64.Krypt
Avira	TR/Crypt.Agent.fhjjb
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	Trojan.Win64.Ogneglazka.hr
GData	Trojan.GenericKD.47278627
Cynet	Malicious (score: 99)
McAfee	RDN/PWS-Banker
MAX	malware (ai score=88)
Malwarebytes	Trojan.CobaltStrike
Yandex	Trojan.GenAsa!5MwrDO7BOgQ
Fortinet	W64/GenKryptik.FKYP!tr
Webroot	W32.Trojan.Gen
AVG	Win64:BankerX-gen [Trj]
Panda	Trj/CI.A

oldmystat3.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All