Summary | ZeroBOX

Tags: Emotet, Malicious Library, UPX, PE File, DLL, OS Processor Check, PE32
Category   FILE
Machine    s1_win7_x6401
Started    Nov. 17, 2021, 8 a.m.
Completed  Nov. 17, 2021, 8:11 a.m.
Size 252.5KB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 3496897bb3865e4a5b95ea6c1856183c
SHA256 44489ad8d29acf07fd8e3285a43f88f949298b77b0e0f24ac3c6da11bd9d86cc
CRC32 C58D76E4
ssdeep 3072:PtgItJoMl9eJ02kGuBDhk3VsbwVBQdP6ZkiaoZa74jZUUzdDIm6O80MTcdfokHJu:OHK9eSBFA+bwVB35tMTc5ocEFWTBqz
Yara
  • Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • Win32_Trojan_Emotet_RL_1_Zero - Win32 Trojan Emotet
  • IsDLL - (no description)
  • Win32_Trojan_Emotet_RL_2_Zero - Win32 Trojan Emotet
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

DNS (Name / Response / Post-Analysis Lookup)
No hosts contacted.

Contacted IPs (IP Address / Status / Action)
103.75.201.2 Active Moloch
103.8.26.102 Active Moloch
103.8.26.103 Active Moloch
104.251.214.46 Active Moloch
138.185.72.26 Active Moloch
178.79.147.66 Active Moloch
185.184.25.237 Active Moloch
188.93.125.116 Active Moloch
195.154.133.20 Active Moloch
207.38.84.195 Active Moloch
210.57.217.132 Active Moloch
212.237.5.209 Active Moloch
45.118.135.203 Active Moloch
45.142.114.231 Active Moloch
45.76.176.10 Active Moloch
51.68.175.8 Active Moloch
58.227.42.236 Active Moloch
66.42.55.5 Active Moloch
81.0.236.93 Active Moloch
94.177.248.64 Active Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.101:49166 -> 94.177.248.64:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 94.177.248.64:443 -> 192.168.56.101:49167 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 210.57.217.132:8080 -> 192.168.56.101:49203 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 66.42.55.5:7080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 66.42.55.5:7080 -> 192.168.56.101:49171 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 185.184.25.237:8080 -> 192.168.56.101:49220 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 103.8.26.102:8080 -> 192.168.56.101:49226 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49178 -> 185.184.25.237:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49228 -> 178.79.147.66:8080 | 2404307 | ET CNC Feodo Tracker Reported CnC Server group 8 | A Network Trojan was detected
TCP 185.184.25.237:8080 -> 192.168.56.101:49179 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49181 -> 45.76.176.10:8080 | 2404316 | ET CNC Feodo Tracker Reported CnC Server group 17 | A Network Trojan was detected
TCP 192.168.56.101:49184 -> 103.8.26.102:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49194 -> 207.38.84.195:8080 | 2404312 | ET CNC Feodo Tracker Reported CnC Server group 13 | A Network Trojan was detected
TCP 51.68.175.8:8080 -> 192.168.56.101:49199 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.184.25.237:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49201 -> 210.57.217.132:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49218 -> 185.184.25.237:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49183 -> 103.8.26.102:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49219 -> 185.184.25.237:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 103.8.26.102:8080 -> 192.168.56.101:49185 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49225 -> 103.8.26.102:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49202 -> 210.57.217.132:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49207 -> 94.177.248.64:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 66.42.55.5:7080 -> 192.168.56.101:49212 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49224 -> 103.8.26.102:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49174 -> 103.8.26.103:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49210 -> 66.42.55.5:7080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49211 -> 66.42.55.5:7080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49214 -> 103.8.26.103:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49215 -> 103.8.26.103:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49170 -> 66.42.55.5:7080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49173 -> 103.8.26.103:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 103.8.26.103:8080 -> 192.168.56.101:49175 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49206 -> 94.177.248.64:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 94.177.248.64:443 -> 192.168.56.101:49208 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 94.177.248.64:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 103.8.26.103:8080 -> 192.168.56.101:49216 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49197 -> 51.68.175.8:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49198 -> 51.68.175.8:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
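Added example (not part of the ZeroBOX report or its tooling): a small Python parser that turns alert rows like the ones above into IOCs. Its input is a subset of the table's rows and of the dead_host list further down, copied verbatim; the grouping of SIDs into "Feodo Tracker reputation hit", "JA3 fingerprint match" and "TLS handshake failure" is my classification, not Suricata's. The point it surfaces is already in the report: all three Feodo Tracker destinations also appear as dead_host entries, so those alerts fired on connection attempts that were never answered, while the JA3 alerts identify the peers that actually received a TLS ClientHello and are therefore the flows worth pulling from the pcap.

```python
import re
from collections import Counter, defaultdict

# Sandbox guest address from the report; every other endpoint is remote.
SANDBOX_HOST = "192.168.56.101"

# Alert rows copied from the report (a subset of the 39-row table).
# Each line reads "<proto> <src> -> <dst> <sid> <signature> <category>".
ALERTS = """\
TCP 192.168.56.101:49166 -> 94.177.248.64:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 94.177.248.64:443 -> 192.168.56.101:49167 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49228 -> 178.79.147.66:8080 2404307 ET CNC Feodo Tracker Reported CnC Server group 8 A Network Trojan was detected
TCP 192.168.56.101:49181 -> 45.76.176.10:8080 2404316 ET CNC Feodo Tracker Reported CnC Server group 17 A Network Trojan was detected
TCP 192.168.56.101:49194 -> 207.38.84.195:8080 2404312 ET CNC Feodo Tracker Reported CnC Server group 13 A Network Trojan was detected
TCP 192.168.56.101:49169 -> 66.42.55.5:7080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 66.42.55.5:7080 -> 192.168.56.101:49171 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49197 -> 51.68.175.8:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
"""

# dead_host rows copied from the report (subset): endpoints that never answered.
DEAD_HOSTS = """\
dead_host 45.76.176.10:8080
dead_host 207.38.84.195:8080
dead_host 178.79.147.66:8080
dead_host 192.168.56.101:49181
"""

ALERT_RE = re.compile(r"^(\w+) (\S+) -> (\S+) (\d+) (.*)$")

# Assumed classification (mine, not Suricata's): Feodo Tracker rules match on
# destination IP reputation, the JA3 rule means a ClientHello with a known-bad
# fingerprint was actually sent, and ET INFO handshake failures are informational.
SID_CLASS = {
    2028401: "ja3_fingerprint",
    2029340: "tls_handshake_failure",
}

def classify(sid, text):
    if sid in SID_CLASS:
        return SID_CLASS[sid]
    if text.startswith("ET CNC Feodo Tracker"):
        return "feodo_c2"
    return "other"

def parse_alerts(text):
    rows = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        proto, src, dst, sid, rest = m.groups()
        # Normalise direction: the remote side is whichever end is not the guest.
        remote = dst if src.startswith(SANDBOX_HOST + ":") else src
        rows.append({"proto": proto, "src": src, "dst": dst, "sid": int(sid),
                     "remote": remote, "class": classify(int(sid), rest), "text": rest})
    return rows

def parse_dead_hosts(text):
    return {line.split()[1] for line in text.splitlines() if line.startswith("dead_host ")}

def extract_iocs(alert_text, dead_text):
    rows = parse_alerts(alert_text)
    dead = parse_dead_hosts(dead_text)
    by_class = defaultdict(set)
    for r in rows:
        by_class[r["class"]].add(r["remote"])
    return {
        "counts": Counter(r["sid"] for r in rows),
        # Reputation hits whose destination never answered: the IOC is still
        # valid, but no bytes were exchanged, so there is no payload to recover.
        "c2_unanswered": sorted(by_class["feodo_c2"] & dead),
        "c2_answered": sorted(by_class["feodo_c2"] - dead),
        # Peers that received a ClientHello carrying the flagged JA3 hash.
        "ja3_peers": sorted(by_class["ja3_fingerprint"]),
    }

if __name__ == "__main__":
    for key, value in extract_iocs(ALERTS, DEAD_HOSTS).items():
        print(key, value)
```

Run on the full table the same split holds: every 2404xxx destination is in the dead_host list, and the JA3 peers are exactly the six addresses listed as "ip" marks below plus 94.177.248.64:443.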

Suricata TLS

No Suricata TLS

Time & API | Arguments | Status | Return | Repeated

GetComputerNameA

computer_name: TEST22-PC
status: 1  return: 1  repeated: 0
Time & API | Arguments | Status | Return | Repeated

IsDebuggerPresent

0 0
ip 103.8.26.102
ip 103.8.26.103
ip 185.184.25.237
ip 210.57.217.132
ip 51.68.175.8
ip 66.42.55.5
Time & API | Arguments | Status | Return | Repeated

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e24000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 2772
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d80000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c91000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c01000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bc4000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c92000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x746d1000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x742e1000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76941000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75291000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x750c1000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76451000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e81000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e41000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0
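Added example (not the sandbox's own signature code): decoding the numeric protection and allocation_type fields logged above and separating the 160 KB PAGE_EXECUTE_READWRITE allocation at 0x10000000 (a fresh W+X region, the natural place to dump an unpacked payload from) from the one-page NtProtectVirtualMemory changes (existing mapped code flipped to W+X, which reads as in-place patching rather than a payload copy). The record list embeds the first two calls from the log for pid 2772 plus one constructed benign PAGE_READWRITE allocation for contrast; the flag values are the standard winnt.h constants, and heap_dep_bypass is carried through as the sandbox's own marker without reinterpretation.

```python
PAGE_SIZE = 0x1000

# Memory protection and allocation constants from winnt.h.
PAGE_FLAGS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE",
}
ALLOC_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x100000: "MEM_TOP_DOWN"}
WRITE_AND_EXEC = 0x40 | 0x80   # PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY

def decode_flags(value, table):
    """Render a bitmask as names, e.g. 12288 -> 'MEM_COMMIT|MEM_RESERVE'."""
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)

def is_wx(protection):
    return bool(protection & WRITE_AND_EXEC)

# Records in the shape the sandbox logs them. The first two are the calls from
# the log above (pid 2772); the third is a constructed, benign allocation.
CALLS = [
    {"api": "NtAllocateVirtualMemory", "process_identifier": 2772,
     "base_address": 0x10000000, "region_size": 163840, "protection": 64,
     "allocation_type": 12288, "heap_dep_bypass": 1},
    {"api": "NtProtectVirtualMemory", "process_identifier": 2772,
     "base_address": 0x73e24000, "length": 4096, "protection": 64,
     "heap_dep_bypass": 0},
    {"api": "NtAllocateVirtualMemory", "process_identifier": 2772,
     "base_address": 0x00300000, "region_size": 65536, "protection": 4,
     "allocation_type": 12288, "heap_dep_bypass": 0},
]

def triage_memory_ops(calls):
    """One finding per write+execute memory operation.

    kind == "wx_alloc": a new W+X region; dump it once the process has
                        written to it (typical unpack target).
    kind == "wx_patch": already-mapped pages flipped to W+X; a single page
                        outside any new region points at in-place code edits.
    """
    findings = []
    for c in calls:
        if not is_wx(c["protection"]):
            continue
        if c["api"] == "NtAllocateVirtualMemory":
            size, kind = c["region_size"], "wx_alloc"
        elif c["api"] == "NtProtectVirtualMemory":
            size, kind = c["length"], "wx_patch"
        else:
            continue
        findings.append({
            "kind": kind,
            "pid": c["process_identifier"],
            "base": c["base_address"],
            "end": c["base_address"] + size,
            "pages": (size + PAGE_SIZE - 1) // PAGE_SIZE,
            "protection": decode_flags(c["protection"], PAGE_FLAGS),
            "allocation": decode_flags(c.get("allocation_type", 0), ALLOC_FLAGS),
            "dep_bypass": bool(c.get("heap_dep_bypass")),
        })
    return findings

def dump_candidates(findings):
    """(base, size) pairs an analyst would read back out of the live process."""
    return [(f["base"], f["end"] - f["base"]) for f in findings if f["kind"] == "wx_alloc"]

if __name__ == "__main__":
    found = triage_memory_ops(CALLS)
    for f in found:
        print(f"{f['kind']:9} pid={f['pid']} {f['base']:#010x}-{f['end']:#010x} "
              f"pages={f['pages']} {f['protection']} {f['allocation']}")
    print("dump:", [(hex(b), s) for b, s in dump_candidates(found)])
```

0x10000000 is the default image base the MSVC linker assigns to DLLs, so a W+X region committed exactly there is worth treating as a mapped DLL image rather than a data buffer; the thirteen single-page protection changes that follow in the log all fall at distinct addresses in other modules' ranges, which is why the triage keeps them in a separate bucket.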
section .text: virtual_address 0x00001000, virtual_size 0x00032f04, size_of_data 0x00033000, entropy 7.491479171511666 | description: A section with a high entropy has been found
entropy 0.811133200795 (a 0..1 ratio: the share of section data sitting in high-entropy sections, not a bits-per-byte value) | description: Overall entropy of this PE file is high
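Added example (not the sandbox's own signature code): how the two entropy figures above are produced. The per-section value is Shannon entropy in bits per byte; the "overall" value is the fraction of section bytes that live in sections above a per-section threshold. The thresholds follow the Cuckoo community packer_entropy signature (6.8 per section, 0.2 overall), which is the assumption behind mapping this report's wording onto that rule. The .text numbers are the ones reported; the second section is constructed, with its size chosen so that the ratio reproduces the page's 0.811 and a made-up low entropy.

```python
import math
from collections import Counter

SECTION_HIGH = 6.8   # a section above this counts as compressed or encrypted
OVERALL_HIGH = 0.2   # fraction of section bytes in such sections

def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def section_record(name, blob):
    """Build a section entry from raw bytes (what a PE parser would hand over)."""
    return {"name": name, "size_of_data": len(blob), "entropy": shannon_entropy(blob)}

def packer_entropy(sections):
    """Weighted share of section data in high-entropy sections, plus the verdict."""
    total = sum(s["size_of_data"] for s in sections)
    high = [s for s in sections if s["entropy"] > SECTION_HIGH]
    ratio = sum(s["size_of_data"] for s in high) / total if total else 0.0
    return {"ratio": ratio, "high": ratio > OVERALL_HIGH,
            "high_sections": [s["name"] for s in high]}

# .text as reported above; the remainder is constructed so the totals match.
SECTIONS = [
    {"name": ".text", "size_of_data": 0x33000, "entropy": 7.491479171511666},
    {"name": "other", "size_of_data": 257536 - 0x33000, "entropy": 4.2},
]

if __name__ == "__main__":
    print(packer_entropy(SECTIONS))
    print(section_record(".demo", bytes(range(256)) * 4))
```

Entropy says only that the bytes are close to uniform; it does not separate compression from encryption, so on this sample it is the UPX Yara match, not the 7.49, that tells you which unpacker to reach for first.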
process rundll32.exe
host 103.75.201.2
host 103.8.26.102
host 103.8.26.103
host 104.251.214.46
host 138.185.72.26
host 178.79.147.66
host 185.184.25.237
host 188.93.125.116
host 195.154.133.20
host 207.38.84.195
host 210.57.217.132
host 212.237.5.209
host 45.118.135.203
host 45.142.114.231
host 45.76.176.10
host 51.68.175.8
host 58.227.42.236
host 66.42.55.5
host 81.0.236.93
host 94.177.248.64
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
FireEye Generic.mg.3496897bb3865e4a
CrowdStrike win/malicious_confidence_60% (W)
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/GenKryptik.FNOE
APEX Malicious
Kaspersky VHO:Trojan-Banker.Win32.Emotet.ghbn
SentinelOne Static AI - Malicious PE
Cynet Malicious (score: 100)
eGambit Unsafe.AI_Score_92%
MaxSecure Trojan.Malware.300983.susgen
dead_host 192.168.56.101:49181
dead_host 192.168.56.101:49191
dead_host 192.168.56.101:49188
dead_host 192.168.56.101:49222
dead_host 192.168.56.101:49231
dead_host 192.168.56.101:49196
dead_host 45.76.176.10:8080
dead_host 195.154.133.20:443
dead_host 192.168.56.101:49223
dead_host 192.168.56.101:49193
dead_host 103.75.201.2:443
dead_host 138.185.72.26:8080
dead_host 104.251.214.46:8080
dead_host 192.168.56.101:49228
dead_host 58.227.42.236:80
dead_host 207.38.84.195:8080
dead_host 188.93.125.116:8080
dead_host 45.118.135.203:7080
dead_host 192.168.56.101:49194
dead_host 192.168.56.101:49189
dead_host 81.0.236.93:443
dead_host 192.168.56.101:49229
dead_host 45.142.114.231:8080
dead_host 178.79.147.66:8080
dead_host 192.168.56.101:49182
dead_host 192.168.56.101:49195
dead_host 192.168.56.101:49190
dead_host 192.168.56.101:49230
dead_host 192.168.56.101:49232
dead_host 192.168.56.101:49187
dead_host 212.237.5.209:443