Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 3, 2022, 5:21 p.m.	March 3, 2022, 5:24 p.m.

Size	624.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`14c497524246f9c91d46942447d4dc9c`
SHA256	`dd77b40b9c6fb4ff049fabec3532c756c4803956ff94d1f58e52606b1d9e542b`
CRC32	`F18D03C1`
ssdeep	`12288:pao0Se86lloPxHHVVIjqxEqRVoQmiIII999tLLLdAkkJoFLZZWbClgluPcRBATft:AqxETMJ777u3OmONFqNJtN1v96TOAn92`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) IsDLL - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Zgye2.dll,DllRegisterServer
2424
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Zgye2.dll,DllUnregisterClass
2512
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Zgye2.dll,DllUnregisterServer
2604
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Zgye2.dll,
2696
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Zgye2.dll,DllRegisterClass
2332

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
104.215.84.159	Active	Moloch
103.75.201.2	Active	Moloch
107.182.225.142	Active	Moloch
119.235.255.201	Active	Moloch
131.100.24.231	Active	Moloch
139.180.205.161	Active	Moloch
159.8.59.82	Active	Moloch
195.154.253.60	Active	Moloch
207.38.84.195	Active	Moloch
209.126.98.206	Active	Moloch
209.15.236.39	Active	Moloch
212.237.56.116	Active	Moloch
217.182.143.207	Active	Moloch
50.116.54.215	Active	Moloch
51.254.140.238	Active	Moloch
81.0.236.90	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49170 -> 217.182.143.207:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 217.182.143.207:443 -> 192.168.56.103:49172	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49188 -> 207.38.84.195:8080	2404312	ET CNC Feodo Tracker Reported CnC Server group 13	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 217.182.143.207:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49188 -> 207.38.84.195:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 209.126.98.206:8080 -> 192.168.56.103:49176	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 131.100.24.231:80	2404303	ET CNC Feodo Tracker Reported CnC Server group 4	A Network Trojan was detected
TCP 192.168.56.103:49181 -> 131.100.24.231:80	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49180 -> 131.100.24.231:80	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49187 -> 207.38.84.195:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 207.38.84.195:8080 -> 192.168.56.103:49189	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 209.126.98.206:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49175 -> 209.126.98.206:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 131.100.24.231:80 -> 192.168.56.103:49182	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA March 3, 2022, 5:21 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 3, 2022, 5:21 p.m.			0	0
IsDebuggerPresent March 3, 2022, 5:21 p.m.			0	0
IsDebuggerPresent March 3, 2022, 5:21 p.m.			0	0
IsDebuggerPresent March 3, 2022, 5:21 p.m.			0	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

ЛЗЦЫЙШП

Allocates read-write-execute memory (usually to unpack itself) (27 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10040000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e91000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2424 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73df1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74271000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10040000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e91000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2512 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00860000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73df1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10040000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e91000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2604 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00850000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73df1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10040000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e91000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2332 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73df1000 process_handle: 0xffffffff	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW March 3, 2022, 5:21 p.m.	snapshot_handle: 0x0000015c process_name: conhost.exe process_identifier: 2260	1	1	0
Process32NextW March 3, 2022, 5:21 p.m.	snapshot_handle: 0x0000015c process_name: rundll32.exe process_identifier: 2424	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 3, 2022, 5:21 p.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 147456 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00361000 process_handle: 0xffffffff	1	0	0

Expresses interest in specific running processes (1 event)

process

rundll32.exe

Communicates with host for which no DNS query was performed (16 events)

host	104.215.84.159
host	103.75.201.2
host	107.182.225.142
host	119.235.255.201
host	131.100.24.231
host	139.180.205.161
host	159.8.59.82
host	195.154.253.60
host	207.38.84.195
host	209.126.98.206
host	209.15.236.39
host	212.237.56.116
host	217.182.143.207
host	50.116.54.215
host	51.254.140.238
host	81.0.236.90

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.14c497524246f9c9
ESET-NOD32	a variant of Win32/GenKryptik.FRMF
Kaspersky	VHO:Trojan-Banker.Win32.Convagent.gen
Avast	Win32:BotX-gen [Trj]
ZoneAlarm	VHO:Trojan-Banker.Win32.Convagent.gen
AhnLab-V3	Trojan/Win.Emotet.C4991478
Rising	Trojan.Mansabo!8.E80A (C64:YzY0OqH1I6GjhpCs)
Fortinet	W32/Emotet.C!tr
AVG	Win32:BotX-gen [Trj]

Generates some ICMP traffic

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (17 events)

dead_host	212.237.56.116:7080
dead_host	192.168.56.103:49192
dead_host	209.15.236.39:8080
dead_host	192.168.56.103:49185
dead_host	103.75.201.2:443
dead_host	50.116.54.215:443
dead_host	192.168.56.103:49184
dead_host	51.254.140.238:7080
dead_host	159.8.59.82:8080
dead_host	195.154.253.60:8080
dead_host	139.180.205.161:443
dead_host	192.168.56.103:49186
dead_host	119.235.255.201:8080
dead_host	192.168.56.103:49169
dead_host	192.168.56.103:49178
dead_host	81.0.236.90:443
dead_host	107.182.225.142:8080

Zgye2

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All