popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

EsgywXXsyQdTMJtFh

Emotet Gen1 Malicious Library UPX Malicious Packer PE File OS Processor Check PE32 DLL
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 March 15, 2022, 9:32 a.m. March 15, 2022, 9:36 a.m.
Size 996.0KB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 deda6d1032d48e93378756d7b9382883
SHA256 db92b2510a361764ae6b65238fe5498cb4a3e0b436411065d1a01d6d5cb9ac66
CRC32 50C1FB34
ssdeep 12288:x5Vo9Kjtm2aVFyuI7/URXPDMS57jcjdk1IWGJUThK6zJiwdkCuKeTO7FPWEF:xkZVFyRs/DVtg6iWeUNKukwruKGGPWE
Yara
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen
  • Malicious_Library_Zero - Malicious_Library
  • IsDLL - (no description)
  • UPX_Zero - UPX packed file
  • IsPE32 - (no description)
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet
  • Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
139.196.72.155 Active Moloch
159.69.237.188 Active Moloch
168.119.39.118 Active Moloch
186.250.48.5 Active Moloch
194.9.172.107 Active Moloch
207.148.81.119 Active Moloch
51.75.33.122 Active Moloch
78.47.204.80 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
resource name TEXT
resource name WAVE
resource name ТТОЛЛГШЩ
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d1e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73af1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e51000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2780
region_size: 143360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00880000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73a11000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73981000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73494000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73a12000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x746d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x742e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76941000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75291000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x750c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76451000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73dc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ab1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d1e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73af1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e51000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 143360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008b0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73a11000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73981000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73494000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73a12000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x746d1000
process_handle: 0xffffffff
1 0 0
Kaspersky VHO:Trojan-Banker.Win32.Emotet.gen
Antiy-AVL Trojan/Generic.ASCommon.21F
Microsoft Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm VHO:Trojan-Banker.Win32.Emotet.gen
Rising Trojan.Emotet!8.B95 (C64:YzY0OtXzuj+YLOXT)
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 139264
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x0003c400', u'virtual_address': u'0x000b1000', u'entropy': 7.6443759108210445, u'name': u'.rsrc', u'virtual_size': u'0x0003c370'} entropy 7.64437591082 description A section with a high entropy has been found
entropy 0.242211055276 description Overall entropy of this PE file is high
process rundll32.exe
host 139.196.72.155
host 159.69.237.188
host 168.119.39.118
host 186.250.48.5
host 194.9.172.107
host 207.148.81.119
host 51.75.33.122
host 78.47.204.80
dead_host 186.250.48.5:80
dead_host 168.119.39.118:443
dead_host 192.168.56.101:49175
dead_host 159.69.237.188:443
dead_host 207.148.81.119:8080
dead_host 78.47.204.80:443
dead_host 194.9.172.107:8080
dead_host 51.75.33.122:443