popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

tGJconiBvy59a81

Emotet Gen1 Malicious Library UPX Malicious Packer PE File OS Processor Check PE32 DLL
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us March 15, 2022, 9:35 a.m. March 15, 2022, 9:45 a.m.
Size 996.0KB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 6197f590f96b12eb7e186f86dba2d98c
SHA256 799af1f0a4925bbee3ae88f89617125b2acb9ae275867d20677683a5ceba1c6a
CRC32 89DFC8AF
ssdeep 12288:x5Vo9Kjtm2aVFyuI7/URXPDMS57jcjdk1pWGJUThK6zJiwdkCuKeTO7FPWEF:xkZVFyRs/DVtg6vWeUNKukwruKGGPWE
Yara
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen
  • Malicious_Library_Zero - Malicious_Library
  • IsDLL - (no description)
  • UPX_Zero - UPX packed file
  • IsPE32 - (no description)
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet
  • Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
139.196.72.155 Active Moloch
159.69.237.188 Active Moloch
164.124.101.2 Active Moloch
168.119.39.118 Active Moloch
186.250.48.5 Active Moloch
194.9.172.107 Active Moloch
207.148.81.119 Active Moloch
45.71.195.104 Active Moloch
51.75.33.122 Active Moloch
78.47.204.80 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
resource name TEXT
resource name WAVE
resource name ТТОЛЛГШЩ
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73dbe000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73b91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ef1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2524
region_size: 143360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00470000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73dbe000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73b91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ef1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2436
region_size: 143360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00380000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74bc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74fd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75981000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73b81000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73b41000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x00000170
process_name: mobsync.exe
process_identifier: 1444
1 1 0

Process32NextW

 snapshot_handle: 0x00000170
process_name: sdclt.exe
process_identifier: 2156
1 1 0

Process32NextW

 snapshot_handle: 0x00000170
process_name: cmd.exe
process_identifier: 2336
1 1 0

Process32NextW

 snapshot_handle: 0x00000170
process_name: conhost.exe
process_identifier: 2344
1 1 0

Process32NextW

 snapshot_handle: 0x00000170
process_name: pw.exe
process_identifier: 2408
1 1 0

Process32NextW

 snapshot_handle: 0x00000170
process_name: rundll32.exe
process_identifier: 2436
1 1 0
Kaspersky VHO:Trojan-Banker.Win32.Emotet.gen
Antiy-AVL Trojan/Generic.ASCommon.21F
Microsoft Trojan:Win32/Sabsik.FL.B!ml
Rising Trojan.Emotet!8.B95 (C64:YzY0OtXzuj+YLOXT)
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 139264
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x0003c400', u'virtual_address': u'0x000b1000', u'entropy': 7.6443759108210445, u'name': u'.rsrc', u'virtual_size': u'0x0003c370'} entropy 7.64437591082 description A section with a high entropy has been found
entropy 0.242211055276 description Overall entropy of this PE file is high
process rundll32.exe
host 139.196.72.155
host 159.69.237.188
host 168.119.39.118
host 186.250.48.5
host 194.9.172.107
host 207.148.81.119
host 45.71.195.104
host 51.75.33.122
host 78.47.204.80
dead_host 192.168.56.103:49171
dead_host 186.250.48.5:80
dead_host 168.119.39.118:443
dead_host 207.148.81.119:8080
dead_host 159.69.237.188:443
dead_host 78.47.204.80:443
dead_host 194.9.172.107:8080
dead_host 51.75.33.122:443
dead_host 192.168.56.103:49176