Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 15, 2022, 10:27 a.m.	March 15, 2022, 10:29 a.m.

Size	997.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`2d9f428fe4782858a3761e597649f9d6`
SHA256	`37031a9441200d6490726292538a203d02fcde53e590d2be38b41f602d3d7210`
CRC32	`58DA0D52`
ssdeep	`24576:k8dlVJKB+nLkT3G1u6UkgKkSwLBeUNKsuG31Pt8H:3dlV0EnIT0wgeKsh56H`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen Malicious_Library_Zero - Malicious_Library IsDLL - (no description) UPX_Zero - UPX packed file IsPE32 - (no description) Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\3NXwcYNCa.dll,DllUnregisterServer
2860
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\3NXwcYNCa.dll,DllRegisterServer
2764
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\3NXwcYNCa.dll,
2952

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
103.75.201.2	Active	Moloch
103.75.201.4	Active	Moloch
110.232.117.186	Active	Moloch
146.59.226.45	Active	Moloch
151.106.112.196	Active	Moloch
153.126.146.25	Active	Moloch
158.69.222.101	Active	Moloch
162.214.118.104	Active	Moloch
164.68.99.3	Active	Moloch
173.212.193.249	Active	Moloch
176.56.128.118	Active	Moloch
177.87.70.10	Active	Moloch
185.157.82.211	Active	Moloch
185.4.135.27	Active	Moloch
185.8.212.130	Active	Moloch
186.250.48.117	Active	Moloch
192.99.251.50	Active	Moloch
195.154.133.20	Active	Moloch
196.218.30.83	Active	Moloch
207.38.84.195	Active	Moloch
209.126.98.206	Active	Moloch
212.237.17.99	Active	Moloch
212.24.98.99	Active	Moloch
217.182.143.248	Active	Moloch
31.24.158.56	Active	Moloch
45.118.135.203	Active	Moloch
45.142.114.231	Active	Moloch
45.176.232.124	Active	Moloch
46.55.222.11	Active	Moloch
5.9.116.246	Active	Moloch
51.91.7.5	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 217.182.143.248:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 217.182.143.248:8080 -> 192.168.56.101:49167	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 185.4.135.27:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 185.4.135.27:8080 -> 192.168.56.101:49171	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 217.182.143.248:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49174 -> 192.99.251.50:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49173 -> 192.99.251.50:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 146.59.226.45:443 -> 192.168.56.101:49179	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 177.87.70.10:8080 -> 192.168.56.101:49190	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 146.59.226.45:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49201 -> 186.250.48.117:7080	2404309	ET CNC Feodo Tracker Reported CnC Server group 10	A Network Trojan was detected
TCP 192.168.56.101:49193 -> 103.75.201.4:443	2404301	ET CNC Feodo Tracker Reported CnC Server group 2	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 103.75.201.2:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49201 -> 186.250.48.117:7080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49193 -> 103.75.201.4:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49184 -> 103.75.201.2:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49212 -> 176.56.128.118:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49194 -> 103.75.201.4:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49217 -> 207.38.84.195:8080	2404312	ET CNC Feodo Tracker Reported CnC Server group 13	A Network Trojan was detected
TCP 192.168.56.101:49205 -> 46.55.222.11:443	2404317	ET CNC Feodo Tracker Reported CnC Server group 18	A Network Trojan was detected
TCP 192.168.56.101:49170 -> 185.4.135.27:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 207.38.84.195:8080 -> 192.168.56.101:49217	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49205 -> 46.55.222.11:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.99.251.50:443 -> 192.168.56.101:49175	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 46.55.222.11:443 -> 192.168.56.101:49207	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49188 -> 177.87.70.10:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49222 -> 209.126.98.206:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 103.75.201.4:443 -> 192.168.56.101:49195	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49178 -> 146.59.226.45:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49200 -> 186.250.48.117:7080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49211 -> 176.56.128.118:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 186.250.48.117:7080 -> 192.168.56.101:49202	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 176.56.128.118:443 -> 192.168.56.101:49213	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49206 -> 46.55.222.11:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49215 -> 207.38.84.195:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 209.126.98.206:8080 -> 192.168.56.101:49224	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49216 -> 207.38.84.195:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 103.75.201.2:443 -> 192.168.56.101:49185	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49223 -> 209.126.98.206:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49189 -> 177.87.70.10:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA March 15, 2022, 10:27 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 15, 2022, 10:27 a.m.			0	0
IsDebuggerPresent March 15, 2022, 10:27 a.m.			0	0

The file contains an unknown PE resource name possibly indicative of a packer (3 events)

resource name	TEXT
resource name	WAVE
resource name	ТТОЛЛГШЩ

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (6 events)

ip	177.87.70.10
ip	185.4.135.27
ip	186.250.48.117
ip	207.38.84.195
ip	209.126.98.206
ip	217.182.143.248

Allocates read-write-execute memory (usually to unpack itself) (25 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d1d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73af1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e51000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2764 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73494000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a12000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x750c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76451000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ab1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d1d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73af1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e51000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2860 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73494000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a12000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746d1000 process_handle: 0xffffffff	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW March 15, 2022, 10:27 a.m.	snapshot_handle: 0x00000174 process_name: taskhost.exe process_identifier: 2560	1	1	0
Process32NextW March 15, 2022, 10:27 a.m.	snapshot_handle: 0x00000174 process_name: SearchProtocolHost.exe process_identifier: 2676	1	1	0

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

Kaspersky	VHO:Trojan-Banker.Win32.Convagent.gen
Antiy-AVL	Trojan/Generic.ASCommon.21F
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Rising	Trojan.Kryptik!8.8 (C64:YzY0Oh/jx0YklSUX)

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 15, 2022, 10:27 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 147456 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0003da00', u'virtual_address': u'0x000b0000', u'entropy': 7.655070106647107, u'name': u'.rsrc', u'virtual_size': u'0x0003d970'}

entropy

7.65507010665

description

A section with a high entropy has been found

entropy

0.247489959839

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

rundll32.exe

Communicates with host for which no DNS query was performed (31 events)

host	103.75.201.2
host	103.75.201.4
host	110.232.117.186
host	146.59.226.45
host	151.106.112.196
host	153.126.146.25
host	158.69.222.101
host	162.214.118.104
host	164.68.99.3
host	173.212.193.249
host	176.56.128.118
host	177.87.70.10
host	185.157.82.211
host	185.4.135.27
host	185.8.212.130
host	186.250.48.117
host	192.99.251.50
host	195.154.133.20
host	196.218.30.83
host	207.38.84.195
host	209.126.98.206
host	212.237.17.99
host	212.24.98.99
host	217.182.143.248
host	31.24.158.56
host	45.118.135.203
host	45.142.114.231
host	45.176.232.124
host	46.55.222.11
host	5.9.116.246
host	51.91.7.5

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (32 events)

dead_host	45.118.135.203:7080
dead_host	192.168.56.101:49192
dead_host	185.157.82.211:8080
dead_host	212.237.17.99:8080
dead_host	192.168.56.101:49219
dead_host	153.126.146.25:7080
dead_host	195.154.133.20:443
dead_host	151.106.112.196:8080
dead_host	192.168.56.101:49197
dead_host	196.218.30.83:443
dead_host	192.168.56.101:49228
dead_host	110.232.117.186:8080
dead_host	192.168.56.101:49181
dead_host	164.68.99.3:8080
dead_host	173.212.193.249:8080
dead_host	51.91.7.5:8080
dead_host	185.8.212.130:7080
dead_host	31.24.158.56:8080
dead_host	192.168.56.101:49229
dead_host	5.9.116.246:8080
dead_host	192.168.56.101:49209
dead_host	192.168.56.101:49204
dead_host	45.176.232.124:443
dead_host	192.168.56.101:49226
dead_host	192.168.56.101:49221
dead_host	158.69.222.101:443
dead_host	192.168.56.101:49230
dead_host	192.168.56.101:49210
dead_host	162.214.118.104:8080
dead_host	192.168.56.101:49187
dead_host	212.24.98.99:8080
dead_host	192.168.56.101:49227

3NXwcYNCa

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All