Summary | ZeroBOX

gqKtdKmTsC4iDh

Tags: Emotet, Gen1, Malicious Library, UPX, Malicious Packer, PE File, OS Processor Check, PE32, DLL
Category FILE
Machine s1_win7_x6403_us
Started March 15, 2022, 11:32 a.m.
Completed March 15, 2022, 11:34 a.m.
Size 997.0KB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 d0f4262777531bb9b5f02e450e088496
SHA256 851557658ab123b1e1bc84197cbbc91dc69a884213b95fcdcd591f7a9346cb5e
CRC32 7E04A1EC
ssdeep 24576:k8dlVJKB+nLkT3G1u6UkgKkwwLBeUNKsuG31Pt8H:3dlV0EnITCwgeKsh56H
Yara
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen
  • Malicious_Library_Zero - Malicious_Library
  • IsDLL - (no description)
  • UPX_Zero - UPX packed file
  • IsPE32 - (no description)
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet
  • Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49172 -> 192.99.251.50:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49177 -> 146.59.226.45:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49173 -> 192.99.251.50:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.99.251.50:443 -> 192.168.56.103:49174 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 146.59.226.45:443 -> 192.168.56.103:49178 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49194 -> 103.75.201.4:443 2404301 ET CNC Feodo Tracker Reported CnC Server group 2 A Network Trojan was detected
TCP 192.168.56.103:49164 -> 217.182.143.248:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 103.75.201.4:443 -> 192.168.56.103:49194 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49188 -> 177.87.70.10:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49182 -> 103.75.201.2:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49202 -> 186.250.48.117:7080 2404309 ET CNC Feodo Tracker Reported CnC Server group 10 A Network Trojan was detected
TCP 217.182.143.248:8080 -> 192.168.56.103:49166 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 186.250.48.117:7080 -> 192.168.56.103:49201 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49200 -> 186.250.48.117:7080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49221 -> 209.126.98.206:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49207 -> 46.55.222.11:443 2404317 ET CNC Feodo Tracker Reported CnC Server group 18 A Network Trojan was detected
TCP 103.75.201.2:443 -> 192.168.56.103:49184 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49214 -> 207.38.84.195:8080 2404312 ET CNC Feodo Tracker Reported CnC Server group 13 A Network Trojan was detected
TCP 192.168.56.103:49211 -> 176.56.128.118:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49214 -> 207.38.84.195:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49193 -> 103.75.201.4:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49205 -> 46.55.222.11:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 46.55.222.11:443 -> 192.168.56.103:49206 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49210 -> 176.56.128.118:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49215 -> 207.38.84.195:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49169 -> 185.4.135.27:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49176 -> 146.59.226.45:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 177.87.70.10:8080 -> 192.168.56.103:49189 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49199 -> 186.250.48.117:7080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49204 -> 46.55.222.11:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49222 -> 209.126.98.206:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49165 -> 217.182.143.248:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49168 -> 185.4.135.27:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 185.4.135.27:8080 -> 192.168.56.103:49170 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 103.75.201.2:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49187 -> 177.87.70.10:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49192 -> 103.75.201.4:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 176.56.128.118:443 -> 192.168.56.103:49212 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 207.38.84.195:8080 -> 192.168.56.103:49216 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 209.126.98.206:8080 -> 192.168.56.103:49223 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
resource name TEXT
resource name WAVE
resource name ТТОЛЛГШЩ
ip 177.87.70.10
ip 185.4.135.27
ip 186.250.48.117
ip 207.38.84.195
ip 209.126.98.206
ip 217.182.143.248
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73dbd000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73b91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ef1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 147456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00380000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74bc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74fd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75981000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73b81000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73b41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2516
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73dbd000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2516
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73b91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2516
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ef1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2516
region_size: 147456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00300000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2516
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e51000
process_handle: 0xffffffff
1 0 0
Kaspersky VHO:Trojan-Banker.Win32.Convagent.gen
Antiy-AVL Trojan/Generic.ASCommon.21F
Microsoft Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm VHO:Trojan-Banker.Win32.Convagent.gen
Rising Trojan.Kryptik!8.8 (C64:YzY0Oh/jx0YklSUX)
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 147456
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0
section .rsrc (size_of_data 0x0003da00, virtual_address 0x000b0000, virtual_size 0x0003d970, entropy 7.655070106647107) description: A section with a high entropy has been found
entropy 0.247489959839 description: Overall entropy of this PE file is high
process rundll32.exe