Summary | ZeroBOX

UTnG7GKKkZf

Malicious Library, UPX, Malicious Packer, PE File, DLL, OS Processor Check, PE32
Category FILE
Machine s1_win7_x6403_us
Started March 29, 2022, 9:06 a.m.
Completed March 29, 2022, 9:10 a.m.
Size 680.0KB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 6ba36615d02eed36ad3fbe2014be82fc
SHA256 fa6d82b883c694b44a99acdd1c8fe8d70c1195f236815bec4be3377624f681e5
CRC32 892405E2
ssdeep 12288:pWL+xbWhXWjdo9GeetVDn11EtAbrf5z/Kv7PvK5RUY+K4+mHWDn/nChiSw7dmDrc:pWL+xbqOdaGeetBEwf5zZCMV0rdAMu
Yara
  • Malicious_Packer_Zero - Malicious Packer
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • IsDLL - (no description)
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
103.75.201.2 Active Moloch
107.182.225.142 Active Moloch
119.193.124.41 Active Moloch
131.100.24.231 Active Moloch
138.185.72.26 Active Moloch
151.106.112.196 Active Moloch
153.126.146.25 Active Moloch
158.69.222.101 Active Moloch
159.8.59.82 Active Moloch
164.68.99.3 Active Moloch
185.8.212.130 Active Moloch
188.44.20.25 Active Moloch
189.232.46.161 Active Moloch
192.99.251.50 Active Moloch
195.201.151.129 Active Moloch
197.242.150.244 Active Moloch
209.126.98.206 Active Moloch
212.237.17.99 Active Moloch
212.24.98.99 Active Moloch
216.120.236.62 Active Moloch
217.182.25.250 Active Moloch
45.118.135.203 Active Moloch
5.9.116.246 Active Moloch
50.116.54.215 Active Moloch
51.91.7.5 Active Moloch
51.91.76.89 Active Moloch
58.227.42.236 Active Moloch
79.172.212.216 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49165 -> 216.120.236.62:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49164 -> 216.120.236.62:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49187 -> 58.227.42.236:80 2404319 ET CNC Feodo Tracker Reported CnC Server group 20 A Network Trojan was detected
TCP 159.8.59.82:8080 -> 192.168.56.103:49183 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 216.120.236.62:8080 -> 192.168.56.103:49166 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 189.232.46.161:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49187 -> 58.227.42.236:80 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49176 -> 217.182.25.250:8080 2404314 ET CNC Feodo Tracker Reported CnC Server group 15 A Network Trojan was detected
TCP 192.168.56.103:49192 -> 131.100.24.231:80 2404304 ET CNC Feodo Tracker Reported CnC Server group 5 A Network Trojan was detected
TCP 192.168.56.103:49206 -> 103.75.201.2:443 2404301 ET CNC Feodo Tracker Reported CnC Server group 2 A Network Trojan was detected
TCP 192.168.56.103:49177 -> 119.193.124.41:7080 2404303 ET CNC Feodo Tracker Reported CnC Server group 4 A Network Trojan was detected
TCP 192.168.56.103:49192 -> 131.100.24.231:80 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49206 -> 103.75.201.2:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49177 -> 119.193.124.41:7080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49186 -> 58.227.42.236:80 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49193 -> 131.100.24.231:80 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49219 -> 209.126.98.206:8080 2404313 ET CNC Feodo Tracker Reported CnC Server group 14 A Network Trojan was detected
TCP 192.168.56.103:49182 -> 159.8.59.82:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49219 -> 209.126.98.206:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 131.100.24.231:80 -> 192.168.56.103:49194 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 58.227.42.236:80 -> 192.168.56.103:49188 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49196 -> 192.99.251.50:443 2404311 ET CNC Feodo Tracker Reported CnC Server group 12 A Network Trojan was detected
TCP 192.168.56.103:49223 -> 79.172.212.216:8080 2404321 ET CNC Feodo Tracker Reported CnC Server group 22 A Network Trojan was detected
TCP 192.168.56.103:49196 -> 192.99.251.50:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49223 -> 79.172.212.216:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.99.251.50:443 -> 192.168.56.103:49198 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 51.91.76.89:8080 2404318 ET CNC Feodo Tracker Reported CnC Server group 19 A Network Trojan was detected
TCP 192.168.56.103:49207 -> 103.75.201.2:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49172 -> 51.91.76.89:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49173 -> 51.91.76.89:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49222 -> 79.172.212.216:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 51.91.76.89:8080 -> 192.168.56.103:49174 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49197 -> 192.99.251.50:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49168 -> 189.232.46.161:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 189.232.46.161:443 -> 192.168.56.103:49170 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 119.193.124.41:7080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 119.193.124.41:7080 -> 192.168.56.103:49179 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 159.8.59.82:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 103.75.201.2:443 -> 192.168.56.103:49208 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49218 -> 209.126.98.206:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 209.126.98.206:8080 -> 192.168.56.103:49220 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 79.172.212.216:8080 -> 192.168.56.103:49224 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
resource name БДВАСГОЛ67К
resource name None
ip 119.193.124.41
ip 159.8.59.82
ip 209.126.98.206
ip 216.120.236.62
ip 51.91.76.89
ip 79.172.212.216
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x1004a000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x753d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e71000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2300
region_size: 135168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00860000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e00000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73dd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73db1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74bc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74fd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75981000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74271000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73a81000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x1004a000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x753d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e71000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 135168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00360000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e00000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73dd1000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 131072
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x008d1000
process_handle: 0xffffffff
1 0 0
section .rsrc (size_of_data 0x00040000, virtual_address 0x00064000, virtual_size 0x0003fcd8, entropy 6.836242849525787) entropy 6.83624284953 description A section with a high entropy has been found
entropy 0.378698224852 description Overall entropy of this PE file is high
process rundll32.exe
host 103.75.201.2
host 107.182.225.142
host 119.193.124.41
host 131.100.24.231
host 138.185.72.26
host 151.106.112.196
host 153.126.146.25
host 158.69.222.101
host 159.8.59.82
host 164.68.99.3
host 185.8.212.130
host 188.44.20.25
host 189.232.46.161
host 192.99.251.50
host 195.201.151.129
host 197.242.150.244
host 209.126.98.206
host 212.237.17.99
host 212.24.98.99
host 216.120.236.62
host 217.182.25.250
host 45.118.135.203
host 5.9.116.246
host 50.116.54.215
host 51.91.7.5
host 51.91.76.89
host 58.227.42.236
host 79.172.212.216
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
K7AntiVirus Trojan ( 0058eb641 )
K7GW Trojan ( 0058eb641 )
CrowdStrike win/malicious_confidence_70% (D)
Cyren W32/Emotet.EEN.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/GenKryptik.FSOV
APEX Malicious
Kaspersky VHO:Trojan-Banker.Win32.Convagent.gen
Avast Win32:BotX-gen [Trj]
Rising Trojan.Emotet!8.B95 (C64:YzY0OrjW5dJHVtJ+)
Sophos ML/PE-A
Cynet Malicious (score: 100)
McAfee GenericRXAA-AA!6BA36615D02E
VBA32 BScope.Trojan.Mansabo
AVG Win32:BotX-gen [Trj]
dead_host 192.168.56.103:49190
dead_host 192.168.56.103:49212
dead_host 192.168.56.103:49217
dead_host 192.168.56.103:49205
dead_host 212.237.17.99:8080
dead_host 50.116.54.215:443
dead_host 153.126.146.25:7080
dead_host 192.168.56.103:49201
dead_host 192.168.56.103:49210
dead_host 192.168.56.103:49191
dead_host 151.106.112.196:8080
dead_host 192.168.56.103:49213
dead_host 138.185.72.26:8080
dead_host 107.182.225.142:8080
dead_host 188.44.20.25:443
dead_host 217.182.25.250:8080
dead_host 45.118.135.203:7080
dead_host 164.68.99.3:8080
dead_host 185.8.212.130:7080
dead_host 5.9.116.246:8080
dead_host 197.242.150.244:8080
dead_host 192.168.56.103:49203
dead_host 158.69.222.101:443
dead_host 192.168.56.103:49185
dead_host 195.201.151.129:8080
dead_host 192.168.56.103:49204
dead_host 212.24.98.99:8080
dead_host 192.168.56.103:49200