Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 23, 2022, 9:31 a.m.	May 23, 2022, 9:37 a.m.

Size	362.5KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`bf2f633fde70f181cc81fe6dffb048e7`
SHA256	`663127c151c31915e66da770d7e2109306f1e2bf12acce04bb3defcb0de92134`
CRC32	`71B693C6`
ssdeep	`6144:hlNuuXQASByX7RxoJcXy16qFHJ7wwD1w3pq6jTK/V9OT0u:hlNu9ASByX7jy/BJ7rGTK/V3`
Yara	IsDLL - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\4l6T5s7EcTyT.dll,AddIn_FileTime
2360
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\4l6T5s7EcTyT.dll,AddIn_FileTime
  2716
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\4l6T5s7EcTyT.dll,DllRegisterServer
2548
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\4l6T5s7EcTyT.dll,DllRegisterServer
  2792
  - regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IkcFP\YbfEsqLsOZnY.dll"
    3024
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\4l6T5s7EcTyT.dll,
2648
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\4l6T5s7EcTyT.dll,AddIn_SystemTime
2464
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\4l6T5s7EcTyT.dll,AddIn_SystemTime
  2756
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
104.248.225.227	Active	Moloch
110.235.83.107	Active	Moloch
134.122.119.23	Active	Moloch
160.16.143.191	Active	Moloch
165.22.73.229	Active	Moloch
190.90.233.66	Active	Moloch
195.77.239.39	Active	Moloch
196.44.98.190	Active	Moloch
202.28.34.99	Active	Moloch
202.29.239.162	Active	Moloch
210.57.209.142	Active	Moloch
37.44.244.177	Active	Moloch
62.171.178.147	Active	Moloch
87.106.97.83	Active	Moloch
88.217.172.165	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49175 -> 165.22.73.229:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49176 -> 165.22.73.229:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 165.22.73.229:8080 -> 192.168.56.103:49177	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 160.16.143.191:7080 -> 192.168.56.103:49181	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 134.122.119.23:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49196 -> 202.29.239.162:443	2404312	ET CNC Feodo Tracker Reported CnC Server group 13	A Network Trojan was detected
TCP 192.168.56.103:49196 -> 202.29.239.162:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49180 -> 160.16.143.191:7080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 134.122.119.23:8080 -> 192.168.56.103:49185	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49195 -> 202.29.239.162:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49179 -> 160.16.143.191:7080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 202.29.239.162:443 -> 192.168.56.103:49197	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 134.122.119.23:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 23, 2022, 9:31 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 23, 2022, 9:31 a.m.			0	0
IsDebuggerPresent May 23, 2022, 9:31 a.m.			0	0
IsDebuggerPresent May 23, 2022, 9:31 a.m.			0	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 23, 2022, 9:31 a.m.	stacktrace: 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xb8 registers.r14: 0 registers.r15: 0 registers.rcx: 4292542464 registers.rsi: 0 registers.r10: 0 registers.rbx: 4292542464 registers.rsp: 1833800 registers.r11: 1833552 registers.r8: 2992548 registers.r9: 10 registers.rdx: 4292542464 registers.r12: 10 registers.rbp: 2992416 registers.rdi: 1834016 registers.rax: 121230267911140 registers.r13: 0	1	0	0
__exception__ May 23, 2022, 9:31 a.m.	stacktrace: 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 0xb8 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xb8 registers.r14: 0 registers.r15: 0 registers.rcx: 4292542464 registers.rsi: 0 registers.r10: 0 registers.rbx: 4292542464 registers.rsp: 1047256 registers.r11: 1046992 registers.r8: 2730408 registers.r9: 10 registers.rdx: 4292542464 registers.r12: 10 registers.rbp: 2730272 registers.rdi: 1047456 registers.rax: 121230272910833 registers.r13: 0	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (18 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 2716 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 2756 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 2792 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:33 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000064d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3442000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001e50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 3024 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001f90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefcf27000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd6af000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd5d9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076cf0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff10d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076eee000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bc0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb6da000 process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 23, 2022, 9:32 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 8668909568 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IkcFP\YbfEsqLsOZnY.dll"

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)

Time & API	Arguments	Status	Return
Process32NextW May 23, 2022, 9:31 a.m.	snapshot_handle: 0x0000000000000148 process_name: mobsync.exe process_identifier: 1580	1	1
Process32NextW May 23, 2022, 9:31 a.m.	snapshot_handle: 0x0000000000000148 process_name: pw.exe process_identifier: 2060	1	1
Process32NextW May 23, 2022, 9:31 a.m.	snapshot_handle: 0x0000000000000148 process_name: pw.exe process_identifier: 2352	1	1
Process32NextW May 23, 2022, 9:31 a.m.	snapshot_handle: 0x0000000000000148 process_name: WerFault.exe process_identifier: 2992	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0002ea00', u'virtual_address': u'0x00030000', u'entropy': 7.850495841019569, u'name': u'.rsrc', u'virtual_size': u'0x0002e9fc'}

entropy

7.85049584102

description

A section with a high entropy has been found

entropy

0.515905947441

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

regsvr32.exe

Communicates with host for which no DNS query was performed (15 events)

host	104.248.225.227
host	110.235.83.107
host	134.122.119.23
host	160.16.143.191
host	165.22.73.229
host	190.90.233.66
host	195.77.239.39
host	196.44.98.190
host	202.28.34.99
host	202.29.239.162
host	210.57.209.142
host	37.44.244.177
host	62.171.178.147
host	87.106.97.83
host	88.217.172.165

Installs itself for autorun at Windows startup (1 event)

service_name

YbfEsqLsOZnY.dll

service_path

C:\Windows\System32\regsvr32.exe "C:\Windows\system32\IkcFP\YbfEsqLsOZnY.dll"

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW May 23, 2022, 9:31 a.m.	service_start_name: start_type: 2 password: display_name: YbfEsqLsOZnY.dll filepath: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\IkcFP\YbfEsqLsOZnY.dll" service_name: YbfEsqLsOZnY.dll filepath_r: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IkcFP\YbfEsqLsOZnY.dll" desired_access: 2 service_handle: 0x0000000000398ab0 error_control: 0 service_type: 16 service_manager_handle: 0x00000000003dc670	1	3771056	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Windows\System32\IkcFP\YbfEsqLsOZnY.dll:Zone.Identifier

Generates some ICMP traffic

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen17.54643
MicroWorld-eScan	Trojan.GenericKDZ.87939
ALYac	Trojan.GenericKDZ.87939
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Generic.D15783
Cyren	W64/Emotet.EKC.gen!Eldorado
ESET-NOD32	a variant of Win64/Kryptik.DBT
ClamAV	Win.Dropper.Emotet-9950376-0
Kaspersky	Trojan-Banker.Win64.Emotet.cltr
BitDefender	Trojan.GenericKDZ.87939
Avast	Win64:BankerX-gen [Trj]
Ad-Aware	Trojan.GenericKDZ.87939
McAfee-GW-Edition	BehavesLike.Win64.Generic.fc
FireEye	Generic.mg.bf2f633fde70f181
Emsisoft	Trojan.GenericKDZ.87939 (B)
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Trojan.GenericKDZ.87939
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win.FTN.R493366
McAfee	Emotet-FTN!BF2F633FDE70
Malwarebytes	Trojan.Emotet
APEX	Malicious
Tencent	Win64.Trojan-banker.Emotet.Pgwt
MAX	malware (ai score=81)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W64/Emotet.FUWI!tr
AVG	Win64:BankerX-gen [Trj]

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (19 events)

dead_host	87.106.97.83:7080
dead_host	196.44.98.190:8080
dead_host	202.28.34.99:8080
dead_host	192.168.56.103:49190
dead_host	192.168.56.103:49193
dead_host	104.248.225.227:8080
dead_host	192.168.56.103:49191
dead_host	192.168.56.103:49194
dead_host	192.168.56.103:49187
dead_host	192.168.56.103:49199
dead_host	190.90.233.66:443
dead_host	195.77.239.39:8080
dead_host	192.168.56.103:49188
dead_host	210.57.209.142:8080
dead_host	88.217.172.165:8080
dead_host	192.168.56.103:49192
dead_host	37.44.244.177:8080
dead_host	62.171.178.147:8080
dead_host	110.235.83.107:7080

4l6T5s7EcTyT

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All