Summary | ZeroBOX

Fgv77t71DAPm09UU

Tags: UPX, Malicious Library, Malicious Packer, PE File, DLL, OS Processor Check, PE32

Category: FILE
Machine: s1_win7_x6403_us
Started: May 24, 2022, 12:27 p.m.
Completed: May 24, 2022, 12:29 p.m.
Size 573.5KB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 33ce0628fb349731b2485d8c5cebef82
SHA256 fd3ed19bfab0e048b8a1c968ff4fec893715b388758b2ddeb034fe155b6325ab
CRC32 C94588D0
ssdeep 6144:zNn1ncsIljXkGkSeW9AdTLDSbmfOBtk1J5zwBlk3LkEqNz0yPWmlAz6Ac7LG104T:zNn1nskvW98UVBqJyBlk3LqZ86CN9hb
Yara
  • IsPE32 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file
  • IsDLL - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature

DNS lookups (Name / Response / Post-Analysis Lookup): none. No host names were resolved during the run; every connection listed below went straight to a hard-coded IP address.
IP Address | Status | Action
103.75.201.2 | Active | Moloch
103.75.201.4 | Active | Moloch
146.59.226.45 | Active | Moloch
158.69.222.101 | Active | Moloch
162.214.118.104 | Active | Moloch
177.87.70.10 | Active | Moloch
185.157.82.211 | Active | Moloch
185.4.135.27 | Active | Moloch
192.99.251.50 | Active | Moloch
195.154.133.20 | Active | Moloch
217.182.143.248 | Active | Moloch
31.24.158.56 | Active | Moloch
5.9.116.246 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.103:49167 -> 146.59.226.45:443 | 2404305 | ET CNC Feodo Tracker Reported CnC Server group 6 | A Network Trojan was detected
TCP 192.168.56.103:49173 -> 103.75.201.2:443 | 2404301 | ET CNC Feodo Tracker Reported CnC Server group 2 | A Network Trojan was detected
TCP 192.168.56.103:49167 -> 146.59.226.45:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.103:49173 -> 103.75.201.2:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.103:49181 -> 158.69.222.101:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.103:49180 -> 158.69.222.101:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 146.59.226.45:443 -> 192.168.56.103:49168 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 158.69.222.101:443 -> 192.168.56.103:49182 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 192.99.251.50:443 | 2404310 | ET CNC Feodo Tracker Reported CnC Server group 11 | A Network Trojan was detected
TCP 192.168.56.103:49166 -> 146.59.226.45:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.103:49172 -> 103.75.201.2:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 103.75.201.2:443 -> 192.168.56.103:49174 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic

Suricata TLS

No Suricata TLS records: no TLS session completed during the run. The three "TLS Handshake Failure" alerts above are the only TLS-related events Suricata logged.

Time & API | Arguments | Status | Return | Repeated

GetComputerNameA | computer_name: TEST22-PC | 1 | 1 | 0
Time & API | Arguments | Status | Return | Repeated

IsDebuggerPresent | (no arguments) | 0 | 0 | (not shown)

Resource names: HINTDATA, ДЩЕАПМВУ, None
Time & API | Arguments | Status | Return | Repeated

Common to every call in this group: process_identifier 2316, process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0; Status 1, Return 0, Repeated 0.

NtProtectVirtualMemory | base_address 0x73e3a000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE)
NtProtectVirtualMemory | base_address 0x73d01000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE)
NtProtectVirtualMemory | base_address 0x753d1000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE)
NtProtectVirtualMemory | base_address 0x73b61000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE)
NtAllocateVirtualMemory | base_address 0x00980000, region_size 147456, allocation_type 12289 (MEM_COMMIT|MEM_RESERVE), protection 64 (PAGE_EXECUTE_READWRITE)
NtProtectVirtualMemory | base_address 0x73ec0000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE)
NtProtectVirtualMemory | base_address 0x73e91000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE)
NtProtectVirtualMemory | base_address 0x73b41000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE)
NtProtectVirtualMemory | base_address 0x74bc1000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE)
NtProtectVirtualMemory | base_address 0x76741000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE)
NtProtectVirtualMemory | base_address 0x74fd1000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE)
NtProtectVirtualMemory | base_address 0x75981000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE)
NtProtectVirtualMemory | base_address 0x73b31000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE)
NtProtectVirtualMemory | base_address 0x73af1000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE)
NtProtectVirtualMemory | base_address 0x739a1000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE)
Time & API | Arguments | Status | Return | Repeated

NtProtectVirtualMemory | base_address 0x10001000, length 147456, protection 32 (PAGE_EXECUTE_READ), process_identifier 2316, process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 1 | 1 | 0 | 0

Reading the memory calls together: process_handle 0xffffffff is the current-process pseudo-handle, so every call acts on the DLL's own host process (PID 2316, the rundll32.exe instance named below). The 4096-byte PAGE_EXECUTE_READWRITE changes each touch a single page between 0x739a1000 and 0x76741000, outside both the 0x00980000 allocation and the DLL image; the report records no module name for them, so they are listed as-is. The last call re-protects 147456 bytes at 0x10001000 as PAGE_EXECUTE_READ, an address consistent with the first section of a DLL mapped at the default 0x10000000 image base, and 147456 is exactly the size of the PAGE_EXECUTE_READWRITE region allocated earlier at 0x00980000. The matching size, the change from writable to execute-only, and heap_dep_bypass 1 (set on this call alone) are consistent with a packer stub that decompresses into scratch memory, writes the result over the image's code section and only then makes it executable, which is what the UPX_Zero and Malicious_Packer_Zero YARA hits above predict.
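The unpack-then-execute pattern in the memory calls above can be checked mechanically. The following is an added example, not code from the ZeroBOX report: TRACE is a hand transcription of the NtProtectVirtualMemory and NtAllocateVirtualMemory calls in the order the report lists them, and IMAGE_BASE / IMAGE_SIZE are assumptions (the report does not say where the DLL was mapped, so the default DLL base 0x10000000 and a 0x90000 image size are used).

```python
"""Flag the unpack-then-execute pattern in a sandbox memory-protection trace.

Added example, not part of the ZeroBOX report. TRACE is transcribed by hand
from the report's API tables; IMAGE_BASE and IMAGE_SIZE are assumptions.
"""

PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80   # the PAGE_EXECUTE* family
PAGE = 0x1000

IMAGE_BASE = 0x10000000   # assumption: default DLL image base
IMAGE_SIZE = 0x90000      # assumption: large enough to cover 0x10001000 + 147456


def rec(api, base, size, protection):
    return {"api": api, "base": base, "size": size, "prot": protection}


# Transcribed from the report, in report order.
TRACE = [
    rec("NtProtectVirtualMemory", 0x73E3A000, PAGE, PAGE_EXECUTE_READWRITE),
    rec("NtProtectVirtualMemory", 0x73D01000, PAGE, PAGE_EXECUTE_READWRITE),
    rec("NtProtectVirtualMemory", 0x753D1000, PAGE, PAGE_EXECUTE_READWRITE),
    rec("NtProtectVirtualMemory", 0x73B61000, PAGE, PAGE_EXECUTE_READWRITE),
    rec("NtAllocateVirtualMemory", 0x00980000, 147456, PAGE_EXECUTE_READWRITE),
    rec("NtProtectVirtualMemory", 0x73EC0000, PAGE, PAGE_EXECUTE_READWRITE),
    rec("NtProtectVirtualMemory", 0x73E91000, PAGE, PAGE_EXECUTE_READWRITE),
    rec("NtProtectVirtualMemory", 0x73B41000, PAGE, PAGE_EXECUTE_READWRITE),
    rec("NtProtectVirtualMemory", 0x74BC1000, PAGE, PAGE_EXECUTE_READWRITE),
    rec("NtProtectVirtualMemory", 0x76741000, PAGE, PAGE_EXECUTE_READWRITE),
    rec("NtProtectVirtualMemory", 0x74FD1000, PAGE, PAGE_EXECUTE_READWRITE),
    rec("NtProtectVirtualMemory", 0x75981000, PAGE, PAGE_EXECUTE_READWRITE),
    rec("NtProtectVirtualMemory", 0x73B31000, PAGE, PAGE_EXECUTE_READWRITE),
    rec("NtProtectVirtualMemory", 0x73AF1000, PAGE, PAGE_EXECUTE_READWRITE),
    rec("NtProtectVirtualMemory", 0x739A1000, PAGE, PAGE_EXECUTE_READWRITE),
    rec("NtProtectVirtualMemory", 0x10001000, 147456, PAGE_EXECUTE_READ),
]


def _inside(addr, base, size):
    return base <= addr < base + size


def analyze_trace(trace, image_base=IMAGE_BASE, image_size=IMAGE_SIZE):
    """Walk the calls in order and return findings of three kinds:

    rwx_alloc              - fresh PAGE_EXECUTE_READWRITE allocation (scratch buffer)
    unpack_into_image      - executable re-protect inside the image whose length equals
                             an earlier RWX allocation somewhere else (copy, then protect)
    page_rwx_outside_image - a single page made RWX outside the image and outside any
                             RWX allocation (the pattern of patching another module)
    """
    findings, rwx_allocs = [], []
    for idx, call in enumerate(trace):
        if call["api"] == "NtAllocateVirtualMemory" and call["prot"] == PAGE_EXECUTE_READWRITE:
            rwx_allocs.append(call)
            findings.append({"index": idx, "kind": "rwx_alloc",
                             "base": call["base"], "size": call["size"]})
            continue
        if call["api"] != "NtProtectVirtualMemory" or not (call["prot"] & EXECUTABLE_MASK):
            continue
        in_image = _inside(call["base"], image_base, image_size)
        in_alloc = any(_inside(call["base"], a["base"], a["size"]) for a in rwx_allocs)
        matched = [a for a in rwx_allocs
                   if a["size"] == call["size"] and not _inside(call["base"], a["base"], a["size"])]
        if in_image and matched:
            findings.append({"index": idx, "kind": "unpack_into_image", "base": call["base"],
                             "size": call["size"], "matched_alloc": matched[0]["base"]})
        elif (not in_image and not in_alloc and call["size"] == PAGE
              and call["prot"] == PAGE_EXECUTE_READWRITE):
            findings.append({"index": idx, "kind": "page_rwx_outside_image",
                             "base": call["base"], "size": call["size"]})
    return findings


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze_trace(TRACE):
        print(f)
    print(summarize(analyze_trace(TRACE)))
```

On this trace the walk yields one RWX allocation, fourteen single-page RWX changes outside the image, and a final unpack_into_image finding whose matched_alloc is 0x00980000. Pairing by size is a deliberately loose heuristic: a stub that unpacks in several chunks would need the allocation sizes summed instead.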
section .rsrc | virtual_address 0x00064000 | virtual_size 0x000286bc | size_of_data 0x00028800 | entropy 7.846 | description: A section with a high entropy has been found
entropy 0.283 | description: Overall entropy of this PE file is high

The per-section figure is Shannon entropy in bits per byte (8.0 is the maximum), so 7.846 for a 165,888-byte .rsrc section means that section is essentially compressed or encrypted data. The file-level 0.283 is on a different scale: it is the fraction of section bytes that sit in high-entropy sections (the .rsrc size 0x28800 over the roughly 586 KB of section data in this 573.5 KB file), not a bits-per-byte value.
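The two entropy lines above come from a per-section calculation over the PE section table. The following added example (not the sandbox's own code) reproduces that calculation: a minimal hand-rolled section-table walk, Shannon entropy per section, and the high-entropy fraction. The input PE is constructed inline by build_test_pe() so the script runs offline; its .rsrc section is seeded random data of the same size as this report's .rsrc. The 6.8 threshold is an assumption about the sandbox's rule, not something the report states.

```python
"""Per-section Shannon entropy and high-entropy fraction for a PE image.

Added example, not part of the ZeroBOX report. The PE parser only reads
section headers; the test image is constructed here and is not loadable.
"""
import math
import random
import struct

HIGH_ENTROPY = 6.8   # assumed per-section threshold, bits per byte
FILE_ALIGN = 0x200


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image):
    """Return [(name, virtual_address, virtual_size, raw_pointer, raw_size)]."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                      # section headers follow the optional header
    out = []
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        out.append((name, vaddr, vsize, raw_ptr, raw_size))
    return out


def section_entropy_report(image, threshold=HIGH_ENTROPY):
    """Return (rows, score): rows = [(name, vaddr, raw_size, entropy)],
    score = bytes in sections above threshold / total section bytes."""
    rows, total, high = [], 0, 0
    for name, vaddr, _vsize, raw_ptr, raw_size in pe_sections(image):
        h = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
        rows.append((name, vaddr, raw_size, h))
        total += raw_size
        if h > threshold:
            high += raw_size
    return rows, (high / total if total else 0.0)


def _align(x):
    return (x + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN


def build_test_pe(sections):
    """Build a minimal PE32 image (headers + raw section data) from (name, bytes) pairs."""
    opt_size = 224                                    # PE32 optional header size
    hdr_end = _align(64 + 4 + 20 + opt_size + 40 * len(sections))
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    headers, body = bytearray(), bytearray()
    raw_ptr, vaddr = hdr_end, 0x1000
    for name, data in sections:
        raw_size = _align(len(data))
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               len(data), vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += ((len(data) + 0xFFF) // 0x1000) * 0x1000
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(headers)
    return image.ljust(hdr_end, b"\0") + bytes(body)


def analyze_demo():
    """Constructed input: a repetitive .text and a random .rsrc of 0x28800 bytes."""
    rng = random.Random(2022)
    text = b"\x55\x8b\xec\x90" * 4096                              # 16 KiB, four byte values
    rsrc = bytes(rng.getrandbits(8) for _ in range(0x28800))        # same size as the report's .rsrc
    return section_entropy_report(build_test_pe([(".text", text), (".rsrc", rsrc)]))


if __name__ == "__main__":
    rows, score = analyze_demo()
    for name, vaddr, size, h in rows:
        print(f"{name:8s} va=0x{vaddr:08x} raw=0x{size:08x} entropy={h:.3f}")
    print(f"high-entropy fraction: {score:.3f}")
```

Run against the real sample the same walk would report the .rsrc row near 7.85 and a score near 0.28; on the constructed image the random .rsrc dominates, so the score is about 0.91. Zero padding up to the file alignment is counted, as it is in the file on disk, which slightly lowers the entropy of short sections.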
process: rundll32.exe
hosts: 103.75.201.2, 103.75.201.4, 146.59.226.45, 158.69.222.101, 162.214.118.104, 177.87.70.10, 185.157.82.211, 185.4.135.27, 192.99.251.50, 195.154.133.20, 217.182.143.248, 31.24.158.56, 5.9.116.246 (the same 13 addresses as the IP table above)
Antivirus verdicts (engine, detection name):
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Zusy.417103
FireEye Generic.mg.33ce0628fb349731
ALYac Trojan.Agent.Emotet
Cylance Unsafe
K7AntiVirus Trojan ( 0058decb1 )
Alibaba Trojan:Win32/Emotetcrypt.ca8f63a2
K7GW Trojan ( 0058decb1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Zusy.D65D4F
VirIT Trojan.Win32.Emotet.DGM
Cyren W32/Emotet.EHE.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 Win32/Emotet.CV
APEX Malicious
Paloalto generic.ml
ClamAV Win.Trojan.Generic-9941538-0
Kaspersky HEUR:Trojan-Banker.Win32.Emotet.pef
BitDefender Gen:Variant.Zusy.417103
NANO-Antivirus Trojan.Win32.Mansabo.jngssl
Rising Trojan.Emotet!1.DCA8 (CLASSIC)
Ad-Aware Gen:Variant.Zusy.417103
Sophos Mal/Generic-S + Troj/Emotet-CZQ
F-Secure Trojan.TR/AD.Nekark.mbmai
DrWeb Trojan.Emotet.1153
Zillya Trojan.Emotet.Win32.62333
TrendMicro TrojanSpy.Win32.EMOTET.YXCCOZ
McAfee-GW-Edition BehavesLike.Win32.Emotet.hc
Emsisoft Trojan.Emotet.Gen.A (A)
Jiangmin Trojan.Mansabo.chu
Avira TR/AD.Nekark.mbmai
MAX malware (ai score=83)
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/Emotetcrypt.IH!MTB
ZoneAlarm HEUR:Trojan-Banker.Win32.Emotet.pef
GData Win32.Trojan.BSE.1TKINNF
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.BotX-gen.R477821
McAfee Emotet-FSQ!33CE0628FB34
TACHYON Trojan/W32.Mansabo.587264
VBA32 Trojan.Emotet
Malwarebytes Trojan.Emotet
Panda Trj/Genetic.gen
TrendMicro-HouseCall TrojanSpy.Win32.EMOTET.YXCCOZ
Tencent Trojan.Win32.Mansabo.ic
Yandex Trojan.Emotet!dbHcRKq3+P8
Ikarus Trojan-Spy.Emotet
MaxSecure Trojan.Malware.74088369.susgen
Fortinet W32/Emotet.1153!tr
AVG Win32:BotX-gen [Trj]
Dead hosts (connection attempted, no reply; 192.168.56.103 is the sandbox guest itself, so the entries naming it are the guest's own ephemeral ports, not remote hosts):
dead_host 192.99.251.50:443
dead_host 192.168.56.103:49176
dead_host 5.9.116.246:8080
dead_host 103.75.201.4:443
dead_host 31.24.158.56:8080
dead_host 185.4.135.27:8080
dead_host 185.157.82.211:8080
dead_host 177.87.70.10:8080
dead_host 192.168.56.103:49177
dead_host 192.168.56.103:49170
dead_host 162.214.118.104:8080
dead_host 192.168.56.103:49179
dead_host 195.154.133.20:443
dead_host 192.168.56.103:49178
dead_host 217.182.143.248:8080
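The Suricata alerts and the dead_host list describe the same 13 remote addresses from two angles: which ones tripped a reputation or fingerprint rule, and which ones never answered. The following added example (not part of the ZeroBOX report) folds both into one per-IP indicator table. The two text blocks are copied from the report's Suricata and dead_host sections; the category alternation in ALERT_RE covers the Emerging Threats categories that appear on this page, and the high/medium/low labels are this example's own convention, not the sandbox's.

```python
"""Per-IP indicator summary built from sandbox Suricata alerts and dead_host lines.

Added example, not part of the ZeroBOX report. Input text is copied from the
report; the confidence labels are this example's convention.
"""
import re
from collections import defaultdict

SANDBOX_GUEST = "192.168.56.103"   # the analysis VM, as seen in the flows

SURICATA_ALERTS = """\
TCP 192.168.56.103:49167 -> 146.59.226.45:443 2404305 ET CNC Feodo Tracker Reported CnC Server group 6 A Network Trojan was detected
TCP 192.168.56.103:49173 -> 103.75.201.2:443 2404301 ET CNC Feodo Tracker Reported CnC Server group 2 A Network Trojan was detected
TCP 192.168.56.103:49167 -> 146.59.226.45:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49173 -> 103.75.201.2:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49181 -> 158.69.222.101:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49180 -> 158.69.222.101:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 146.59.226.45:443 -> 192.168.56.103:49168 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 158.69.222.101:443 -> 192.168.56.103:49182 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 192.99.251.50:443 2404310 ET CNC Feodo Tracker Reported CnC Server group 11 A Network Trojan was detected
TCP 192.168.56.103:49166 -> 146.59.226.45:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49172 -> 103.75.201.2:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 103.75.201.2:443 -> 192.168.56.103:49174 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
"""

DEAD_HOSTS = """\
dead_host 192.99.251.50:443
dead_host 192.168.56.103:49176
dead_host 5.9.116.246:8080
dead_host 103.75.201.4:443
dead_host 31.24.158.56:8080
dead_host 185.4.135.27:8080
dead_host 185.157.82.211:8080
dead_host 177.87.70.10:8080
dead_host 192.168.56.103:49177
dead_host 192.168.56.103:49170
dead_host 162.214.118.104:8080
dead_host 192.168.56.103:49179
dead_host 195.154.133.20:443
dead_host 192.168.56.103:49178
dead_host 217.182.143.248:8080
"""

# The signature text and the category are separated only by a space, so the
# category is matched as a known phrase anchored at end of line.
CATEGORIES = ("A Network Trojan was detected", "Unknown Traffic", "Potentially Bad Traffic")
ALERT_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<sid>\d+) (?P<sig>.+?) (?P<cat>" + "|".join(re.escape(c) for c in CATEGORIES) + r")$")


def parse_alerts(text):
    """Normalise each alert to its remote endpoint regardless of flow direction."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            raise ValueError("unparsed alert line: " + line)
        d = m.groupdict()
        if d["src"] == SANDBOX_GUEST:
            remote, port, direction = d["dst"], int(d["dport"]), "out"
        else:
            remote, port, direction = d["src"], int(d["sport"]), "in"
        alerts.append({"remote": remote, "port": port, "sid": int(d["sid"]),
                       "sig": d["sig"], "cat": d["cat"], "dir": direction})
    return alerts


def parse_dead_hosts(text):
    """Return {(ip, port)} for remote endpoints that never answered; guest ports are dropped."""
    dead = set()
    for line in text.splitlines():
        _tag, endpoint = line.split()
        ip, port = endpoint.rsplit(":", 1)
        if ip != SANDBOX_GUEST:
            dead.add((ip, int(port)))
    return dead


def build_ioc_table(alerts, dead):
    def new_row():
        return {"ports": set(), "feodo_sids": set(), "ja3_hit": False,
                "tls_failed": False, "dead": False, "alerts": 0}
    table = defaultdict(new_row)
    for a in alerts:
        row = table[a["remote"]]
        row["ports"].add(a["port"])
        row["alerts"] += 1
        if "Feodo Tracker" in a["sig"]:
            row["feodo_sids"].add(a["sid"])
        if "JA3" in a["sig"]:
            row["ja3_hit"] = True
        if "TLS Handshake Failure" in a["sig"]:
            row["tls_failed"] = True
    for ip, port in dead:
        table[ip]["ports"].add(port)
        table[ip]["dead"] = True
    return dict(table)


def confidence(row):
    """Example convention: reputation hit > client-fingerprint hit > contact only."""
    if row["feodo_sids"]:
        return "high"
    if row["ja3_hit"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    table = build_ioc_table(parse_alerts(SURICATA_ALERTS), parse_dead_hosts(DEAD_HOSTS))
    for ip, row in sorted(table.items()):
        print(ip, sorted(row["ports"]), confidence(row),
              "dead" if row["dead"] else "answered", sorted(row["feodo_sids"]))
```

The table ends up with exactly the 13 addresses from the IP list: three reached a TLS handshake (and were fingerprinted by the JA3 rule), one of the Feodo-listed hosts (192.99.251.50) is also in the dead list, and the nine hosts that only appear as dead on 8080 or 443 carry no alert at all, so they are "low" here even though they were hard-coded in the same sample. That gap is the reason to keep the dead_host list as an indicator source rather than relying on alerts alone.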