Summary | ZeroBOX

c7crGdejW4380ORuxqR

Tags: UPX, Malicious Library, Malicious Packer, PE64, PE File, DLL
Category: FILE
Machine: s1_win7_x6403_us
Started: May 24, 2022, 6:27 p.m.
Completed: May 24, 2022, 6:29 p.m.
Size 831.5KB
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 d5e9618a54167e7ad174deee219e51a1
SHA256 90147b9c27ddb127d6ec28a45f90d2e474720f0d9a7fd14e4b0a5c60f70b5055
CRC32 04909F16
ssdeep 24576:F16TffbuFta+9ZeTKu72muEnESFZqnUZ:+ffSFtBYTKuf8U
Yara
  • UPX_Zero - UPX packed file
  • IsDLL - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)

Name | Response | Post-Analysis Lookup
No hosts contacted.
IP Address | Status | Action
104.248.225.227 | Active | Moloch
110.235.83.107 | Active | Moloch
134.122.119.23 | Active | Moloch
160.16.143.191 | Active | Moloch
165.22.73.229 | Active | Moloch
190.90.233.66 | Active | Moloch
195.77.239.39 | Active | Moloch
196.44.98.190 | Active | Moloch
202.28.34.99 | Active | Moloch
202.29.239.162 | Active | Moloch
210.57.209.142 | Active | Moloch
37.44.244.177 | Active | Moloch
62.171.178.147 | Active | Moloch
87.106.97.83 | Active | Moloch
88.217.172.165 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 165.22.73.229:8080 -> 192.168.56.103:49168 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 165.22.73.229:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 160.16.143.191:7080 -> 192.168.56.103:49172 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 160.16.143.191:7080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.103:49170 -> 160.16.143.191:7080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.103:49187 -> 202.29.239.162:443 | 2404312 | ET CNC Feodo Tracker Reported CnC Server group 13 | A Network Trojan was detected
TCP 192.168.56.103:49174 -> 134.122.119.23:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.103:49187 -> 202.29.239.162:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.103:49175 -> 134.122.119.23:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 202.29.239.162:443 -> 192.168.56.103:49188 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 134.122.119.23:8080 -> 192.168.56.103:49176 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 165.22.73.229:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.103:49186 -> 202.29.239.162:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
status: 1  return: 1  repeated: 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
resource name: None
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2488
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001d90000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 2488
region_size: 192512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001eb0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 1236
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000006270000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000010055000
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefee30000
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef7411000
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35d7000
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff10d000
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000003c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 192512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000670000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefcf27000
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefd6af000
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefd5d9000
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076cf0000
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076eee000
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076bc0000
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefb6da000
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 0
free_bytes_available: 10236186624
root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer
total_number_of_bytes: 0
status: 1  return: 1  repeated: 0
cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CXfMPCPTRlvuID\fUGhucCVyzIbH.dll"
Elastic | malicious (high confidence)
FireEye | Generic.mg.d5e9618a54167e7a
McAfee | Emotet-FSS!D5E9618A5416
Kaspersky | VHO:Trojan-Banker.Win64.Emotet.clud
Cynet | Malicious (score: 100)
Ikarus | Trojan-Spy.Emotet
Rising | Trojan.Emotet!8.B95 (C64:YzY0OvHcOOZrZiMm)
Fortinet | W64/Emotet.7E7K!tr
section .rsrc: size_of_data 0x00054000, virtual_address 0x00080000, virtual_size 0x00053fb8, entropy 6.855949007620302; description: A section with a high entropy has been found
entropy: 0.404575556893; description: Overall entropy of this PE file is high
process: regsvr32.exe
host: 104.248.225.227
host: 110.235.83.107
host: 134.122.119.23
host: 160.16.143.191
host: 165.22.73.229
host: 190.90.233.66
host: 195.77.239.39
host: 196.44.98.190
host: 202.28.34.99
host: 202.29.239.162
host: 210.57.209.142
host: 37.44.244.177
host: 62.171.178.147
host: 87.106.97.83
host: 88.217.172.165
service_name: fUGhucCVyzIbH.dll; service_path: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\CXfMPCPTRlvuID\fUGhucCVyzIbH.dll"
Time & API Arguments Status Return Repeated

CreateServiceW

service_start_name:
start_type: 2
password:
display_name: fUGhucCVyzIbH.dll
filepath: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\CXfMPCPTRlvuID\fUGhucCVyzIbH.dll"
service_name: fUGhucCVyzIbH.dll
filepath_r: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CXfMPCPTRlvuID\fUGhucCVyzIbH.dll"
desired_access: 2
service_handle: 0x0000000000500c90
error_control: 0
service_type: 16
service_manager_handle: 0x00000000004e4c80
status: 1  return: 5246096  repeated: 0
file: C:\Windows\System32\CXfMPCPTRlvuID\fUGhucCVyzIbH.dll:Zone.Identifier
dead_host: 87.106.97.83:7080
dead_host: 196.44.98.190:8080
dead_host: 202.28.34.99:8080
dead_host: 192.168.56.103:49190
dead_host: 104.248.225.227:8080
dead_host: 192.168.56.103:49181
dead_host: 192.168.56.103:49182
dead_host: 192.168.56.103:49178
dead_host: 190.90.233.66:443
dead_host: 195.77.239.39:8080
dead_host: 210.57.209.142:8080
dead_host: 192.168.56.103:49183
dead_host: 192.168.56.103:49184
dead_host: 192.168.56.103:49179
dead_host: 88.217.172.165:8080
dead_host: 37.44.244.177:8080
dead_host: 62.171.178.147:8080
dead_host: 192.168.56.103:49185
dead_host: 110.235.83.107:7080