Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 22, 2023, 1:43 p.m.	Jan. 22, 2023, 2:02 p.m.

Size	724.4KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`5c1d49ce048a20458519ba0b762d84c7`
SHA256	`320ed64e1200825dab347eca5d78c2aac988e1fc20a1dc4d010879000dd984ae`
CRC32	`22E8F9CA`
ssdeep	`12288:AuUMcATtpy9GZRWYc6Nqg01g2u+OeO+OeNhBBhhBBAK+BUEM9ATHnyCLuiesexmm:AuwQXcy7K+G+THhLuCempzLqOGg2h3rD`
PDB Path	Z:\SkMtrch\Release\SkMtrch.pdb
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file Antivirus - Contains references to security software

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Y6F8h5.dll,AxlnstSVGroup
2544
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Y6F8h5.dll,
2628

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 22, 2023, 1:43 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

Z:\SkMtrch\Release\SkMtrch.pdb

Allocates read-write-execute memory (usually to unpack itself) (10 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 22, 2023, 1:43 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2023, 1:43 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2023, 1:43 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2023, 1:43 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2023, 1:43 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73660000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2023, 1:43 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73471000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2023, 1:43 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2023, 1:43 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733a4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2023, 1:43 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73472000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2023, 1:43 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73be1000 process_handle: 0xffffffff	1

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

MicroWorld-eScan	Trojan.GenericKD.65013194
FireEye	Generic.mg.5c1d49ce048a2045
McAfee	Artemis!5C1D49CE048A
Cylance	Unsafe
Sangfor	Trojan.Win32.Agent.Vhjt
BitDefender	Trojan.GenericKD.65013194
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Agent.AFBN
Cynet	Malicious (score: 100)
Rising	Trojan.Agent!8.B1E (CLOUD)
Emsisoft	Trojan.GenericKD.65013194 (B)
Zillya	Trojan.Agent.Win32.3193283
McAfee-GW-Edition	Artemis
GData	Trojan.GenericKD.65013194
MAX	malware (ai score=84)
Arcabit	Trojan.Generic.D3E005CA
Google	Detected
ALYac	Trojan.GenericKD.65013194
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R04AH09AH23
Ikarus	Trojan.Win32.Agent
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:Trojan-gen
Avast	Win32:Trojan-gen

Y6F8h5

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All