Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 22, 2023, 3:26 p.m.	Jan. 22, 2023, 3:33 p.m.

Size	89.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`87f59221122202070e2f2670720627d5`
SHA256	`531395ff7f51401515a8ce9b8974f6c42adf13cb78a40a57df7b9e6be7144533`
CRC32	`0E8CB944`
ssdeep	`1536:So4NPCKLbqoYkbpplW9YoUsxXzbcouNhj2ZszsWuKcdJUrSDaB89p:SoUCWbBNpplToUs1uNhj25LJUkaB89p`
PDB Path	D:\Mktmp\Amadey\ClipperDLL\Release\CLIPPERDLL.pdb
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\clip64.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z
2144
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\clip64.dll,Main
2236
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\clip64.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
1440
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\clip64.dll,
2324

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 22, 2023, 3:26 p.m.			0	0
IsDebuggerPresent Jan. 22, 2023, 3:26 p.m.			0	0
IsDebuggerPresent Jan. 22, 2023, 3:26 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

D:\Mktmp\Amadey\ClipperDLL\Release\CLIPPERDLL.pdb

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 22, 2023, 3:26 p.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744ef000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2023, 3:26 p.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74470000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2023, 3:26 p.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74501000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2023, 3:26 p.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7444f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2023, 3:26 p.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74470000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2023, 3:26 p.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74501000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2023, 3:26 p.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7444f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2023, 3:26 p.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74470000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2023, 3:26 p.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74501000 process_handle: 0xffffffff	1

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Lionic	Trojan.Win32.Generic.4!c
MicroWorld-eScan	Trojan.GenericKD.64865039
FireEye	Trojan.GenericKD.64865039
McAfee	GenericRXAA-AA!87F592211222
VIPRE	Trojan.GenericKD.64865039
Sangfor	Trojan.Win32.Agent.Vell
Arcabit	Trojan.Generic.D3DDC30F
BitDefenderTheta	Gen:NN.ZedlaF.36212.fu4@aOOoUdni
VirIT	Trojan.Win32.Genus.NMA
Symantec	Trojan.Gen.2
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.GenericKD.64865039
Avast	Win32:TrojanX-gen [Trj]
Emsisoft	Trojan.GenericKD.64865039 (B)
McAfee-GW-Edition	Artemis
Antiy-AVL	Trojan/Win32.Wacatac
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Trojan.GenericKD.64865039
AhnLab-V3	Trojan/Win.Generic.C5355012
VBA32	Trojan.Sabsik
ALYac	Trojan.GenericKD.64865039
MAX	malware (ai score=81)
Malwarebytes	Trojan.Amadey
TrendMicro-HouseCall	TROJ_GEN.R002H07AA23
Fortinet	W32/PossibleThreat
AVG	Win32:TrojanX-gen [Trj]

clip64.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All