Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 4, 2023, 7:01 a.m.	April 4, 2023, 7:03 a.m.

Size	93.5KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`1c812c7057527a6d163c54cc4ecc4830`
SHA256	`a1452126afab8381749c34ab80303fcf95f94af500ba6acd7dba3fbbafa3295f`
CRC32	`CC1AE237`
ssdeep	`1536:yjGllSyDgwaiaAR6Ts7b8K5kASGlGWSoZ8dkEU+ScHA6sWjcdou8U+eUus7FhE:gDmDR77glU+3Qou8UPts7XE`
PDB Path	F:\æ ¸æ¶\è¿æ ¸æ¶1\dll\libcurl.dll\Release\libcurl.dll.pdb
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) IsPE32 - (no description) PE_Header_Zero - PE File Signature

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\libcurl.dll,curl_easy_cleanup
2552
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\libcurl.dll,curl_easy_getinfo
2636
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\libcurl.dll,curl_easy_init
2728
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\libcurl.dll,curl_easy_perform
2816
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\libcurl.dll,curl_easy_setopt
2912
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\libcurl.dll,curl_easy_strerror
3004
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\libcurl.dll,curl_formadd
2056
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\libcurl.dll,curl_formfree
1356
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\libcurl.dll,curl_slist_append
2256
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\libcurl.dll,
2492

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

F:\æ ¸æ¶\è¿æ ¸æ¶1\dll\libcurl.dll\Release\libcurl.dll.pdb

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 4, 2023, 7:01 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bff000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 4, 2023, 7:01 a.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bff000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 4, 2023, 7:01 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bff000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 4, 2023, 7:01 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bff000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 4, 2023, 7:01 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bff000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 4, 2023, 7:01 a.m.	process_identifier: 3004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bff000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 4, 2023, 7:01 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bff000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 4, 2023, 7:01 a.m.	process_identifier: 1356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bff000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 4, 2023, 7:01 a.m.	process_identifier: 2256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bff000 process_handle: 0xffffffff	1

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

ALYac	Trojan.GenericKD.66185990
ESET-NOD32	Win32/Agent.AFIY
Kaspersky	HEUR:Trojan.Win32.Agent.gen
BitDefender	Trojan.GenericKD.66185990
MicroWorld-eScan	Trojan.GenericKD.66185990
Avast	Win32:Trojan-gen
Emsisoft	Trojan.GenericKD.66185990 (B)
VIPRE	Trojan.GenericKD.66185990
McAfee-GW-Edition	BehavesLike.Win32.Infected.nh
FireEye	Trojan.GenericKD.66185990
Ikarus	Win32.Outbreak
GData	Trojan.GenericKD.66185990
MAX	malware (ai score=85)
Arcabit	Trojan.Generic.D3F1EB06
ZoneAlarm	HEUR:Trojan.Win32.Agent.gen
McAfee	Artemis!1C812C705752
TrendMicro-HouseCall	TROJ_GEN.R06BH0CD223
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Agent.AFIY!tr
AVG	Win32:Trojan-gen

libcurl.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All