Summary | ZeroBOX

Info2.dll

Tags: Generic Malware, PE64, PE File, DLL

Category FILE
Machine s1_win7_x6401
Started June 26, 2023, 5:31 p.m.
Completed June 26, 2023, 5:35 p.m.
Size 92.0KB
Type PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 8f8d9541654b011456e78754a33f7d52
SHA256 7bd70c9475661914cc2597cf00e6fd79ccef9b76e76eb08ee0b8986dc9d4248f
CRC32 B20F219F
ssdeep 768:NDHPBFnnp3MrrMBAkX/XX76PCGgvMJ91/W9/M8EK/sjUcnd02bsGLCHRAvPb5GoV:Nfnnp3OkX/H7x8nd0MCrJObdOBOO72K
Yara
  • IsDLL - (no description)
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
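The IsPE64, IsDLL and PE_Header_Zero tags above are derived from a handful of header fields. The following added example (mine, not ZeroBOX's Yara rules or code) parses those fields with struct and produces the same tags, plus the three fingerprints the report lists. The build_stub() input is a constructed headers-only image for illustration, not the Info2.dll sample, and the field constants are the standard PE values.

```python
"""PE header checks behind the report's IsPE64 / IsDLL / PE_Header_Zero tags.

Added example (not ZeroBOX code). build_stub() constructs a headers-only
image so the checks can run offline; it is not the Info2.dll sample.
"""
import hashlib
import struct
import zlib

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+


def parse_pe(data: bytes) -> dict:
    """Return machine/bitness/DLL facts for a PE image; ValueError if it is not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # need signature (4) + IMAGE_FILE_HEADER (20) + optional-header Magic (2)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsect, tstamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return {
        "machine": machine,
        "is_pe64": machine == IMAGE_FILE_MACHINE_AMD64 and magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "sections": nsect,
        "timestamp": tstamp,
        "optional_header_size": opt_size,
    }


def triage_tags(data: bytes) -> list:
    """'PE File' when the signature parses, then 'PE64' and 'DLL' when they apply."""
    try:
        info = parse_pe(data)
    except ValueError:
        return []
    tags = ["PE File"]
    if info["is_pe64"]:
        tags.append("PE64")
    if info["is_dll"]:
        tags.append("DLL")
    return tags


def fingerprint(data: bytes) -> dict:
    """MD5 / SHA256 / CRC32 in the presentation the report uses (CRC32 upper-case hex)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "crc32": "%08X" % (zlib.crc32(data) & 0xFFFFFFFF),
    }


def build_stub(machine: int, magic: int, characteristics: int) -> bytes:
    """Constructed headers-only PE image (hypothetical test input, not real malware)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> 0x40
    # Machine, NumberOfSections, TimeDateStamp (arbitrary), PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", machine, 2, 0x649A0000, 0, 0, 0xF0, characteristics)
    opt_hdr = struct.pack("<H", magic) + b"\0" * (0xF0 - 2)  # Magic + zero padding
    return bytes(dos) + b"PE\0\0" + file_hdr + opt_hdr


# 0x2022 = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL; 0x0102 = EXECUTABLE_IMAGE | 32BIT_MACHINE
PE64_DLL = build_stub(IMAGE_FILE_MACHINE_AMD64, IMAGE_NT_OPTIONAL_HDR64_MAGIC, 0x2022)
PE32_EXE = build_stub(IMAGE_FILE_MACHINE_I386, IMAGE_NT_OPTIONAL_HDR32_MAGIC, 0x0102)

if __name__ == "__main__":
    for name, blob in (("pe64_dll", PE64_DLL), ("pe32_exe", PE32_EXE)):
        print(name, triage_tags(blob), fingerprint(blob)["crc32"])
```

On a real file, read it in binary mode and pass the bytes to triage_tags() and fingerprint(); the MD5/SHA256/CRC32 values should match the report's block above before any further analysis is trusted.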

DNS lookups (Name | Response | Post-Analysis Lookup): none recorded; the connections below were made directly to the IP address.

Hosts (IP Address | Status | Action)
20.115.112.114 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
(37 flows to 20.115.112.114:443 from client ports 49167-49240, every one answered with a TLS handshake failure; the rule fires on the server's TLS alert record, which is why the flow direction reads server-to-client)
TCP 20.115.112.114:443 -> 192.168.56.101:49167 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49168 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49181 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49189 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49180 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49172 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49193 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49192 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49208 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49176 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49212 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49197 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49177 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49221 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49201 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49228 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49185 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49173 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49232 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49188 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49224 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49200 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49229 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49196 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49205 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49209 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49204 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49240 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49216 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49184 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49213 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49217 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49220 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49237 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49225 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49236 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 20.115.112.114:443 -> 192.168.56.101:49233 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic

Suricata TLS

No Suricata TLS entries: no handshake completed (every attempt ended in the handshake-failure alerts listed above), so no server certificate or session metadata was captured.

Time & API | Arguments | Status | Return | Repeated

IsDebuggerPresent
(no arguments)
Return 0 (no debugger reported) | Repeated 0

IsDebuggerPresent
(no arguments)
Return 0 (no debugger reported) | Repeated 0
Time & API | Arguments | Status | Return | Repeated

NtAllocateVirtualMemory

process_identifier: 2800
region_size: 1769472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002150000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
Status 1 (success) | Return 0 | Repeated 0

NtAllocateVirtualMemory

process_identifier: 2800
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002280000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
Status 1 (success) | Return 0 | Repeated 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
Status 1 (success) | Return 0 | Repeated 0

NtAllocateVirtualMemory

process_identifier: 2808
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000020f0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
Status 1 (success) | Return 0 | Repeated 0

NtAllocateVirtualMemory

process_identifier: 2808
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000021f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
Status 1 (success) | Return 0 | Repeated 0

NtProtectVirtualMemory

process_identifier: 2808
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
Status 1 (success) | Return 0 | Repeated 0
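The six calls above show the same sequence in both processes (2800 and 2808): reserve a large PAGE_EXECUTE_READWRITE region, commit a page inside it, then change an unrelated page at 0x7304c000 to RWX. That last address is not inside anything the process allocated in this trace and is identical in both processes, which is consistent with a shared system DLL mapping, although the report does not name the module. The following added example (mine, not ZeroBOX code) parses entries in the layout the report prints and applies exactly those two checks; SAMPLE_TRACE is a constructed copy of the values above, and the finding names are my own.

```python
"""Flag RWX memory activity in a ZeroBOX/Cuckoo-style API trace.

Added example (not ZeroBOX code). Checks: (1) allocations/commits asking for
PAGE_EXECUTE_READWRITE; (2) NtProtectVirtualMemory making a page RWX when
that page lies outside every region the same process allocated earlier in
the trace, i.e. an already-mapped page being made writable and executable.
"""
import re

PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000

# Constructed from the report's own entries (process_handle lines omitted).
SAMPLE_TRACE = """
NtAllocateVirtualMemory
process_identifier: 2800
region_size: 1769472
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002150000
allocation_type: 8192 (MEM_RESERVE)
1 0 0

NtAllocateVirtualMemory
process_identifier: 2800
region_size: 8192
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002280000
allocation_type: 4096 (MEM_COMMIT)
1 0 0

NtProtectVirtualMemory
process_identifier: 2800
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
1 0 0

NtAllocateVirtualMemory
process_identifier: 2808
region_size: 1572864
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000020f0000
allocation_type: 8192 (MEM_RESERVE)

NtAllocateVirtualMemory
process_identifier: 2808
region_size: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000021f0000
allocation_type: 4096 (MEM_COMMIT)

NtProtectVirtualMemory
process_identifier: 2808
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
"""

API_NAME = re.compile(r"[A-Za-z_]\w*")


def parse_trace(text: str) -> list:
    """One dict per API call; 'key: value' lines become ints where the first token parses."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line and entries:
            key, value = (s.strip() for s in line.split(":", 1))
            token = value.split(" ", 1)[0]          # "64 (PAGE_...)" -> "64"
            try:
                entries[-1][key] = int(token, 0)    # handles "8192" and "0x...7304c000"
            except ValueError:
                entries[-1][key] = value
        elif API_NAME.fullmatch(line):
            entries.append({"api": line})
        # the trailing "1 0 0" status/return/repeated line matches neither branch
    return entries


def analyze(entries: list) -> dict:
    """Return {pid: [(finding, base_address, size), ...]} for RWX activity."""
    findings, own_regions = {}, {}
    for e in entries:
        pid, prot, base = e.get("process_identifier"), e.get("protection"), e.get("base_address")
        if e["api"] == "NtAllocateVirtualMemory":
            size = e.get("region_size", 0)
            own_regions.setdefault(pid, []).append((base, base + size))
            if prot == PAGE_EXECUTE_READWRITE:
                kind = "rwx_reserve" if e.get("allocation_type", 0) & MEM_RESERVE else "rwx_commit"
                findings.setdefault(pid, []).append((kind, base, size))
        elif e["api"] == "NtProtectVirtualMemory" and prot == PAGE_EXECUTE_READWRITE:
            size = e.get("length", 0)
            own = any(lo <= base < hi for lo, hi in own_regions.get(pid, []))
            kind = "rwx_protect_own_region" if own else "rwx_protect_existing_mapping"
            findings.setdefault(pid, []).append((kind, base, size))
    return findings


if __name__ == "__main__":
    for pid, hits in analyze(parse_trace(SAMPLE_TRACE)).items():
        for kind, base, size in hits:
            print(f"pid {pid}: {kind} base=0x{base:x} size={size}")
```

The rwx_protect_existing_mapping finding is the one worth prioritising: a fresh RWX allocation is common to many loaders, but making an already-mapped page writable and executable is the pattern of in-place patching of loaded code.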
Time & API | Arguments | Status | Return | Repeated

GetAdaptersAddresses

flags: 15 (GAA_FLAG_SKIP_UNICAST | GAA_FLAG_SKIP_ANYCAST | GAA_FLAG_SKIP_MULTICAST | GAA_FLAG_SKIP_DNS_SERVER)
family: 0 (AF_UNSPEC)
Return 111 (ERROR_BUFFER_OVERFLOW, the buffer-sizing call that precedes the real enumeration) | Repeated 0

Hosts contacted: 20.115.112.114

Antivirus results (vendor | detection)
Lionic Trojan.Win32.Havoc.4!c
MicroWorld-eScan Generic.Trojan.Havokiz.Marte.D.AF0D4B72
ALYac Generic.Trojan.Havokiz.Marte.D.AF0D4B72
Alibaba Trojan:Win64/Havoc.391c802b
Arcabit Generic.Trojan.Havokiz.Marte.D.AF0D4B72
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win64/Havoc_AGen.B
Cynet Malicious (score: 100)
Kaspersky UDS:Backdoor.Win64.Havoc.aia
BitDefender Generic.Trojan.Havokiz.Marte.D.AF0D4B72
Avast BackdoorX-gen [Trj]
Emsisoft Generic.Trojan.Havokiz.Marte.D.AF0D4B72 (B)
VIPRE Generic.Trojan.Havokiz.Marte.D.AF0D4B72
McAfee-GW-Edition BehavesLike.Win64.Infected.nm
FireEye Generic.Trojan.Havokiz.Marte.D.AF0D4B72
Sophos Mal/Generic-S
Antiy-AVL Trojan/Win64.Havoc
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm UDS:Backdoor.Win64.Havoc.aia
GData Generic.Trojan.Havokiz.Marte.D.AF0D4B72
Google Detected
McAfee Artemis!8F8D9541654B
MAX malware (ai score=85)
Cylance unsafe
Panda Trj/Chgt.AD
Rising Backdoor.Havoc!8.970A (CLOUD)
Ikarus Trojan.Win64.Havoc
AVG BackdoorX-gen [Trj]
DeepInstinct MALICIOUS