Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 7, 2023, 8:30 a.m.	Aug. 7, 2023, 8:36 a.m.

Size	76.5KB
Type	PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`e9d5c93dddcbd74935f1532560ae89e8`
SHA256	`28c79c2291c86b81a561d3c882d946ec63bafe48ada96ca0936fdbef0d067a72`
CRC32	`5A89DA4F`
ssdeep	`1536:ogo2smHsP4j2e84tApNSkPOdKra0IFPeaoYoW5ud693abCjccr4:xtHsP4j2ettmSkPOor/8PXoYoW5udg3q`
Yara	IsDLL - (no description) IsPE64 - (no description) PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\demon1.dll,Start
2596
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\demon1.dll,Start
  2740
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\demon1.dll,
2680

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 7, 2023, 8:23 a.m.			0	0

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 7, 2023, 8:23 a.m.	process_identifier: 2740 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001eb0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 8:23 a.m.	process_identifier: 2740 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002050000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 8:23 a.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1

Elastic	malicious (high confidence)
Arcabit	Generic.Trojan.Havokiz.Marte.E.DBA0E5AC
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/Havoc_AGen.B
ClamAV	Win.Malware.Ulise-9988623-0
Kaspersky	VHO:Backdoor.Win64.Convagent.gen
BitDefender	Generic.Trojan.Havokiz.Marte.E.762085AC
MicroWorld-eScan	Generic.Trojan.Havokiz.Marte.E.762085AC
Avast	Win64:Evo-gen [Trj]
Emsisoft	Generic.Trojan.Havokiz.Marte.E.762085AC (B)
VIPRE	Generic.Trojan.Havokiz.Marte.E.762085AC
FireEye	Generic.Trojan.Havokiz.Marte.E.762085AC
MAX	malware (ai score=89)
Antiy-AVL	Trojan/Win64.Havoc
Microsoft	VirTool:Win64/Havokiz.D!MTB
ZoneAlarm	VHO:Backdoor.Win64.Convagent.gen
GData	Generic.Trojan.Havokiz.Marte.E.762085AC
Google	Detected
ALYac	Generic.Trojan.Havokiz.Marte.E.762085AC
Rising	Trojan.Agent!8.B1E (TFE:4:taKsxMMX66P)
Ikarus	Trojan.Win64.Havoc
AVG	Win64:Evo-gen [Trj]
DeepInstinct	MALICIOUS

demon1.dll