Summary | ZeroBOX

vpn_2.41_x86.exe

Tags: Emotet, Malicious Library, UPX, PE File, OS Processor Check, PE32
Category: FILE
Machine: s1_win7_x6402
Started: Oct. 11, 2023, 11:35 a.m.
Completed: Oct. 11, 2023, 11:38 a.m.
Size 2.3MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e9f6a165d0e416dc8b7bd49465a3fa5c
SHA256 725b94d66ecd5e1238401746bc89b063f4ffa5767995119d7bc23ab2ed827c03
CRC32 574BB9EA
ssdeep 49152:8q3QscuJsVPCYc80pixEXY2QpvH8naf9Gion08x2sChdI:80nJsVPBcexz2QpvHqu9GioJ2sChdI
PDB Path E:\buildsource\OOLU_TRUNK\src\AdViewer\bin\Release\OOAdViewer.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet
  • OS_Processor_Check_Zero - OS Processor Check

Name / Response / Post-Analysis Lookup
No hosts contacted.

IP Address        Status   Action
104.194.222.123   Active   Moloch
164.124.101.2     Active   Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API: GetComputerNameW
Arguments: computer_name: TEST22-PC
Status: 1   Return: 1   Repeated: 0
Logged 50 times with identical arguments and results.
pdb_path E:\buildsource\OOLU_TRUNK\src\AdViewer\bin\Release\OOAdViewer.pdb
section .gfids
section .giats
section Erot\x00\x00t
section .caritta
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2992
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a90000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2992
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02230000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2992
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7748f000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2992
region_size: 180224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a50000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
description vpn_2.41_x86.exe tried to sleep 146 seconds, actually delayed analysis time by 146 seconds
Skyhigh Artemis!Trojan
McAfee Artemis!E9F6A165D0E4
Kaspersky UDS:Trojan.Win32.Shella.gen
DrWeb BackDoor.Rat.457
ZoneAlarm UDS:Trojan.Win32.Shella.gen
section: name Erot\x00\x00t, virtual_address 0x0021e000, virtual_size 0x000353e2, size_of_data 0x00035400, entropy 7.982463261025619
description: A section with a high entropy has been found
Time & API: Process32NextW
Arguments (per call): process_name: pw.exe, process_identifier: 3008, with a new snapshot_handle on each call; each call is logged with the result "0 0" (Status / Return / Repeated as given in the report)

snapshot_handle   process_name   process_identifier   Result
0x000000cc        pw.exe         3008                 0 0
0x000000d0        pw.exe         3008                 0 0
0x000000d4        pw.exe         3008                 0 0
0x000000d8        pw.exe         3008                 0 0
0x000000dc        pw.exe         3008                 0 0
0x000000e0        pw.exe         3008                 0 0
0x000000e4        pw.exe         3008                 0 0
0x000000e8        pw.exe         3008                 0 0
0x000000ec        pw.exe         3008                 0 0
0x000000f0        pw.exe         3008                 0 0
0x000000f4        pw.exe         3008                 0 0
0x000000f8        pw.exe         3008                 0 0
0x000000fc        pw.exe         3008                 0 0
0x00000100        pw.exe         3008                 0 0
0x00000104        pw.exe         3008                 0 0
0x00000108        pw.exe         3008                 0 0
0x0000010c        pw.exe         3008                 0 0
0x00000110        pw.exe         3008                 0 0
0x00000114        pw.exe         3008                 0 0
0x00000118        pw.exe         3008                 0 0
host 104.194.222.123
file C:\Users\test22\AppData\Roaming\webDAV.exe.exe:Zone.Identifier