Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.22 06:09
audiodg.exe
09.22 06:09
psfod.exe
09.22 06:09
73EtsZxIoDetWTu.exe
09.22 06:09
otqp9.exe
09.22 06:09
xx.exe
09.22 06:09
fck.exe
09.22 06:09
LummaC222222.exe
09.22 06:09
seethebestwayforunders...
09.22 06:09
Name.exe
09.22 06:09
needmoney.exe

Latest News
09.22 08:09
Hackfest, A New Event ...
09.22 08:09
엠클라우독, 문서 관리 및 정보보안 분야...
09.22 08:09
엘세븐시큐리티, 개인정보 차단 솔루션 시...
09.22 07:09
Examining Mobile Threa...
09.22 07:09
스패로우, SW 공급망 보안 시장서 리더...
09.22 07:09
스콥정보통신, 네트워크 자원관리 및 접근...
09.22 06:09
Unicorn2 Devblog: mmap...
09.22 06:09
국제 사이버범죄조직들에 맞서 치열한 전투...
09.22 05:09
Staffelstabübergabe de...
09.22 05:09
세일포인트, 금융기관 맞춤형 아이덴티티 ...

Summary | ZeroBOX

dllhostex.exe

Malicious Library UPX Malicious Packer PE File OS Processor Check PE32

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Nov. 16, 2023, 6:57 p.m.	Nov. 16, 2023, 7:02 p.m.

Size	1.3MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`f5a7b1f998390241f5c10cbddfe88647`
SHA256	`5cd9ff29454e84923d4178484ecfb3bc48561d4401fa94b98f9d2693d47a740a`
CRC32	`4AC43571`
ssdeep	`24576:wOTuFoSUpzjLJrr4FtnILnSqmdoRdSeUSjguAF11N0i7TwONgV0HL1z9ChftQAg+:2oSUpzjLJYFtnILtmdoRdgSjguA30i76`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

dllhostex.exe "C:\Users\test22\AppData\Local\Temp\dllhostex.exe"
3020

Name	Response	Post-Analysis Lookup
iron.tenchier.com	A 139.177.196.162 CNAME o.auntions.com A 139.59.109.18 A 194.195.223.249	194.195.223.249

IP Address	Status	Action
139.177.196.162	Active	Moloch
139.59.109.18	Active	Moloch
164.124.101.2	Active	Moloch
194.195.223.249	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49164 -> 139.177.196.162:443	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.102:49167 -> 139.177.196.162:443	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.102:49174 -> 139.177.196.162:443	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.102:49176 -> 139.177.196.162:443	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.102:49164 -> 139.177.196.162:443	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.102:49176 -> 139.177.196.162:443	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.102:49174 -> 139.177.196.162:443	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.102:49167 -> 139.177.196.162:443	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 16, 2023, 6:56 p.m.	process_identifier: 3020 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

dllhostex.exe tried to sleep 288 seconds, actually delayed analysis time by 288 seconds

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 16, 2023, 6:56 p.m.	flags: 14 family: 0		111	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	139.59.109.18:443
dead_host	194.195.223.249:443