Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 14, 2024, 5:45 p.m.	July 14, 2024, 5:51 p.m.

Size	2.9MB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`0693990c67e447b84f9055a43cf88974`
SHA256	`a65db0e86aa782ca682fa5222435b8920197de83c56db9b96a67c35967d13b17`
CRC32	`33381DEA`
ssdeep	`49152:OMtP+3WGFsAOuAG8VpAh3P8k3OaNDff+VHscWJLsOlMi144reB0qFQ3CJ6PVDE:vP+3WGp7A91uNDf+pscWpsOlXsqOp`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsDLL - (no description) IsPE32 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\random.dll,
2152
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\random.dll,AwcdthodsHlu
316

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 14, 2024, 5:45 p.m.	process_identifier: 316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1014c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 14, 2024, 5:45 p.m.	process_identifier: 316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744f1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2024, 5:45 p.m.	process_identifier: 316 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0014b000', u'virtual_address': u'0x00001000', u'entropy': 7.9731148905685085, u'name': u'.text', u'virtual_size': u'0x0014a2c9'}

entropy

7.97311489057

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00125000', u'virtual_address': u'0x0014c000', u'entropy': 7.998092396650459, u'name': u'.rdata', u'virtual_size': u'0x00124d47'}

entropy

7.99809239665

description

A section with a high entropy has been found

entropy

0.829787234043

description

Overall entropy of this PE file is high

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Bkav	W32.AIDetectMalware
Skyhigh	BehavesLike.Win32.Expiro.vc
Cylance	Unsafe
Symantec	Trojan.Emotet
Elastic	malicious (high confidence)
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	VHO:Trojan-Downloader.Win32.Mufanom.gen
NANO-Antivirus	Virus.Win32.Gen.ccmw
Rising	Trojan.Generic@AI.100 (RDMK:cmRtazomeJBnHH+dvVirYZ7wylUB)
BitDefenderTheta	Gen:NN.ZedlaF.36808.8w8@aidodxn
Ikarus	Trojan.Win32.Krypt
Google	Detected
Kingsoft	malware.kb.a.997
ZoneAlarm	VHO:Trojan-Downloader.Win32.Mufanom.gen
McAfee	Trojan-FUYR!0693990C67E4
DeepInstinct	MALICIOUS
Fortinet	W32/Kryptik.HVWI!tr
AVG	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (D)

random.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All