Summary | ZeroBOX

Swift-sleep10-jitter-50-amsiPatch-Breakpoints.dll

Tags: Generic Malware, PE32, PE File, DLL
Category FILE
Machine s1_win7_x6401
Started Oct. 18, 2024, 10:07 a.m.
Completed Oct. 18, 2024, 10:20 a.m.
Size 95.5KB
Type PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 68ab6bcbb50fb8f895e92f8c00e350ff
SHA256 e72717c3598893ddb4444f71747b3010171ed14737d63d043ecf9ec7844fd5a5
CRC32 5891FE47
ssdeep 1536:evuO66CQjyU5vgRGHegBARoU9d8jeD+F7n5ULKwJFtwMciaGYOI3lRdgf:evuF6CQ2OgM+e9cCyD+Fj5UL/JjBaGYy
Yara
  • PE_Header_Zero - PE File Signature
  • IsDLL - (no description)
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware

DNS (Name / Response / Post-Analysis Lookup): No hosts contacted.
Network (IP Address / Status / Action): No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API / Arguments / Status / Return / Repeated

__exception__

stacktrace:
DllMain@12+0x1a Start-0x935e swift-sleep10-jitter-50-amsipatch-breakpoints+0x9a1a @ 0x73bf9a1a
RtlQueryEnvironmentVariable+0x241 RtlQueryEnvironmentVariable_U-0x23 ntdll+0x39930 @ 0x76f49930
LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x76f4d8a9
LdrResSearchResource+0xa10 LdrResFindResourceDirectory-0x2a9 ntdll+0x3d76c @ 0x76f4d76c
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x736ed4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a
rundll32+0x14ed @ 0xc014ed
rundll32+0x1baf @ 0xc01baf
rundll32+0x12e8 @ 0xc012e8
rundll32+0x1901 @ 0xc01901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 83 b8 ca 04 00 00 00 75 0d 64 8b 15 18 00 00 00
exception.instruction: cmp dword ptr [eax + 0x4ca], 0
exception.exception_code: 0xc0000005
exception.symbol: DllMain@12+0x43cd Start-0x4fab swift-sleep10-jitter-50-amsipatch-breakpoints+0xddcd
exception.address: 0x73bfddcd
registers.esp: 1832320
registers.edi: 1832616
registers.eax: 0
registers.ebp: 1832360
registers.edx: 32
registers.ebx: 1
registers.esi: 2916294128
registers.ecx: 1832580
Status 1  Return 0  Repeated 0

__exception__

stacktrace:
DllMain@12+0x1a Start-0x935e swift-sleep10-jitter-50-amsipatch-breakpoints+0x9a1a @ 0x73bf9a1a
RtlQueryEnvironmentVariable+0x241 RtlQueryEnvironmentVariable_U-0x23 ntdll+0x39930 @ 0x76f49930
LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x76f4d8a9
LdrResSearchResource+0xa10 LdrResFindResourceDirectory-0x2a9 ntdll+0x3d76c @ 0x76f4d76c
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x736ed4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a
rundll32+0x14ed @ 0xc014ed
rundll32+0x1baf @ 0xc01baf
rundll32+0x12e8 @ 0xc012e8
rundll32+0x1901 @ 0xc01901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 83 b8 ca 04 00 00 00 75 0d 64 8b 15 18 00 00 00
exception.instruction: cmp dword ptr [eax + 0x4ca], 0
exception.exception_code: 0xc0000005
exception.symbol: DllMain@12+0x43cd Start-0x4fab swift-sleep10-jitter-50-amsipatch-breakpoints+0xddcd
exception.address: 0x73bfddcd
registers.esp: 3010544
registers.edi: 3010840
registers.eax: 0
registers.ebp: 3010584
registers.edx: 32
registers.ebx: 1
registers.esi: 2916294128
registers.ecx: 3010804
Status 1  Return 0  Repeated 0
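Both exception records fault at the same address (0x73bfddcd, DllMain@12+0x43cd) on the same instruction with eax = 0; the register dumps differ only in the stack-related values (esp, ebp, edi, ecx), so the two hits are the same NULL-pointer read reached from two separate loads of the DLL under rundll32. The bytes that follow the faulting cmp decode to `jne` and `mov edx, fs:[0x18]` (the TEB self pointer on 32-bit Windows). The helper below is an added example by the editor, not ZeroBOX code: it parses the record's `key: value` lines, decodes the listed bytes under the dumped registers, computes the effective address of the faulting memory operand and flags it as a null-page access. It only implements the handful of x86 opcodes present in this record (0x83 /r imm8, 0x75 rel8, 0x8B r32,r/m32, FS prefix) and rejects anything else rather than guessing.

```python
"""Added triage helper (editor's example, not ZeroBOX code): decode the bytes
in exception.instruction_r under the dumped registers and work out which
address the faulting instruction touched."""

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]  # opcode 0x83 /0../7

# Fields copied from the two __exception__ records above (stack traces omitted).
RECORD_1 = """exception.instruction_r: 83 b8 ca 04 00 00 00 75 0d 64 8b 15 18 00 00 00
exception.exception_code: 0xc0000005
exception.address: 0x73bfddcd
registers.esp: 1832320
registers.edi: 1832616
registers.eax: 0
registers.ebp: 1832360
registers.edx: 32
registers.ebx: 1
registers.esi: 2916294128
registers.ecx: 1832580"""
# Second record: same bytes and address, only the stack-related registers differ.
RECORD_2 = RECORD_1.replace("1832320", "3010544").replace("1832616", "3010840") \
                   .replace("1832360", "3010584").replace("1832580", "3010804")


def parse_record(text):
    """Split 'key: value' lines into (non-register fields, integer register dump)."""
    fields, regs = {}, {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip(), val.strip()
        if key.startswith("registers."):
            regs[key[len("registers."):]] = int(val, 0)  # the report prints them in decimal
        else:
            fields[key] = val
    return fields, regs


def modrm(code, pos, regs, seg=None):
    """Decode the ModRM operand at code[pos]; returns (reg field, operand text,
    linear EA or None, bytes consumed). SIB forms (rm == 4) are rejected."""
    b = code[pos]
    mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
    if mod == 3:
        return reg, REG32[rm], None, 1
    if rm == 4:
        raise ValueError("SIB addressing not handled")
    if mod == 0 and rm == 5:  # [disp32] with no base register
        disp, used = int.from_bytes(code[pos + 1:pos + 5], "little"), 5
        text, ea = f"[0x{disp:x}]", disp
    else:
        size = {0: 0, 1: 1, 2: 4}[mod]
        disp = int.from_bytes(code[pos + 1:pos + 1 + size], "little", signed=True) if size else 0
        used = 1 + size
        ea = (regs[REG32[rm]] + disp) & 0xFFFFFFFF  # base register value from the dump
        off = "" if disp == 0 else (f" + 0x{disp:x}" if disp > 0 else f" - 0x{-disp:x}")
        text = f"[{REG32[rm]}{off}]"
    if seg:  # segment-relative operand: an offset into the TEB here, not a linear address
        return reg, f"{seg}:{text}", None, used
    return reg, text, ea, used


def disassemble(code, regs):
    """Linear sweep over the opcodes this record uses: 0x83 /r imm8, 0x75 rel8,
    0x8B r32,r/m32 and the 0x64 (FS) prefix. Returns [(asm, memory EA), ...]."""
    out, pos = [], 0
    while pos < len(code):
        seg = None
        if code[pos] == 0x64:
            seg, pos = "fs", pos + 1
        op = code[pos]
        if op == 0x83:
            reg, operand, ea, used = modrm(code, pos + 1, regs, seg)
            imm = int.from_bytes(code[pos + 1 + used:pos + 2 + used], "little", signed=True)
            out.append((f"{GROUP1[reg]} dword ptr {operand}, {imm}", ea))
            pos += 2 + used
        elif op == 0x75:
            rel = int.from_bytes(code[pos + 1:pos + 2], "little", signed=True)
            out.append((f"jne {rel:+#x}", None))  # displacement from the next instruction
            pos += 2
        elif op == 0x8B:
            reg, operand, ea, used = modrm(code, pos + 1, regs, seg)
            out.append((f"mov {REG32[reg]}, {operand}", ea))
            pos += 1 + used
        else:
            raise ValueError(f"opcode {op:#x} at offset {pos} not handled")
    return out


def triage(text):
    """Decode the instruction at exception.address and flag a null-page access:
    Windows keeps the first 64 KiB of user space unmapped, so an EA below
    0x10000 means a NULL (or near-NULL) pointer was dereferenced."""
    fields, regs = parse_record(text)
    listing = disassemble(bytes.fromhex(fields["exception.instruction_r"]), regs)
    asm, ea = listing[0]
    return {"address": int(fields["exception.address"], 16),
            "code": int(fields["exception.exception_code"], 16),
            "asm": asm, "fault_ea": ea,
            "null_page": ea is not None and ea < 0x10000,
            "listing": [a for a, _ in listing]}


if __name__ == "__main__":
    for rec in (RECORD_1, RECORD_2):
        r = triage(rec)
        print(f"{r['address']:#x} {r['code']:#010x} {r['asm']}  -> EA {r['fault_ea']:#x}"
              f" null_page={r['null_page']}")
```

For both records the memory operand resolves to 0x4ca, i.e. a read through a NULL base pointer, which is what the 0xC0000005 (STATUS_ACCESS_VIOLATION) reports; the sample never reaches the `mov edx, fs:[0x18]` that follows. The decoder deliberately throws on any opcode it does not know, so a different record produces an error rather than a wrong listing.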
Antivirus (vendor, detection)
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.ShellCode.4!c
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.Havocp.S33873462
ALYac Generic.ShellCode.Marte.2.B322A6DF
VIPRE Generic.ShellCode.Marte.2.B322A6DF
Sangfor Trojan.Win32.Shellcode.Vxzp
BitDefender Generic.ShellCode.Marte.2.B322A6DF
Arcabit Generic.ShellCode.Marte.2.B322A6DF
Symantec Trojan.Gen.MBT
Elastic Windows.Trojan.Generic
ESET-NOD32 a variant of Win32/Havoc.F
Avast Win32:MsfShell-V [Hack]
Kaspersky UDS:DangerousObject.Multi.Generic
MicroWorld-eScan Generic.ShellCode.Marte.2.B322A6DF
Rising Trojan.ShellCode!1.C856 (CLASSIC)
Emsisoft Generic.ShellCode.Marte.2.B322A6DF (B)
TrendMicro TROJ_GEN.R002C0DJH24
McAfeeD ti!E72717C35988
CTX dll.trojan.havoc
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
FireEye Generic.ShellCode.Marte.2.B322A6DF
Google Detected
Antiy-AVL Trojan/Win32.Metasploit.a
Kingsoft Win64.Trojan.Shelma.a
Gridinsoft Trojan.Win32.PikaBot.sa
Microsoft Trojan:Win32/Pikabot.RPY!MTB
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Win32.Malware.Rozena.F
McAfee Artemis!68AB6BCBB50F
DeepInstinct MALICIOUS
Ikarus Win32.Outbreak
Panda Trj/CI.A
Tencent Trojan.Win32.Metasploit_heur.16000691
huorong Backdoor/CobaltStrike.l
MaxSecure Trojan.Malware.121218.susgen
AVG Win32:MsfShell-V [Hack]
Paloalto generic.ml
alibabacloud Backdoor:Win/Havoc.G
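The forty labels above agree that the file is malicious but disagree on the family: Havoc (ESET, CAT-QuickHeal, CTX, alibabacloud), Metasploit (Antiy-AVL, Tencent) and MsfShell (Avast, AVG), Pikabot (Gridinsoft, Microsoft), Marte (the BitDefender-engine group), plus single votes for Rozena, CobaltStrike and Shelma. The script below is an added example by the editor, not part of the ZeroBOX report, and does a naming-consensus pass in the spirit of AVClass: it tokenizes each label, discards platform, class and vendor-generic tokens, counts each family token once per distinct label string (vendors that return a byte-identical label are collapsed, since identical strings normally mean a shared engine rather than an independent verdict) and ranks the result. The stop list and the two aliases (MsfShell to Metasploit, Havocp to Havoc) are the editor's choices.

```python
"""Added example (editor's, not ZeroBOX's): a naming-consensus pass over the
vendor labels above, in the spirit of AVClass, to rank the family names."""
import re
from collections import Counter

# The 40 vendor/label lines exactly as they appear in the report.
DETECTIONS = """Bkav W32.AIDetectMalware
Lionic Trojan.Win32.ShellCode.4!c
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.Havocp.S33873462
ALYac Generic.ShellCode.Marte.2.B322A6DF
VIPRE Generic.ShellCode.Marte.2.B322A6DF
Sangfor Trojan.Win32.Shellcode.Vxzp
BitDefender Generic.ShellCode.Marte.2.B322A6DF
Arcabit Generic.ShellCode.Marte.2.B322A6DF
Symantec Trojan.Gen.MBT
Elastic Windows.Trojan.Generic
ESET-NOD32 a variant of Win32/Havoc.F
Avast Win32:MsfShell-V [Hack]
Kaspersky UDS:DangerousObject.Multi.Generic
MicroWorld-eScan Generic.ShellCode.Marte.2.B322A6DF
Rising Trojan.ShellCode!1.C856 (CLASSIC)
Emsisoft Generic.ShellCode.Marte.2.B322A6DF (B)
TrendMicro TROJ_GEN.R002C0DJH24
McAfeeD ti!E72717C35988
CTX dll.trojan.havoc
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
FireEye Generic.ShellCode.Marte.2.B322A6DF
Google Detected
Antiy-AVL Trojan/Win32.Metasploit.a
Kingsoft Win64.Trojan.Shelma.a
Gridinsoft Trojan.Win32.PikaBot.sa
Microsoft Trojan:Win32/Pikabot.RPY!MTB
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Win32.Malware.Rozena.F
McAfee Artemis!68AB6BCBB50F
DeepInstinct MALICIOUS
Ikarus Win32.Outbreak
Panda Trj/CI.A
Tencent Trojan.Win32.Metasploit_heur.16000691
huorong Backdoor/CobaltStrike.l
MaxSecure Trojan.Malware.121218.susgen
AVG Win32:MsfShell-V [Hack]
Paloalto generic.ml
alibabacloud Backdoor:Win/Havoc.G"""

# Platform, class and vendor-generic/heuristic tokens that name no family (editor's list).
GENERIC = {
    "trojan", "troj", "trj", "backdoor", "malware", "malicious", "mal", "hack",
    "generic", "gen", "heur", "variant", "multi", "classic", "static", "detected",
    "score", "susgen", "dangerousobject", "aidetectmalware", "artemis", "outbreak",
    "shellcode", "dll", "win", "w32", "win32", "win64", "windows", "uds",
}
# Same family under different vendor spellings (editor's assumption).
ALIAS = {"msfshell": "metasploit", "havocp": "havoc"}


def parse_detections(text):
    """Split 'Vendor Label...' lines into (vendor, label) pairs."""
    pairs = []
    for line in text.splitlines():
        vendor, _, label = line.partition(" ")
        if label:
            pairs.append((vendor, label))
    return pairs


def family_tokens(label):
    """Candidate family names in one label: lowercase alphabetic tokens of at
    least three characters that are not generic and carry no digits (variant
    ids and hashes such as 'B322A6DF' or 'S33873462' are dropped)."""
    toks = set()
    for t in re.split(r"[^a-z0-9]+", label.lower()):
        if len(t) < 3 or any(ch.isdigit() for ch in t) or t in GENERIC:
            continue
        toks.add(ALIAS.get(t, t))
    return toks


def family_consensus(text):
    """Rank family tokens by the number of distinct labels that carry them.
    Byte-identical labels from different vendors count once."""
    distinct = {label.lower() for _, label in parse_detections(text)}
    counts = Counter()
    for label in distinct:
        counts.update(family_tokens(label))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for family, votes in family_consensus(DETECTIONS):
        print(f"{votes:2d}  {family}")
```

On this report the ranking comes out Havoc 4, Metasploit 3, Marte 2, Pikabot 2 with the rest at one vote each, which matches the filename's Havoc-style naming and shows how much of the apparent "ShellCode.Marte" agreement is a single engine repeated across six vendors. Six identical Marte strings collapse to one vote, and Emsisoft's "(B)" suffix survives as a second one; strip trailing parentheticals before deduplication if that distinction is not wanted.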