Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 26, 2024, 5:20 p.m.	Oct. 26, 2024, 5:24 p.m.

Size	635.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`a34b7a2cbc156505f9963f986f491b3c`
SHA256	`13d50c5aaee30b965597d6af69b88038246f65deb4d2e0a5ca04394b47e5b16d`
CRC32	`0E134B6C`
ssdeep	`12288:USB6YObJN3d0aH+5lR35CTxzcTo6cNs6IQy/lOljXt19EO:USE5JN3dVS/cTps19OlbtrEO`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsDLL - (no description) IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\libemb.dll,FreeLibraryMemoryAndExitThread
2548
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\libemb.dll,NtUnloadDllMemoryAndExitThread
2632
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\libemb.dll,
2724

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 26, 2024, 5:20 p.m.			0	0
IsDebuggerPresent Oct. 26, 2024, 5:20 p.m.			0	0

Allocates read-write-execute memory (usually to unpack itself) (16 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x764b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73660000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734a4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bb2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73951000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x764b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73500000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73661000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73461000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73424000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c01000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0009b0a0

size

0x000002bc

Moves the original executable to a new location (2 events)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW Oct. 26, 2024, 5:20 p.m.	newfilepath_r: C:\Users\Public\Documents\libemb.dll flags: 1 oldfilepath_r: C:\Windows\SysWOW64\libemb.dll newfilepath: C:\Users\Public\Documents\libemb.dll oldfilepath: C:\Windows\SysWOW64\libemb.dll		0	0
MoveFileWithProgressW Oct. 26, 2024, 5:20 p.m.	newfilepath_r: C:\Users\Public\Documents\libemb.dll flags: 1 oldfilepath_r: C:\Windows\SysWOW64\libemb.dll newfilepath: C:\Users\Public\Documents\libemb.dll oldfilepath: C:\Windows\SysWOW64\libemb.dll		0	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00005800', u'virtual_address': u'0x00093000', u'entropy': 6.851774743029072, u'name': u'.data', u'virtual_size': u'0x00006fb8'}

entropy

6.85177474303

description

A section with a high entropy has been found

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Lionic	Trojan.Win32.Dllhijack.4!c
MicroWorld-eScan	Gen:Variant.Jaik.244899
CAT-QuickHeal	Trojan.DLLhijack
ALYac	Gen:Variant.Jaik.244899
VIPRE	Gen:Variant.Jaik.244899
Sangfor	Trojan.Win32.SilverFox.swkbu
CrowdStrike	win/grayware_confidence_60% (D)
BitDefender	Gen:Variant.Jaik.244899
K7GW	Trojan ( 005b5f241 )
K7AntiVirus	Trojan ( 005b5f241 )
Arcabit	Trojan.Jaik.D3BCA3
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/Injector.ETRZ
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Cynet	Malicious (score: 100)
Kaspersky	Trojan.Win32.DLLhijack.qvb
Alibaba	Trojan:Win32/Injector.ce642258
Rising	Trojan.Injector!1.FD65 (CLASSIC)
Emsisoft	Gen:Variant.Jaik.244899 (B)
F-Secure	Trojan.TR/AVI.Agent.ofrty
DrWeb	Trojan.Loader.2072
McAfeeD	ti!13D50C5AAEE3
CTX	dll.trojan.dllhijack
Sophos	Mal/Generic-S
FireEye	Gen:Variant.Jaik.244899
Webroot	W32.DLLhijack
Google	Detected
Avira	TR/AVI.Agent.ofrty
Antiy-AVL	Trojan/Win32.DLLhijack
Kingsoft	Win32.Trojan.DLLhijack.qvb
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Win32/Phonzy.B!ml
ViRobot	Trojan.Win.Z.Jaik.650240.A
GData	Gen:Variant.Jaik.244899
AhnLab-V3	Trojan/Win.Generic.R656658
McAfee	Artemis!A34B7A2CBC15
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.605676534
Ikarus	Trojan.Win32.Injector
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H09JP24
Tencent	Backdoor.Win32.Runshell_l.16001458
Fortinet	W32/ETRZ!tr
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan:Win/DLLhijack.qmq

libemb.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All