Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 26, 2024, 5:20 p.m.	Oct. 26, 2024, 5:25 p.m.

Size	635.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`14ff2a275e6994ba792d2733f35c410f`
SHA256	`ab67f9b2aba675e29dfde3beb40683ffdceb70b1237f43093aa94a20855d2e87`
CRC32	`1CA46935`
ssdeep	`12288:MSB6YObJN3d0aH+5lR35CTxzcTo6cNs6IQy/lOljXtF9EO:MSE5JN3dVS/cTps19Olbt7EO`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsDLL - (no description) IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\libemb.dll,FreeLibraryMemoryAndExitThread
1952
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\libemb.dll,
2156
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\libemb.dll,NtUnloadDllMemoryAndExitThread
2068

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 26, 2024, 5:20 p.m.			0	0
IsDebuggerPresent Oct. 26, 2024, 5:20 p.m.			0	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 26, 2024, 5:20 p.m.	stacktrace: FreeLibraryMemoryAndExitThread-0x1b53 libemb+0x327d @ 0x743c327d FreeLibraryMemoryAndExitThread+0xe libemb+0x4dde @ 0x743c4dde rundll32+0x1326 @ 0x971326 rundll32+0x1901 @ 0x971901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 44 06 54 c7 45 f0 00 00 00 00 01 f0 6a 66 6a exception.instruction: mov eax, dword ptr [esi + eax + 0x54] exception.exception_code: 0xc0000005 exception.symbol: FreeLibraryMemoryAndExitThread+0x10019 libemb+0x14de9 exception.address: 0x743d4de9 registers.esp: 2225736 registers.edi: 0 registers.eax: 4009750271 registers.ebp: 2225788 registers.edx: 1 registers.ebx: 0 registers.esi: 196648 registers.ecx: 1950174691	1	0	0
__exception__ Oct. 26, 2024, 5:20 p.m.	stacktrace: exception.instruction_r: c7 44 24 08 00 00 00 00 8b 7c 24 04 be c4 86 66 exception.instruction: mov dword ptr [esp + 8], 0 exception.exception_code: 0xc0000005 exception.symbol: FreeLibraryMemoryAndExitThread+0xf8c8 libemb+0x14698 exception.address: 0x743d4698 registers.esp: 1242588 registers.edi: 1950172352 registers.eax: 2005823141 registers.ebp: 1950714534 registers.edx: 235 registers.ebx: 2723356340 registers.esi: 2723454760 registers.ecx: 3006378885	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74440000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74440000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2024, 5:20 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0009b0a0

size

0x000002bc

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW Oct. 26, 2024, 5:20 p.m.	newfilepath_r: C:\Users\Public\Documents\libemb.dll flags: 1 oldfilepath_r: C:\Windows\SysWOW64\libemb.dll newfilepath: C:\Users\Public\Documents\libemb.dll oldfilepath: C:\Windows\SysWOW64\libemb.dll		0	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00005800', u'virtual_address': u'0x00093000', u'entropy': 6.851774743029072, u'name': u'.data', u'virtual_size': u'0x00006fb8'}

entropy

6.85177474303

description

A section with a high entropy has been found

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W32.Common.C9E48257
Lionic	Trojan.Win32.DLLhijack.4!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.DLLhijack
ALYac	Gen:Variant.Jaik.244899
Cylance	Unsafe
VIPRE	Gen:Variant.Jaik.244899
Sangfor	Trojan.Win32.SilverFox.swkbu
CrowdStrike	win/grayware_confidence_60% (D)
BitDefender	Gen:Variant.Jaik.244899
K7GW	Trojan ( 005b5f241 )
K7AntiVirus	Trojan ( 005b5f241 )
Arcabit	Trojan.Jaik.D3BCA3
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/Injector.ETRZ
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	Trojan.Win32.DLLhijack.qry
Alibaba	Trojan:Win32/Injector.a968beb5
NANO-Antivirus	Trojan.Win32.Loader.ktawhr
MicroWorld-eScan	Gen:Variant.Jaik.244899
Rising	Trojan.Injector!1.FD65 (CLASSIC)
Emsisoft	Gen:Variant.Jaik.244899 (B)
F-Secure	Trojan.TR/AVI.Agent.ofrty
DrWeb	Trojan.Loader.2072
McAfeeD	ti!AB67F9B2ABA6
CTX	dll.trojan.dllhijack
Sophos	Mal/Generic-S
FireEye	Gen:Variant.Jaik.244899
Webroot	W32.DLLhijack
Google	Detected
Avira	TR/AVI.Agent.ofrty
Antiy-AVL	Trojan/Win32.DLLhijack
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Win32/Phonzy.B!ml
ViRobot	Trojan.Win.Z.Jaik.650240
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Gen:Variant.Jaik.244899
AhnLab-V3	Trojan/Win.Generic.R656658
McAfee	Artemis!14FF2A275E69
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.605676534
Ikarus	Trojan.Win32.Injector
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H09JO24
Tencent	Backdoor.Win32.Runshell_l.16001458
Fortinet	W32/ETRZ!tr
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml

libemb.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All