Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 16, 2021, 1:23 p.m.	March 16, 2021, 1:23 p.m.

Size	382.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`c8d36bed14933b4f4349a7be71b06c22`
SHA256	`7ed0c15697c8a218fd403c01f7dd336105417dafab886a4f0790d5f2350d6b50`
CRC32	`011820D0`
ssdeep	`6144:F0TcG2Wne/LiHMM9VmWuusFu1+qRrzBRGQ1cDtRBw+WO42AOxCRTTebT4:F0TcG2Wne/o9JuusF6xMicKqCk34`
PDB Path	c:\Colorabout\ForLarge\Forwardnext\past.pdb
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero win_files_operation - Affect private profile IsPE32 - (no description) IsDLL - (no description) IsWindowsGUI - (no description) HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\2200.dll,Thisview
7140
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\2200.dll,
6988

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

c:\Colorabout\ForLarge\Forwardnext\past.pdb

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 16, 2021, 1:23 p.m.	process_identifier: 7140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72244000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 16, 2021, 1:23 p.m.	process_identifier: 7140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x768d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 16, 2021, 1:23 p.m.	process_identifier: 7140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 16, 2021, 1:23 p.m.	process_identifier: 7140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x750f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 16, 2021, 1:23 p.m.	process_identifier: 7140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 16, 2021, 1:23 p.m.	process_identifier: 7140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 16, 2021, 1:23 p.m.	process_identifier: 7140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1

Yara rule detected in process memory (43 events)

description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west file	rule	spreading_file
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.45781189
FireEye	Trojan.GenericKD.45781189
CAT-QuickHeal	Trojan.Agent
McAfee	RDN/Generic.com
Sangfor	Spyware.Win32.Ursnif.KLHKV8
CrowdStrike	win/malicious_confidence_60% (W)
Alibaba	Trojan:Win32/Ursnif.c54f49f2
K7GW	Trojan ( 00578d3b1 )
K7AntiVirus	Trojan ( 00578d3b1 )
Arcabit	Trojan.Generic.D2BA90C5
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Cynet	Malicious (score: 100)
BitDefender	Trojan.GenericKD.45781189
NANO-Antivirus	Trojan.Win32.Gozi.inksdu
Avast	Win32:Trojan-gen
Rising	Trojan.Kryptik!8.8 (CLOUD)
Ad-Aware	Trojan.GenericKD.45781189
Emsisoft	Trojan.GenericKD.45781189 (B)
F-Secure	Trojan.TR/Gozi.wxqlr
DrWeb	Trojan.Gozi.793
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0PBS21
McAfee-GW-Edition	RDN/Generic.com
Sophos	Mal/Generic-S
ESET-NOD32	a variant of Win32/Kryptik.HJTY
MaxSecure	Trojan.Malware.115371239.susgen
Avira	TR/Gozi.wxqlr
Antiy-AVL	Trojan/Win32.Generic
Gridinsoft	Trojan.Win32.Agent.oa
Microsoft	Trojan:Win32/Ymacco.AB7E
GData	Trojan.GenericKD.45781189
AhnLab-V3	Malware/Win32.Generic.C4362827
ALYac	Trojan.GenericKD.45781189
TrendMicro-HouseCall	TROJ_GEN.R002C0PBS21
Yandex	Trojan.Agent!SmbOeIeMjts
MAX	malware (ai score=85)
Fortinet	PossibleThreat.MU
AVG	Win32:Trojan-gen
Panda	Trj/GdSda.A
Qihoo-360	Win32/TrojanPSW.Gozi.HgkASQMA

2200.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All