popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

linas139.dll

Trickbot
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 March 17, 2021, 6:21 p.m. March 17, 2021, 6:21 p.m.
Size 284.5KB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 190b62c21a3413d44cc73e4098b6987b
SHA256 fdc885d4bcbbe9b274c49819801a2a2adfe9cbeee4c1fc509bfc9f385667f1cd
CRC32 EC67F03B
ssdeep 3072:0W5f07yUq2M5cGgs6TjHn+Ki666skl12eFNqw+Q+hXC003NpC/R8O2gUszpi/On1:08R2M9gsD6skaqNDqy0O9O2Nsli/IcU
Yara
  • PE_Header_Zero - PE File Signature Zero
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • Win_Trojan_Trickbot_Zero - Used Trickbot
  • IsPE32 - (no description)
  • IsDLL - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasRichSignature - Rich Signature Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
resource name ADDRESS
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d16000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ca0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73701000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b04000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73702000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d91000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1116
region_size: 212992
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1116
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00980000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1116
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10000000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1116
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10001000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1116
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000490000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
cmdline C:\Windows\system32\cmd.exe
section {u'size_of_data': u'0x0003ec00', u'virtual_address': u'0x0000b000', u'entropy': 7.612306636136962, u'name': u'.rsrc', u'virtual_size': u'0x0003eb38'} entropy 7.61230663614 description A section with a high entropy has been found
entropy 0.885361552028 description Overall entropy of this PE file is high
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Create a windows service rule create_service
description Create a COM server rule create_com_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications over P2P network rule network_p2p_win
description Communications over HTTP rule network_http
description File downloader/dropper rule network_dropper
description Communications over FTP rule network_ftp
description Communications over RAW socket rule network_tcp_socket
description Communications use DNS rule network_dns
description Communication using dga rule network_dga
description Escalade priviledges rule escalate_priv
description Take screenshot rule screenshot
description Run a keylogger rule keylogger
description Steal credential rule cred_local
description Record Audio rule sniff_audio
description APC queue tasks migration rule migrate_apc
description Malware can spread east-west file rule spreading_file
description Malware can spread east-west using share drive rule spreading_share
description Create or check mutex rule win_mutex
description Affect system registries rule win_registry
description Affect system token rule win_token
description Affect private profile rule win_private_profile
description Affect private profile rule win_files_operation
description Match Winsock 2 API library declaration rule Str_Win32_Winsock2_Library
description Match Windows Inet API library declaration rule Str_Win32_Wininet_Library
description Match Windows Inet API call rule Str_Win32_Internet_API
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Affect system registries rule win_registry
description Affect system token rule win_token
description Affect private profile rule win_files_operation
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
Time & API Arguments Status Return Repeated

NtTerminateProcess

 status_code: 0x00000000
process_identifier: 2504
process_handle: 0x00000100
0 0

NtTerminateProcess

 status_code: 0x00000000
process_identifier: 2504
process_handle: 0x00000100
1 0 0
Elastic malicious (high confidence)
McAfee GenericRXAA-AA!190B62C21A34
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
K7GW Riskware ( 0040eff71 )
K7AntiVirus Riskware ( 0040eff71 )
ESET-NOD32 a variant of Win32/GenKryptik.FCYN
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Trickpak.gen
BitDefender Trojan.GenericKD.36513797
MicroWorld-eScan Gen:Variant.Bulz.396010
Avast Win32:Trojan-gen
Rising Trojan.Trickpak!8.122C7 (CLOUD)
Ad-Aware Trojan.GenericKD.36513797
Sophos ML/PE-A
Comodo TrojWare.Win32.Agent.nnblg@0
DrWeb Trojan.Packed2.42908
McAfee-GW-Edition BehavesLike.Win32.Emotet.dc
FireEye Generic.mg.190b62c21a3413d4
Emsisoft Gen:Variant.Bulz.396010 (B)
Ikarus Trojan.Win32.Krypt
GData Trojan.GenericKD.36513797
Kingsoft Win32.Troj.Undef.(kcloud)
AegisLab Trojan.Win32.Trickpak.4!c
Microsoft Trojan:Win32/Wacatac.B!ml
ALYac Backdoor.Agent.Trickbot
Cylance Unsafe
SentinelOne Static AI - Suspicious PE
Fortinet W32/Trickpak.FCYN!tr
BitDefenderTheta Gen:NN.ZedlaF.34628.ru8@aW5zrMhk
AVG Win32:Trojan-gen
Panda Trj/GdSda.A
Qihoo-360 Win32/Trojan.Generic.HgkASQ4A