Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
07.02 08:07
log2.exe
07.02 08:07
log1.exe
07.02 07:07
svchost.exe
07.02 07:07
asec.exe
07.02 07:07
kdmapper.exe
07.02 07:07
buildcr.exe
07.02 07:07
csrss.exe
07.02 07:07
IHBHXXQF.exe
07.02 07:07
snukingorig2.5.exe
07.02 07:07
igccu.exe

Latest News
07.02 08:07
Infostealers on the Ri...
07.02 07:07
A Playbook for Detecti...
07.02 07:07
The Evolution of Phish...
07.02 07:07
CISA Report Finds Most...
07.02 06:07
Cyber A.I. Group Annou...
07.02 06:07
Despite adoption hurdl...
07.02 06:07
The importance of inte...
07.02 06:07
regreSSHion: Critical ...
07.02 06:07
ポルシェカレラカップブラジル、Microso...
07.02 06:07
Celebrate Repair Indep...

Summary | ZeroBOX

44277.730641088.dat

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 23, 2021, 10:42 a.m.	March 23, 2021, 10:44 a.m.

Size	80.0KB
Type	PE32+ executable (DLL) (native) x86-64, for MS Windows
MD5	`8fd8de6608974999b4ed1b216651ae3e`
SHA256	`2c1c490ba12c59ef4f99e42aa9799f4fcbae91240869505fd5dd10466f1adab1`
CRC32	`113C8E2A`
ssdeep	`768:pWadwr+b2aikC6DwLUslDgXBpH/zuVQX9pzvjU4YqsABzktk42mWhlzS8q:75ikC6DwLUHfzDX9JU4YK83Az9`
Yara	PE_Header_Zero - PE File Signature Zero IsPE64 - (no description) IsDLL - (no description) HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44277.730641088.dat.dll,DllRegisterServer
2864
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44277.730641088.dat.dll,DllRegisterServer
  5540
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\44277.730641088.dat.dll,
6204

Name	Response	Post-Analysis Lookup
aws.amazon.com	A 13.225.123.73 CNAME tp.8e49140c2-frontier.amazon.com CNAME dr49lng3n1n2s.cloudfront.net	13.225.123.73

IP Address	Status	Action
13.225.123.73	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49808 -> 13.225.123.73:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49808 13.225.123.73:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=aws.amazon.com	f7:53:97:5e:76:1e:fb:f6:70:72:02:95:d5:9f:2f:05:52:79:5d:ae

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 23, 2021, 10:35 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 23, 2021, 10:35 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 23, 2021, 10:35 a.m.	process_identifier: 5540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1	0	0
NtAllocateVirtualMemory March 23, 2021, 10:35 a.m.	process_identifier: 5540 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d20000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0