Report - ZeroBOX

ScreenShot

Info
Location map


Created	2021.07.09 09:36	Machine	s1_win7_x6402
Filename	crv.dll
Type	PE32+ executable (DLL) (native) x86-64, for MS Windows
AI Score	5	Behavior Score	4.4
ZERO API	file : malware
VT API (file)	30 detected (IcedID, Unsafe, malicious, confidence, Stelega, score, DangerousSig, R + Troj, AGEN, 0NA104G721, Artemis, MalCert, GUABX6, kcloud, ai score=82, PasswordStealer, HggASX8A)
md5	3ddeea156606b2e5d19c86cedf3dec30
sha256	33cc3816f98fa22354559711326a5ce1352d819c180be4328a72618d20a78632
ssdeep	768:2qLODVjNPDZUEix9i3Mb/pvj5ZzbQJbTfHUdV8VTkj7DjpqZMRQ:2DDVjqx9RZjvbQJPfEA4/DEZMRQ
imphash	001d993cb52b06dd86f1aafa1c13bed8
impfuzzy	3:sUrXAErLgc2SHXX0AXtJaDhBAtJZAORZstJMdAhJO7lBn:BXtLpUAG1Boj70ABBn

Network IP location

Signature (10cnts)

Level	Description
danger	File has been identified by 30 AntiVirus engines on VirusTotal as malicious
warning	Generates some ICMP traffic
notice	A process attempted to delay the analysis task.
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger
info	Collects information to fingerprint the system (MachineGuid

Rules (4cnts)

Level	Name	Description	Collection
warning	Generic_Malware_Zero	Generic Malware	binaries (upload)
info	IsDLL	(no description)	binaries (upload)
info	IsPE64	(no description)	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (upload)

Network (6cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://revedanstvy.bid/ whois	AMAZON-AES	54.197.173.238	2585	mailcious
https://aws.amazon.com/ whois	AMAZON-02	99.86.203.73		clean
revedanstvy.bid whois	AMAZON-AES	54.197.173.238		mailcious
aws.amazon.com whois	AMAZON-02	13.225.123.73		clean
54.197.173.238 whois	AMAZON-AES	54.197.173.238		clean
99.86.203.73 whois	AMAZON-02	99.86.203.73		clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
0x180005000 GetThreadPriority
0x180005008 GetCurrentThread
0x180005010 CreateThread
0x180005018 WaitForSingleObject
0x180005020 DuplicateHandle
0x180005028 ResumeThread

EAT(Export Address Table) Library

0x180001020 DfcidmAgqxxIybvoovbd
0x180001040 DllGetClassObject
0x1800011b0 DllRegisterServer
0x180001030 FbyouxodmaAmblxtzonyr
0x180001000 GhjrgreaggXyoydphfea
0x180001010 NrmqrpckejMlzraxTtfncwsvfmhs
0x180001120 PluginInit

Report - crv.dll

Signature (10cnts)

Rules (4cnts)

Network (6cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure