Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 1, 2021, 7:42 a.m.	Dec. 1, 2021, 7:44 a.m.

Size	628.1KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`1c6cee8b4c857f9b9a6da5d1c7e6b36b`
SHA256	`9ec34c2224f0ebc8dda40787593369d520a71048b95d7994875aeadba507548c`
CRC32	`67DE36FE`
ssdeep	`12288:U3NDmdLBdNdbrQtl5gS1dC/uwhu76l8Eem:KLLJCRhUBEJ`
Yara	Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) IsDLL - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Lni.dll,
2416
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Lni.dll,Control_RunDLL
2312

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
103.75.201.2	Active	Moloch
103.8.26.102	Active	Moloch
103.8.26.103	Active	Moloch
104.245.52.73	Active	Moloch
104.251.214.46	Active	Moloch
107.182.225.142	Active	Moloch
110.232.117.186	Active	Moloch
138.185.72.26	Active	Moloch
158.69.222.101	Active	Moloch
176.104.106.96	Active	Moloch
178.79.147.66	Active	Moloch
185.184.25.237	Active	Moloch
195.154.133.20	Active	Moloch
203.114.109.124	Active	Moloch
207.38.84.195	Active	Moloch
210.57.217.132	Active	Moloch
212.237.17.99	Active	Moloch
212.237.5.209	Active	Moloch
212.237.56.116	Active	Moloch
216.158.226.206	Active	Moloch
41.76.108.46	Active	Moloch
45.118.115.99	Active	Moloch
45.118.135.203	Active	Moloch
45.142.114.231	Active	Moloch
46.55.222.11	Active	Moloch
50.116.54.215	Active	Moloch
51.68.175.8	Active	Moloch
58.227.42.236	Active	Moloch
81.0.236.90	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49168 -> 41.76.108.46:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49164 -> 46.55.222.11:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49172 -> 103.8.26.103:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49180 -> 103.8.26.102:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49169 -> 41.76.108.46:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 103.8.26.102:8080 -> 192.168.56.103:49182	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 46.55.222.11:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49218 -> 41.76.108.46:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49193 -> 207.38.84.195:8080	2404312	ET CNC Feodo Tracker Reported CnC Server group 13	A Network Trojan was detected
TCP 192.168.56.103:49176 -> 185.184.25.237:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 41.76.108.46:8080 -> 192.168.56.103:49170	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49219 -> 41.76.108.46:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49181 -> 103.8.26.102:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49223 -> 103.8.26.103:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49186 -> 178.79.147.66:8080	2404307	ET CNC Feodo Tracker Reported CnC Server group 8	A Network Trojan was detected
TCP 192.168.56.103:49206 -> 51.68.175.8:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 41.76.108.46:8080 -> 192.168.56.103:49220	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 103.8.26.103:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 103.8.26.103:8080 -> 192.168.56.103:49224	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49209 -> 210.57.217.132:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 103.8.26.103:8080 -> 192.168.56.103:49174	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 51.68.175.8:8080 -> 192.168.56.103:49207	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 46.55.222.11:443 -> 192.168.56.103:49215	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 46.55.222.11:443 -> 192.168.56.103:49165	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 185.184.25.237:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49213 -> 46.55.222.11:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49167 -> 104.245.52.73:8080	2404301	ET CNC Feodo Tracker Reported CnC Server group 2	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 50.116.54.215:443	2404317	ET CNC Feodo Tracker Reported CnC Server group 18	A Network Trojan was detected
TCP 192.168.56.103:49214 -> 46.55.222.11:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 185.184.25.237:8080 -> 192.168.56.103:49178	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49205 -> 51.68.175.8:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49222 -> 103.8.26.103:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49210 -> 210.57.217.132:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 210.57.217.132:8080 -> 192.168.56.103:49211	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49226 -> 185.184.25.237:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49227 -> 185.184.25.237:8080	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Dec. 1, 2021, 7:42 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 1, 2021, 7:42 a.m.			0	0

The executable uses a known packer (1 event)

packer

Armadillo v1.xx - v2.xx

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (6 events)

ip	103.8.26.102
ip	103.8.26.103
ip	185.184.25.237
ip	210.57.217.132
ip	41.76.108.46
ip	51.68.175.8

Allocates read-write-execute memory (usually to unpack itself) (24 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1008f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x753d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ea1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e11000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00980000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d60000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cc1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022f0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02880000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a60000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 1, 2021, 7:42 a.m.	process_identifier: 2312 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dc0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 1, 2021, 7:43 a.m.	process_identifier: 2312 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e70000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 1, 2021, 7:43 a.m.	process_identifier: 2312 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f60000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 1, 2021, 7:44 a.m.	process_identifier: 2312 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c50000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
FireEye	Generic.mg.1c6cee8b4c857f9b
CrowdStrike	win/malicious_confidence_100% (D)
APEX	Malicious

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00030000', u'virtual_address': u'0x0005b000', u'entropy': 6.986357500017251, u'name': u'.data', u'virtual_size': u'0x000333b8'}

entropy

6.98635750002

description

A section with a high entropy has been found

entropy

0.307692307692

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

rundll32.exe

Communicates with host for which no DNS query was performed (29 events)

host	103.75.201.2
host	103.8.26.102
host	103.8.26.103
host	104.245.52.73
host	104.251.214.46
host	107.182.225.142
host	110.232.117.186
host	138.185.72.26
host	158.69.222.101
host	176.104.106.96
host	178.79.147.66
host	185.184.25.237
host	195.154.133.20
host	203.114.109.124
host	207.38.84.195
host	210.57.217.132
host	212.237.17.99
host	212.237.5.209
host	212.237.56.116
host	216.158.226.206
host	41.76.108.46
host	45.118.115.99
host	45.118.135.203
host	45.142.114.231
host	46.55.222.11
host	50.116.54.215
host	51.68.175.8
host	58.227.42.236
host	81.0.236.90

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (42 events)

dead_host	45.118.135.203:7080
dead_host	192.168.56.103:49193
dead_host	192.168.56.103:49194
dead_host	192.168.56.103:49190
dead_host	212.237.17.99:8080
dead_host	192.168.56.103:49186
dead_host	45.142.114.231:8080
dead_host	195.154.133.20:443
dead_host	203.114.109.124:443
dead_host	81.0.236.90:443
dead_host	192.168.56.103:49201
dead_host	192.168.56.103:49198
dead_host	103.75.201.2:443
dead_host	138.185.72.26:8080
dead_host	192.168.56.103:49187
dead_host	104.251.214.46:8080
dead_host	58.227.42.236:80
dead_host	192.168.56.103:49199
dead_host	207.38.84.195:8080
dead_host	110.232.117.186:8080
dead_host	192.168.56.103:49188
dead_host	192.168.56.103:49202
dead_host	192.168.56.103:49195
dead_host	192.168.56.103:49184
dead_host	176.104.106.96:8080
dead_host	216.158.226.206:443
dead_host	45.118.115.99:8080
dead_host	192.168.56.103:49196
dead_host	178.79.147.66:8080
dead_host	107.182.225.142:8080
dead_host	192.168.56.103:49189
dead_host	192.168.56.103:49203
dead_host	192.168.56.103:49192
dead_host	104.245.52.73:8080
dead_host	158.69.222.101:443
dead_host	192.168.56.103:49185
dead_host	192.168.56.103:49204
dead_host	50.116.54.215:443
dead_host	192.168.56.103:49197
dead_host	212.237.56.116:7080
dead_host	212.237.5.209:443
dead_host	192.168.56.103:49200

Lni

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All