Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 24, 2021, 6:51 p.m.	June 24, 2021, 8:35 p.m.

Size	36.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`912047706a95ccffb31c4adb912e0adb`
SHA256	`3f1643df156bd00c51d2986743d87abfe3e4d642200aa5dd8d0ef0644a602861`
CRC32	`3EBE86E8`
ssdeep	`768:sX0mvrQFZiRigW3BeBPkgkqMptgYToDWzbIDs:sXBrCGigWxaOmiHAs`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

server.exe "C:\Users\test22\AppData\Local\Temp\server.exe"
1552

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
1.15.15.44	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 24, 2021, 6:51 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA June 24, 2021, 6:51 p.m.	service_start_name: start_type: 2 password: display_name: System Remote Data Simulation Layer filepath: C:\Windows\svchost.exe service_name: SRDSL filepath_r: C:\Windows\svchost.exe desired_access: 983551 service_handle: 0x0084f810 error_control: 0 service_type: 272 service_manager_handle: 0x00852138	1	8714256	0

Communicates with host for which no DNS query was performed (1 event)

host

1.15.15.44

Installs itself for autorun at Windows startup (1 event)

service_name

SRDSL

service_path

C:\Windows\svchost.exe

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen7.25806
MicroWorld-eScan	Trojan.GenericKD.37131878
FireEye	Generic.mg.912047706a95ccff
CAT-QuickHeal	Trojan.Mauvaise.SL1
McAfee	GenericRXFT-ZL!912047706A95
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 004b78a51 )
Alibaba	Trojan:Win32/Farfli.33243685
K7GW	Trojan ( 004b78a51 )
Cybereason	malicious.06a95c
BitDefenderTheta	AI:Packer.B4D7A47F1E
Cyren	W32/Farfli.OIMS-2324
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Win32/Farfli.BLH
APEX	Malicious
Avast	Win32:BackdoorX-gen [Trj]
ClamAV	Win.Malware.Farfli-7101089-0
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Trojan.GenericKD.37131878
NANO-Antivirus	Trojan.Win32.AD.erhebd
Paloalto	generic.ml
Tencent	Malware.Win32.Gencirc.10b0cd6d
Ad-Aware	Trojan.GenericKD.37131878
Sophos	ML/PE-A + Mal/Behav-225
VIPRE	Trojan.Win32.Redosdru.C (v)
TrendMicro	BKDR_ZEGOST.SM37
McAfee-GW-Edition	GenericRXFT-ZL!912047706A95
Emsisoft	Trojan.GenericKD.37131878 (B)
Ikarus	Trojan.Win32.Farfli
Jiangmin	Trojan.Generic.beksk
Webroot	W32.Malware.gen
Avira	HEUR/AGEN.1109845
MAX	malware (ai score=100)
Antiy-AVL	Trojan/Generic.ASMalwS.2153630
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Agent.vb!s1
Microsoft	Trojan:Win32/Vigorf.A
AegisLab	Trojan.Win32.Generic.4!c
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Trojan.GenericKD.37131878
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.RL_Generic.R371173
VBA32	BScope.TrojanPSW.Cimuz.B
TACHYON	Trojan/W32.Agent.36864.DUT
Malwarebytes	Backdoor.Farfli
Zoner	Trojan.Win32.86085
TrendMicro-HouseCall	BKDR_ZEGOST.SM37

server.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All