Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 25, 2021, 9:35 a.m.	June 25, 2021, 10:19 a.m.

Size	116.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`93340c5fe915ca0a843a38fb9d993e25`
SHA256	`cb1b5642d56aedff09b5eb8368bf54d2ec8a710de5f7cfcfb7fdc6148619dfd8`
CRC32	`E5E160EA`
ssdeep	`1536:guAlzmP4NK3jfWPd72JQzVOfgoYYkxP8ZSa6THmQQ:qlzkQz+goY9hTHDQ`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

%E5%AF%86%E7%A0%81%E4%BF%9D%E6%8A%A4%E5%8D%87%E7%BA%A7.bat "C:\Users\test22\AppData\Local\Temp\%E5%AF%86%E7%A0%81%E4%BF%9D%E6%8A%A4%E5%8D%87%E7%BA%A7.bat"
5904

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch
192.250.240.134	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 25, 2021, 9:34 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

Foreign language identified in PE resource (26 events)

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b6f0

size

0x00000428

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b5a0

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b5a0

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b5a0

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b5a0

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b5a0

size

0x00000128

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001bb38

size

0x000002b4

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001be60

size

0x000000fa

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001c890

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001c890

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001c890

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001c890

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001c890

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001c890

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001c890

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001c890

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001c890

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001c890

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001c890

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001c890

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001c890

size

0x0000003a

name

RT_ACCELERATOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001bdf0

size

0x00000070

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b6c8

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b6c8

size

0x00000022

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001bf60

size

0x00000300

name

None

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001bb18

size

0x0000001e

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (26 events)

Time & API	Arguments	Status	Return
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x000000c4 process_name: taskhost.exe process_identifier: 5308	1	1
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x000000c4 process_name: cmd.exe process_identifier: 8356	1	1
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x000000c4 process_name: pw.exe process_identifier: 6619182		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x000000d4 process_name: slui.exe process_identifier: 8212	1	1
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x000000d4 process_name: slui.exe process_identifier: 6881397		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x000001fc process_name: slui.exe process_identifier: 3014768		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000204 process_name: slui.exe process_identifier: 7274573		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000208 process_name: slui.exe process_identifier: 5046390		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x0000020c process_name: slui.exe process_identifier: 6815859		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000218 process_name: slui.exe process_identifier: 6619235		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x0000021c process_name: slui.exe process_identifier: 4456552		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000220 process_name: slui.exe process_identifier: 7536758		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000224 process_name: slui.exe process_identifier: 6684769		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x0000022c process_name: process_identifier: 5439572		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000234 process_name: slui.exe process_identifier: 6553715		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000238 process_name: slui.exe process_identifier: 5046338		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x0000023c process_name: slui.exe process_identifier: 6619246		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000240 process_name: slui.exe process_identifier: 6750273		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000244 process_name: slui.exe process_identifier: 7471220		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000248 process_name: slui.exe process_identifier: 7733331		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x0000024c process_name: slui.exe process_identifier: 4980808		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000250 process_name: slui.exe process_identifier: 6619251		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000254 process_name: slui.exe process_identifier: 7864421		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000258 process_name: slui.exe process_identifier: 3342387		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x0000025c process_name: slui.exe process_identifier: 3014722		0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000260 process_name: process_identifier: 7733362		0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 25, 2021, 9:34 a.m.	process_identifier: 5904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 20480 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (30 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x000000c4 process_name: pw.exe process_identifier: 6619182		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x000000d4 process_name: slui.exe process_identifier: 6881397		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000200 process_name: slui.exe process_identifier: 7602224		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000104 process_name: slui.exe process_identifier: 7536688		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x000001fc process_name: slui.exe process_identifier: 3014768		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000204 process_name: slui.exe process_identifier: 7274573		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000208 process_name: slui.exe process_identifier: 5046390		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x0000020c process_name: slui.exe process_identifier: 6815859		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000210 process_name: slui.exe process_identifier: 6881397		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000214 process_name: slui.exe process_identifier: 7602277		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000218 process_name: slui.exe process_identifier: 6619235		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x0000021c process_name: slui.exe process_identifier: 4456552		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000220 process_name: slui.exe process_identifier: 7536758		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000224 process_name: slui.exe process_identifier: 6684769		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000228 process_name: slui.exe process_identifier: 4390992		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x0000022c process_name: process_identifier: 5439572		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000230 process_name: slui.exe process_identifier: 6619182		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000234 process_name: slui.exe process_identifier: 6553715		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000238 process_name: slui.exe process_identifier: 5046338		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x0000023c process_name: slui.exe process_identifier: 6619246		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000240 process_name: slui.exe process_identifier: 6750273		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000244 process_name: slui.exe process_identifier: 7471220		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000248 process_name: slui.exe process_identifier: 7733331		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x0000024c process_name: slui.exe process_identifier: 4980808		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000250 process_name: slui.exe process_identifier: 6619251		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000254 process_name: slui.exe process_identifier: 7864421		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000258 process_name: slui.exe process_identifier: 3342387		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x0000025c process_name: slui.exe process_identifier: 3014722		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000260 process_name: process_identifier: 7733362		0	0
Process32NextW June 25, 2021, 9:34 a.m.	snapshot_handle: 0x00000264 process_name: slui.exe process_identifier: 6553705		0	0

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	192.250.240.134

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Elastic	malicious (high confidence)
ClamAV	Win.Malware.Gh0stRAT-7459730-1
Cylance	Unsafe
Cybereason	malicious.d08f74
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	UDS:Backdoor.Win32.Lotok.gen
Paloalto	generic.ml
McAfee-GW-Edition	BehavesLike.Win32.Injector.cm
FireEye	Generic.mg.93340c5fe915ca0a
SentinelOne	Static AI - Suspicious PE
Kingsoft	Win32.Hack.Undef.(kcloud)
AegisLab	Trojan.Win32.Lotok.m!c
Microsoft	Trojan:Win32/Wacatac.B!ml
McAfee	Artemis!93340C5FE915
Rising	Trojan.Kryptik!1.CC61 (CLASSIC)
Ikarus	Trojan.Win32.Farfli
eGambit	Unsafe.AI_Score_89%
Fortinet	W32/Kryptik.HFPG!tr
BitDefenderTheta	Gen:NN.ZexaE.34758.hq0@aSQ9enhb
CrowdStrike	win/malicious_confidence_80% (D)
MaxSecure	Trojan.Malware.300983.susgen

%E5%AF%86%E7%A0%81%E4%BF%9D%E6%8A%A4%E5%8D%87%E7%BA%A7.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All