Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 2, 2021, 4:40 p.m.	July 2, 2021, 4:42 p.m.

Size	395.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`bd5693ff7ade6c145cece2316064d812`
SHA256	`51e9acb44814b69e368a13bdfb4bab1961647bc7efd78234aefc755a0e3d6479`
CRC32	`DB2D8FCE`
ssdeep	`12288:eQN9iUTzUjd4OctP+2MUdqb72+6hQaKx1O:eQN9i+FpIo02+eCx1O`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

spool.exe "C:\Users\test22\AppData\Local\Temp\spool.exe"
9068
- cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\test22\AppData\Local\Temp\spool.exe > nul
  6928
  - PING.EXE ping -n 2 127.0.0.1
    6012

Name	Response	Post-Analysis Lookup
ref.tbfull.com	A 39.103.200.111	39.103.200.111

IP Address	Status	Action
150.158.157.34	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
39.103.200.111	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 2, 2021, 4:40 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 2, 2021, 4:40 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff		3221225713	0
NtProtectVirtualMemory July 2, 2021, 4:40 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 344064 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10161000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (8 events)

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00062f70

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00062f70

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00062f70

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00062f70

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00062f70

size

0x00000468

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000633d8

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000633d8

size

0x00000022

name

RT_MANIFEST

language

LANG_CHINESE

filetype

XML 1.0 document text

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00063400

size

0x0000028b

Creates executable files on the filesystem (1 event)

file	C:\Windows\System32\Dtldt.exe

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA July 2, 2021, 4:40 p.m.	service_start_name: start_type: 2 password: display_name: Deudtl Dlctbsjb Jbsabrjb Skcs filepath: C:\Windows\System32\Dtldt.exe -auto service_name: Jqiyhx Qxpgx filepath_r: C:\Windows\system32\Dtldt.exe -auto desired_access: 18 service_handle: 0x005ad008 error_control: 0 service_type: 16 service_manager_handle: 0x005acfb8	1	5951496	0

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\test22\AppData\Local\Temp\spool.exe > nul

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\spool.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0005f000', u'virtual_address': u'0x00001000', u'entropy': 7.865582749715651, u'name': u'.data', u'virtual_size': u'0x0005efee'}

entropy

7.86558274972

description

A section with a high entropy has been found

entropy

0.964467005076

description

Overall entropy of this PE file is high

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\test22\AppData\Local\Temp\spool.exe > nul
cmdline	ping -n 2 127.0.0.1

Communicates with host for which no DNS query was performed (2 events)

host	150.158.157.34
host	172.217.25.14

Installs itself for autorun at Windows startup (1 event)

service_name

Jqiyhx Qxpgx

service_path

C:\Windows\System32\Dtldt.exe -auto

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 9068 resumed a thread in remote process 6928
NtResumeThread July 2, 2021, 4:40 p.m.	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 6928	1	0	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	DeepScan:Generic.Keylogger.2.3376591A
FireEye	Generic.mg.bd5693ff7ade6c14
ALYac	DeepScan:Generic.Keylogger.2.3376591A
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0055d49e1 )
BitDefender	DeepScan:Generic.Keylogger.2.3376591A
K7GW	Trojan ( 0055d49e1 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	DeepScan:Generic.Keylogger.2.3376591A
BitDefenderTheta	AI:Packer.1E6035A91F
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Farfli.CTT
APEX	Malicious
Avast	Win32:BackdoorX-gen [Trj]
Kaspersky	Backdoor.Win32.Farfli.bvyp
Alibaba	Backdoor:Win32/Farfli.8adb5e2b
NANO-Antivirus	Trojan.Win32.Farfli.hitbri
Rising	Trojan.Generic@ML.100 (RDML:ZIMIPn0l+OY5llnocRyEJA)
Ad-Aware	DeepScan:Generic.Keylogger.2.3376591A
Emsisoft	DeepScan:Generic.Keylogger.2.3376591A (B)
DrWeb	Trojan.Rootkit.22030
TrendMicro	TROJ_GEN.R002C0PFR21
McAfee-GW-Edition	BehavesLike.Win32.Generic.fc
Sophos	ML/PE-A + Mal/SwiftG-X
SentinelOne	Static AI - Malicious PE
Jiangmin	Heur:TrojanDropper.TDSS
Avira	TR/Crypt.XPACK.Gen
MAX	malware (ai score=84)
Microsoft	HackTool:Win32/Mimikatz!atmn
ZoneAlarm	HEUR:Backdoor.Win32.Generic
GData	DeepScan:Generic.Keylogger.2.3376591A
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win32.RL_Generic.R333274
Acronis	suspicious
McAfee	GenericRXKB-WQ!BD5693FF7ADE
VBA32	BScope.Backdoor.Farfli
Malwarebytes	Malware.AI.1358604974
Panda	Generic Suspicious
TrendMicro-HouseCall	TROJ_GEN.R002C0PFR21
Tencent	Win32.Backdoor.Farfli.Phgg
Yandex	Backdoor.Farfli!W+Mb7VQS57w
Ikarus	Backdoor.Win32.Shiz
Fortinet	W32/GenKryptik.DJUZ!tr
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:BackdoorX-gen [Trj]
Cybereason	malicious.f7ade6

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (7 events)

dead_host	192.168.56.102:49813
dead_host	192.168.56.102:49818
dead_host	192.168.56.102:49819
dead_host	192.168.56.102:49816
dead_host	39.103.200.111:14993
dead_host	192.168.56.102:49814
dead_host	192.168.56.102:49815

spool.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All