Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 9, 2021, 11:24 a.m.	Aug. 9, 2021, 11:30 a.m.

Size	672.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`294fab1523dc3b50cbcc120e67946a5b`
SHA256	`31a88f1273d29300652ece4ce7d5eeef39b404dd628c59c2c327b0333bf33c36`
CRC32	`DD02EDD4`
ssdeep	`12288:veD27Sdt6DA+v7tdOmzsrFczvPE7QlSEvB:hSbsA+vuTFczvPeQlSEp`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

2.exe "C:\Users\test22\AppData\Local\Temp\2.exe"
620
- Lyzmpvm.exe "C:\Program Files (x86)\Microsoft Ksysqh\Lyzmpvm.exe"
  1556

Name	Response	Post-Analysis Lookup
gg.csgohvh.cc

IP Address	Status	Action
139.196.224.137	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:61479 -> 164.124.101.2:53	2027758	ET DNS Query for .cc TLD	Potentially Bad Traffic
TCP 192.168.56.101:49197 -> 139.196.224.137:8080	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

The executable uses a known packer (1 event)

packer

Armadillo v1.71

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://139.196.224.137:8080/NetSyst96.dll

Performs some HTTP requests (1 event)

request

GET http://139.196.224.137:8080/NetSyst96.dll

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 9, 2021, 11:24 a.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3203072 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2021, 11:24 a.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1030f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2021, 11:24 a.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3203072 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2021, 11:24 a.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1030f000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (7 events)

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00054650

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00054650

size

0x00000128

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542a8

size

0x000000bc

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542a8

size

0x000000bc

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00054a60

size

0x0000003a

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00054778

size

0x00000022

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000547a0

size

0x000002c0

Creates executable files on the filesystem (1 event)

file	C:\Program Files\AppPatch\NetSyst96.dll

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Aug. 9, 2021, 11:24 a.m.	service_start_name: start_type: 2 password: display_name: Kctdas hichkvgqehcohzmpri filepath: C:\Program Files (x86)\Microsoft Ksysqh\Lyzmpvm.exe service_name: Wsdnkc rsmrufqa filepath_r: C:\Program Files (x86)\Microsoft Ksysqh\Lyzmpvm.exe desired_access: 983551 service_handle: 0x0059bb58 error_control: 0 service_type: 272 service_manager_handle: 0x0059bab8	1	5880664	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 9, 2021, 11:24 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 9, 2021, 11:24 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

139.196.224.137

Installs itself for autorun at Windows startup (1 event)

service_name

Wsdnkc rsmrufqa

service_path

C:\Program Files (x86)\Microsoft Ksysqh\Lyzmpvm.exe

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Cud.Gen.1
CAT-QuickHeal	Trojan.Redosdru.18844
McAfee	Farfli!294FAB1523DC
Cylance	Unsafe
Zillya	Downloader.Agent.Win32.335022
Sangfor	Backdoor.Win32.Generic.ky
K7AntiVirus	Trojan-Downloader ( 004fefdf1 )
Alibaba	Backdoor:Win32/Farfli.13c
K7GW	Trojan-Downloader ( 004fefdf1 )
Cybereason	malicious.523dc3
Symantec	Downloader!gm
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.CWO
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Downloader.Farfli-6453698-0
Kaspersky	HEUR:Backdoor.Win32.Generic
BitDefender	Trojan.Cud.Gen.1
Avast	Win32:Malware-gen
Tencent	Malware.Win32.Gencirc.10b77a37
Ad-Aware	Trojan.Cud.Gen.1
Sophos	Mal/Generic-S
Comodo	TrojWare.Win32.TrojanDownloader.Farfli.CWO@7k0rzk
DrWeb	Trojan.DownLoader36.59104
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	BKDR_ZEGOST.SM17
McAfee-GW-Edition	Farfli!294FAB1523DC
FireEye	Generic.mg.294fab1523dc3b50
Emsisoft	Trojan.Cud.Gen.1 (B)
SentinelOne	Static AI - Suspicious PE
GData	Trojan.Cud.Gen.1
Jiangmin	Backdoor.Generic.ajkp
Avira	HEUR/AGEN.1111749
MAX	malware (ai score=86)
Antiy-AVL	Trojan/Generic.ASMalwS.203D8BE
Gridinsoft	Trojan.Win32.Downloader.sa
ViRobot	Trojan.Win32.Z.Farfli.688196
ZoneAlarm	Trojan-Downloader.Win32.Agent.gen
Microsoft	TrojanDownloader:Win32/Farfli.F!bit
Cynet	Malicious (score: 99)
AhnLab-V3	Malware/Win32.RL_Generic.R369242
TACHYON	Backdoor/W32.Agent.688196
VBA32	BScope.TrojanDownloader.Farfli
Malwarebytes	Backdoor.Farfli
TrendMicro-HouseCall	BKDR_ZEGOST.SM17
Rising	Downloader.Agent!1.ABFC (CLASSIC)
Yandex	Trojan.GenAsa!6HyyeQhbdKM
Ikarus	Trojan-Downloader.Win32.Farfli
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Kryptik.GHFL!tr

2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All