Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 14, 2021, 9:44 a.m.	Aug. 14, 2021, 9:45 a.m.

Size	86.3KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`efc0f46f3fa314f232394e2cb781659f`
SHA256	`56a4482d9b2138c32622fb4ab0b5ec599cdc881021628a7939a854778351edf1`
CRC32	`9F7F1B23`
ssdeep	`1536:kOF6APNRdilNVyTnPAVfXGDpmdXn/OAY6TLcXKd1A:lFXPNbilNVyTPAVfWwV/FNU`
Yara	Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description)

services.exe "C:\Users\test22\AppData\Local\Temp\services.exe"
1892
- Ehqdrvo.exe "C:\Program Files (x86)\Microsoft Frzmam\Ehqdrvo.exe"
  2612

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
103.229.126.73	Active	Moloch
144.48.240.173	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 144.48.240.173:29106	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 14, 2021, 9:45 a.m.	process_identifier: 1892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3203072 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:45 a.m.	process_identifier: 1892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1030f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:45 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3203072 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:45 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1030f000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (45 events)

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000a560

size

0x000002c8

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000a560

size

0x000002c8

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000a560

size

0x000002c8

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000a560

size

0x000002c8

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000a560

size

0x000002c8

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000a560

size

0x000002c8

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000a560

size

0x000002c8

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000a560

size

0x000002c8

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00010ff8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00010ff8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00010ff8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00010ff8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00010ff8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00010ff8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00010ff8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00010ff8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00010ff8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00010ff8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00010ff8

size

0x00000468

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011460

size

0x00000012

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000119f8

size

0x00000078

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000119f8

size

0x00000078

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000119f8

size

0x00000078

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000119f8

size

0x00000078

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000119f8

size

0x00000078

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000119f8

size

0x00000078

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000119f8

size

0x00000078

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000119f8

size

0x00000078

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000119f8

size

0x00000078

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011e7c

size

0x0000008c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011e7c

size

0x0000008c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011e7c

size

0x0000008c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011e7c

size

0x0000008c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011e7c

size

0x0000008c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011e7c

size

0x0000008c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011e7c

size

0x0000008c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011e7c

size

0x0000008c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011e7c

size

0x0000008c

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011fc8

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011fc8

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011fc8

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011fc8

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011fc8

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011fc8

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011fdc

size

0x00000300

Creates executable files on the filesystem (1 event)

file	C:\Program Files\AppPatch\NetSyst96.dll

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Aug. 14, 2021, 9:45 a.m.	service_start_name: start_type: 2 password: display_name: Pbxuul hchpslaezrbjjlrvuv filepath: C:\Program Files (x86)\Microsoft Frzmam\Ehqdrvo.exe service_name: Wstuhq hxvxevva filepath_r: C:\Program Files (x86)\Microsoft Frzmam\Ehqdrvo.exe desired_access: 983551 service_handle: 0x005656e8 error_control: 0 service_type: 272 service_manager_handle: 0x00565648	1	5658344	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 14, 2021, 9:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 14, 2021, 9:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (2 events)

host	103.229.126.73
host	144.48.240.173

Installs itself for autorun at Windows startup (1 event)

service_name

Wstuhq hxvxevva

service_path

C:\Program Files (x86)\Microsoft Frzmam\Ehqdrvo.exe

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.46752096
FireEye	Generic.mg.efc0f46f3fa314f2
CAT-QuickHeal	Trojan.MauvaiseRI.S5244871
McAfee	Trojan-FJYJ!EFC0F46F3FA3
Cylance	Unsafe
Zillya	Backdoor.Farfli.Win32.5448
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 004eeb581 )
Alibaba	Backdoor:Win32/Zlob.180910
K7GW	Trojan-Downloader ( 004eeb581 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Generic.D2C96160
Baidu	Win32.Trojan-Downloader.Agent.bh
Cyren	W32/Agent.ZZJG-1868
Symantec	SMG.Heur!gen
ESET-NOD32	Win32/TrojanDownloader.Agent.CJI
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Downloader.Zegost-6484584-1
Kaspersky	Backdoor.Win32.Farfli.akdq
BitDefender	Trojan.GenericKD.46752096
NANO-Antivirus	Trojan.Win32.BesysAd.eljjnl
Avast	Win32:Malware-gen
Rising	Trojan.Generic@ML.100 (RDML:B/qpGP2/p3Blnakb5J5isA)
Ad-Aware	Trojan.GenericKD.46752096
TACHYON	Backdoor/W32.Farfli.88420
Emsisoft	Trojan.GenericKD.46752096 (B)
Comodo	TrojWare.Win32.TrojanDownloader.Redosdru.FG@6j5x7c
DrWeb	Trojan.BesysAd.18
TrendMicro	BKDR_ZEGOST.SM17
McAfee-GW-Edition	Trojan-FJYJ!EFC0F46F3FA3
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Jiangmin	Backdoor/Hupigon.ayjb
Avira	TR/Crypt.XPACK.Gen3
Antiy-AVL	Trojan/Generic.ASCommon.1F4
Gridinsoft	PUP.Win32.Tencent.zv!s1
Microsoft	TrojanDownloader:Win32/Farfli.F!bit
ZoneAlarm	Backdoor.Win32.Farfli.akdq
GData	Win32.Trojan.PSE.1NT5ZA2
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Farfli.R187699
MAX	malware (ai score=83)
VBA32	Backdoor.Farfli
Malwarebytes	Backdoor.Farfli
Zoner	Trojan.Win32.80374
TrendMicro-HouseCall	BKDR_ZEGOST.SM17
Tencent	Malware.Win32.Gencirc.10b3bd37
Yandex	Trojan.GenAsa!rUmyptG9Mc4

services.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All