Summary | ZeroBOX

Server.exe

Tags: Malicious Library, OS Processor Check, PE32, PE File
Category: FILE
Machine: s1_win7_x6402
Started: Aug. 31, 2021, 12:47 p.m.
Completed: Aug. 31, 2021, 12:49 p.m.
Size 572.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 1d40468835f2dab842cb3dbf4aea5923
SHA256 f11b08065089f6a0b1606264970e8addd187088be6df9b019d43360c6c0029b7
CRC32 237505ED
ssdeep 6144:iV+u0bUDMT2EDFjj4bflswu/jtLFVgT/WOfrtNswrEH7fYP7nQKO+3Y1tMmbWs:Ob3MKbflsw0t5VgLWYtHraO4+3Y12wW
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)

DNS (name / response / post-analysis lookup): no hosts contacted.
IP addresses contacted (address / status):
103.45.140.175  Active

API call record (GlobalMemoryStatusEx):

GlobalMemoryStatusEx
status: success, return: 1, repeated: 0

packer: Armadillo v1.71
resource name: SKINMAGIC
resource name: None
suspicious_features: Connection to IP address
suspicious_request: GET http://103.45.140.175/Server.exe
request: GET http://103.45.140.175/Server.exe
API call records (NtProtectVirtualMemory / NtAllocateVirtualMemory; status, return value and repeat count follow the arguments; the return value is the raw NTSTATUS):

NtProtectVirtualMemory
process_identifier: 560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10001000
process_handle: 0xffffffff
status: failed, return: 3221225713 (0xC00000F1, STATUS_INVALID_PARAMETER_3: the RegionSize of 0 was rejected), repeated: 0

NtProtectVirtualMemory
process_identifier: 560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 86016
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10026000
process_handle: 0xffffffff
status: success, return: 0, repeated: 0

NtProtectVirtualMemory
process_identifier: 560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x1003b000
process_handle: 0xffffffff
status: failed, return: 3221225713 (0xC00000F1, STATUS_INVALID_PARAMETER_3: the RegionSize of 0 was rejected), repeated: 0

NtAllocateVirtualMemory
process_identifier: 560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ca0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: success, return: 0, repeated: 0
PE resources (all LANG_CHINESE / SUBLANG_CHINESE_SIMPLIFIED; filetype "data" unless noted; entries sharing one offset and size are listed once with their count):
name             count  offset      size
SKINMAGIC        1      0x00095958  0x0000baad
RT_CURSOR        2      0x000a15c8  0x000000b4
RT_BITMAP        4      0x000a1fa0  0x00000144
RT_ICON          4      0x00094610  0x000008a8
RT_DIALOG        3      0x000a1c90  0x000000e2
RT_STRING        12     0x000a29e8  0x00000024
RT_GROUP_CURSOR  1      0x000a1680  0x00000022  (filetype: Lotus unknown worksheet or configuration, revision 0x2)
RT_GROUP_ICON    4      0x00094eb8  0x00000014
RT_VERSION       1      0x00095698  0x000002c0
None             1      0x000a1408  0x00000082
file: c:\Server.exe
API call record (NtProtectVirtualMemory):

NtProtectVirtualMemory
process_identifier: 560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 73728
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
status: success, return: 0, repeated: 0
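As an added example (not part of the ZeroBOX report and not the sample's code), the Python below runs a triage pass over the NtProtectVirtualMemory/NtAllocateVirtualMemory records shown on this page. It decodes the protection constants and NTSTATUS values the report prints, flags regions that are writable and executable at once, and reports when a range that was once RWX is later locked down to execute-only, the write-then-execute sequence that in-place unpackers produce. REPORT_CALLS is transcribed from the records above; UNPACK_SEQUENCE is constructed to exercise the transition rule, which the report's filtered records do not trigger: the two calls that passed a zero length failed, and the later RX change at 0x10001000 does not overlap the RWX range at 0x10026000.

```python
# Added example: triage of NtProtectVirtualMemory / NtAllocateVirtualMemory records.
# Not part of the ZeroBOX report; the REPORT_CALLS values are transcribed from it.

# Memory protection constants (winnt.h)
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_BITS = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_BITS = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# NTSTATUS values seen in the report. 0xC00000F1 is STATUS_INVALID_PARAMETER_3; the third
# parameter of NtProtectVirtualMemory is RegionSize, which is why the length-0 calls failed.
NTSTATUS_NAMES = {0x00000000: "STATUS_SUCCESS", 0xC00000F1: "STATUS_INVALID_PARAMETER_3"}

# Transcribed from the report (pid 560; process_handle 0xffffffff is the current-process
# pseudo-handle). "return" is the raw NTSTATUS the sandbox logged.
REPORT_CALLS = [
    {"api": "NtProtectVirtualMemory",  "base": 0x10001000, "length": 0,     "protection": 0x40, "return": 3221225713},
    {"api": "NtProtectVirtualMemory",  "base": 0x10026000, "length": 86016, "protection": 0x40, "return": 0},
    {"api": "NtProtectVirtualMemory",  "base": 0x1003b000, "length": 0,     "protection": 0x40, "return": 3221225713},
    {"api": "NtAllocateVirtualMemory", "base": 0x01ca0000, "length": 4096,  "protection": 0x40, "return": 0},
    {"api": "NtProtectVirtualMemory",  "base": 0x10001000, "length": 73728, "protection": 0x20, "return": 0},
]

# Constructed (not from the report): a region committed RWX, written, then locked to RX.
# This is the write-then-execute sequence the heuristic below reports.
UNPACK_SEQUENCE = [
    {"api": "NtAllocateVirtualMemory", "base": 0x00400000, "length": 0x3000, "protection": 0x40, "return": 0},
    {"api": "NtProtectVirtualMemory",  "base": 0x00401000, "length": 0x1000, "protection": 0x20, "return": 0},
]


def status_name(ntstatus):
    return NTSTATUS_NAMES.get(ntstatus, "NTSTATUS 0x%08X" % ntstatus)


def triage(calls):
    """Return (kind, base_address, detail) tuples for a list of call records."""
    findings = []
    wx_ranges = []  # [start, end) ranges that were ever writable and executable at once
    for c in calls:
        start, end = c["base"], c["base"] + c["length"]
        if c["return"] != 0:
            findings.append(("failed_call", start, status_name(c["return"])))
            continue
        executable = bool(c["protection"] & EXEC_BITS)
        writable = bool(c["protection"] & WRITE_BITS)
        if executable and writable:
            findings.append(("rwx_region", start, c["api"]))
            wx_ranges.append((start, end))
        elif executable and any(s < end and start < e for s, e in wx_ranges):
            # A range that could be written is now execute-only: code was staged in place.
            findings.append(("write_then_execute", start, c["length"]))
    return findings


if __name__ == "__main__":
    for name, calls in (("report", REPORT_CALLS), ("constructed", UNPACK_SEQUENCE)):
        for kind, base, detail in triage(calls):
            print("%-11s %-19s 0x%08x %s" % (name, kind, base, detail))
```

Range overlap rather than exact base-address matching is what makes the transition rule useful: the protection change that locks the unpacked code usually covers a different start address and length than the allocation that staged it.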
API call record (recv):

recv
buffer (HTTP response; the first 1024 bytes of the reply to the GET above):
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Aug 2021 15:12:10 GMT
Accept-Ranges: bytes
ETag: "5d35969fa98d71:0"
Server: Microsoft-IIS/7.5
Date: Tue, 31 Aug 2021 03:47:44 GMT
Content-Length: 585728 (= 572.0 KB, the size reported for the analysed sample)
[binary body: DOS "MZ" header and stub ("This program cannot be run in DOS mode."), "Rich" signature, PE header with sections .text, .rdata, .data, .rsrc]
received: 1024
socket: 884
status: success, return: 1024, repeated: 0
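Added example (not from the report): parsing the captured recv buffer as an HTTP response and checking the indicators a triage analyst reads off it: the host is a bare IPv4 literal, the body is served as application/octet-stream and begins with the MZ signature, and the advertised Content-Length of 585728 equals 572.0 KB, the size reported for the analysed sample. The headers are transcribed from the page; the body bytes are constructed (a generic DOS header), since the report's rendering of the binary body is not recoverable.

```python
# Added example: reading the captured recv() buffer as an HTTP response and checking the
# payload-delivery indicators. Not ZeroBOX code. Headers are transcribed from the report;
# the body bytes are CONSTRUCTED (a generic DOS header); the real ones are not on the page.
import re

REQUEST_URL = "http://103.45.140.175/Server.exe"  # from the report
SAMPLE_SIZE_KB = 572.0                              # the report's Size field

DOS_HEADER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00"
    + b"\x00" * 36
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    + b"This program cannot be run in DOS mode.\r\n$"
)
RECV_BUFFER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Last-Modified: Tue, 24 Aug 2021 15:12:10 GMT\r\n"
    b"Accept-Ranges: bytes\r\n"
    b'ETag: "5d35969fa98d71:0"\r\n'
    b"Server: Microsoft-IIS/7.5\r\n"
    b"Date: Tue, 31 Aug 2021 03:47:44 GMT\r\n"
    b"Content-Length: 585728\r\n"
    b"\r\n"
) + DOS_HEADER

IPV4_LITERAL_HOST = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/")


def parse_http_response(buf):
    """Split one buffered read into (status_code, headers, body_bytes)."""
    head, sep, body = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not in buffer")
    lines = head.decode("latin-1").split("\r\n")
    _version, code, _reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers, body


def assess_download(url, buf, sample_size_kb):
    """Indicators read off the exchange: bare-IP host, octet-stream PE body, and whether
    the advertised length is the analysed sample's own size (a self-download)."""
    code, headers, body = parse_http_response(buf)
    length = int(headers.get("content-length", "0"))
    return {
        "ok": code == 200,
        "bare_ip_host": IPV4_LITERAL_HOST.match(url) is not None,
        "octet_stream": headers.get("content-type", "").startswith("application/octet-stream"),
        "pe_payload": body.startswith(b"MZ"),
        "content_length": length,
        "matches_sample_size": round(length / 1024, 1) == sample_size_kb,
    }


if __name__ == "__main__":
    for key, value in assess_download(REQUEST_URL, RECV_BUFFER, SAMPLE_SIZE_KB).items():
        print("%-20s %s" % (key, value))
```

The checks work on a single recv of 1024 bytes, which is all the sandbox logged; on a real capture the body would have to be reassembled across reads before hashing it against the sample's SHA256.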
section .data: size_of_data 0x0001b000, virtual_address 0x00064000, virtual_size 0x0002eb08, entropy 7.3018; description: A section with a high entropy has been found
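Added example (not ZeroBOX code): the Shannon entropy behind the high-entropy heuristic, computed over a section's file bytes (size_of_data) rather than its in-memory extent (virtual_size). The .data geometry is taken from the report; the byte content is constructed, since the page does not carry it, and the 7.0 threshold is an assumption (the page only shows that 7.30 is treated as high). The padded variant shows why measuring the zero-filled virtual_size tail (0x13b08 bytes here) would drag a packed section well below the threshold.

```python
# Added example: section entropy as used by the high-entropy heuristic. Not ZeroBOX code.
# The .data geometry is from the report; the section bytes are CONSTRUCTED stand-ins.
import math
from collections import Counter

HIGH_ENTROPY_THRESHOLD = 7.0  # assumption; the report only shows that 7.30 counts as high

# .data section geometry from the report
DATA_SIZE_OF_DATA = 0x0001b000
DATA_VIRTUAL_SIZE = 0x0002eb08

# Constructed stand-ins for the section bytes: a uniform byte distribution, which is what
# packed or encrypted data approaches, and plain repeated text for contrast.
PACKED_LIKE = bytes(range(256)) * (DATA_SIZE_OF_DATA // 256)
TEXT_LIKE = (b"This program cannot be run in DOS mode.\r\n" * (DATA_SIZE_OF_DATA // 41))[:DATA_SIZE_OF_DATA]


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_entropy(raw, size_of_data, virtual_size, use_raw=True):
    """Entropy of the section's file bytes (size_of_data), or, with use_raw=False, of its
    in-memory image where the tail up to virtual_size is zero-filled. The report's value
    is computed the first way; the second is the mistake a naive tool makes."""
    data = raw[:size_of_data]
    if not use_raw and virtual_size > size_of_data:
        data += b"\x00" * (virtual_size - size_of_data)
    return shannon_entropy(data)


def flag_high_entropy(sections, threshold=HIGH_ENTROPY_THRESHOLD):
    """sections: iterable of (name, raw_bytes, size_of_data, virtual_size). Returns flagged names."""
    return [name for name, raw, sod, vs in sections
            if section_entropy(raw, sod, vs) >= threshold]


if __name__ == "__main__":
    print(".data raw   : %.4f" % section_entropy(PACKED_LIKE, DATA_SIZE_OF_DATA, DATA_VIRTUAL_SIZE))
    print(".data padded: %.4f" % section_entropy(PACKED_LIKE, DATA_SIZE_OF_DATA, DATA_VIRTUAL_SIZE, use_raw=False))
    print("text-like   : %.4f" % section_entropy(TEXT_LIKE, DATA_SIZE_OF_DATA, DATA_VIRTUAL_SIZE))
    print("flagged     :", flag_high_entropy([
        (".data", PACKED_LIKE, DATA_SIZE_OF_DATA, DATA_VIRTUAL_SIZE),
        (".text", TEXT_LIKE, DATA_SIZE_OF_DATA, DATA_VIRTUAL_SIZE),
    ]))
```

High entropy alone does not distinguish a packer from legitimately compressed or encrypted content such as embedded images; here it is one signal beside the Armadillo packer identification and the RWX memory changes.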
API call records (Process32NextW; every call below has return: 0, repeated: 0):
snapshot_handle  process_name  process_identifier
0x000003c8  conhost.exe  7602224
0x0000011c  conhost.exe  7536688
0x000003c4  conhost.exe  3014768
0x000003cc  conhost.exe  7274573
0x000003d0  conhost.exe  5046390
0x000003d4  conhost.exe  6815859
0x000003d8  conhost.exe  6881397
0x000003dc  conhost.exe  7602277
0x000003e0  conhost.exe  6619235
0x000003e4  conhost.exe  4456552
0x000003e8  conhost.exe  7536758
0x000003ec  conhost.exe  6684769
0x000003f0  conhost.exe  4390992
0x000003f4  (empty)      5439572
0x000003f8  conhost.exe  6619182
0x000003fc  conhost.exe  6553715
0x00000404  conhost.exe  5046338
0x00000408  conhost.exe  6619246
0x0000040c  conhost.exe  6750273
0x00000410  conhost.exe  7471220
0x00000414  conhost.exe  7733331
0x00000418  conhost.exe  4980808
0x0000041c  conhost.exe  6619251
0x00000420  conhost.exe  7864421
0x00000424  conhost.exe  3342387
0x00000428  conhost.exe  3014722
0x0000042c  (empty)      7733362
0x00000430  conhost.exe  6553705
host: 103.45.140.175
Antivirus results (engine / detection):
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Trojan.Malware.JquaaOXYz4jb
CAT-QuickHeal Backdoor.ZegostRI.S13133422
ALYac Gen:Trojan.Malware.JquaaOXYz4jb
Cylance Unsafe
Zillya Trojan.GenKryptik.Win32.46545
K7AntiVirus Trojan ( 0053e6c01 )
Alibaba Backdoor:Win32/Zegost.604e15d9
K7GW Trojan ( 0053e6c01 )
Cybereason malicious.835f2d
Cyren W32/Lotok.B.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 Win32/Farfli.CNM
APEX Malicious
Paloalto generic.ml
ClamAV Win.Dropper.Gh0stRAT-9783913-0
Kaspersky HEUR:Backdoor.Win32.Lotok.gen
BitDefender Gen:Trojan.Malware.JquaaOXYz4jb
NANO-Antivirus Trojan.Win32.GenKryptik.hjbzvv
Avast Win32:BackdoorX-gen [Trj]
Rising Trojan.Generic@ML.100 (RDML:Ee49Oab2SY7z1oqJK14JCg)
Ad-Aware Gen:Trojan.Malware.JquaaOXYz4jb
TACHYON Backdoor/W32.Lotok.585728
Sophos Mal/Generic-R + Troj/AutoG-HT
Comodo TrojWare.Win32.Aebot.EF@4ye0hx
F-Secure Trojan.TR/AD.Farfli.kkgpz
DrWeb Trojan.DownLoader33.34006
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.Emotet.hh
FireEye Generic.mg.1d40468835f2dab8
Emsisoft Gen:Trojan.Malware.JquaaOXYz4jb (B)
Ikarus Trojan.Win32.Injector
Jiangmin Trojan.Generic.gsmfx
Avira TR/AD.Farfli.kkgpz
Antiy-AVL Trojan[Backdoor]/Win32.Zegost
Kingsoft Win32.Hack.Undef.(kcloud)
Microsoft Backdoor:Win32/Zegost.CQ!bit
Gridinsoft Trojan.Win32.Downloader.oa!s1
Arcabit Trojan.Malware.JquaaOXYz4jb
ZoneAlarm HEUR:Backdoor.Win32.Lotok.gen
GData Gen:Trojan.Malware.JquaaOXYz4jb
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Zegost.R334775
McAfee GenericRXAA-AA!1D40468835F2
MAX malware (ai score=80)
VBA32 BScope.Backdoor.Lotok
Malwarebytes Backdoor.Farfli
Zoner Trojan.Win32.97840
Tencent Malware.Win32.Gencirc.11c1b94e