Summary | ZeroBOX

11111.exe

Malicious Library OS Processor Check PE32 PE File
Category FILE
Machine s1_win7_x6401
Started Aug. 31, 2021, 12:47 p.m.
Completed Aug. 31, 2021, 12:49 p.m.
Size 572.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6d99db65a28ca2dcf725a966678ad30e
SHA256 453196885b342bd95497c0a04f0fd781bd7015c2245aec1ec07e32e80b55b997
CRC32 D5230DF7
ssdeep 6144:iV+u0bUDMT2EDFjj4bflswu/jtLFVgT/WOfrtNswrEH7fYP7MQKO+3Y1tMmbWs:Ob3MKbflsw0t5VgLWYtHraOz+3Y12wW
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
103.45.140.175 Active Moloch
164.124.101.2 Active Moloch

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
packer Armadillo v1.71
resource name SKINMAGIC
resource name None
suspicious_features Connection to IP address
suspicious_request GET http://103.45.140.175/11111.exe
request GET http://103.45.140.175/11111.exe
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10001000
process_handle: 0xffffffff
3221225713 0

NtProtectVirtualMemory

process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 86016
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10026000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x1003b000
process_handle: 0xffffffff
3221225713 0

NtAllocateVirtualMemory

process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00350000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
name SKINMAGIC language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00095958 size 0x0000baad
name RT_CURSOR language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a15c8 size 0x000000b4
name RT_CURSOR language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a15c8 size 0x000000b4
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a1fa0 size 0x00000144
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a1fa0 size 0x00000144
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a1fa0 size 0x00000144
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a1fa0 size 0x00000144
name RT_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00094610 size 0x000008a8
name RT_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00094610 size 0x000008a8
name RT_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00094610 size 0x000008a8
name RT_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00094610 size 0x000008a8
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a1c90 size 0x000000e2
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a1c90 size 0x000000e2
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a1c90 size 0x000000e2
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a29e8 size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a29e8 size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a29e8 size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a29e8 size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a29e8 size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a29e8 size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a29e8 size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a29e8 size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a29e8 size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a29e8 size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a29e8 size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a29e8 size 0x00000024
name RT_GROUP_CURSOR language LANG_CHINESE filetype Lotus unknown worksheet or configuration, revision 0x2 sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a1680 size 0x00000022
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00094eb8 size 0x00000014
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00094eb8 size 0x00000014
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00094eb8 size 0x00000014
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00094eb8 size 0x00000014
name RT_VERSION language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00095698 size 0x000002c0
name None language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a1408 size 0x00000082
file c:\11111.exe
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 73728
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

recv

buffer: HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 24 Aug 2021 15:46:05 GMT Accept-Ranges: bytes ETag: "57565c26ff98d71:0" Server: Microsoft-IIS/7.5 Date: Tue, 31 Aug 2021 03:47:50 GMT Content-Length: 585728 MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¢Õm\û>\û>\û>3Ü¿>Xû>'ß·>]û>\û>vû>ŸÌæ>Eû>\ú>Á»>ßßµ>yû>jå±>Óû>jå°>û>Zà±>Xû>Zà°> û>´Ü°>Wû>›Å½>]û>Rich\û>PELå?š^à @àGaP@0 °0 úPÌ.textú7@ `.rdataÂåPðP@@.dataë@°@@À.rsrcú0 ð@@
received: 1024
socket: 904
1 1024 0
section {u'size_of_data': u'0x0001b000', u'virtual_address': u'0x00064000', u'entropy': 7.301765397454749, u'name': u'.data', u'virtual_size': u'0x0002eb08'} entropy 7.30176539745 description A section with a high entropy has been found
Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x000003ac
process_name: 11111.exe
process_identifier: 7602224
0 0

Process32NextW

snapshot_handle: 0x0000018c
process_name: 11111.exe
process_identifier: 7536688
0 0

Process32NextW

snapshot_handle: 0x000003b4
process_name: 11111.exe
process_identifier: 3014768
0 0

Process32NextW

snapshot_handle: 0x000003b8
process_name: 11111.exe
process_identifier: 7274573
0 0

Process32NextW

snapshot_handle: 0x000003bc
process_name: 11111.exe
process_identifier: 5046390
0 0

Process32NextW

snapshot_handle: 0x000003c0
process_name: 11111.exe
process_identifier: 6815859
0 0

Process32NextW

snapshot_handle: 0x000003c4
process_name: 11111.exe
process_identifier: 6881397
0 0

Process32NextW

snapshot_handle: 0x000003c8
process_name: 11111.exe
process_identifier: 7602277
0 0

Process32NextW

snapshot_handle: 0x000003cc
process_name: 11111.exe
process_identifier: 6619235
0 0

Process32NextW

snapshot_handle: 0x000003d0
process_name: 11111.exe
process_identifier: 4456552
0 0

Process32NextW

snapshot_handle: 0x000003d4
process_name: 11111.exe
process_identifier: 7536758
0 0

Process32NextW

snapshot_handle: 0x000003d8
process_name: 11111.exe
process_identifier: 6684769
0 0

Process32NextW

snapshot_handle: 0x000003dc
process_name: 11111.exe
process_identifier: 4390992
0 0

Process32NextW

snapshot_handle: 0x000003e0
process_name:
process_identifier: 5439572
0 0

Process32NextW

snapshot_handle: 0x000003e4
process_name: 11111.exe
process_identifier: 6619182
0 0

Process32NextW

snapshot_handle: 0x000003e8
process_name: 11111.exe
process_identifier: 6553715
0 0

Process32NextW

snapshot_handle: 0x000003ec
process_name: 11111.exe
process_identifier: 5046338
0 0

Process32NextW

snapshot_handle: 0x000003f0
process_name: 11111.exe
process_identifier: 6619246
0 0

Process32NextW

snapshot_handle: 0x000003f4
process_name: 11111.exe
process_identifier: 6750273
0 0

Process32NextW

snapshot_handle: 0x000003f8
process_name: 11111.exe
process_identifier: 7471220
0 0

Process32NextW

snapshot_handle: 0x000003fc
process_name: 11111.exe
process_identifier: 7733331
0 0

Process32NextW

snapshot_handle: 0x00000404
process_name: 11111.exe
process_identifier: 4980808
0 0

Process32NextW

snapshot_handle: 0x00000408
process_name: 11111.exe
process_identifier: 6619251
0 0

Process32NextW

snapshot_handle: 0x0000040c
process_name: 11111.exe
process_identifier: 7864421
0 0

Process32NextW

snapshot_handle: 0x00000410
process_name: 11111.exe
process_identifier: 3342387
0 0

Process32NextW

snapshot_handle: 0x00000414
process_name: 11111.exe
process_identifier: 3014722
0 0

Process32NextW

snapshot_handle: 0x00000418
process_name:
process_identifier: 7733362
0 0

Process32NextW

snapshot_handle: 0x0000041c
process_name: 11111.exe
process_identifier: 6553705
0 0
host 103.45.140.175
Bkav W32.AIDetect.malware2
Lionic Trojan.Win32.Lotok.m!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.37492745
FireEye Generic.mg.6d99db65a28ca2dc
CAT-QuickHeal Backdoor.ZegostRI.S13133422
ALYac Trojan.GenericKD.37492745
Cylance Unsafe
Zillya Trojan.GenKryptik.Win32.46545
Sangfor Backdoor.Win32.Lotok.gen
K7AntiVirus Trojan ( 0053e6c01 )
Alibaba Backdoor:Win32/Zegost.3d26b774
K7GW Trojan ( 0053e6c01 )
Cybereason malicious.5a28ca
Cyren W32/Lotok.B.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 Win32/Farfli.CNM
APEX Malicious
Paloalto generic.ml
ClamAV Win.Dropper.Gh0stRAT-9783913-0
Kaspersky HEUR:Backdoor.Win32.Lotok.gen
BitDefender Trojan.GenericKD.37492745
NANO-Antivirus Trojan.Win32.GenKryptik.hjbzvv
Avast Win32:BackdoorX-gen [Trj]
Tencent Malware.Win32.Gencirc.11c1b94e
Ad-Aware Trojan.GenericKD.37492745
TACHYON Backdoor/W32.Lotok.585728
Emsisoft Trojan.GenericKD.37492745 (B)
Comodo TrojWare.Win32.Aebot.EF@4ye0hx
DrWeb Trojan.DownLoader33.34006
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.Emotet.hh
Sophos ML/PE-A + Troj/AutoG-HT
Ikarus Trojan.Win32.Injector
Jiangmin Trojan.Generic.gsmfx
Avira TR/AD.Farfli.kkgpz
Antiy-AVL Trojan/Generic.ASMalwS.30496E3
Kingsoft Win32.Hack.Undef.(kcloud)
Gridinsoft Trojan.Win32.Downloader.oa!s1
Microsoft Backdoor:Win32/Zegost.CQ!bit
GData Trojan.GenericKD.37492745
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Zegost.R334775
McAfee GenericRXAA-AA!6D99DB65A28C
MAX malware (ai score=85)
VBA32 BScope.Backdoor.Lotok
Malwarebytes Backdoor.Farfli
Zoner Trojan.Win32.97840
Rising Trojan.Generic@ML.100 (RDML:Ee49Oab2SY7z1oqJK14JCg)
Yandex Trojan.GenKryptik!6/WAPNYvv1A