Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 7, 2021, 8:22 a.m.	Sept. 7, 2021, 8:31 a.m.

Size	371.8KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`fbce6a70198854557fbeca0f09587758`
SHA256	`a9005337ee42d933713cdb8fe8a777d36403b37649676ceb2d2c2417a8e91a04`
CRC32	`BCACBA4C`
ssdeep	`6144:cQqek/BOtrgHyI/cXqUul/R0dPE1Nxw6sLcWaWPve1BQ4rO4Xc6dzO3cAO/mQ:8Vy5hWRecPxw6icWaWPvenAqD7`
Yara	PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

Semt.exe "C:\Users\test22\AppData\Local\Temp\Semt.exe"
2020
- Seel.exe "C:\Windows\temp\Seel.exe"
  112
- nw_elf.exe "C:\Windows\temp\nw_elf.exe"
  1756

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
103.119.1.139	Active	Moloch
139.155.178.173	Active	Moloch
154.38.97.86	Active	Moloch
154.38.97.90	Active	Moloch
164.124.101.2	Active	Moloch
34.97.69.225	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49203 -> 154.38.97.86:868	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49208 -> 139.155.178.173:19060	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.101:49200 -> 139.155.178.173:19060	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 139.155.178.173:19060	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.101:49200 -> 139.155.178.173:19060	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.101:49200 -> 139.155.178.173:19060	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 139.155.178.173:19060	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 139.155.178.173:19060	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 139.155.178.173:19060	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 139.155.178.173:19060	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected
TCP 154.38.97.86:868 -> 192.168.56.101:49203	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 192.168.56.101:49209 -> 139.155.178.173:19060	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 139.155.178.173:19060	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 139.155.178.173:19060	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected
TCP 154.38.97.86:868 -> 192.168.56.101:49203	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 154.38.97.86:868 -> 192.168.56.101:49203	2020500	ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)	Exploit Kit Activity Detected
TCP 154.38.97.86:868 -> 192.168.56.101:49203	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 154.38.97.86:868 -> 192.168.56.101:49203	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 154.38.97.86:868 -> 192.168.56.101:49203	2014520	ET INFO EXE - Served Attached HTTP	Misc activity

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 7, 2021, 8:22 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 7, 2021, 8:22 a.m.	stacktrace: Host+0x14c @ 0x10002bfc exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e4 5b eb 24 8b 45 ec exception.exception_code: 0xc000001d exception.symbol: Host-0x1307 exception.address: 0x100017a9 registers.esp: 1637528 registers.edi: 0 registers.eax: 1 registers.ebp: 1637580 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 1970484437 registers.ecx: 1896	1	0	0
__exception__ Sept. 7, 2021, 8:22 a.m.	stacktrace: Host+0x155 @ 0x10002c05 exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45 exception.instruction: in eax, dx exception.exception_code: 0xc0000096 exception.symbol: Host-0x1268 exception.address: 0x10001848 registers.esp: 1637528 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 1637580 registers.edx: 22104 registers.ebx: 0 registers.esi: 1970484437 registers.ecx: 10	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (23 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 2020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73721000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 2020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e91000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e61000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727f1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77371000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dc1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73da1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d81000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff		3221225713
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 155648 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x100fa000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10120000 process_handle: 0xffffffff		3221225713
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77371000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x765b1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75431000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x724f1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e91000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e61000 process_handle: 0xffffffff	1	0

A process attempted to delay the analysis task. (2 events)

description	Seel.exe tried to sleep 253 seconds, actually delayed analysis time by 253 seconds
description	nw_elf.exe tried to sleep 121 seconds, actually delayed analysis time by 121 seconds

Creates executable files on the filesystem (3 events)

file	C:\Windows\Temp\Seel.exe
file	C:\Windows\Temp\nw_elf.exe
file	c:\TXGJ.exe

Drops a binary and executes it (2 events)

file	C:\Windows\Temp\Seel.exe
file	C:\Windows\Temp\nw_elf.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (26 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000110 process_name: mobsync.exe process_identifier: 2540	1	1
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000110 process_name: pw.exe process_identifier: 1852	1	1
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000110 process_name: taskhost.exe process_identifier: 2576	1	1
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000110 process_name: nw_elf.exe process_identifier: 1756	1	1
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000460 process_name: nw_elf.exe process_identifier: 5177421		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000480 process_name: nw_elf.exe process_identifier: 6357091		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000488 process_name: nw_elf.exe process_identifier: 6815860		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x0000048c process_name: nw_elf.exe process_identifier: 7667815		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000494 process_name: nw_elf.exe process_identifier: 7209061		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x0000049c process_name: nw_elf.exe process_identifier: 5374032		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004a0 process_name: e process_identifier: 7471201		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004ac process_name: nw_elf.exe process_identifier: 7667821		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004b0 process_name: nw_elf.exe process_identifier: 7274605		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004b4 process_name: nw_elf.exe process_identifier: 5439553		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004b8 process_name: nw_elf.exe process_identifier: 7602290		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004bc process_name: nw_elf.exe process_identifier: 5439555		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004c8 process_name: nw_elf.exe process_identifier: 4522030		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004d0 process_name: nw_elf.exe process_identifier: 3670069		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004d4 process_name: at.exe process_identifier: 6684781		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004d8 process_name: nw_elf.exe process_identifier: 7536756		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004dc process_name: nw_elf.exe process_identifier: 4784233		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004e0 process_name: nw_elf.exe process_identifier: 7471170		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004e4 process_name: nw_elf.exe process_identifier: 7143542		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004f8 process_name: nw_elf.exe process_identifier: 3014736		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000500 process_name: nw_elf.exe process_identifier: 6619219		0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000508 process_name: nw_elf.exe process_identifier: 6619238		0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 434176 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

Expresses interest in specific running processes (1 event)

process

seel.exe

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 51 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x0000016c process_name: nw_elf.exe process_identifier: 6684769		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000428 process_name: nw_elf.exe process_identifier: 3014768		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x0000042c process_name: nw_elf.exe process_identifier: 7274573		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000430 process_name: nw_elf.exe process_identifier: 5046390		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000450 process_name: nw_elf.exe process_identifier: 7536688		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000454 process_name: nw_elf.exe process_identifier: 6619246		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000458 process_name: nw_elf.exe process_identifier: 6881397		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x0000045c process_name: nw_elf.exe process_identifier: 7602277		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000460 process_name: nw_elf.exe process_identifier: 5177421		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000464 process_name: nw_elf.exe process_identifier: 5046338		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000468 process_name: nw_elf.exe process_identifier: 6619235		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x0000046c process_name: nw_elf.exe process_identifier: 4456552		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000470 process_name: nw_elf.exe process_identifier: 6553705		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000474 process_name: nw_elf.exe process_identifier: 6815859		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000478 process_name: nw_elf.exe process_identifier: 6619251		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x0000047c process_name: nw_elf.exe process_identifier: 6684769		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000480 process_name: nw_elf.exe process_identifier: 6357091		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000484 process_name: nw_elf.exe process_identifier: 7733331		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000488 process_name: nw_elf.exe process_identifier: 6815860		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x0000048c process_name: nw_elf.exe process_identifier: 7667815		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000490 process_name: nw_elf.exe process_identifier: 6619251		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000494 process_name: nw_elf.exe process_identifier: 7209061		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000498 process_name: nw_elf.exe process_identifier: 3014768		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x0000049c process_name: nw_elf.exe process_identifier: 5374032		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004a0 process_name: e process_identifier: 7471201		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004a4 process_name: nw_elf.exe process_identifier: 6619251		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004a8 process_name: nw_elf.exe process_identifier: 7733331		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004ac process_name: nw_elf.exe process_identifier: 7667821		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004b0 process_name: nw_elf.exe process_identifier: 7274605		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004b4 process_name: nw_elf.exe process_identifier: 5439553		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004b8 process_name: nw_elf.exe process_identifier: 7602290		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004bc process_name: nw_elf.exe process_identifier: 5439555		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004c0 process_name: nw_elf.exe process_identifier: 4390992		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004c4 process_name: nw_elf.exe process_identifier: 6553705		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004c8 process_name: nw_elf.exe process_identifier: 4522030		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004cc process_name: nw_elf.exe process_identifier: 6619182		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004d0 process_name: nw_elf.exe process_identifier: 3670069		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004d4 process_name: at.exe process_identifier: 6684781		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004d8 process_name: nw_elf.exe process_identifier: 7536756		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004dc process_name: nw_elf.exe process_identifier: 4784233		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004e0 process_name: nw_elf.exe process_identifier: 7471170		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004e4 process_name: nw_elf.exe process_identifier: 7143542		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004e8 process_name: nw_elf.exe process_identifier: 6553715		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004ec process_name: nw_elf.exe process_identifier: 7864421		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004f0 process_name: process_identifier: 7733362		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004f4 process_name: nw_elf.exe process_identifier: 3342387		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004f8 process_name: nw_elf.exe process_identifier: 3014736		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x000004fc process_name: nw_elf.exe process_identifier: 7471220		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000500 process_name: nw_elf.exe process_identifier: 6619219		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000504 process_name: nw_elf.exe process_identifier: 4980808		0	0

Communicates with host for which no DNS query was performed (5 events)

host	103.119.1.139
host	139.155.178.173
host	154.38.97.86
host	154.38.97.90
host	34.97.69.225

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXXFF947DFE

reg_value

C:\Windows\XXXXXXFF947DFE\svchsot.exe

Creates known Nitol/ServStart files, registry keys and/or mutexes (1 event)

regkey

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mnopqr Tuvwxyab Def

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 7, 2021, 8:22 a.m.	stacktrace: Host+0x155 @ 0x10002c05 exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45 exception.instruction: in eax, dx exception.exception_code: 0xc0000096 exception.symbol: Host-0x1268 exception.address: 0x10001848 registers.esp: 1637528 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 1637580 registers.edx: 22104 registers.ebx: 0 registers.esi: 1970484437 registers.ecx: 10	1	0	0

Creates known Zegost files, registry changes and/or mutexes (1 event)

mutex

AAAAAArrCmva6ysr2utKe9rrSwqa6mr7Wvnw==

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

103.119.1.139:1987

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Lionic	Trojan.Win32.Generic.luIV
Elastic	malicious (high confidence)
MicroWorld-eScan	MemScan:Trojan.GenericKDZ.41799
FireEye	MemScan:Trojan.GenericKDZ.41799
CAT-QuickHeal	Backdoor.Zegost.B
ALYac	MemScan:Trojan.GenericKDZ.41799
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 003564d61 )
Alibaba	Backdoor:Win32/Dorv.3cbd692b
K7GW	Trojan ( 003564d61 )
CrowdStrike	win/malicious_confidence_100% (W)
Baidu	Win32.Trojan.Dialer.d
Cyren	W32/Zegost.MYEI-4034
ESET-NOD32	multiple detections
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Generickdz-6957625-0
Kaspersky	HEUR:Trojan.Win32.Farfli.gen
BitDefender	MemScan:Trojan.GenericKDZ.41799
NANO-Antivirus	Trojan.Win32.Scar.bcbyug
Avast	Win32:Dropper-JQQ [Drp]
Rising	Trojan.Win32.Lebag.b (CLASSIC:kymU42TVl6k57ri73oekkQ)
Ad-Aware	MemScan:Trojan.GenericKDZ.41799
Sophos	Mal/Generic-R
Comodo	TrojWare.Win32.Agent.PDSB@4q3i1w
DrWeb	Trojan.SpyBot.592
TrendMicro	BKDR_ZEGOST.AD
McAfee-GW-Edition	BehavesLike.Win32.Backdoor.fc
Emsisoft	MemScan:Trojan.GenericKDZ.41799 (B)
Ikarus	Trojan.Win32.Dialer
Jiangmin	Trojan/Dialer.mgr
Avira	HEUR/AGEN.1111186
Antiy-AVL	Trojan/Generic.ASBOL.B06
Kingsoft	Win32.Heur.KVM003.a.(kcloud)
Microsoft	Trojan:Win32/Dorv.A
ZoneAlarm	HEUR:Trojan.Win32.Farfli.gen
GData	Win32.Trojan.PSE.116AAFE
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.Dialer.C4622825
McAfee	Artemis!FBCE6A701988
MAX	malware (ai score=84)
Malwarebytes	Backdoor.Farfli
Zoner	Trojan.Win32.22067
TrendMicro-HouseCall	BKDR_ZEGOST.AD
Tencent	Win32.Trojan.Dialer.Egyg
Yandex	Trojan.GenAsa!pd90PKR7MRk
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/Farfli.PZ!tr
BitDefenderTheta	AI:Packer.EEAC388A20

Semt.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All