Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 9, 2021, 9:48 a.m.	Sept. 9, 2021, 9:50 a.m.

Size	158.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`4b6041ec1313e10979cbe1d154d87352`
SHA256	`a1619735fbaec9312f45078025ff45630fead8f14509ac0a400dbfd0a922ec17`
CRC32	`EFD48BD2`
ssdeep	`3072:MQIulEKbfgrauF4fBJyJhNineUpdhE51ddj/:KulEOgeTfWJueLT`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

360.exe "C:\Users\test22\AppData\Local\Temp\360.exe"
2456
- Yqoyyue.exe "C:\Program Files (x86)\Microsoft Dzgths\Yqoyyue.exe"
  2524

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
180.215.215.189	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49163 -> 180.215.215.189:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49163 -> 180.215.215.189:80	2008974	ET ADWARE_PUP User-Agent (Mozilla/4.0 (compatible))	Possibly Unwanted Program Detected

Suricata TLS

No Suricata TLS

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://180.215.215.189/NetSyst81.dll

Performs some HTTP requests (1 event)

request

GET http://180.215.215.189/NetSyst81.dll

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 9, 2021, 9:48 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3203072 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2021, 9:48 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1030f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2021, 9:48 a.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3203072 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2021, 9:48 a.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1030f000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (44 events)

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00052ff8

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00052ff8

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00052ff8

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00052ff8

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00052d78

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00052d78

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00052d78

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00052d78

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00052d78

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00051e78

size

0x0000029a

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00051e78

size

0x0000029a

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000531e0

size

0x00000142

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000531e0

size

0x00000142

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000531e0

size

0x00000142

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000531e0

size

0x00000142

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542f0

size

0x00000024

name

RT_ACCELERATOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00053328

size

0x00000018

name

RT_ACCELERATOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00053328

size

0x00000018

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000530b0

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000530b0

size

0x00000022

name

None

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00051d38

size

0x0000001e

Creates executable files on the filesystem (1 event)

file	C:\Program Files\AppPatch\NetSyst81.dll

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Sept. 9, 2021, 9:48 a.m.	service_start_name: start_type: 2 password: display_name: Umddhq saeennvctepyoxptku filepath: C:\Program Files (x86)\Microsoft Dzgths\Yqoyyue.exe service_name: Wsihvh eajichvz filepath_r: C:\Program Files (x86)\Microsoft Dzgths\Yqoyyue.exe desired_access: 983551 service_handle: 0x005fabd0 error_control: 0 service_type: 272 service_manager_handle: 0x005fac70	1	6269904	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00026600', u'virtual_address': u'0x00031000', u'entropy': 7.924577507653505, u'name': u'UPX1', u'virtual_size': u'0x00027000'}

entropy

7.92457750765

description

A section with a high entropy has been found

entropy

0.977707006369

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 event)

host

180.215.215.189

Installs itself for autorun at Windows startup (1 event)

service_name

Wsihvh eajichvz

service_path

C:\Program Files (x86)\Microsoft Dzgths\Yqoyyue.exe

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Doris.269
CAT-QuickHeal	Trojan.Redosdru.16432
ALYac	Gen:Variant.Doris.269
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	Backdoor:Win32/Zlob.180910
K7GW	Trojan-Downloader ( 004af0dd1 )
Cybereason	malicious.c1313e
Baidu	Win32.Trojan-Downloader.Agent.cw
Cyren	W32/Redosdru.J.gen!Eldorado
Symantec	Downloader.Domar
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.AVF
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Mikey-9845197-0
Kaspersky	Trojan-Downloader.Win32.Agent.hfuc
BitDefender	Gen:Variant.Doris.269
NANO-Antivirus	Trojan.Win32.Farfli.drygpe
Avast	FileRepMalware
Rising	Downloader.Agent!1.D0E4 (CLASSIC)
Ad-Aware	Gen:Variant.Doris.269
Sophos	Mal/Generic-R + Mal/PdfExDr-B
TrendMicro	BKDR_ZEGOST.SM17
McAfee-GW-Edition	GenericRXHG-SQ!AFAE616411F2
FireEye	Generic.mg.4b6041ec1313e109
Emsisoft	Gen:Variant.Doris.269 (B)
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan/Generic.begpr
Avira	TR/ATRAPS.Gen4
MAX	malware (ai score=84)
Antiy-AVL	Trojan/Generic.ASBOL.193E
Microsoft	Trojan:Win32/Redosdru.AA
ZoneAlarm	Trojan-Downloader.Win32.Agent.gen
GData	Gen:Variant.Doris.269
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Redosdru.R158810
Acronis	suspicious
McAfee	GenericRXAA-AA!4B6041EC1313
VBA32	BScope.Trojan.Redosdru
Malwarebytes	Malware.AI.4082780567
TrendMicro-HouseCall	BKDR_ZEGOST.SM17
Tencent	Malware.Win32.Gencirc.10b6a27f
Yandex	Trojan.GenAsa!yDUr0gAcJT4
Ikarus	Trojan-Downloader.Win32.Wintrim
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/Agent.BLT!tr
BitDefenderTheta	Gen:NN.ZexaF.34126.jmGfai6arAob
AVG	FileRepMalware

360.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All