Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 2, 2021, 12:52 p.m.	Oct. 2, 2021, 12:58 p.m.

Size	62.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3a5b7d5f6a117df62b659581127ff18c`
SHA256	`18158134da1bb476cc580a19d2e61e1cc378452ad527022169040344abcb22a3`
CRC32	`E11D8BF8`
ssdeep	`768:jbz3IhpglwpDEq2m0j6Tf8V4Ie7ZZa3R1fb961vNPrl7sJnCJ0uZN:n4+wpDElm2IAUZZo1fbs1RVsZCJ0Y`
Yara	Malicious_Packer_Zero - Malicious Packer UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

tfhm2.exe "C:\Users\test22\AppData\Local\Temp\tfhm2.exe"
2648

Name	Response	Post-Analysis Lookup
caiyundf.cn	A 103.45.185.68	103.45.185.68

IP Address	Status	Action
103.45.185.68	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

Foreign language identified in PE resource (6 events)

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011448

size

0x00000196

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011448

size

0x00000196

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011448

size

0x00000196

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011828

size

0x000002d0

name

RT_MANIFEST

language

LANG_CHINESE

filetype

XML 1.0 document text

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011190

size

0x0000028b

name

None

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011770

size

0x000000b6

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Oct. 2, 2021, 12:52 p.m.	service_start_name: start_type: 2 password: display_name: System Remote Data Simulation Layer filepath: C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k "CYSRDSL" service_name: CYSRDSL filepath_r: %SystemRoot%\System32\svchost.exe -k "CYSRDSL" desired_access: 983551 service_handle: 0x00554b78 error_control: 0 service_type: 272 service_manager_handle: 0x00554c18	1	5589880	0

Installs itself for autorun at Windows startup (2 events)

service_name	CYSRDSL				service_path	C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k "CYSRDSL"
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CYSRDSL\Parameters\ServiceDll				reg_value	C:\Windows\system32\20949468.txt

tfhm2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All