Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 18, 2021, 7:44 a.m.	Nov. 18, 2021, 8:22 a.m.

Size	152.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b99700a45b29cd93558629b868d1f0c1`
SHA256	`39dbb39daeee65821ae18be140e9216e0abfd779a3f83d800a44f51944abb810`
CRC32	`D59C5704`
ssdeep	`3072:1PRYtO5lVp7qLNO6wmChmxay+knN49N4ei:1PRRHVp7oRnxFNnN4v4e`
Yara	Antivirus - Contains references to security software PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

office.exe "C:\Users\test22\AppData\Local\Temp\office.exe"
2764

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
45.145.229.184	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable uses a known packer (1 event)

packer

Armadillo v1.71

A process attempted to delay the analysis task. (1 event)

description

office.exe tried to sleep 155 seconds, actually delayed analysis time by 112 seconds

Foreign language identified in PE resource (3 events)

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000260f0

size

0x000002e8

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000263d8

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000263f0

size

0x000003c8

Communicates with host for which no DNS query was performed (1 event)

host

45.145.229.184

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SVCSHOST

reg_value

C:\Users\test22\AppData\Local\Temp\office.exe

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
DrWeb	Trojan.KeyLogger.16086
MicroWorld-eScan	DeepScan:Generic.Zegost.2CC36880
CAT-QuickHeal	Backdoor.Farfli.K4
ALYac	DeepScan:Generic.Zegost.2CC36880
Cylance	Unsafe
Zillya	Trojan.Jorik.Win32.213867
K7AntiVirus	Trojan ( 0001140e1 )
K7GW	Trojan ( 0001140e1 )
Cybereason	malicious.45b29c
Arcabit	DeepScan:Generic.Zegost.2CC36880
BitDefenderTheta	AI:Packer.4C07792D20
Cyren	W32/KillAV.AU.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Farfli.AIY
TrendMicro-HouseCall	BKDR_ZEGOST.SM46
ClamAV	Win.Dropper.Gh0stRAT-9834598-0
Kaspersky	Trojan.Win32.Jorik.Zegost.hrc
BitDefender	DeepScan:Generic.Zegost.2CC36880
NANO-Antivirus	Trojan.Win32.Jorik.bxnwcp
Avast	Win32:Downloader-UAD [Trj]
Rising	Backdoor.Farfli!1.A1B3 (CLASSIC)
Ad-Aware	DeepScan:Generic.Zegost.2CC36880
TACHYON	Trojan/W32.Jorik.155648.BF
Sophos	Mal/Generic-S
Comodo	TrojWare.Win32.Farfli.NJ@567zkg
Baidu	Win32.Trojan.Farfli.g
VIPRE	BehavesLike.Win32.Malware.rwx (mx-v)
TrendMicro	BKDR_ZEGOST.SM46
McAfee-GW-Edition	GenericRXEL-PJ!B99700A45B29
FireEye	Generic.mg.b99700a45b29cd93
Emsisoft	DeepScan:Generic.Zegost.2CC36880 (B)
Ikarus	Backdoor.Win32.Farfli
Jiangmin	Trojan/Jorik.iafr
eGambit	Trojan.Generic
Avira	HEUR/AGEN.1124185
Antiy-AVL	Trojan/Generic.ASMalwS.A0C27
Gridinsoft	Trojan.Win32.Downloader.oa!s1
Microsoft	Backdoor:Win32/Farfli.BG
GData	DeepScan:Generic.Zegost.2CC36880
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Dialer.R34383
Acronis	suspicious
McAfee	GenericRXEL-PJ!B99700A45B29
MAX	malware (ai score=88)
VBA32	BScope.Trojan.SvcHorse.01643
Malwarebytes	Backdoor.Farfli
APEX	Malicious
Tencent	Backdoor.Win32.Gh0st.bc

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	45.145.229.184:3322
dead_host	192.168.56.101:49162

office.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All