Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 13, 2021, 10:24 a.m.	Dec. 13, 2021, 10:30 a.m.

Size	572.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0d21e9df45836f78fdae66d8238a9192`
SHA256	`731060123f54913fd00829525c774a0da5f8041b4885e4239d219578c73daa77`
CRC32	`8D9BD4BD`
ssdeep	`6144:iV+u0bUDMT2EDFjj4bflswu/jtLFVgT/WOfrtNswrEH7fYP7yQKO+3Y1tMmbWs:Ob3MKbflsw0t5VgLWYtHraOh+3Y12wW`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

test.exe "C:\Users\test22\AppData\Local\Temp\test.exe"
2368

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
112.124.10.130	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	SKINMAGIC
resource name	None

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory Dec. 13, 2021, 10:24 a.m.	process_identifier: 2368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff		3221225713
NtProtectVirtualMemory Dec. 13, 2021, 10:24 a.m.	process_identifier: 2368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 86016 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10026000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 13, 2021, 10:24 a.m.	process_identifier: 2368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1003b000 process_handle: 0xffffffff		3221225713
NtAllocateVirtualMemory Dec. 13, 2021, 10:24 a.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0

Foreign language identified in PE resource (33 events)

name

SKINMAGIC

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00095958

size

0x0000baad

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a15c8

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a15c8

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a1fa0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a1fa0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a1fa0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a1fa0

size

0x00000144

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094610

size

0x000008a8

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094610

size

0x000008a8

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094610

size

0x000008a8

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094610

size

0x000008a8

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a1c90

size

0x000000e2

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a1c90

size

0x000000e2

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a1c90

size

0x000000e2

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a29e8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a29e8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a29e8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a29e8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a29e8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a29e8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a29e8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a29e8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a29e8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a29e8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a29e8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a29e8

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a1680

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094eb8

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094eb8

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094eb8

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094eb8

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00095698

size

0x000002c0

name

None

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a1408

size

0x00000082

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 13, 2021, 10:24 a.m.	process_identifier: 2368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 73728 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0001b000', u'virtual_address': u'0x00064000', u'entropy': 7.300220839462918, u'name': u'.data', u'virtual_size': u'0x0002eb08'}

entropy

7.30022083946

description

A section with a high entropy has been found

Communicates with host for which no DNS query was performed (1 event)

host

112.124.10.130

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

112.124.10.130:5555

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
DrWeb	Trojan.DownLoader33.34006
MicroWorld-eScan	Trojan.GenericKD.38214989
FireEye	Generic.mg.0d21e9df45836f78
CAT-QuickHeal	Backdoor.ZegostRI.S13133422
McAfee	GenericRXAA-AA!0D21E9DF4583
Cylance	Unsafe
Zillya	Trojan.GenKryptik.Win32.46545
Sangfor	Trojan.Win32.Farfli.CNM
K7AntiVirus	Trojan ( 0053e6c01 )
Alibaba	Backdoor:Win32/Zegost.edeb5b00
K7GW	Trojan ( 0053e6c01 )
Cybereason	malicious.f45836
BitDefenderTheta	Gen:NN.ZexaF.34084.Jq0@aOXYz4jb
Cyren	W32/Lotok.B.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Win32/Farfli.CNM
TrendMicro-HouseCall	TROJ_GEN.R002C0DL621
Paloalto	generic.ml
ClamAV	Win.Dropper.Gh0stRAT-9783913-0
Kaspersky	HEUR:Backdoor.Win32.Lotok.gen
BitDefender	Trojan.GenericKD.38214989
NANO-Antivirus	Trojan.Win32.GenKryptik.hjbzvv
Avast	Win32:BackdoorX-gen [Trj]
Tencent	Malware.Win32.Gencirc.11c1b94e
Ad-Aware	Trojan.GenericKD.38214989
Sophos	Mal/Generic-S + Troj/AutoG-HT
Comodo	TrojWare.Win32.Aebot.EF@4ye0hx
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0DL621
McAfee-GW-Edition	BehavesLike.Win32.Worm.hh
SentinelOne	Static AI - Malicious PE
Emsisoft	Trojan.GenericKD.38214989 (B)
Ikarus	Trojan.Win32.Injector
Jiangmin	Trojan.Generic.gsmfx
Avira	TR/AD.Farfli.kkgpz
Antiy-AVL	Trojan/Generic.ASMalwS.30496E3
Kingsoft	Win32.Hack.Undef.(kcloud)
Microsoft	Backdoor:Win32/Zegost.CQ!bit
Gridinsoft	Backdoor.Win32.Farfli.dd!i
Arcabit	Trojan.Generic.D2471D4D
GData	Trojan.GenericKD.38214989
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Zegost.R334775
VBA32	BScope.Backdoor.Lotok
ALYac	Trojan.GenericKD.38214989
TACHYON	Backdoor/W32.Lotok.585728
Malwarebytes	Backdoor.Farfli
APEX	Malicious

test.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All