Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 14, 2023, 5:24 p.m.	March 14, 2023, 5:32 p.m.

Size	621.1KB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`1a5fed7b02d73b3589cebd2394fe7ce9`
SHA256	`d46dbbb40bf11bda9b1aa74d9d2550a73ab0ae6008270c2c541153cd4974a3dd`
CRC32	`C46204FB`
ssdeep	`12288:0MDDEEuqctaY5effnWQ7x7dJsPMR1F4fWDNo5F/oJBprSqYeJGDH12AlgC9h:0MDoTqctaY5effnW8RDsXOvvYp19lgCf`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature

xinxin.exe "C:\Users\test22\AppData\Local\Temp\xinxin.exe"
2572

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
121.127.249.135	Active	Moloch
103.143.12.157	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	0\x00sp0
section	1\x00sp1
section	2\x00sp2
section	3\x00ext
section	4\x00data
section	5\x00ata

The executable uses a known packer (1 event)

packer

MoleBox V2.3X -> MoleStudio.com

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 14, 2023, 5:24 p.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1490944 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2023, 5:24 p.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2023, 5:24 p.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2023, 5:24 p.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2023, 5:24 p.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056d000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 14, 2023, 5:24 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Foreign language identified in PE resource (28 events)

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00161f90

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00161f90

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016820c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016820c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016820c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016820c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016820c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016820c

size

0x00000144

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016dd34

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016dd34

size

0x00000128

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001686f4

size

0x000000e2

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001686f4

size

0x000000e2

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001686f4

size

0x000000e2

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690f8

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016d610

size

0x00000022

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016d634

size

0x00000418

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 14, 2023, 5:24 p.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 565248 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x00084200', u'virtual_address': u'0x0016d000', u'entropy': 7.995601039465846, u'name': u'1\\x00sp1', u'virtual_size': u'0x00085000'}

entropy

7.99560103947

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0000b800', u'virtual_address': u'0x001f3000', u'entropy': 7.897492717575501, u'name': u'3\\x00ext', u'virtual_size': u'0x00011daf'}

entropy

7.89749271758

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001c00', u'virtual_address': u'0x00206000', u'entropy': 7.977916949474003, u'name': u'5\\x00ata', u'virtual_size': u'0x00007198'}

entropy

7.97791694947

description

A section with a high entropy has been found

entropy

0.994017094017

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (2 events)

host	121.127.249.135
host	103.143.12.157

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	DeepScan:Generic.KillMBR.A.CA367F88
McAfee	Artemis!1A5FED7B02D7
VIPRE	DeepScan:Generic.KillMBR.A.CA367F88
Sangfor	Backdoor.Win32.Agent.Vl3w
Alibaba	Backdoor:Win32/Farfli.75a6c6f9
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	DeepScan:Generic.KillMBR.A.CA367F88
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:Trojan.Win32.Generic
BitDefender	DeepScan:Generic.KillMBR.A.CA367F88
Avast	Win32:BackdoorX-gen [Trj]
Tencent	Malware.Win32.Gencirc.1187ee35
Emsisoft	DeepScan:Generic.KillMBR.A.CA367F88 (B)
DrWeb	BackDoor.Farfli.131
TrendMicro	TROJ_GEN.R002C0DCD23
McAfee-GW-Edition	BehavesLike.Win32.Generic.jc
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.1a5fed7b02d73b35
Sophos	Troj/Farfli-DW
Ikarus	Trojan.Crypt
Avira	TR/Crypt.XPACK.Gen
Gridinsoft	Pack.Win32.Gen.bot!ep-45894
Xcitium	Backdoor.Win32.Popwin.~IQ@ogvrk
Microsoft	Backdoor:Win32/Farfli.AX
ViRobot	Trojan.Win.Z.Farfli.636034
ZoneAlarm	HEUR:Backdoor.Win32.Generic
GData	DeepScan:Generic.KillMBR.A.CA367F88
Google	Detected
AhnLab-V3	Backdoor/Win.Farfli.C5393627
VBA32	BScope.Backdoor.Farfli
ALYac	DeepScan:Generic.KillMBR.A.CA367F88
MAX	malware (ai score=80)
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002C0DCD23
Rising	Backdoor.Gh0st!1.DF86 (CLASSIC)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	PossibleThreat.PALLASNET.H
BitDefenderTheta	Gen:NN.ZexaF.36344.MyxaaaLAL0bb
AVG	Win32:BackdoorX-gen [Trj]
Panda	Trj/CI.A

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (48 events)

dead_host	192.168.56.101:49191
dead_host	192.168.56.101:49171
dead_host	192.168.56.101:49192
dead_host	192.168.56.101:49202
dead_host	192.168.56.101:49165
dead_host	192.168.56.101:49175
dead_host	192.168.56.101:49196
dead_host	192.168.56.101:49206
dead_host	192.168.56.101:49176
dead_host	192.168.56.101:49184
dead_host	192.168.56.101:49162
dead_host	192.168.56.101:49180
dead_host	192.168.56.101:49193
dead_host	192.168.56.101:49203
dead_host	192.168.56.101:49188
dead_host	192.168.56.101:49168
dead_host	192.168.56.101:49197
dead_host	192.168.56.101:49207
dead_host	192.168.56.101:49177
dead_host	192.168.56.101:49208
dead_host	192.168.56.101:49172
dead_host	192.168.56.101:49185
dead_host	192.168.56.101:49181
dead_host	192.168.56.101:49194
dead_host	192.168.56.101:49189
dead_host	192.168.56.101:49167
dead_host	192.168.56.101:49169
dead_host	192.168.56.101:49198
dead_host	192.168.56.101:49200
dead_host	192.168.56.101:49178
dead_host	192.168.56.101:49209
dead_host	192.168.56.101:49173
dead_host	192.168.56.101:49186
dead_host	192.168.56.101:49204
dead_host	192.168.56.101:49182
dead_host	192.168.56.101:49195
dead_host	192.168.56.101:49190
dead_host	192.168.56.101:49170
dead_host	192.168.56.101:49199
dead_host	192.168.56.101:49201
dead_host	192.168.56.101:49179
dead_host	192.168.56.101:49210
dead_host	103.143.12.157:1523
dead_host	192.168.56.101:49164
dead_host	192.168.56.101:49174
dead_host	192.168.56.101:49187
dead_host	192.168.56.101:49205
dead_host	192.168.56.101:49183

xinxin.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All