Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 24, 2023, 6:07 p.m.	March 24, 2023, 6:12 p.m.

Size	114.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`f1ec2cf6256a7c8543586065a07da47a`
SHA256	`8ad50e2cd339bb8033e62937f73308441bdbe8acf61ad9edd1489eb35f3a2895`
CRC32	`8CEA5CEA`
ssdeep	`3072:yyETbqC8r+DfEnMIXRyGcCHwuWWDPD6QbF6sRa:DEyifMXfcCQ+DOpC`
Yara	UPX_Zero - UPX packed file IsPE32 - (no description) PE_Header_Zero - PE File Signature

huilang.exe "C:\Users\test22\AppData\Local\Temp\huilang.exe"
2560

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
81.68.216.37	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 81.68.216.37:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49161 -> 81.68.216.37:80	2022550	ET MALWARE Possible Malicious Macro DL EXE Feb 2016	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 81.68.216.37:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 81.68.216.37:80	2022550	ET MALWARE Possible Malicious Macro DL EXE Feb 2016	A Network Trojan was detected
TCP 81.68.216.37:80 -> 192.168.56.101:49161	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 81.68.216.37:80 -> 192.168.56.101:49163	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 81.68.216.37:80 -> 192.168.56.101:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 81.68.216.37:80 -> 192.168.56.101:49163	2020500	ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)	Exploit Kit Activity Detected
TCP 81.68.216.37:80 -> 192.168.56.101:49163	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 81.68.216.37:80 -> 192.168.56.101:49163	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 81.68.216.37:80 -> 192.168.56.101:49163	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 81.68.216.37:80 -> 192.168.56.101:49161	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 81.68.216.37:80 -> 192.168.56.101:49161	2020500	ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)	Exploit Kit Activity Detected
TCP 81.68.216.37:80 -> 192.168.56.101:49161	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 81.68.216.37:80 -> 192.168.56.101:49161	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 81.68.216.37:80 -> 192.168.56.101:49161	2014520	ET INFO EXE - Served Attached HTTP	Misc activity

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 24, 2023, 6:07 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://81.68.216.37/server.exe

Performs some HTTP requests (1 event)

request

GET http://81.68.216.37/server.exe

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW March 24, 2023, 6:07 p.m.	total_number_of_free_bytes: 13210783744 free_bytes_available: 13210783744 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (1 event)

file	c:\server.exe

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA March 24, 2023, 6:07 p.m.	service_start_name: start_type: 2 password: display_name: Avvwtr oufstato filepath: C:\Program Files (x86)\Kcyyqug.exe service_name: Rslgtd zpzigmqw filepath_r: C:\Program Files (x86)\Kcyyqug.exe desired_access: 983551 service_handle: 0x00315c08 error_control: 1 service_type: 272 service_manager_handle: 0x002efe38	1	3234824	0

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\server[1].exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 2736	1	1
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 2840	1	1
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 24, 2023, 6:07 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 45056 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001c200', u'virtual_address': u'0x00045000', u'entropy': 7.781435870732857, u'name': u'UPX1', u'virtual_size': u'0x0001d000'}

entropy

7.78143587073

description

A section with a high entropy has been found

entropy

0.995575221239

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 80 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0
Process32NextW March 24, 2023, 6:07 p.m.	snapshot_handle: 0x000003e4 process_name: server.exe process_identifier: 7733362		0	0

The executable is compressed using UPX (3 events)

section	UPX0	description	Section name indicates UPX
section	UPX1	description	Section name indicates UPX
section	UPX2	description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 event)

host

81.68.216.37

Installs itself for autorun at Windows startup (1 event)

service_name

Rslgtd zpzigmqw

service_path

C:\Program Files (x86)\Kcyyqug.exe

Expresses interest in specific running processes (2 events)

process	huilang.exe
process: potential process injection target	explorer.exe

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Lionic	Trojan.Win32.Generic.loFa
MicroWorld-eScan	DeepScan:Generic.Malware.Lco.C9305D62
ClamAV	Win.Dropper.Farfli-9950039-0
CAT-QuickHeal	Trojan.Farfli
ALYac	DeepScan:Generic.Malware.Lco.C9305D62
VIPRE	DeepScan:Generic.Malware.Lco.C9305D62
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 00562edc1 )
Alibaba	Backdoor:Win32/Farfli.3bff50a1
K7GW	Trojan ( 00562edc1 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	DeepScan:Generic.Malware.Lco.C9305D62
Cyren	W32/Trojan.LBET-0583
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/Kryptik.HCAH
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Backdoor.Win32.Farfli.gen
BitDefender	DeepScan:Generic.Malware.Lco.C9305D62
NANO-Antivirus	Trojan.Win32.Kryptik.jmvgmk
ViRobot	Trojan.Win.Z.Kryptik.116736.D
Avast	Win32:BackdoorX-gen [Trj]
Tencent	Backdoor.Win32.farfli.zf
Sophos	Troj/Farfli-EA
DrWeb	Trojan.Siggen11.63246
Zillya	Trojan.Kryptik.Win32.3717602
TrendMicro	TROJ_GEN.R002C0DCH23
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.f1ec2cf6256a7c85
Emsisoft	DeepScan:Generic.Malware.Lco.C9305D62 (B)
SentinelOne	Static AI - Malicious PE
Jiangmin	Backdoor.Farfli.eqx
Avira	TR/Crypt.XPACK.Gen
MAX	malware (ai score=88)
Antiy-AVL	GrayWare/Win32.Kryptik.ffp
Gridinsoft	Ransom.Win32.Wacatac.sa
Xcitium	Backdoor.Win32.Farfli.FK@7jqjxo
Microsoft	Trojan:Win32/Farfli.CT!MTB
GData	DeepScan:Generic.Malware.Lco.C9305D62
Google	Detected
AhnLab-V3	Trojan/Win.OX.C4976986
McAfee	Artemis!F1EC2CF6256A
TACHYON	Trojan/W32.Agent.385024.ADI
VBA32	Trojan.Farfli
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002C0DCH23
Rising	Trojan.Kryptik!1.E27A (CLOUD)
Yandex	Trojan.GenAsa!gBhknYBDYco

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (19 events)

dead_host	192.168.56.101:49171
dead_host	192.168.56.101:49165
dead_host	192.168.56.101:49184
dead_host	192.168.56.101:49180
dead_host	192.168.56.101:49188
dead_host	192.168.56.101:49177
dead_host	192.168.56.101:49172
dead_host	192.168.56.101:49181
dead_host	192.168.56.101:49167
dead_host	192.168.56.101:49169
dead_host	192.168.56.101:49178
dead_host	192.168.56.101:49173
dead_host	192.168.56.101:49186
dead_host	192.168.56.101:49182
dead_host	192.168.56.101:49170
dead_host	192.168.56.101:49179
dead_host	192.168.56.101:49174
dead_host	192.168.56.101:49187
dead_host	81.68.216.37:52

huilang.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All