Summary | ZeroBOX

666.exe

Malicious Library PE32 PE File
Category FILE
Machine s1_win7_x6401
Started April 2, 2023, 8:57 a.m.
Completed April 2, 2023, 9 a.m.
Size 621.1KB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 ba82f3818c68b163d9e4ad26aff88911
SHA256 d8f5ab16727edf68166c9f7973dcf87d3a563fefcb013154ccbd81367677a2cd
CRC32 8EA79AA3
ssdeep 12288:HUDDEEuqctaY5effnWQ7x7dJsPMR1F4fWDNo5F/oJBprSqYeJGDK12pl:HUDoTqctaY5effnW8RDsXOvvYU1cl
Yara
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
103.42.31.22 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section 0\x00sp0
section 1\x00sp1
section 2\x00sp2
section 3\x00ext
section 4\x00data
section 5\x00ata
packer MoleBox V2.3X -> MoleStudio.com
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 1490944
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00401000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f2000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056d000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056d000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056d000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00630000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0
name RT_CURSOR language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00161f90 size 0x000000b4
name RT_BITMAP language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0016820c size 0x00000144
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0016dd34 size 0x00000128
name RT_DIALOG language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x001686f4 size 0x000000e2
name RT_STRING language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x001690d4 size 0x00000024
name RT_GROUP_CURSOR language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x001690f8 size 0x00000022
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0016d610 size 0x00000022
name RT_VERSION language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0016d634 size 0x00000418
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 565248
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0
section 1\x00sp1 (virtual_address 0x0016d000, virtual_size 0x00085000, size_of_data 0x00084200) entropy 7.9956400557 description A section with a high entropy has been found
section 3\x00ext (virtual_address 0x001f3000, virtual_size 0x00011daf, size_of_data 0x0000b800) entropy 7.89766756374 description A section with a high entropy has been found
section 5\x00ata (virtual_address 0x00206000, virtual_size 0x00007198, size_of_data 0x00001c00) entropy 7.97791694947 description A section with a high entropy has been found
entropy 0.994017094017 description Overall entropy of this PE file is high
host 103.42.31.22
dead_host 103.42.31.22:1523
Lionic Trojan.Win32.Magania.tsiP
Elastic malicious (high confidence)
MicroWorld-eScan DeepScan:Generic.KillMBR.A.BE7A7792
FireEye Generic.mg.ba82f3818c68b163
CAT-QuickHeal Trojan.Magania
McAfee GenericRXAA-FA!BA82F3818C68
Malwarebytes Backdoor.GhostRat
Sangfor Backdoor.Win32.Farfli.Vcac
K7AntiVirus Trojan ( 005a17661 )
Alibaba Backdoor:Win32/Farfli.af61bd1e
K7GW Trojan ( 005a17661 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit DeepScan:Generic.KillMBR.A.BE7A7792
BitDefenderTheta Gen:NN.ZexaF.36344.MyxaayOIvgib
VirIT Trojan.Win32.Genus.ODZ
Cyren W32/S-68bad4f1!Eldorado
Symantec ML.Attribute.HighConfidence
tehtris Generic.Malware
ESET-NOD32 a variant of Generik.MQDTQKY
Cynet Malicious (score: 100)
APEX Malicious
Paloalto generic.ml
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender DeepScan:Generic.KillMBR.A.BE7A7792
Avast Win32:Malware-gen
Tencent Malware.Win32.Gencirc.1187ee35
Sophos Troj/Farfli-DW
F-Secure Trojan.TR/Crypt.XPACK.Gen2
DrWeb BackDoor.Farfli.131
VIPRE DeepScan:Generic.KillMBR.A.BE7A7792
TrendMicro TROJ_GEN.R002C0DCN23
McAfee-GW-Edition BehavesLike.Win32.Generic.jc
Trapmine malicious.high.ml.score
Emsisoft DeepScan:Generic.KillMBR.A.BE7A7792 (B)
SentinelOne Static AI - Suspicious PE
Avira TR/Crypt.XPACK.Gen2
Gridinsoft Trojan.Win32.Gen.bot
Xcitium Backdoor.Win32.Popwin.~IQ@ogvrk
Microsoft Backdoor:Win32/Farfli.AX
ViRobot Trojan.Win.Z.Farfli.636025
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData DeepScan:Generic.KillMBR.A.BE7A7792
Google Detected
AhnLab-V3 Backdoor/Win.Farfli.C5393627
VBA32 BScope.Backdoor.Farfli
ALYac DeepScan:Generic.KillMBR.A.BE7A7792
MAX malware (ai score=86)
Cylance unsafe
TrendMicro-HouseCall TROJ_GEN.R002C0DCN23
Rising Backdoor.Gh0st!1.DF86 (CLOUD)