Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 4, 2023, 5:10 p.m.	April 4, 2023, 5:12 p.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`245ef358e384f40caf1c178b4825f029`
SHA256	`9a5e9c343569f8b246585d9ebdb19a62e83116e988454ff74e9d6f18d182bc1c`
CRC32	`940DF862`
ssdeep	`24576:tIDoTqctaY5effnW8RDsXOvvYG1OArRYfPQcmzeznyG0B:tyoTpE/WwDIGOAYf2KyrB`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature

0002.exe "C:\Users\test22\AppData\Local\Temp\0002.exe"
2040
- cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\test22\AppData\Local\Temp\0002.exe > nul
  2084
  - PING.EXE ping -n 2 127.0.0.1
    2204

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
192.253.237.20	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 4, 2023, 5:10 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	0\x00sp0
section	1\x00sp1
section	2\x00sp2
section	3\x00ext
section	4\x00data
section	5\x00ata

The executable uses a known packer (1 event)

packer

MoleBox V2.3X -> MoleStudio.com

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 4, 2023, 5:10 p.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1490944 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:10 p.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:10 p.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:10 p.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:10 p.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056d000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:10 p.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Foreign language identified in PE resource (28 events)

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00161f90

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00161f90

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016820c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016820c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016820c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016820c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016820c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016820c

size

0x00000144

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016dd34

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016dd34

size

0x00000128

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001686f4

size

0x000000e2

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001686f4

size

0x000000e2

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001686f4

size

0x000000e2

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690d4

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001690f8

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016d610

size

0x00000022

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0016d634

size

0x00000418

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA April 4, 2023, 5:10 p.m.	service_start_name: start_type: 2 password: display_name: Stumnf Hiyarstk Mefgxyaq Stlm filepath: C:\Windows\System32\Deuvn.exe -auto service_name: Phiyab Tumno filepath_r: C:\Windows\System32\Deuvn.exe -auto desired_access: 18 service_handle: 0x0076a698 error_control: 0 service_type: 16 service_manager_handle: 0x0076a648	1	7775896	0

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\test22\AppData\Local\Temp\0002.exe > nul

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\0002.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 4, 2023, 5:10 p.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 565248 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x00084200', u'virtual_address': u'0x0016d000', u'entropy': 7.9956980613884685, u'name': u'1\\x00sp1', u'virtual_size': u'0x00085000'}

entropy

7.99569806139

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0000b800', u'virtual_address': u'0x001f3000', u'entropy': 7.897586156877972, u'name': u'3\\x00ext', u'virtual_size': u'0x00011daf'}

entropy

7.89758615688

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001c00', u'virtual_address': u'0x00206000', u'entropy': 7.977916949474003, u'name': u'5\\x00ata', u'virtual_size': u'0x00007198'}

entropy

7.97791694947

description

A section with a high entropy has been found

entropy

0.994017094017

description

Overall entropy of this PE file is high

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	ping -n 2 127.0.0.1
cmdline	C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\test22\AppData\Local\Temp\0002.exe > nul

Communicates with host for which no DNS query was performed (1 event)

host

192.253.237.20

Installs itself for autorun at Windows startup (1 event)

service_name

Phiyab Tumno

service_path

C:\Windows\System32\Deuvn.exe -auto

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\0002.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2040 resumed a thread in remote process 2084
NtResumeThread April 4, 2023, 5:10 p.m.	thread_handle: 0x00000168 suspend_count: 1 process_identifier: 2084	1	0	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Lionic	Trojan.Win32.Magania.4!c
tehtris	Generic.Malware
DrWeb	BackDoor.Farfli.131
MicroWorld-eScan	DeepScan:Generic.KillMBR.A.85BE6D5D
FireEye	Generic.mg.245ef358e384f40c
McAfee	Artemis!245EF358E384
Cylance	unsafe
Zillya	Trojan.Magania.Win32.74783
Sangfor	Trojan.Win32.Agent.An34
K7AntiVirus	Riskware ( 00584baa1 )
Alibaba	Backdoor:Win32/Zegost.db114489
K7GW	Riskware ( 00584baa1 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	DeepScan:Generic.KillMBR.A.85BE6D5D
BitDefenderTheta	Gen:NN.ZexaF.36132.mzxaaWwAKpab
VirIT	Trojan.Win32.Genus.ODZ
Cyren	W32/S-68bad4f1!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Generik.NVMRNID
Cynet	Malicious (score: 100)
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	DeepScan:Generic.KillMBR.A.85BE6D5D
Avast	Win32:BackdoorX-gen [Trj]
Tencent	Malware.Win32.Gencirc.1187ee35
Emsisoft	DeepScan:Generic.KillMBR.A.85BE6D5D (B)
F-Secure	Trojan.TR/Crypt.XPACK.Gen2
VIPRE	DeepScan:Generic.KillMBR.A.85BE6D5D
TrendMicro	TROJ_GEN.R002C0DCU23
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Trapmine	malicious.high.ml.score
Sophos	Troj/Farfli-DW
Ikarus	Trojan.Crypt
Avira	TR/Crypt.XPACK.Gen2
Gridinsoft	Pack.Win32.Gen.bot!ep-45894
Xcitium	Backdoor.Win32.Popwin.~IQ@ogvrk
Microsoft	Backdoor:Win32/Zegost.KM!MTB
ViRobot	Trojan.Win.Z.Killmbr.1245747
ZoneAlarm	VHO:Trojan-GameThief.Win32.Magania.gen
GData	DeepScan:Generic.KillMBR.A.85BE6D5D
Google	Detected
AhnLab-V3	Backdoor/Win.Farfli.C5393627
VBA32	BScope.Backdoor.Farfli
ALYac	DeepScan:Generic.KillMBR.A.85BE6D5D
MAX	malware (ai score=82)
Malwarebytes	Backdoor.GhostRat
Panda	Trj/Genetic.gen
TrendMicro-HouseCall	TROJ_GEN.R002C0DCU23
Rising	Backdoor.Gh0st!1.DF86 (CLOUD)

0002.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All