Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 7, 2023, 4:38 p.m.	April 7, 2023, 4:40 p.m.

Size	32.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`bb8563b2aa2335abe99a45888e2a47d1`
SHA256	`555ff1532b71d6001e270b74611c6ce556eeb422fd8366941e88b141dd200ae9`
CRC32	`101E93A4`
ssdeep	`384:uTkWKqDfSFnhadpwhmC+GIYVgg1l+JHnjbIla6U4t9yN1O4dT:uNjLOnhaQhKBgiJHIl04KzZdT`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) PE_Header_Zero - PE File Signature Antivirus - Contains references to security software

server.exe "C:\Users\test22\AppData\Local\Temp\server.exe"
1708

Name	Response	Post-Analysis Lookup
www.jz3366.top	A 111.173.117.71	111.173.117.71

IP Address	Status	Action
111.173.117.71	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 7, 2023, 4:38 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

www.jz3366.top

description

Generic top level domain TLD

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (34 events)

Time & API	Arguments	Status	Return
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000260 process_name: mobsync.exe process_identifier: 1440	1	1
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000260 process_name: pw.exe process_identifier: 524	1	1
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000260 process_name: wsqmcons.exe process_identifier: 792	1	1
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000260 process_name: cmd.exe process_identifier: 1020	1	1
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000260 process_name: SearchProtocolHost.exe process_identifier: 416	1	1
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000260 process_name: server.exe process_identifier: 1708	1	1
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000260 process_name: pw.exe process_identifier: 2052	1	1
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000260 process_name: schtasks.exe process_identifier: 2116	1	1
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000260 process_name: conhost.exe process_identifier: 7602224		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000264 process_name: conhost.exe process_identifier: 7536688		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x0000025c process_name: conhost.exe process_identifier: 7536752		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000234 process_name: conhost.exe process_identifier: 3014768		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000230 process_name: conhost.exe process_identifier: 7274573		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000228 process_name: conhost.exe process_identifier: 5046390		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 6815859		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000268 process_name: conhost.exe process_identifier: 6881397		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x0000026c process_name: conhost.exe process_identifier: 7602277		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000270 process_name: conhost.exe process_identifier: 6619235		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000274 process_name: conhost.exe process_identifier: 4456552		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000278 process_name: conhost.exe process_identifier: 7536758		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x0000027c process_name: conhost.exe process_identifier: 6684769		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000280 process_name: conhost.exe process_identifier: 4390992		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000284 process_name: process_identifier: 5439572		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000288 process_name: conhost.exe process_identifier: 6619182		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x0000028c process_name: conhost.exe process_identifier: 6553715		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000290 process_name: conhost.exe process_identifier: 5046338		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000294 process_name: conhost.exe process_identifier: 6619246		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000298 process_name: conhost.exe process_identifier: 6750273		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x0000029c process_name: conhost.exe process_identifier: 7471220		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x000002a0 process_name: conhost.exe process_identifier: 7733331		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x000002a4 process_name: conhost.exe process_identifier: 4980808		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x000002a8 process_name: conhost.exe process_identifier: 6619251		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x000002ac process_name: process_identifier: 7733362		0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x000002b0 process_name: conhost.exe process_identifier: 6553705		0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (25 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000264 process_name: conhost.exe process_identifier: 7536688		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x0000025c process_name: conhost.exe process_identifier: 7536752		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000234 process_name: conhost.exe process_identifier: 3014768		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000230 process_name: conhost.exe process_identifier: 7274573		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000228 process_name: conhost.exe process_identifier: 5046390		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 6815859		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000268 process_name: conhost.exe process_identifier: 6881397		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x0000026c process_name: conhost.exe process_identifier: 7602277		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000270 process_name: conhost.exe process_identifier: 6619235		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000274 process_name: conhost.exe process_identifier: 4456552		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000278 process_name: conhost.exe process_identifier: 7536758		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x0000027c process_name: conhost.exe process_identifier: 6684769		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000280 process_name: conhost.exe process_identifier: 4390992		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000284 process_name: process_identifier: 5439572		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000288 process_name: conhost.exe process_identifier: 6619182		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x0000028c process_name: conhost.exe process_identifier: 6553715		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000290 process_name: conhost.exe process_identifier: 5046338		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000294 process_name: conhost.exe process_identifier: 6619246		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x00000298 process_name: conhost.exe process_identifier: 6750273		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x0000029c process_name: conhost.exe process_identifier: 7471220		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x000002a0 process_name: conhost.exe process_identifier: 7733331		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x000002a4 process_name: conhost.exe process_identifier: 4980808		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x000002a8 process_name: conhost.exe process_identifier: 6619251		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x000002ac process_name: process_identifier: 7733362		0	0
Process32NextW April 7, 2023, 4:38 p.m.	snapshot_handle: 0x000002b0 process_name: conhost.exe process_identifier: 6553705		0	0

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Lotok.4!c
MicroWorld-eScan	Gen:Variant.Tedy.131801
CAT-QuickHeal	Backdoor.LotokPMF.S22207093
McAfee	GenericRXAA-FA!BB8563B2AA23
Malwarebytes	Trojan.BitCoinMiner
Sangfor	Suspicious.Win32.Save.ins
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Backdoor:Win32/Venik.b4a60988
K7GW	Trojan ( 0052cdd61 )
K7AntiVirus	Trojan ( 0052cdd61 )
Arcabit	Trojan.Tedy.D202D9
BitDefenderTheta	AI:Packer.DE6B7CE41E
Cyren	W32/KillAV.AU.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Farfli.CVB
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Trojan.Generic-6305873-0
Kaspersky	HEUR:Backdoor.Win32.Lotok.gen
BitDefender	Gen:Variant.Tedy.131801
NANO-Antivirus	Trojan.Win32.Lotok.jrwrll
Avast	Win32:BackdoorX-gen [Trj]
Tencent	Malware.Win32.Gencirc.10bab93e
Emsisoft	Gen:Variant.Tedy.131801 (B)
F-Secure	Trojan.TR/Crypt.ZPACK.Gen
VIPRE	Gen:Variant.Tedy.131801
TrendMicro	BKDR_ZEGOST.SM37
McAfee-GW-Edition	BehavesLike.Win32.Injector.nm
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.bb8563b2aa2335ab
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Jiangmin	Backdoor.Lotok.aao
Avira	TR/Crypt.ZPACK.Gen
MAX	malware (ai score=89)
Antiy-AVL	Trojan[Backdoor]/Win32.Lotok
Xcitium	TrojWare.Win32.Farfli.BLH@6lj6he
Microsoft	Trojan:Win32/Venik.SIB!MTB
ViRobot	Trojan.Win.Z.Lotok.32768.B
ZoneAlarm	HEUR:Backdoor.Win32.Lotok.gen
GData	Win32.Trojan.Farfli.P
Google	Detected
AhnLab-V3	Backdoor/Win.Zegost.R438653
VBA32	BScope.TrojanPSW.Cimuz.B
ALYac	Gen:Variant.Tedy.131801
TACHYON	Backdoor/W32.Lotok.32768.C
Cylance	unsafe

server.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All