Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 22, 2023, 8:42 a.m.	April 22, 2023, 8:53 a.m.

Size	32.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0d34a5f97ae366a48c3c47017004d1bc`
SHA256	`be95bccc949fa88be42961ff957d0012faea53f51b71bf75d88044945b78b932`
CRC32	`90F174B7`
ssdeep	`384:uTkWKqDfSFnhadpwhmC+GIYVgg1l+JHnjbIla6U4t9yN1x4dT:uNjLOnhaQhKBgiJHIl04KzGdT`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) PE_Header_Zero - PE File Signature Antivirus - Contains references to security software Malicious_Library_Zero - Malicious_Library

server.exe "C:\Users\test22\AppData\Local\Temp\server.exe"
2556

Name	Response	Post-Analysis Lookup
www.jz3366.top	A 211.101.237.65	211.101.237.65

IP Address	Status	Action
164.124.101.2	Active	Moloch
211.101.237.65	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 22, 2023, 8:42 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)

Time & API	Arguments	Status	Return
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x0000025c process_name: pw.exe process_identifier: 2328	1	1
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x0000025c process_name: wsqmcons.exe process_identifier: 2364	1	1
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x0000025c process_name: taskhost.exe process_identifier: 2372	1	1
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x0000025c process_name: server.exe process_identifier: 2556	1	1
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x0000025c process_name: schtasks.exe process_identifier: 2616	1	1
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x0000025c process_name: conhost.exe process_identifier: 2624	1	1

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (25 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x00000260 process_name: conhost.exe process_identifier: 7536688		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 7536752		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x00000230 process_name: conhost.exe process_identifier: 3014768		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x0000022c process_name: conhost.exe process_identifier: 7274573		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x00000224 process_name: conhost.exe process_identifier: 5046390		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x00000254 process_name: conhost.exe process_identifier: 6815859		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x00000264 process_name: conhost.exe process_identifier: 6881397		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x00000268 process_name: conhost.exe process_identifier: 7602277		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x0000026c process_name: conhost.exe process_identifier: 6619235		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x00000270 process_name: conhost.exe process_identifier: 4456552		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x00000274 process_name: conhost.exe process_identifier: 7536758		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x00000278 process_name: conhost.exe process_identifier: 6684769		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x0000027c process_name: conhost.exe process_identifier: 4390992		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x00000280 process_name: process_identifier: 5439572		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x00000284 process_name: conhost.exe process_identifier: 6619182		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x00000288 process_name: conhost.exe process_identifier: 6553715		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x0000028c process_name: conhost.exe process_identifier: 5046338		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x00000290 process_name: conhost.exe process_identifier: 6619246		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x00000294 process_name: conhost.exe process_identifier: 6750273		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x00000298 process_name: conhost.exe process_identifier: 7471220		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x0000029c process_name: conhost.exe process_identifier: 7733331		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x000002a0 process_name: conhost.exe process_identifier: 4980808		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x000002a4 process_name: conhost.exe process_identifier: 6619251		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x000002a8 process_name: process_identifier: 7733362		0	0
Process32NextW April 22, 2023, 8:42 a.m.	snapshot_handle: 0x000002ac process_name: conhost.exe process_identifier: 6553705		0	0

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win32.Lotok.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Tedy.131801
CAT-QuickHeal	Backdoor.LotokPMF.S22207093
McAfee	GenericRXAA-FA!0D34A5F97AE3
Cylance	unsafe
Sangfor	Suspicious.Win32.Save.ins
K7AntiVirus	Trojan ( 0052cdd61 )
Alibaba	Backdoor:Win32/Venik.b4a60988
K7GW	Trojan ( 0052cdd61 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Tedy.D202D9
VirIT	Trojan.Win32.Genus.PUS
Cyren	W32/KillAV.AU.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Farfli.CVB
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Trojan.Generic-6305873-0
Kaspersky	HEUR:Backdoor.Win32.Lotok.gen
BitDefender	Gen:Variant.Tedy.131801
NANO-Antivirus	Trojan.Win32.Lotok.jrwrll
ViRobot	Trojan.Win.Z.Lotok.32768.D
Avast	Win32:BackdoorX-gen [Trj]
Tencent	Malware.Win32.Gencirc.10bab93e
TACHYON	Backdoor/W32.Lotok.32768.C
Emsisoft	Gen:Variant.Tedy.131801 (B)
F-Secure	Trojan.TR/Crypt.ZPACK.Gen
VIPRE	Gen:Variant.Tedy.131801
TrendMicro	BKDR_ZEGOST.SM37
McAfee-GW-Edition	BehavesLike.Win32.Injector.nm
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.0d34a5f97ae366a4
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Jiangmin	Backdoor.Lotok.aao
Avira	TR/Crypt.ZPACK.Gen
Antiy-AVL	Trojan[Backdoor]/Win32.Lotok
Xcitium	TrojWare.Win32.Farfli.BLH@6lj6he
Microsoft	Trojan:Win32/Venik.SIB!MTB
ZoneAlarm	HEUR:Backdoor.Win32.Lotok.gen
GData	Win32.Trojan.Farfli.P
Google	Detected
AhnLab-V3	Backdoor/Win.Zegost.R438653
BitDefenderTheta	AI:Packer.DE6B7CE41E
ALYac	Gen:Variant.Tedy.131801
MAX	malware (ai score=89)
VBA32	BScope.TrojanPSW.Cimuz.B

server.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All