Summary | ZeroBOX

datelog.dll

Tags: Farfli, Backdoor, UPX, Antivirus, Malicious Library, Malicious Packer, DLL, OS Processor Check, PE32, PE File
Category FILE
Machine s1_win7_x6403_us
Started May 20, 2023, 4:18 p.m.
Completed May 20, 2023, 4:23 p.m.
Size 116.0KB
Type PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5 71c46a859f0729eb66d3fe7a9ae4c4e4
SHA256 999eafb11d2d8990f7a5b5b86f4052b8705a8fe0d21ea806d25bcffd54173e73
CRC32 CEC0A4C2
ssdeep 1536:STHyv5Zb8g9D720iWDrrZDvvyBnzD6nMVV4J1C2cffcWQVGsC/MY:dvj7biWDRvvKPyHyfcW2GsC/H
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • Win_Backdoor_Farfli - Gives threat actors several options for gaining access to the affected system.
  • Malicious_Library_Zero - Malicious_Library
  • IsDLL - (no description)
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • Antivirus - Contains references to security software

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status
216.83.59.17 Active

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

NtProtectVirtualMemory (8 calls; every call has the same arguments except base_address: process_identifier: 184, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), process_handle: 0xffffffff; Status 1, Return 0, Repeated 0)

base_address: 0x744c5000
base_address: 0x758f1000
base_address: 0x76bd1000
base_address: 0x756f1000
base_address: 0x74fe1000
base_address: 0x744f1000
base_address: 0x74440000
base_address: 0x74411000
host 216.83.59.17
Bkav W32.AIDetectMalware
DrWeb BackDoor.Farfli.171
MicroWorld-eScan Generic.Malware.LcPfoPk!134.207C2B57
ALYac Generic.Malware.LcPfoPk!134.207C2B57
Malwarebytes Backdoor.Farfli
Zillya Trojan.Farfli.Win32.40952
Sangfor Suspicious.Win32.Save.ins
CrowdStrike win/malicious_confidence_100% (D)
Alibaba Backdoor:Win32/Farfli.d8f496a4
K7GW Trojan ( 00569b3c1 )
K7AntiVirus Trojan ( 00569b3c1 )
Arcabit Generic.Malware.LcPfoPk!134.207C2B57
BitDefenderTheta Gen:NN.ZedlaF.36196.hu4@aGIbXmdi
Cyren W32/Farfli.GW.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Farfli.DAV
Cynet Malicious (score: 100)
APEX Malicious
Paloalto generic.ml
ClamAV Win.Dropper.Gh0stRAT-7696262-0
Kaspersky Backdoor.Win32.Zegost.mttqq
BitDefender Generic.Malware.LcPfoPk!134.207C2B57
NANO-Antivirus Trojan.Win32.Zegost.jowlpx
Avast Win32:Farfli-BH [Trj]
Tencent Backdoor.Win32.Zegost.ha
Ad-Aware Generic.Malware.LcPfoPk!134.207C2B57
Emsisoft Generic.Malware.LcPfoPk!134.207C2B57 (B)
F-Secure Backdoor.BDS/Zegost.klzeimd
Baidu Win32.Backdoor.Farfli.b
VIPRE Generic.Malware.LcPfoPk!134.207C2B57
TrendMicro TROJ_GEN.R002C0DEI23
McAfee-GW-Edition BehavesLike.Win32.Ransomware.ch
FireEye Generic.mg.71c46a859f0729eb
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
Jiangmin Backdoor.Zegost.atw
Avira BDS/Zegost.klzeimd
Antiy-AVL Trojan/Win32.Farfli
Microsoft Trojan:Win32/Farfli.BN!MTB
GData Generic.Malware.LcPfoPk!134.207C2B57
Google Detected
AhnLab-V3 Trojan/Win32.Magania.R66525
McAfee GenericRXRX-EK!71C46A859F07
MAX malware (ai score=88)
VBA32 Backdoor.Zegost
Panda Trj/Genetic.gen
TrendMicro-HouseCall TROJ_GEN.R002C0DEI23
Rising Backdoor.Agent!1.9E1E (CLASSIC)
Ikarus Trojan.Win32.Farfli
dead_host 216.83.59.17:7001