Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 7, 2023, 7:37 a.m.	June 7, 2023, 7:42 a.m.

Size	308.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ee9f9565049005c3fc1dfd32db706ef8`
SHA256	`41fe567d55eb7815d15fe5f3408a902f5743a42b2d6b58a6eac7455a06e52d28`
CRC32	`D71CBC3F`
ssdeep	`3072:gIH9W+aUwWAKRpHFeyYMPg0GQx/KD9tlnZ9OrsL1z17toIhRXIB7NE4:gIHaXW3HFOMsZYM1znexE`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

88999.exe "C:\Users\test22\AppData\Local\Temp\88999.exe"
2552
- Evnagqb.com "C:\Program Files (x86)\Microsoft Efxkgq\Evnagqb.com"
  2672

Name	Response	Post-Analysis Lookup
users.qzone.qq.com	A 58.250.136.113	58.250.136.113

IP Address	Status	Action
103.97.178.89	Active	Moloch
107.151.204.57	Active	Moloch
164.124.101.2	Active	Moloch
58.250.136.113	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49168 -> 58.250.136.113:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49162 -> 107.151.204.57:9985	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 107.151.204.57:9985 -> 192.168.56.101:49162	2045860	ET HUNTING Rejetto HTTP File Sever Response	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 58.250.136.113:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49168 58.250.136.113:443	C=US, O=DigiCert Inc, CN=DigiCert Secure Site CN CA G3	C=CN, ST=Guangdong Province, L=Shenzhen, O=Shenzhen Tencent Computer Systems Company Limited, CN=*.qzone.qq.com	95:32:d9:7d:91:4a:63:96:66:10:b3:ab:36:27:f3:23:ab:62:48:32
TLSv1 192.168.56.101:49172 58.250.136.113:443	None	None	None

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678
suspicious_features	GET method with no useragent header				suspicious_request	GET https://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678

Performs some HTTP requests (2 events)

request	GET http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678
request	GET https://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 7, 2023, 7:37 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3203072 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 7:37 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1030f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 7:37 a.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3203072 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 7:37 a.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1030f000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (5 events)

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000488a0

size

0x000002e8

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00048b88

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00048ba0

size

0x00000310

name

None

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00048ec0

size

0x0000000a

name

None

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00048ec0

size

0x0000000a

Creates executable files on the filesystem (1 event)

file	C:\Program Files\AppPatch\NetSyst96.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\88999.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 7, 2023, 7:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 7, 2023, 7:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 7, 2023, 7:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Communicates with host for which no DNS query was performed (2 events)

host	103.97.178.89
host	107.151.204.57

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Wsrumt tcbexrcx

reg_value

C:\Program Files (x86)\Microsoft Efxkgq\Evnagqb.com

Network activity contains more than one unique useragent (2 events)

process	88999.exe				useragent	Mozilla/4.0 (compatible)
process	Evnagqb.com				useragent

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
tehtris	Generic.Malware
MicroWorld-eScan	Gen:Variant.Doina.1006
ClamAV	Win.Downloader.Farfli-6453698-0
ALYac	Gen:Variant.Doina.1006
Malwarebytes	Malware.AI.3684796095
Zillya	Downloader.Agent.Win32.511221
Sangfor	Downloader.Win32.Farfli.Vbpn
K7AntiVirus	Trojan-Downloader ( 004bbd681 )
Alibaba	TrojanDownloader:Win32/Farfli.14f706e2
K7GW	Trojan-Downloader ( 004bbd681 )
Cybereason	malicious.504900
Arcabit	Trojan.Doina.D3EE
BitDefenderTheta	Gen:NN.ZexaF.36250.tC0@amHpmRfj
Cyren	W32/ABRisk.ECGH-9361
Symantec	Scr.Malcode!gen
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.AYB
APEX	Malicious
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Backdoor.Win32.Generic
BitDefender	Gen:Variant.Doina.1006
ViRobot	Trojan.Win.Z.Doina.315392
Avast	Win32:Trojan-gen
Rising	Backdoor.Generic!8.CE (TFE:5:n1IpeG8SmSG)
Emsisoft	Gen:Variant.Doina.1006 (B)
F-Secure	Trojan.TR/Dldr.Agent.bzxds
Baidu	Win32.Trojan-Downloader.Agent.jm
VIPRE	Gen:Variant.Doina.1006
TrendMicro	BKDR_ZEGOST.SM17
McAfee-GW-Edition	BehavesLike.Win32.Infected.fm
FireEye	Generic.mg.ee9f9565049005c3
Sophos	Mal/Generic-S
Webroot	W32.Trojan.Gen
Avira	TR/Dldr.Agent.bzxds
MAX	malware (ai score=84)
Antiy-AVL	Trojan[Backdoor]/Win32.BigBadWolf.a
Gridinsoft	Trojan.Win32.Gen.bot
Xcitium	Backdoor.Win32.Farfli.CWO@7jrzut
Microsoft	TrojanDownloader:Win32/Farfli.F!bit
ZoneAlarm	HEUR:Backdoor.Win32.Generic
GData	Gen:Variant.Doina.1006
Google	Detected
AhnLab-V3	Backdoor/Win.Zegost.C5434894
McAfee	Artemis!EE9F95650490
VBA32	BScope.TrojanDownloader.Farfli
Cylance	unsafe
Panda	Trj/GdSda.A
TrendMicro-HouseCall	BKDR_ZEGOST.SM17

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	192.168.56.101:49170
dead_host	192.168.56.101:49166
dead_host	107.151.204.57:2020

88999.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All