Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 8, 2023, 1:44 p.m.	June 8, 2023, 1:46 p.m.

Size	376.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d8c387e22a23fcdac8444ff9d43ebef8`
SHA256	`0d58634b6a27b0bf1f79c7a60dbcbc342bf08481cee3f535313c9351b7a8690d`
CRC32	`E2F56A29`
ssdeep	`6144:ROyLEbWaR5Cc/8JFmuy4ixRDDDDhlbGYzaQ:cUaWaR5v/6q7RG`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

hostdll.exe "C:\Users\test22\AppData\Local\Temp\hostdll.exe"
2548

Name	Response	Post-Analysis Lookup
imtieken.top	A 152.32.138.112	152.32.138.112

IP Address	Status	Action
152.32.138.112	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 8, 2023, 1:44 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

InstallShield 2000

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

imtieken.top

description

Generic top level domain TLD

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW June 8, 2023, 1:44 p.m.	total_number_of_free_bytes: 13320368128 free_bytes_available: 13320368128 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (37 events)

Time & API	Arguments	Status	Return
Process32FirstW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: [System Process] process_identifier: 0	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: System process_identifier: 4	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: smss.exe process_identifier: 224	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: csrss.exe process_identifier: 304	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: wininit.exe process_identifier: 352	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: csrss.exe process_identifier: 360	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: services.exe process_identifier: 444	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: lsass.exe process_identifier: 460	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: lsm.exe process_identifier: 468	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: svchost.exe process_identifier: 572	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: svchost.exe process_identifier: 652	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: svchost.exe process_identifier: 724	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: svchost.exe process_identifier: 784	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: svchost.exe process_identifier: 832	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: svchost.exe process_identifier: 992	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: explorer.exe process_identifier: 1452	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: pw.exe process_identifier: 988	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: SearchIndexer.exe process_identifier: 1160	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: SearchProtocolHost.exe process_identifier: 936	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: SearchFilterHost.exe process_identifier: 2000	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: mobsync.exe process_identifier: 2272	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: pw.exe process_identifier: 2316	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: taskhost.exe process_identifier: 2364	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 2548	1	1
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 8, 2023, 1:44 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 45056 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 80 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0
Process32NextW June 8, 2023, 1:44 p.m.	snapshot_handle: 0x00000250 process_name: hostdll.exe process_identifier: 7602291		0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vuzrqe

reg_value

C:\Users\test22\AppData\Local\Temp\hostdll.exe

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Farfli.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Zegost.53
FireEye	Generic.mg.d8c387e22a23fcda
CAT-QuickHeal	Trojan.FarfliRI.S27090835
McAfee	GenericRXLP-OX!D8C387E22A23
Cylance	unsafe
VIPRE	Gen:Variant.Zegost.53
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 00562edc1 )
Alibaba	Backdoor:Win32/Farfli.60395a02
K7GW	Trojan ( 00562edc1 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Zegost.53
VirIT	Trojan.Win32.GenusB.DGCY
Cyren	W32/Trojan.LBET-0583
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HCAH
Cynet	Malicious (score: 100)
APEX	Malicious
ClamAV	Win.Trojan.Zegost-9971776-0
Kaspersky	HEUR:Backdoor.Win32.Farfli.gen
BitDefender	Gen:Variant.Zegost.53
NANO-Antivirus	Trojan.Win32.Kryptik.jmvgmk
Avast	Win32:BackdoorX-gen [Trj]
Tencent	Backdoor.Win32.farfli.zf
Sophos	Troj/Farfli-EA
F-Secure	Trojan.TR/Crypt.XPACK.Gen
DrWeb	Trojan.Siggen11.63246
Zillya	Trojan.Kryptik.Win32.3701711
TrendMicro	TROJ_GEN.R002C0DF623
McAfee-GW-Edition	BehavesLike.Win32.Downloader.fz
Trapmine	suspicious.low.ml.score
Emsisoft	Gen:Variant.Zegost.53 (B)
Ikarus	Win32.Outbreak
Jiangmin	Backdoor.Farfli.eqx
Avira	TR/Crypt.XPACK.Gen
MAX	malware (ai score=82)
Antiy-AVL	Trojan[Backdoor]/Win32.Farfli
Xcitium	Backdoor.Win32.Farfli.FK@7jqjxo
Microsoft	Trojan:Win32/Farfli.CT!MTB
ViRobot	Trojan.Win.Z.Farfli.385024.FX
ZoneAlarm	HEUR:Backdoor.Win32.Farfli.gen
GData	Gen:Variant.Zegost.53
Google	Detected
AhnLab-V3	Malware/Win32.RL_Generic.R299466
VBA32	Trojan.Farfli
ALYac	Gen:Variant.Zegost.53
TACHYON	Trojan/W32.Agent.385024.ADI

hostdll.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All