Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 16, 2023, 10:18 a.m.	Aug. 16, 2023, 10:20 a.m.

Size	672.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`294fab1523dc3b50cbcc120e67946a5b`
SHA256	`31a88f1273d29300652ece4ce7d5eeef39b404dd628c59c2c327b0333bf33c36`
CRC32	`DD02EDD4`
ssdeep	`12288:veD27Sdt6DA+v7tdOmzsrFczvPE7QlSEvB:hSbsA+vuTFczvPeQlSEp`
Yara	OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

2.exe "C:\Users\test22\AppData\Local\Temp\2.exe"
2560

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
139.196.224.137	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Foreign language identified in PE resource (7 events)

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00054650

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00054650

size

0x00000128

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542a8

size

0x000000bc

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000542a8

size

0x000000bc

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00054a60

size

0x0000003a

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00054778

size

0x00000022

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000547a0

size

0x000002c0

Communicates with host for which no DNS query was performed (1 event)

host

139.196.224.137

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

139.196.224.137:8080

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Lionic	Trojan.Win32.Generic.mxIB
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Cud.Gen.1
FireEye	Generic.mg.294fab1523dc3b50
CAT-QuickHeal	Trojan.Redosdru.18844
McAfee	Farfli!294FAB1523DC
Cylance	unsafe
VIPRE	Trojan.Cud.Gen.1
Sangfor	Downloader.Win32.Farfli.Vz4w
K7AntiVirus	Trojan-Downloader ( 004fefdf1 )
Alibaba	Backdoor:Win32/Farfli.13c
K7GW	Trojan-Downloader ( 004fefdf1 )
Cybereason	malicious.523dc3
Arcabit	Trojan.Cud.Gen.1
VirIT	Trojan.Win32.Dnldr36.DJLG
Symantec	Scr.Malcode!gen
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.CWO
Cynet	Malicious (score: 99)
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Downloader.Farfli-6453698-0
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.Cud.Gen.1
Avast	Win32:Malware-gen
Tencent	Malware.Win32.Gencirc.10b3640b
TACHYON	Backdoor/W32.Agent.688196
Emsisoft	Trojan.Cud.Gen.1 (B)
F-Secure	Heuristic.HEUR/AGEN.1358071
DrWeb	Trojan.DownLoader36.59104
Zillya	Downloader.Agent.Win32.335022
TrendMicro	BKDR_ZEGOST.SM17
McAfee-GW-Edition	Farfli!294FAB1523DC
Sophos	Mal/Generic-S
Ikarus	Trojan-Downloader.Win32.Farfli
Jiangmin	Backdoor.Generic.ajkp
Avira	HEUR/AGEN.1358071
Antiy-AVL	Trojan[Backdoor]/Win32.BigBadWolf.a
Gridinsoft	Trojan.Win32.Downloader.oa!s1
Xcitium	TrojWare.Win32.TrojanDownloader.Farfli.CWO@7k0rzk
Microsoft	TrojanDownloader:Win32/Farfli.F!bit
ZoneAlarm	HEUR:Backdoor.Win32.Generic
GData	Trojan.Cud.Gen.1
Google	Detected
AhnLab-V3	Malware/Win32.RL_Generic.R369242
BitDefenderTheta	Gen:NN.ZexaF.36196.Qq3@aGEzvJhb
MAX	malware (ai score=86)
VBA32	BScope.TrojanDownloader.Farfli
Malwarebytes	Backdoor.Farfli
Panda	Trj/Genetic.gen
TrendMicro-HouseCall	BKDR_ZEGOST.SM17

2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All