Summary | ZeroBOX

mm.txt

Tags: UPX, Malicious Library, OS Processor Check, PE32, PE File
Category:  FILE
Machine:   s1_win7_x6401
Started:   Aug. 24, 2023, 9:22 a.m.
Completed: Aug. 24, 2023, 9:25 a.m.
Size:      139.0KB
Type:      PE32 executable (GUI) Intel 80386, for MS Windows
MD5:       d79de8432d47642e80a50eee453fbe4b
SHA256:    e00306ee3b76d9ad5e64c10e76a2871777d2542fc13d95340f8628fcd648dd8c
CRC32:     02BAF4BA
ssdeep:    3072:z5fOjUw72Uy+Omjd/OAyUE5d5y8JBVV/dqXg61:z5WI/kOzAeEXg61
Yara
  • Malicious_Library_Zero - Malicious_Library
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
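The Yara tags above (PE File Signature, IsPE32, UPX packed file) are the static triage a sandbox performs before running the sample. The following is an added example, not code from the ZeroBOX report or its rule set: a minimal PE walker in Python that checks the MZ and PE signatures, reads the COFF header and section table, flags UPX-style packing by the well-known UPX0/UPX1 section names or by a writable+executable section that occupies address space but no file bytes (the unpacking destination), and computes the MD5, SHA256 and CRC32 the report lists. The two PE images it parses are header-only stubs constructed inline for illustration; they are not mm.txt, so their hashes are the stubs' own. The zero-raw-size heuristic is this example's assumption, not a ZeroBOX rule.

```python
"""Static PE triage: signatures, section table, UPX heuristics, file hashes.

Added example; the PE images built below are header-only stubs constructed
for illustration and are NOT the mm.txt analysed in the report.
"""
import hashlib
import struct
import zlib

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    (magic,) = struct.unpack_from("<H", data, coff + 20)   # optional header Magic
    sections = []
    table = coff + 20 + opt_size                            # IMAGE_SECTION_HEADER[]
    for i in range(nsections):
        off = table + 40 * i
        raw_name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        (chars,) = struct.unpack_from("<I", data, off + 36)
        sections.append({
            "name": raw_name.rstrip(b"\x00").decode("latin-1"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_pointer": rawptr,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    names = {s["name"] for s in sections}
    # Packer heuristic (assumption): a W+X section with address space but no
    # file bytes is where a stub unpacks into; UPX0 looks exactly like that.
    hollow_wx = any(s["raw_size"] == 0 and s["virtual_size"] > 0
                    and s["executable"] and s["writable"] for s in sections)
    return {
        "machine": machine,
        "pe32": magic == PE32_MAGIC,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "sections": sections,
        "is_upx": bool(names & UPX_SECTION_NAMES),
        "packer_like": bool(names & UPX_SECTION_NAMES) or hollow_wx,
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
    }


def build_stub_pe(sections, opt_size=0xE0) -> bytes:
    """Constructed header-only PE32 image used to exercise the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections),
                       0, 0, 0, opt_size, 0x0102)           # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                    vsize, 0x1000 * (i + 1), rawsize, 0x400 * (i + 1),
                    0, 0, 0, 0, chars)
        for i, (name, vsize, rawsize, chars) in enumerate(sections))
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + table


# Constructed samples: a UPX-style layout and a plain compiler layout.
RX = IMAGE_SCN_MEM_EXECUTE
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
UPX_STUB = build_stub_pe([("UPX0", 0x1A000, 0, RWX),
                          ("UPX1", 0x1F000, 0x1E800, RWX),
                          (".rsrc", 0x1000, 0xA00, 0)])
PLAIN_STUB = build_stub_pe([(".text", 0x1000, 0x1000, RX),
                            (".data", 0x800, 0x400, IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    for label, blob in (("upx-style", UPX_STUB), ("plain", PLAIN_STUB)):
        info = parse_pe(blob)
        print(label, [s["name"] for s in info["sections"]],
              "UPX" if info["is_upx"] else "-", info["md5"], info["crc32"])
```

Run against a real file with `parse_pe(open(path, "rb").read())`; the `is_upx` flag corresponds to what the UPX_Zero tag reports, and the hashes can be compared directly against the MD5/SHA256/CRC32 fields of a report.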

Domains (Name / Response / Post-Analysis Lookup)
No hosts contacted.

Hosts
IP Address       Status   Action
47.111.23.242    Active   Moloch

Suricata Alerts

Flow                                            SID      Signature                                               Category
TCP 192.168.56.101:49161 -> 47.111.23.242:80    2034581  ET HUNTING Terse Request for .txt - Likely Hostile      Potentially Bad Traffic
TCP 47.111.23.242:80 -> 192.168.56.101:49161    2045860  ET HUNTING Rejetto HTTP File Sever Response             A Network Trojan was detected
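The two alerts describe one exchange: the sample issues a bare GET for /m.txt to a raw IP, and the reply carries a Rejetto HTTP File Server banner. The following is an added example, not the Emerging Threats rule logic and not ZeroBOX code: a small Python triage pass that parses raw HTTP messages and applies two heuristics of this example's own making, a "terse" request (IP-literal Host, .txt path, at most two headers, no User-Agent) and a Server header beginning with "HFS". The request and response bytes are constructed to resemble the flow in the report; they are not a capture from it, and the `HFS 2.3m` banner text is an assumption about how that server identifies itself.

```python
"""Hunt-style HTTP triage for the two behaviours the Suricata alerts name:
a terse request for a .txt resource and a Rejetto HFS server banner.

Added example, not the ET rule logic or ZeroBOX code. The 'terse' heuristic
and the 'HFS' Server-banner match are this example's assumptions; the
sample messages below are constructed, not captured.
"""
from dataclasses import dataclass, field
import ipaddress
import re

TERSE_MAX_HEADERS = 2   # assumption: browsers and updaters send far more headers


@dataclass
class HttpMessage:
    start_line: str
    headers: dict = field(default_factory=dict)   # lower-cased header names


def parse_http(raw: bytes) -> HttpMessage:
    """Split the head of a raw HTTP message into start line and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpMessage(lines[0], headers)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def terse_txt_request(msg: HttpMessage) -> bool:
    """GET/HEAD for a .txt path, almost no headers, no UA, IP-literal Host."""
    m = re.match(r"^(GET|HEAD)\s+(\S+)\s+HTTP/1\.[01]$", msg.start_line)
    if not m:
        return False
    path = m.group(2).split("?", 1)[0].lower()
    return (path.endswith(".txt")
            and len(msg.headers) <= TERSE_MAX_HEADERS
            and "user-agent" not in msg.headers
            and is_ip_literal(msg.headers.get("host", "")))


def hfs_response(msg: HttpMessage) -> bool:
    """Server banner starting with HFS (assumed Rejetto HTTP File Server)."""
    return (msg.start_line.startswith("HTTP/1.")
            and msg.headers.get("server", "").upper().startswith("HFS"))


def triage(request: bytes, response: bytes) -> list:
    findings = []
    req, resp = parse_http(request), parse_http(response)
    if terse_txt_request(req):
        findings.append("terse-txt-request")
    if hfs_response(resp):
        findings.append("hfs-server-response")
    return findings


# Constructed traffic shaped like the report's flow, not a capture from it.
SUSPICIOUS_REQ = b"GET /m.txt HTTP/1.1\r\nHost: 47.111.23.242\r\n\r\n"
HFS_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            b"Server: HFS 2.3m\r\nContent-Length: 5\r\n\r\nhello")
BROWSER_REQ = (b"GET /notes.txt HTTP/1.1\r\nHost: docs.example.test\r\n"
               b"User-Agent: Mozilla/5.0\r\nAccept: text/plain\r\n"
               b"Accept-Language: en\r\nConnection: keep-alive\r\n\r\n")
PLAIN_RESP = b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(triage(SUSPICIOUS_REQ, HFS_RESP))   # both findings
    print(triage(BROWSER_REQ, PLAIN_RESP))    # nothing flagged
```

The point of keeping the two checks separate is that each is weak alone (plenty of legitimate tooling fetches .txt files, and an HFS instance is not evidence of compromise by itself); it is the pairing on one flow, from a process that is itself a renamed PE, that makes the traffic worth pulling.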

Suricata TLS

No Suricata TLS

API call (Time / Arguments / Status / Return / Repeated)

GlobalMemoryStatusEx
  Arguments: (none)
  Status: 1   Return: 1   Repeated: 0

suspicious_features: Connection to IP address
suspicious_request:  GET http://47.111.23.242/m.txt
request:             GET http://47.111.23.242/m.txt
API call (Time / Arguments / Status / Return / Repeated)

GetDiskFreeSpaceExW
  root_path: C:\
  total_number_of_bytes: 34252779520
  total_number_of_free_bytes: 13325426688
  free_bytes_available: 13325426688
  Status: 1   Return: 1   Repeated: 0
Resources
Name           Language      Sublanguage                 Filetype              Offset      Size
RT_ICON        LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  GLS_BINARY_LSB_FIRST  0x00024208  0x00000468  (this entry appears 9 times in the report with identical offset and size)
RT_GROUP_ICON  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  data                  0x00024670  0x00000084
RT_VERSION     LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  data                  0x000192b0  0x000002c0
API call (Time / Arguments / Status / Return / Repeated)

NtProtectVirtualMemory
  process_identifier: 2544
  process_handle: 0xffffffff
  base_address: 0x10001000
  length: 81920
  protection: 32 (PAGE_EXECUTE_READ)
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  Status: 1   Return: 0   Repeated: 0
API call (Time / Arguments / Status / Return / Repeated)

Process32NextW  (50 identical calls in the report, all with the arguments and result below)
  snapshot_handle: 0x00000404
  process_name: mm.txt
  process_identifier: 7602222
  Status: 0   Return: 0
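The two behavioural records above are the ones worth reading closely: NtProtectVirtualMemory makes an 80 KiB region at 0x10001000 PAGE_EXECUTE_READ through the process's own pseudo-handle (0xffffffff) and is tagged heap_dep_bypass, and Process32NextW is called repeatedly against a single snapshot handle, returning 0 every time. The following is an added example, not ZeroBOX's signature code: a Python triage pass over call records shaped like the report's, decoding the Win32 PAGE_* constant, listing every protection change that yields an executable page, and summarising process-enumeration loops per snapshot handle. The CALLS list is constructed inline to mirror the report's records (one matching protection change, one non-executable one as a control, and fifty Process32NextW calls); it is not parsed from ZeroBOX output, and the record field names are this example's.

```python
"""Triage of sandbox API-call records: executable memory protections and
process-enumeration loops.

Added example; the CALLS list is constructed to mirror the shape of the
report's records and is not parsed from ZeroBOX output.
"""
from collections import Counter, defaultdict

# Win32 memory protection constants (winnt.h).
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100
PAGE_NOCACHE = 0x200
PAGE_WRITECOMBINE = 0x400

_BASE_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
_MODIFIERS = {PAGE_GUARD: "PAGE_GUARD", PAGE_NOCACHE: "PAGE_NOCACHE",
              PAGE_WRITECOMBINE: "PAGE_WRITECOMBINE"}
EXECUTABLE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
                   | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
CURRENT_PROCESS = 0xFFFFFFFF   # GetCurrentProcess() pseudo-handle, 32-bit


def decode_protection(value: int) -> str:
    """32 -> 'PAGE_EXECUTE_READ'; 0x104 -> 'PAGE_READWRITE | PAGE_GUARD'."""
    base = value & 0xFF
    parts = [_BASE_NAMES.get(base, f"0x{base:02x}")]
    parts += [name for bit, name in _MODIFIERS.items() if value & bit]
    return " | ".join(parts)


def executable_protections(calls):
    """Protection changes that leave a region executable. 'self' marks
    changes a process applied to its own address space."""
    out = []
    for c in calls:
        if c["api"] not in ("NtProtectVirtualMemory", "VirtualProtectEx", "VirtualProtect"):
            continue
        prot = c["args"]["protection"]
        if prot & EXECUTABLE_MASK:
            out.append({
                "base": c["args"]["base_address"],
                "length": c["args"]["length"],
                "protection": decode_protection(prot),
                "self": c["args"].get("process_handle") == CURRENT_PROCESS,
                "heap_dep_bypass": bool(c["args"].get("heap_dep_bypass", 0)),
            })
    return out


def enumeration_loops(calls):
    """Group Process32FirstW/NextW by snapshot handle: iteration count, how
    many returned 0 (FALSE), and the process names the loop reported."""
    loops = defaultdict(lambda: {"calls": 0, "returned_zero": 0, "names": Counter()})
    for c in calls:
        if c["api"] in ("Process32FirstW", "Process32NextW"):
            entry = loops[c["args"]["snapshot_handle"]]
            entry["calls"] += 1
            if c["return"] == 0:
                entry["returned_zero"] += 1
            entry["names"][c["args"]["process_name"]] += 1
    return dict(loops)


# Constructed records shaped like the report's: one RX protection change, a
# non-executable control, then a Process32NextW loop on snapshot 0x404.
CALLS = [
    {"api": "NtProtectVirtualMemory", "status": 1, "return": 0,
     "args": {"process_identifier": 2544, "process_handle": 0xFFFFFFFF,
              "base_address": 0x10001000, "length": 81920,
              "protection": 0x20, "heap_dep_bypass": 1,
              "stack_dep_bypass": 0, "stack_pivoted": 0}},
    {"api": "NtProtectVirtualMemory", "status": 1, "return": 0,
     "args": {"process_identifier": 2544, "process_handle": 0xFFFFFFFF,
              "base_address": 0x00400000, "length": 4096,
              "protection": PAGE_READONLY | PAGE_GUARD}},
] + [
    {"api": "Process32NextW", "status": 0, "return": 0,
     "args": {"snapshot_handle": 0x404, "process_name": "mm.txt",
              "process_identifier": 7602222}}
    for _ in range(50)
]

if __name__ == "__main__":
    for hit in executable_protections(CALLS):
        print(f"{hit['base']:#010x} +{hit['length']} -> {hit['protection']}"
              f" self={hit['self']} heap_dep_bypass={hit['heap_dep_bypass']}")
    for handle, loop in enumeration_loops(CALLS).items():
        print(f"snapshot {handle:#x}: {loop['calls']} calls, "
              f"{loop['returned_zero']} returned 0, names={dict(loop['names'])}")
```

A region made executable by the process itself, outside the sections the loader mapped, is the expected footprint of a packer stub finishing its work, which is consistent with the UPX tag on this sample; a long Process32NextW loop is what process-name checks (for analysis tools, or for a target to inject into) look like from the API log. Neither is malicious on its own, which is why the triage keeps the decoded facts rather than emitting a verdict.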
host: 47.111.23.242

Antivirus
Vendor              Detection
Bkav                W32.AIDetectMalware
Lionic              Trojan.Win32.Farfli.4!c
MicroWorld-eScan    Trojan.GenericKD.68870364
FireEye             Generic.mg.d79de8432d47642e
McAfee              Artemis!D79DE8432D47
Cylance             unsafe
Sangfor             Backdoor.Win32.Farfli.V91a
BitDefenderTheta    Gen:NN.ZexaF.36350.iu0@aaIMVeoj
Cyren               W32/ABRisk.TEMW-0121
Symantec            ML.Attribute.HighConfidence
Elastic             malicious (high confidence)
APEX                Malicious
Cynet               Malicious (score: 100)
Kaspersky           HEUR:Backdoor.Win32.Farfli.gen
BitDefender         Trojan.GenericKD.68870364
Avast               Win32:Malware-gen
Tencent             Win32.Backdoor.Farfli.Msmw
Emsisoft            Trojan.GenericKD.68870364 (B)
F-Secure            Backdoor.BDS/Farfli.svrdu
DrWeb               BackDoor.Farfli.171
VIPRE               Trojan.GenericKD.68870364
McAfee-GW-Edition   Artemis!Trojan
Sophos              Generic Reputation PUA (PUA)
Avira               BDS/Farfli.svrdu
Microsoft           Program:Win32/Wacapew.C!ml
ZoneAlarm           HEUR:Backdoor.Win32.Farfli.gen
GData               Trojan.GenericKD.68870364
Google              Detected
Acronis             suspicious
MAX                 malware (ai score=88)
Malwarebytes        Generic.Malware/Suspicious
Rising              Trojan.Generic@AI.97 (RDML:nUy1rbAQszNm3EV/aXWAfg)
Fortinet            W32/PossibleThreat
AVG                 Win32:Malware-gen
DeepInstinct        MALICIOUS
CrowdStrike         win/malicious_confidence_90% (W)