Summary | ZeroBOX

Server.exe

Tags: UPX, PE32, PE File

Category: FILE
Machine: s1_win7_x6401
Started: Sept. 6, 2023, 5:19 p.m.
Completed: Sept. 6, 2023, 5:26 p.m.

Size: 63.5KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: fe262ce1be6d20d9bb8cd378a73d5a3f
SHA256: 0b4eb7fdae7e90c0bd0dbfc7552865ba6d7dcd03e77efd91b5e246c71f9f2f7c
CRC32: 0B20162A
ssdeep: 1536:z+YpZTtGuYKKiRQhEyPD4WnWl0clFBfxwfXUmeKX2o:JptpRQhvPDPW+clFB54eK
Yara
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

DNS lookups
Name | Response | Post-Analysis Lookup
lqwljs.cn | |
lqwljs.top | |

Contacted hosts
IP Address | Status | Action
164.124.101.2 | Active | Moloch
182.42.105.12 | Active | Moloch
194.147.140.199 | Active | Moloch

Suricata Alerts

Flow: UDP 192.168.56.101:59002 -> 164.124.101.2:53
SID: 2023883
Signature: ET DNS Query to a *.top domain - Likely Hostile
Category: Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Generic top level domain TLD
  domain: lqwljs.top

API calls (Time & API / Arguments / Status / Return / Repeated)

CreateServiceA
  Arguments:
    service_start_name:
    start_type: 2
    password:
    display_name: SSDKSRV Discovery Service
    filepath: C:\Program Files (x86)\Terms.exe
    service_name: Rskasq emsggyks
    filepath_r: C:\Program Files (x86)\Terms.exe
    desired_access: 983551
    service_handle: 0x0028bee0
    error_control: 1
    service_type: 272
    service_manager_handle: 0x0028bf80
  Status: 1
  Return: 2670304
  Repeated: 0
NtProtectVirtualMemory
  Arguments:
    process_identifier: 2544
    stack_dep_bypass: 0
    stack_pivoted: 0
    heap_dep_bypass: 1
    length: 53248
    protection: 32 (PAGE_EXECUTE_READ)
    base_address: 0x10001000
    process_handle: 0xffffffff
  Status: 1
  Return: 0
  Repeated: 0
A section with a high entropy has been found
  section: UPX1 (size_of_data 0x0000f800, virtual_address 0x00050000, virtual_size 0x00010000, entropy 7.931953261797111)
Overall entropy of this PE file is high
  entropy: 0.992
Section name indicates UPX
  section: UPX0
  section: UPX1
  section: UPX2
host: 182.42.105.12
host: 194.147.140.199
service_name: Rskasq emsggyks
service_path: C:\Program Files (x86)\Terms.exe
Bkav W32.AIDetectMalware
Elastic malicious (moderate confidence)
DrWeb Trojan.MulDrop20.1002
MicroWorld-eScan DeepScan:Generic.Rincux2.BF14C98E
CAT-QuickHeal Trojan.FarfliRI.S28114709
Malwarebytes Malware.AI.3333506357
Zillya Trojan.Injector.Win32.1533186
Sangfor Suspicious.Win32.Save.a
K7AntiVirus Trojan ( 004d3cae1 )
K7GW Trojan ( 004d3cae1 )
Cybereason malicious.1be6d2
Arcabit DeepScan:Generic.Rincux2.BF14C98E
BitDefenderTheta AI:Packer.20D6963A1E
Cyren W32/Farfli.FU.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.CJVZ
Cynet Malicious (score: 100)
Avast Win32:RATX-gen [Trj]
Kaspersky HEUR:Backdoor.Win32.Farfli.gen
BitDefender DeepScan:Generic.Rincux2.BF14C98E
NANO-Antivirus Trojan.Win32.Farfli.jowqxn
F-Secure Heuristic.HEUR/AGEN.1359717
VIPRE DeepScan:Generic.Rincux2.BF14C98E
McAfee-GW-Edition BehavesLike.Win32.Generic.kc
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.fe262ce1be6d20d9
Emsisoft DeepScan:Generic.Rincux2.BF14C98E (B)
Avira HEUR/AGEN.1359717
MAX malware (ai score=82)
Antiy-AVL Trojan/Win32.Injector
Xcitium TrojWare.Win32.Magania.F@7jjkv4
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm HEUR:Backdoor.Win32.Farfli.gen
GData DeepScan:Generic.Rincux2.BF14C98E
Google Detected
Acronis suspicious
VBA32 BScope.Backdoor.Farfli
TACHYON Backdoor/W32.Farfli.380928.F
Cylance unsafe
APEX Malicious
Rising Trojan.Generic@AI.100 (RDML:gCV1hYbBbdDlu0DAyHzW9w)
SentinelOne Static AI - Suspicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Zard.30!tr
AVG Win32:RATX-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_70% (D)
dead_host 192.168.56.101:49191
dead_host 192.168.56.101:49202
dead_host 192.168.56.101:49231
dead_host 192.168.56.101:49165
dead_host 192.168.56.101:49242
dead_host 192.168.56.101:49176
dead_host 192.168.56.101:49237
dead_host 192.168.56.101:49193
dead_host 182.42.105.12:2022
dead_host 192.168.56.101:49188
dead_host 192.168.56.101:49207
dead_host 192.168.56.101:49228
dead_host 192.168.56.101:49247
dead_host 192.168.56.101:49181
dead_host 192.168.56.101:49198
dead_host 192.168.56.101:49209
dead_host 192.168.56.101:49204
dead_host 192.168.56.101:49217
dead_host 192.168.56.101:49244
dead_host 192.168.56.101:49170
dead_host 192.168.56.101:49187
dead_host 192.168.56.101:49214
dead_host 192.168.56.101:49227
dead_host 192.168.56.101:49222
dead_host 192.168.56.101:49233
dead_host 192.168.56.101:49175
dead_host 192.168.56.101:49184
dead_host 192.168.56.101:49203
dead_host 192.168.56.101:49224
dead_host 192.168.56.101:49166
dead_host 192.168.56.101:49243
dead_host 192.168.56.101:49177
dead_host 192.168.56.101:49238
dead_host 192.168.56.101:49194
dead_host 192.168.56.101:49189
dead_host 192.168.56.101:49200
dead_host 192.168.56.101:49240
dead_host 192.168.56.101:49182
dead_host 192.168.56.101:49199
dead_host 192.168.56.101:49210
dead_host 192.168.56.101:49205
dead_host 192.168.56.101:49218
dead_host 192.168.56.101:49171
dead_host 192.168.56.101:49196
dead_host 192.168.56.101:49215
dead_host 192.168.56.101:49223
dead_host 192.168.56.101:49234
dead_host 192.168.56.101:49168
dead_host 192.168.56.101:49185
dead_host 192.168.56.101:49212