Summary | ZeroBOX

libcurl.exe

PE32 PE File
Category Machine Started Completed
FILE s1_win7_x6403_us Dec. 7, 2023, 11:33 a.m. Dec. 7, 2023, 11:48 a.m.
Size 716.1KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 10b4dbfc7d9c04e82aff9f6845eabdc7
SHA256 9d544fa5ef49d521c1aaf3b0ddcaa3f268a6c0c8c3e048a6b1b4f0b505ebea64
CRC32 2831128C
ssdeep 6144:8sJTwyyCznLTllS74YQot39HTidBTaKHDoehYpgEHNQSM:8yTrvLaFGiwYe9t
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
123.249.25.73 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
packer Armadillo v1.71
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000ad880 size 0x00004fd8
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00064498 size 0x00000468
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000b2940 size 0x000000da
name RT_ACCELERATOR language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000b28c8 size 0x00000078
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00064900 size 0x00000076
name RT_VERSION language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000b2a20 size 0x000003a0
Time & API Arguments Status Return Repeated

CreateServiceA

service_start_name:
start_type: 2
password:
display_name: Nopqrs Uvwxyabc Efghijkl Nopq
filepath: C:\Windows\lspvou.exe
service_name: Nopqrs
filepath_r: C:\Windows\lspvou.exe
desired_access: 983551
service_handle: 0x00546d28
error_control: 0
service_type: 272
service_manager_handle: 0x00546df0
1 5532968 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 28672
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0
host 123.249.25.73
service_name Nopqrs service_path C:\Windows\lspvou.exe
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Farfli.m!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
Cylance unsafe
VIPRE Gen:Variant.Graftor.491778
Sangfor Suspicious.Win32.Save.ins
K7AntiVirus Trojan ( 005565491 )
BitDefender Gen:Variant.Graftor.491778
K7GW Trojan ( 005565491 )
Cybereason malicious.355891
Arcabit Trojan.Graftor.D78102
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.EGZV
APEX Malicious
Kaspersky HEUR:Backdoor.Win32.Farfli.gen
Alibaba Backdoor:Win32/GhostRatCrypt.442ba13b
NANO-Antivirus Trojan.Win32.Farfli.kersya
ViRobot Trojan.Win.Z.Injector.733284.C
MicroWorld-eScan Gen:Variant.Graftor.491778
Avast Win32:Trojan-gen
Tencent Malware.Win32.Gencirc.10bf4534
TACHYON Backdoor/W32.Farfli.733284
Emsisoft Gen:Variant.Graftor.491778 (B)
F-Secure Heuristic.HEUR/AGEN.1369660
DrWeb Trojan.MulDrop24.10288
Zillya Trojan.Injector.Win32.1719364
TrendMicro TROJ_GEN.R002C0DL223
Trapmine malicious.high.ml.score
FireEye Generic.mg.10b4dbfc7d9c04e8
Sophos Mal/Generic-S
Ikarus Trojan.Win32.Injector
Jiangmin Backdoor.Farfli.hij
Webroot W32.Malware.Gen
Google Detected
Avira HEUR/AGEN.1369660
Antiy-AVL Trojan/Win32.Injector
Kingsoft Win32.Hack.Farfli.gen
Microsoft Trojan:Win32/GhostRatCrypt.GA!MTB
ZoneAlarm HEUR:Backdoor.Win32.Farfli.gen
GData Win32.Trojan.PSE.155F78N
Varist W32/ABRisk.XBKU-7525
AhnLab-V3 Trojan/Win.GhostRatCrypt.C5537283
Acronis suspicious
BitDefenderTheta Gen:NN.ZexaF.36608.Sq1@aSH0VQfb
ALYac Gen:Variant.Graftor.491778
MAX malware (ai score=86)
VBA32 BScope.Trojan.Fsysna
Malwarebytes Generic.Malware.AI.DDS
Panda Trj/GdSda.A