Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 3, 2024, 8:48 a.m.	June 3, 2024, 8:51 a.m.

Size	740.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`db4468bcb2b2a4831714f107451eebfd`
SHA256	`ac1cb4f0374e4b3d51174dc6b1546430c5202d9e34ad7ab2d7dc94fc69e4597b`
CRC32	`522506BF`
ssdeep	`12288:YvJZtqNl8GkWnUYYshJQQI3U3gAd0lpd0nLvwUbvwTjP:jl8GVUnshikvd0/d0nbtLOb`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet OS_Processor_Check_Zero - OS Processor Check

S1.exe "C:\Users\test22\AppData\Local\Temp\S1.exe"
2544
- rundll32.exe C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen c:\bd_logo1.png
  2664

Name	Response	Post-Analysis Lookup
www.baidu.com	CNAME www.a.shifen.com A 119.63.197.151 A 119.63.197.139 CNAME www.wshifen.com	119.63.197.139

IP Address	Status	Action
119.63.197.151	Active	Moloch
149.88.76.85	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49162 -> 119.63.197.151:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49162 119.63.197.151:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018	C=CN, ST=beijing, L=beijing, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com	97:42:d5:98:27:d6:22:88:cf:59:c3:ff:75:86:8d:d5:d3:12:a0:af

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 3, 2024, 8:48 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 3, 2024, 8:48 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

GOOGLEUPDATEAPPLICATIONCOMMANDS

Allocates read-write-execute memory (usually to unpack itself) (25 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72711000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x725f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72561000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72524000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x725f2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d21000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72681000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72331000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73501000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b71000 process_handle: 0xffffffff	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)

Time & API	Arguments	Status	Return
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000003cc process_name: mobsync.exe process_identifier: 2280	1	1
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000003cc process_name: pw.exe process_identifier: 2324	1	1
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000003cc process_name: wsqmcons.exe process_identifier: 2352	1	1
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000003cc process_name: taskhost.exe process_identifier: 2360	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 3, 2024, 8:48 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 20480 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00078000', u'virtual_address': u'0x00046000', u'entropy': 7.3531047080987095, u'name': u'.rsrc', u'virtual_size': u'0x00078000'}

entropy

7.3531047081

description

A section with a high entropy has been found

entropy

0.652173913043

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (28 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000003cc process_name: S1.exe process_identifier: 7602224		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x0000003c process_name: S1.exe process_identifier: 7536688		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000003dc process_name: S1.exe process_identifier: 3014768		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000003e0 process_name: S1.exe process_identifier: 7274573		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000003e4 process_name: S1.exe process_identifier: 5046390		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000003e8 process_name: S1.exe process_identifier: 6815859		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000003ec process_name: S1.exe process_identifier: 6881397		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000003f0 process_name: S1.exe process_identifier: 7602277		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000003f4 process_name: S1.exe process_identifier: 6619235		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000003f8 process_name: S1.exe process_identifier: 4456552		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x000003fc process_name: S1.exe process_identifier: 7536758		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000404 process_name: S1.exe process_identifier: 6684769		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000408 process_name: S1.exe process_identifier: 4390992		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000410 process_name: process_identifier: 5439572		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000418 process_name: S1.exe process_identifier: 6619182		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x0000041c process_name: S1.exe process_identifier: 6553715		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000420 process_name: S1.exe process_identifier: 5046338		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000424 process_name: S1.exe process_identifier: 6619246		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000414 process_name: S1.exe process_identifier: 6750273		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000430 process_name: S1.exe process_identifier: 7471220		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x0000042c process_name: S1.exe process_identifier: 7733331		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000434 process_name: S1.exe process_identifier: 4980808		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000428 process_name: S1.exe process_identifier: 6619251		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000484 process_name: S1.exe process_identifier: 7864421		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000488 process_name: S1.exe process_identifier: 3342387		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x0000048c process_name: S1.exe process_identifier: 3014722		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000490 process_name: process_identifier: 7733362		0	0
Process32NextW June 3, 2024, 8:48 a.m.	snapshot_handle: 0x00000494 process_name: S1.exe process_identifier: 6553705		0	0

Communicates with host for which no DNS query was performed (1 event)

host

149.88.76.85

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 events)

Bkav	W32.Common.E6E75C04
Lionic	Trojan.Win32.Zegost.m!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Worm.bc
ALYac	Gen:Variant.Mikey.139915
Cylance	Unsafe
VIPRE	Gen:Variant.Mikey.139915
Sangfor	Backdoor.Win32.Zegost.V3dj
K7AntiVirus	Trojan ( 0057f0631 )
BitDefender	Gen:Variant.Mikey.139915
K7GW	Trojan ( 0057f0631 )
Cybereason	malicious.cb2b2a
Arcabit	Trojan.Mikey.D2228B
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Farfli.CTQ
APEX	Malicious
McAfee	GenericRXAA-AA!DB4468BCB2B2
Avast	Win32:Trojan-gen
ClamAV	Win.Dropper.Gh0stRAT-9896744-0
Kaspersky	HEUR:Backdoor.Win32.Lotok.gen
NANO-Antivirus	Trojan.Win32.Farfli.ixtqnh
MicroWorld-eScan	Gen:Variant.Mikey.139915
Rising	Trojan.Agent!1.F7B0 (CLASSIC)
Emsisoft	Gen:Variant.Mikey.139915 (B)
DrWeb	Trojan.MulDrop18.34457
Zillya	Trojan.GenKryptik.Win32.101507
TrendMicro	BKDR_ZEGOST.SM51
McAfeeD	ti!AC1CB4F0374E
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.db4468bcb2b2a483
Sophos	Troj/Farfli-EV
Ikarus	Win32.Outbreak
Jiangmin	Trojan.Generic.hredl
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/AD.Farfli.ivvfa
MAX	malware (ai score=85)
Antiy-AVL	Trojan[Backdoor]/Win32.Zegost
Kingsoft	Win32.Hack.Generic.a
Gridinsoft	Trojan.Win32.Kryptik.oa!s1
Xcitium	TrojWare.Win32.Agent.PDSB@4q3i1w
Microsoft	Backdoor:Win32/Zegost.CQ!bit
ZoneAlarm	HEUR:Backdoor.Win32.Lotok.gen
GData	Win32.Worm.Palevo.02QQBW
Varist	W32/KillAV.AU.gen!Eldorado
AhnLab-V3	Backdoor/Win.Zegost.R522712
BitDefenderTheta	Gen:NN.ZexaF.36806.Uq0@a0G1I1pi
TACHYON	Backdoor/W32.Lotok.757760

S1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All