Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 16, 2024, 9:53 a.m.	June 16, 2024, 9:55 a.m.

Size	48.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`7d8056785948284e8f6b89004886c936`
SHA256	`f59d23fcb44d07bd1cfc3852bc17b60cc4c35a21a66125953d6f5f697131a521`
CRC32	`0DE8374D`
ssdeep	`768:zynb12Aw5J6HC4kq5Jp9bjAzhyY55J+NStcEeUlyqgZl4p67ChPC:Ub1MsHz3JDwhyWr+N95OTga6R`
Yara	Malicious_Library_Zero - Malicious_Library hide_executable_file - Hide executable file PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

8989.exe "C:\Users\test22\AppData\Local\Temp\8989.exe"
2556
- cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\8989.exe"
  2672
  - PING.EXE ping 127.0.0.1 -n 1
    2744

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
8.138.116.47	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (8 events)

Time & API	Arguments	Status	Return
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 16, 2024, 9:53 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Foreign language identified in PE resource (4 events)

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000b448

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000b448

size

0x00000128

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000b598

size

0x000001c6

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000b570

size

0x00000022

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\20461485.dll

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA June 16, 2024, 9:53 a.m.	service_start_name: start_type: 2 password: display_name: System Remote Data Simulation Layer filepath: C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k "SRDSL" service_name: SRDSL filepath_r: %SystemRoot%\System32\svchost.exe -k "SRDSL" desired_access: 983551 service_handle: 0x002848b8 error_control: 0 service_type: 272 service_manager_handle: 0x00284958	1	2640056	0

Creates a suspicious process (2 events)

cmdline	cmd.exe /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\8989.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\8989.exe"

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\8989.exe
file	C:\Users\test22\AppData\Local\Temp\20461485.dll

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 16, 2024, 9:53 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\8989.exe" filepath: cmd.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 16, 2024, 9:53 a.m.	snapshot_handle: 0x000000b4 process_name: schtasks.exe process_identifier: 2608	1	1	0
Process32NextW June 16, 2024, 9:53 a.m.	snapshot_handle: 0x000000b4 process_name: conhost.exe process_identifier: 2616	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd.exe /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\8989.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\8989.exe"
cmdline	ping 127.0.0.1 -n 1

Communicates with host for which no DNS query was performed (1 event)

host

8.138.116.47

Installs itself for autorun at Windows startup (2 events)

service_name	SRDSL				service_path	C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k "SRDSL"
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SRDSL\Parameters\ServiceDll				reg_value	C:\Users\test22\AppData\Local\Temp\20461485.dll

File has been identified by 66 AntiVirus engines on VirusTotal as malicious (50 out of 66 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.YoungLotus.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Younglotus.20397
Skyhigh	BackDoor-FCWQ!7D8056785948
Cylance	Unsafe
VIPRE	Gen:Heur.RI.1
Sangfor	Backdoor.Win32.Farfli.Vpkj
K7AntiVirus	Trojan ( 0055e3e41 )
BitDefender	Gen:Heur.RI.1
K7GW	Trojan ( 0055e3e41 )
Cybereason	malicious.859482
Arcabit	Trojan.RI.1
VirIT	Backdoor.Win32.Generic.JUY
Symantec	SMG.Heur!gen
ESET-NOD32	Win32/Farfli.BGW
APEX	Malicious
McAfee	BackDoor-FCWQ!7D8056785948
Avast	Win32:DropperX-gen [Drp]
ClamAV	Win.Dropper.Gh0stRAT-7073897-1
Kaspersky	Trojan.Win32.YoungLotus.t
Alibaba	Backdoor:Win32/YoungLotus.13c1f9fa
NANO-Antivirus	Trojan.Win32.YoungLotus.dpanmc
SUPERAntiSpyware	Trojan.Agent/Gen-Zusy
MicroWorld-eScan	Gen:Heur.RI.1
Rising	Trojan.Farfli!1.C639 (KTSE)
Emsisoft	Gen:Heur.RI.1 (B)
F-Secure	Trojan.TR/AD.Farfli.qqkhu
DrWeb	Trojan.DownLoader12.47777
Zillya	Trojan.YoungLotus.Win32.4
TrendMicro	BKDR_ZEGOST.SM29
McAfeeD	ti!F59D23FCB44D
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.7d8056785948284e
Sophos	Mal/Generic-S
Ikarus	Win32.Outbreak
Jiangmin	Trojan/YoungLotus.e
Webroot	Trojan.Younglotus
Google	Detected
Avira	TR/AD.Farfli.qqkhu
MAX	malware (ai score=83)
Antiy-AVL	Trojan/Win32.Farfli
Kingsoft	malware.kb.a.922
Gridinsoft	Trojan.Win32.Gen.tr
Xcitium	TrojWare.Win32.YoungLotus.TCM@5ruomd
Microsoft	Backdoor:Win32/Venik!pz
ZoneAlarm	Trojan.Win32.YoungLotus.t
GData	Gen:Heur.RI.1
Varist	W32/S-0f55ee81!Eldorado

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (9 events)

dead_host	192.168.56.101:49171
dead_host	192.168.56.101:49170
dead_host	192.168.56.101:49169
dead_host	8.138.116.47:8989
dead_host	192.168.56.101:49168
dead_host	192.168.56.101:49165
dead_host	192.168.56.101:49166
dead_host	192.168.56.101:49173
dead_host	192.168.56.101:49172

8989.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All