Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 16, 2024, 9:53 a.m.	June 16, 2024, 9:55 a.m.

Size	48.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2b6bdd0a18e76a5df3a867a49f951125`
SHA256	`b6e1c130d2b9f81e9457197727bb12e29093f29bf80408c2351bbad8cf821d4f`
CRC32	`1EE8FF0F`
ssdeep	`768:zynb12Aw5J6HC4kq5Jp9bjAzhyY55J+NStcEeUlyqgZl4p67ahPC:Ub1MsHz3JDwhyWr+N95OTga6Z`
Yara	Malicious_Library_Zero - Malicious_Library hide_executable_file - Hide executable file PE_Header_Zero - PE File Signature IsPE32 - (no description)

999999.exe "C:\Users\test22\AppData\Local\Temp\999999.exe"
1540
- cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\999999.exe"
  2088
  - PING.EXE ping 127.0.0.1 -n 1
    2172

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
111.229.102.8	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (8 events)

Time & API	Arguments	Status	Return
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 16, 2024, 9:53 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Foreign language identified in PE resource (4 events)

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000b448

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000b448

size

0x00000128

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000b598

size

0x000001c6

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000b570

size

0x00000022

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\27714954.dll

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA June 16, 2024, 9:53 a.m.	service_start_name: start_type: 2 password: display_name: System Data Simulation Layser filepath: C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k "Simullatis" service_name: Simullatis filepath_r: %SystemRoot%\System32\svchost.exe -k "Simullatis" desired_access: 983551 service_handle: 0x00514978 error_control: 0 service_type: 272 service_manager_handle: 0x00514a18	1	5327224	0

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\999999.exe"
cmdline	cmd.exe /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\999999.exe"

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\999999.exe
file	C:\Users\test22\AppData\Local\Temp\27714954.dll

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 16, 2024, 9:53 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\999999.exe" filepath: cmd.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 16, 2024, 9:53 a.m.	snapshot_handle: 0x000000b4 process_name: mobsync.exe process_identifier: 1552	1	1	0
Process32NextW June 16, 2024, 9:53 a.m.	snapshot_handle: 0x000000b4 process_name: SearchProtocolHost.exe process_identifier: 204	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\999999.exe"
cmdline	cmd.exe /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\999999.exe"
cmdline	ping 127.0.0.1 -n 1

Communicates with host for which no DNS query was performed (1 event)

host

111.229.102.8

Installs itself for autorun at Windows startup (2 events)

service_name	Simullatis				service_path	C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k "Simullatis"
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Simullatis\Parameters\ServiceDll				reg_value	C:\Users\test22\AppData\Local\Temp\27714954.dll

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

111.229.102.8:4577

File has been identified by 69 AntiVirus engines on VirusTotal as malicious (50 out of 69 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.YoungLotus.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Younglotus.20397
Skyhigh	BackDoor-FCWQ!2B6BDD0A18E7
Cylance	Unsafe
VIPRE	Gen:Heur.RI.1
Sangfor	Backdoor.Win32.Farfli.V63r
K7AntiVirus	Trojan ( 0055e3e41 )
BitDefender	Gen:Heur.RI.1
K7GW	Trojan ( 0055e3e41 )
Cybereason	malicious.a18e76
Arcabit	Trojan.RI.1
VirIT	Backdoor.Win32.Generic.JUY
Symantec	SMG.Heur!gen
tehtris	Generic.Malware
ESET-NOD32	Win32/Farfli.BGW
APEX	Malicious
McAfee	BackDoor-FCWQ!2B6BDD0A18E7
Avast	Win32:DropperX-gen [Drp]
ClamAV	Win.Dropper.Gh0stRAT-7073897-1
Kaspersky	Trojan.Win32.YoungLotus.t
Alibaba	Backdoor:Win32/YoungLotus.e63479da
NANO-Antivirus	Trojan.Win32.YoungLotus.dpanmc
SUPERAntiSpyware	Trojan.Agent/Gen-Zusy
MicroWorld-eScan	Gen:Heur.RI.1
Rising	Backdoor.Farfli!1.C639 (CLASSIC)
Emsisoft	Gen:Heur.RI.1 (B)
F-Secure	Trojan.TR/AD.Farfli.qqkhu
DrWeb	Trojan.DownLoader12.47777
Zillya	Trojan.YoungLotus.Win32.4
TrendMicro	BKDR_ZEGOST.SM29
McAfeeD	ti!B6E1C130D2B9
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.2b6bdd0a18e76a5d
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Farfli
Jiangmin	Trojan/YoungLotus.e
Webroot	Trojan.Younglotus
Google	Detected
Avira	TR/AD.Farfli.qqkhu
MAX	malware (ai score=83)
Antiy-AVL	Trojan/Win32.Farfli
Kingsoft	malware.kb.a.993
Gridinsoft	Trojan.Win32.Gen.tr
Xcitium	TrojWare.Win32.YoungLotus.TCM@5ruomd
Microsoft	Backdoor:Win32/Venik!pz
ZoneAlarm	Trojan.Win32.YoungLotus.t
GData	Gen:Heur.RI.1

999999.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All