Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 16, 2024, 9:53 a.m.	June 16, 2024, 10:15 a.m.

Size	60.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`dcaab6548f0017f413d032fac6449fc1`
SHA256	`7e64b2f168f2c50ce409c142cf7294ec847d633e82481ac2326ef2a49c2b6680`
CRC32	`BF087E92`
ssdeep	`768:3e1iZNbQAKrWGOkGQeN70ZqL37MKBBmbUt4:36iZNer5GQvk0at`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

DhlServer.exe "C:\Users\test22\AppData\Local\Temp\DhlServer.exe"
1188
- svchosts.exe "C:\Program Files (x86)\svchosts.exe"
  2132

Name	Response	Post-Analysis Lookup
gwyk.sp168.tv	A 156.241.4.189	156.241.4.189

IP Address	Status	Action
156.241.4.189	Active	Moloch
164.124.101.2	Active	Moloch
38.147.172.248	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 156.241.4.189:7744 -> 192.168.56.103:49161	2045860	ET HUNTING Rejetto HTTP File Sever Response	A Network Trojan was detected

Suricata TLS

No Suricata TLS

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 16, 2024, 9:53 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3203072 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 16, 2024, 9:53 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1030f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 16, 2024, 9:53 a.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3203072 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 16, 2024, 9:53 a.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1030f000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Program Files\AppPatch\8.77.dll

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA June 16, 2024, 9:53 a.m.	service_start_name: start_type: 2 password: display_name: Windows Audioo filepath: C:\Program Files (x86)\svchosts.exe service_name: AudioSrvs filepath_r: C:\Program Files (x86)\svchosts.exe desired_access: 983551 service_handle: 0x00526f48 error_control: 0 service_type: 272 service_manager_handle: 0x00526fe8	1	5402440	0

Creates a suspicious process (2 events)

cmdline	"C:\Program Files (x86)\svchosts.exe"
cmdline	C:\Program Files (x86)\svchosts.exe

Communicates with host for which no DNS query was performed (1 event)

host

38.147.172.248

Installs itself for autorun at Windows startup (1 event)

service_name

AudioSrvs

service_path

C:\Program Files (x86)\svchosts.exe

File has been identified by 64 AntiVirus engines on VirusTotal as malicious (50 out of 64 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Redosdru.a!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Redosdru.18846
Skyhigh	Trojan-FKFK!DCAAB6548F00
ALYac	Trojan.Downloader.JSWJ
Cylance	Unsafe
VIPRE	Trojan.Downloader.JSWJ
Sangfor	Downloader.Win32.Agent.V0o6
K7AntiVirus	Trojan-Downloader ( 0055e3da1 )
BitDefender	Trojan.Downloader.JSWJ
K7GW	Trojan-Downloader ( 0055e3da1 )
Cybereason	malicious.48f001
Arcabit	Trojan.Downloader.JSWJ
Baidu	Win32.Trojan-Downloader.Agent.cw
VirIT	Trojan.Win32.Generic.EQQ
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.AVU
APEX	Malicious
McAfee	Trojan-FKFK!DCAAB6548F00
Avast	Win32:Dropper-OHP [Trj]
Kaspersky	Trojan-Downloader.Win32.Tiny.cun
Alibaba	Backdoor:Win32/Zlob.180910
NANO-Antivirus	Trojan.Win32.Agent.dqsnyd
MicroWorld-eScan	Trojan.Downloader.JSWJ
Rising	Downloader.Agent!8.B23 (TFE:5:bHLCrSFEsjS)
Emsisoft	Trojan.Downloader.JSWJ (B)
F-Secure	Heuristic.HEUR/AGEN.1325693
DrWeb	BackDoor.Siggen.58849
Zillya	Downloader.Tiny.Win32.25914
TrendMicro	BKDR_ZEGOST.SM17
McAfeeD	ti!7E64B2F168F2
FireEye	Generic.mg.dcaab6548f0017f4
Sophos	Mal/Generic-S
Ikarus	Trojan-Downloader.Win32.Agent
Jiangmin	TrojanDropper.Dorgam.kg
Google	Detected
Avira	HEUR/AGEN.1325693
MAX	malware (ai score=84)
Antiy-AVL	Trojan[Backdoor]/Win32.BigBadWolf.a
Kingsoft	malware.kb.a.1000
Gridinsoft	Adware.Win32.Downloader.vb!s1
Xcitium	TrojWare.Win32.Farfli.BJQ@5t8o8c
Microsoft	Trojan:Win32/Redosdru.AB
ZoneAlarm	Trojan-Downloader.Win32.Tiny.cun
GData	Trojan.Downloader.JSWJ
Varist	W32/Trojan.JNNA-3426
AhnLab-V3	Trojan/Win32.Downloader.R148588
BitDefenderTheta	Gen:NN.ZexaF.36806.duX@a8fOpEf

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 events)

dead_host	192.168.56.103:49164
dead_host	156.241.4.189:10091
dead_host	192.168.56.103:49167
dead_host	192.168.56.103:49166

DhlServer.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All