Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 22, 2024, 3:12 p.m.	Sept. 22, 2024, 3:17 p.m.

Size	383.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d2b9d12a630cf96b6d4da31de2af0e35`
SHA256	`1d83bdba4198a28193b93de0f88fa79bb7ff17249b54654c07cb11a27e708644`
CRC32	`56C4219C`
ssdeep	`6144:AqCZTnLLdb+8pBPokBwJMxlbFpRM2cbM9fgb2KmoFNiODlOTwrOnPdplzVLlWQxf:Ab5DbPowllDRf9Ib2JONfUcri1RcQP2S`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
2548
- cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\test22\AppData\Local\Temp\svchost.exe > nul
  2628
  - PING.EXE ping -n 2 127.0.0.1
    2752

Name	Response	Post-Analysis Lookup
ref.tbfull.com	A 47.76.175.95	47.76.175.95

IP Address	Status	Action
150.158.102.191	Active	Moloch
164.124.101.2	Active	Moloch
47.76.175.95	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 22, 2024, 3:12 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 22, 2024, 3:12 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff		3221225713	0
NtProtectVirtualMemory Sept. 22, 2024, 3:12 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 344064 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10162000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (1 event)

name

RT_MANIFEST

language

LANG_CHINESE

filetype

XML 1.0 document text

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00061058

size

0x0000028b

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Sept. 22, 2024, 3:12 p.m.	service_start_name: start_type: 2 password: display_name: Qijabc Uvwopghi Bcdtumno Hija filepath: C:\Windows\System32\Arstl.exe -auto service_name: Euvwop Hijbc filepath_r: C:\Windows\System32\Arstl.exe -auto desired_access: 18 service_handle: 0x0057c080 error_control: 0 service_type: 16 service_manager_handle: 0x0057c030	1	5750912	0

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\test22\AppData\Local\Temp\svchost.exe > nul

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\svchost.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0005f600', u'virtual_address': u'0x00001000', u'entropy': 7.875712132280748, u'name': u'.data', u'virtual_size': u'0x0005f415'}

entropy

7.87571213228

description

A section with a high entropy has been found

entropy

0.997385620915

description

Overall entropy of this PE file is high

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\test22\AppData\Local\Temp\svchost.exe > nul
cmdline	ping -n 2 127.0.0.1

Communicates with host for which no DNS query was performed (1 event)

host

150.158.102.191

Installs itself for autorun at Windows startup (1 event)

service_name

Euvwop Hijbc

service_path

C:\Windows\System32\Arstl.exe -auto

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 resumed a thread in remote process 2628
NtResumeThread Sept. 22, 2024, 3:12 p.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 2628	1	0	0

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

47.76.175.95:14996

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.lbym
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.ZRI.S12023332
Skyhigh	BehavesLike.Win32.Generic.fc
ALYac	Dump:Generic.KillMBR.A.3821C283
Cylance	Unsafe
VIPRE	Dump:Generic.KillMBR.A.3821C283
Sangfor	Backdoor.Win32.Farfli.V78s
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Dump:Generic.KillMBR.A.3821C283
K7GW	Trojan ( 005800661 )
K7AntiVirus	Trojan ( 005800661 )
Arcabit	Dump:Generic.KillMBR.A.3821C283
VirIT	Trojan.Win32.Rootkit.BGPI
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Farfli.DBU
APEX	Malicious
Avast	Win32:BackdoorX-gen [Trj]
ClamAV	Win.Trojan.Farfli-7639977-0
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Backdoor:Win32/Farfli.effa9c6f
NANO-Antivirus	Trojan.Win32.Farfli.henrej
MicroWorld-eScan	Dump:Generic.KillMBR.A.3821C283
Rising	Backdoor.Farfli!1.E02F (CLASSIC)
Emsisoft	Dump:Generic.KillMBR.A.3821C283 (B)
F-Secure	Trojan.TR/Dropper.Gen
DrWeb	Trojan.Rootkit.22030
Zillya	Trojan.Farfli.Win32.34496
TrendMicro	TROJ_GEN.R002C0DHB24
McAfeeD	ti!1D83BDBA4198
CTX	exe.trojan.farfli
Sophos	Troj/Farfli-EB
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.d2b9d12a630cf96b
Jiangmin	Backdoor.Farfli.dmf
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Dropper.Gen
Antiy-AVL	Trojan/Win32.Farfli.ctt
Kingsoft	Win32.Hack.Convagent.gen
Microsoft	Backdoor:Win32/Farfli.BF!MTB
ZoneAlarm	HEUR:Backdoor.Win32.Convagent.gen
GData	Dump:Generic.KillMBR.A.3821C283
Varist	W32/Farfli.GY.gen!Eldorado
AhnLab-V3	Downloader/Win.WQ.C5657779
McAfee	GenericRXKB-WQ!D2B9D12A630C
DeepInstinct	MALICIOUS
VBA32	Trojan.Rootkit

svchost.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All