Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 30, 2024, 11:14 a.m.	Sept. 30, 2024, 11:38 a.m.

Size	420.2KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`56fd972f1d650272de4508513de8a27d`
SHA256	`01246ce06d56da2b83f49063e5277f08ba6a693646f8d388ae7da4caec915853`
CRC32	`B1F04739`
ssdeep	`12288:n/cUoABfJFsQCvVj/CHNmZzCXK6g8eB0jOiaTfE:/cUNsQsj/aNUC6MeB0jOi2`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
2556
- svchost.exe "C:\Windows\svchost.exe"
  2616

Name	Response	Post-Analysis Lookup
r.pengyou.com	A 0.0.0.1	0.0.0.1

IP Address	Status	Action
164.124.101.2	Active	Moloch
27.25.134.180	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 30, 2024, 11:14 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3198976 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 11:14 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 335872 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1030e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 11:14 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3198976 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 11:14 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 335872 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1030e000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (12 events)

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094030

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094030

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094030

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094030

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094030

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094030

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094030

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094030

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00094030

size

0x00000468

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

DOS executable (COM)

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000944ac

size

0x00000084

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

DOS executable (COM)

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000944ac

size

0x00000084

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00099938

size

0x000002f8

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Sept. 30, 2024, 11:14 a.m.	service_start_name: start_type: 2 password: display_name: svchost filepath: C:\Windows\svchost.exe service_name: svchost filepath_r: C:\Windows\svchost.exe desired_access: 983551 service_handle: 0x00904ba8 error_control: 0 service_type: 272 service_manager_handle: 0x00904b08	1	9456552	0

Creates a suspicious process (2 events)

cmdline	C:\Windows\svchost.exe
cmdline	"C:\Windows\svchost.exe"

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00066400', u'virtual_address': u'0x00032000', u'entropy': 7.742003989036729, u'name': u'UPX1', u'virtual_size': u'0x00067000'}

entropy

7.74200398904

description

A section with a high entropy has been found

entropy

0.991515151515

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 30, 2024, 11:14 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 30, 2024, 11:14 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Created a process named as a common system process (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Sept. 30, 2024, 11:14 a.m.	thread_identifier: 2620 thread_handle: 0x00000234 process_identifier: 2616 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\svchost.exe track: 1 command_line: "C:\Windows\svchost.exe" filepath_r: C:\Windows\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000238	1	1	0
ShellExecuteExW Sept. 30, 2024, 11:14 a.m.	show_type: 5 filepath_r: C:\Windows\svchost.exe parameters: filepath: C:\Windows\svchost.exe	1	1	0

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 event)

host

27.25.134.180

Installs itself for autorun at Windows startup (1 event)

service_name

svchost

service_path

C:\Windows\svchost.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

27.25.134.180:81

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Farfli.4!c
Cynet	Malicious (score: 100)
Skyhigh	GenericRXIH-FL!D954277AF911
ALYac	Trojan.GenericKD.73942699
Cylance	Unsafe
VIPRE	Trojan.GenericKD.73942699
Sangfor	Backdoor.Win32.Pcclient.V59y
CrowdStrike	win/malicious_confidence_90% (W)
BitDefender	Trojan.GenericKD.73942699
K7GW	Trojan ( 0050ed721 )
K7AntiVirus	Trojan ( 005677151 )
Arcabit	Trojan.Generic.D46846AB
VirIT	Trojan.Win32.Genus.IYD
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	Win32/Farfli.BGG
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
ClamAV	Win.Malware.Deepscan-6972384-0
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Backdoor:Win32/Farfli.21e9718e
NANO-Antivirus	Trojan.Win32.GenKryptik.fslxzc
MicroWorld-eScan	Trojan.GenericKD.73942699
Rising	Backdoor.PcClient!8.119 (TFE:5:UqIb3HcQmoG)
Emsisoft	Trojan.GenericKD.73942699 (B)
F-Secure	Trojan.TR/AVI.Fusing.edcss
Zillya	Trojan.GenKryptik.Win32.31798
TrendMicro	TROJ_GEN.R011C0DHJ24
McAfeeD	ti!01246CE06D56
CTX	exe.trojan.farfli
Sophos	Mal/Generic-S
Ikarus	Trojan-Downloader.Win32.Agent
FireEye	Generic.mg.56fd972f1d650272
Jiangmin	Trojan.Generic.bacrz
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/AVI.Fusing.edcss
Antiy-AVL	Trojan/Win32.Farfli
Kingsoft	malware.kb.b.945
Xcitium	Malware@#2kcufmflc0qlr
Microsoft	Backdoor:Win32/PcClient
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Trojan.GenericKD.73942699
Varist	W32/ABTrojan.FSIQ-6638
AhnLab-V3	Malware/Win32.Generic.C3325320
McAfee	Artemis!56FD972F1D65
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan-GameThief.Magania
Malwarebytes	Malware.AI.4120661445

svchost.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All