Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 13, 2024, 1:56 p.m.	Nov. 13, 2024, 2:21 p.m.

Size	140.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`200488185d59ab372448732e08da1b50`
SHA256	`1722be3ca7c30055c94f37b865d6f3554c934b23a59f3c1adb7c093473ee0521`
CRC32	`40D3B455`
ssdeep	`1536:Vua+BTv3tIO8MtM+/6jRVGIk1MgHjsPGYYwOda2CqqZOIgQJb0lfjtO+vbWL8xJb:Vn+htWMtf+7GZYGVA2QJgi8xJLDoU`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

svhost.exe "C:\Users\test22\AppData\Local\Temp\svhost.exe"
2552

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
108.181.157.69	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Nov. 13, 2024, 1:56 p.m.	service_start_name: start_type: 2 password: display_name: Ghijkl Nopqrstu Wxyabcde Ghij filepath: C:\Windows\Ghijkl.exe service_name: Ghijkl Nopqrstu filepath_r: C:\Windows\Ghijkl.exe desired_access: 983551 service_handle: 0x0089d138 error_control: 0 service_type: 272 service_manager_handle: 0x0089d188	1	9031992	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x000000c0 process_name: wsqmcons.exe process_identifier: 2348	1	1
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x000000c0 process_name: sdclt.exe process_identifier: 2376	1	1
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x000000c0 process_name: svhost.exe process_identifier: 6553710		0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 13, 2024, 1:56 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 13, 2024, 1:56 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

108.181.157.69

Installs itself for autorun at Windows startup (1 event)

service_name

Ghijkl Nopqrstu

service_path

C:\Windows\Ghijkl.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

108.181.157.69:80

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Glomaru.lXMS
Cynet	Malicious (score: 100)
Skyhigh	GenericRXTR-OV!200488185D59
McAfee	GenericRXTR-OV!200488185D59
Cylance	Unsafe
VIPRE	Dump:Generic.KillMBR.A.EA885338
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Dump:Generic.KillMBR.A.EA885338
K7GW	Trojan ( 005a74e61 )
K7AntiVirus	Trojan ( 005a74e61 )
Arcabit	Dump:Generic.KillMBR.A.EADD825A
VirIT	Trojan.Win32.Genus.RTX
Symantec	Trojan!im
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/FatalRAT.A
APEX	Malicious
Avast	Win32:GenMalicious-JHS [Trj]
ClamAV	Win.Trojan.Killmbr-10022828-0
Kaspersky	HEUR:Backdoor.Win32.Generic
Alibaba	Backdoor:Win32/Zegost.13a2a26d
NANO-Antivirus	Trojan.Win32.Farfli.itwbcp
MicroWorld-eScan	Dump:Generic.KillMBR.A.EA885338
Rising	Trojan.Kryptik!1.AAD1 (CLASSIC)
Emsisoft	Dump:Generic.KillMBR.A.EA885338 (B)
F-Secure	Trojan.TR/Dropper.Gen
DrWeb	BackDoor.Fatal.67
Zillya	Backdoor.Generic.Win32.31304
McAfeeD	ti!1722BE3CA7C3
Trapmine	malicious.high.ml.score
CTX	exe.trojan.generic
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.200488185d59ab37
Jiangmin	Backdoor.Generic.ckgk
Google	Detected
Avira	TR/Dropper.Gen
Antiy-AVL	Trojan[Backdoor]/MSIL.Zegost
Kingsoft	malware.kb.a.999
Gridinsoft	Trojan.Win32.Gen.tr
Xcitium	TrojWare.Win32.Agent.PDSB@4q3i1w
Microsoft	Backdoor:MSIL/Zegost.GG!MTB
ZoneAlarm	HEUR:Trojan.Win32.Agent.gen
GData	Dump:Generic.KillMBR.A.EA885338
Varist	W32/Agent.EWL.gen!Eldorado
AhnLab-V3	Trojan/Win.LVbg.R553633
VBA32	BScope.Backdoor.Farfli
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	Trojan.Win32.Farfli

svhost.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All