Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 13, 2024, 1:57 p.m.	Nov. 13, 2024, 2:13 p.m.

Size	611.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`75cdc74befd8c953ee2c022bd8366633`
SHA256	`fda844b16b91a38417af25d13bd0992c3344de12ebcd0283732a3e0a6e91811d`
CRC32	`CD754BB7`
ssdeep	`12288:nFpuzZSkcBNrl5mTEUkDaSdJfpSaoNRVBUyMCe8VMM80B7qrI3iK1XBwZQ:nFmShDrngEUkDaiJfpSaoNRpMCe8CM8T`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

svchot%20-%20%E5%89%AF%E6%9C%AC.exe "C:\Users\test22\AppData\Local\Temp\svchot%20-%20%E5%89%AF%E6%9C%AC.exe"
1072
- cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\test22\AppData\Local\Temp\SVCHOT~1.EXE > nul
  2068
  - PING.EXE ping -n 2 127.0.0.1
    2204

Name	Response	Post-Analysis Lookup
facai7777777.ydns.eu		202.181.25.108

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 13, 2024, 1:57 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

Foreign language identified in PE resource (13 events)

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0017e1d0

size

0x000008a8

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0017e1d0

size

0x000008a8

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0017e1d0

size

0x000008a8

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0017e1d0

size

0x000008a8

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0017eb80

size

0x000006d4

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0017eb80

size

0x000006d4

name

RT_STRING

language

LANG_CHINESE

filetype

PGP\011Secret Sub-key -

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0017f5f0

size

0x0000004c

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0017ea78

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0017ea78

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0017ea78

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0017ea78

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00183bd8

size

0x0000030c

name

None

language

LANG_CHINESE

filetype

COM executable for DOS

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0017f568

size

0x00000082

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Nov. 13, 2024, 1:57 p.m.	service_start_name: start_type: 2 password: display_name: Dtldtl Dumdumdu Mevmevme Vnfv filepath: C:\Windows\System32\Gwogw.exe -auto service_name: Gwogwo Hxpgx filepath_r: C:\Windows\System32\Gwogw.exe -auto desired_access: 18 service_handle: 0x00726a28 error_control: 0 service_type: 16 service_manager_handle: 0x007269d8	1	7498280	0

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\test22\AppData\Local\Temp\SVCHOT~1.EXE > nul

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\svchot%20-%20%E5%89%AF%E6%9C%AC.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 13, 2024, 1:57 p.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 606208 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00097800', u'virtual_address': u'0x000eb000', u'entropy': 7.962831396959184, u'name': u'UPX1', u'virtual_size': u'0x00098000'}

entropy

7.96283139696

description

A section with a high entropy has been found

entropy

0.992628992629

description

Overall entropy of this PE file is high

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	ping -n 2 127.0.0.1
cmdline	C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\test22\AppData\Local\Temp\SVCHOT~1.EXE > nul

Installs itself for autorun at Windows startup (1 event)

service_name

Gwogwo Hxpgx

service_path

C:\Windows\System32\Gwogw.exe -auto

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1072 resumed a thread in remote process 2068
NtResumeThread Nov. 13, 2024, 1:57 p.m.	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 2068	1	0	0

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.Common.37FA0469
Lionic	Trojan.Win32.Farfli.4!c
Cynet	Malicious (score: 100)
Skyhigh	GenericRXQT-CN!112D697F1352
ALYac	Gen:Variant.Graftor.739982
Cylance	Unsafe
VIPRE	Gen:Variant.Graftor.739982
CrowdStrike	win/malicious_confidence_90% (W)
BitDefender	Gen:Variant.Strictor.293846
K7GW	Trojan ( 00588f971 )
K7AntiVirus	Trojan ( 00588f971 )
Arcabit	Trojan.Graftor.DB4A8E
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/Kryptik.HMVR
APEX	Malicious
Avast	Win32:BackdoorX-gen [Trj]
ClamAV	Win.Trojan.Mikey-9862566-0
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Backdoor:Win32/Farfli.69bfc34b
NANO-Antivirus	Trojan.Win32.Farfli.kcsyie
MicroWorld-eScan	Gen:Variant.Strictor.293846
Rising	Backdoor.Farfli!8.B4 (TFE:5:QpcLiJjSqn)
Emsisoft	Gen:Variant.Strictor.293846 (B)
F-Secure	Heuristic.HEUR/AGEN.1370115
DrWeb	BackDoor.Farfli.131
Zillya	Trojan.Kryptik.Win32.4879272
TrendMicro	TROJ_GEN.R002C0DKA24
McAfeeD	ti!FDA844B16B91
Trapmine	malicious.moderate.ml.score
CTX	exe.trojan.farfli
Sophos	Troj/Farfli-DW
Ikarus	Backdoor.Win32.Zegost
FireEye	Generic.mg.75cdc74befd8c953
Jiangmin	Trojan.MSIL.Zapchast.ab
Google	Detected
Avira	HEUR/AGEN.1370115
Antiy-AVL	Trojan[Backdoor]/Win32.Farfli
Gridinsoft	Trojan.Win32.Agent.sa
Microsoft	Backdoor:Win32/Farfli!pz
ViRobot	Trojan.Win.Z.Farfli.626176.M
ZoneAlarm	HEUR:Backdoor.Win32.Generic
GData	Gen:Variant.Strictor.293846
Varist	W32/Kryptik.HEN.gen!Eldorado
AhnLab-V3	Backdoor/Win.Zegost.C5057370
McAfee	Artemis!75CDC74BEFD8
TACHYON	Backdoor/W32.Farfli.1507328.B
DeepInstinct	MALICIOUS
VBA32	TScope.Malware-Cryptor.SB
Malwarebytes	Malware.AI.2016846304

svchot%20-%20%E5%89%AF%E6%9C%AC.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All