Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 5, 2025, 10:09 a.m.	March 5, 2025, 10:11 a.m.

Size	32.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`6a3d1e12057da9877676b1c9e4ab03ac`
SHA256	`1cc6dfe8e95533de1a28242e412434f0a94f3e59fb6e4625babda6ad57f049e4`
CRC32	`25EB601D`
ssdeep	`384:wTkWKqDfSFnhadpwhmC+GIYVgg1l+JHnjbIla6U4t9yN1W4dT:wNjLOnhaQhKBgiJHIl04KzhdT`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer Antivirus - Contains references to security software IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

server.exe "C:\Users\test22\AppData\Local\Temp\server.exe"
1492

Name	Response	Post-Analysis Lookup
www.jz3366.top	A 103.205.252.29	103.205.252.29

IP Address	Status	Action
103.205.252.29	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 5, 2025, 10:09 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

www.jz3366.top

description

Generic top level domain TLD

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (33 events)

Time & API	Arguments	Status	Return
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000260 process_name: mobsync.exe process_identifier: 288	1	1
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000260 process_name: taskhost.exe process_identifier: 872	1	1
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000260 process_name: cmd.exe process_identifier: 2032	1	1
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000260 process_name: conhost.exe process_identifier: 516	1	1
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000260 process_name: SearchFilterHost.exe process_identifier: 1256	1	1
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000260 process_name: server.exe process_identifier: 1492	1	1
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000260 process_name: pw.exe process_identifier: 2080	1	1
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000260 process_name: pw.exe process_identifier: 7602224		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000264 process_name: pw.exe process_identifier: 7536688		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x0000025c process_name: pw.exe process_identifier: 7536752		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000234 process_name: pw.exe process_identifier: 3014768		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000230 process_name: pw.exe process_identifier: 7274573		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000228 process_name: pw.exe process_identifier: 5046390		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000258 process_name: pw.exe process_identifier: 6815859		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000268 process_name: pw.exe process_identifier: 6881397		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x0000026c process_name: pw.exe process_identifier: 7602277		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000270 process_name: pw.exe process_identifier: 6619235		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000274 process_name: pw.exe process_identifier: 4456552		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000278 process_name: pw.exe process_identifier: 7536758		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x0000027c process_name: pw.exe process_identifier: 6684769		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000280 process_name: pw.exe process_identifier: 4390992		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000284 process_name: process_identifier: 5439572		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000288 process_name: pw.exe process_identifier: 6619182		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x0000028c process_name: pw.exe process_identifier: 6553715		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000290 process_name: pw.exe process_identifier: 5046338		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000294 process_name: pw.exe process_identifier: 6619246		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000298 process_name: pw.exe process_identifier: 6750273		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x0000029c process_name: pw.exe process_identifier: 7471220		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x000002a0 process_name: pw.exe process_identifier: 7733331		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x000002a4 process_name: pw.exe process_identifier: 4980808		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x000002a8 process_name: pw.exe process_identifier: 6619251		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x000002ac process_name: process_identifier: 7733362		0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x000002b0 process_name: pw.exe process_identifier: 6553705		0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (25 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000264 process_name: pw.exe process_identifier: 7536688		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x0000025c process_name: pw.exe process_identifier: 7536752		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000234 process_name: pw.exe process_identifier: 3014768		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000230 process_name: pw.exe process_identifier: 7274573		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000228 process_name: pw.exe process_identifier: 5046390		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000258 process_name: pw.exe process_identifier: 6815859		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000268 process_name: pw.exe process_identifier: 6881397		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x0000026c process_name: pw.exe process_identifier: 7602277		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000270 process_name: pw.exe process_identifier: 6619235		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000274 process_name: pw.exe process_identifier: 4456552		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000278 process_name: pw.exe process_identifier: 7536758		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x0000027c process_name: pw.exe process_identifier: 6684769		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000280 process_name: pw.exe process_identifier: 4390992		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000284 process_name: process_identifier: 5439572		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000288 process_name: pw.exe process_identifier: 6619182		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x0000028c process_name: pw.exe process_identifier: 6553715		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000290 process_name: pw.exe process_identifier: 5046338		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000294 process_name: pw.exe process_identifier: 6619246		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x00000298 process_name: pw.exe process_identifier: 6750273		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x0000029c process_name: pw.exe process_identifier: 7471220		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x000002a0 process_name: pw.exe process_identifier: 7733331		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x000002a4 process_name: pw.exe process_identifier: 4980808		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x000002a8 process_name: pw.exe process_identifier: 6619251		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x000002ac process_name: process_identifier: 7733362		0	0
Process32NextW March 5, 2025, 10:09 a.m.	snapshot_handle: 0x000002b0 process_name: pw.exe process_identifier: 6553705		0	0

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Farfli.m!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Backdoor.LotokPMF.S22207093
Skyhigh	BehavesLike.Win32.Backdoor.nm
ALYac	Generic.Dacic.D657E169.A.19937B4D
Cylance	Unsafe
VIPRE	Generic.Dacic.D657E169.A.19937B4D
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Generic.Dacic.D657E169.A.19937B4D
K7GW	Trojan ( 0052cdd61 )
K7AntiVirus	Trojan ( 0052cdd61 )
Arcabit	Generic.Dacic.D657E169.A.19937B4D
VirIT	Trojan.Win32.Genus.PUS
Symantec	ML.Attribute.HighConfidence
Elastic	Windows.Generic.Threat
ESET-NOD32	a variant of Win32/Farfli.CVB
APEX	Malicious
Avast	Win32:BackdoorX-gen [Trj]
ClamAV	Win.Trojan.Generic-6305873-0
Kaspersky	HEUR:Backdoor.Win32.Lotok.gen
Alibaba	Backdoor:Win32/Venik.f1d721e1
NANO-Antivirus	Trojan.Win32.Lotok.jrwrll
MicroWorld-eScan	Generic.Dacic.D657E169.A.19937B4D
Rising	Backdoor.Lotok!8.111D5 (TFE:5:VE56F3v74yI)
Emsisoft	Generic.Dacic.D657E169.A.19937B4D (B)
F-Secure	Trojan.TR/Crypt.ZPACK.Gen
DrWeb	BackDoor.Siggen2.4986
Zillya	Trojan.Farfli.Win32.95245
TrendMicro	BKDR_ZEGOST.SM37
McAfeeD	Real Protect-LS!6A3D1E12057D
Trapmine	malicious.moderate.ml.score
CTX	exe.trojan.farfli
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.6a3d1e12057da987
Jiangmin	Backdoor.Lotok.aao
Google	Detected
Avira	TR/Crypt.ZPACK.Gen
Antiy-AVL	Trojan[Backdoor]/Win32.Lotok
Kingsoft	malware.kb.a.1000
Xcitium	TrojWare.Win32.Farfli.BLH@6lj6he
Microsoft	Trojan:Win32/Venik.SIB!MTB
ViRobot	Trojan.Win.Z.Lotok.32768.C
GData	Win32.Trojan.Farfli.P
Varist	W32/KillAV.AU.gen!Eldorado
AhnLab-V3	Backdoor/Win.Zegost.R438655
McAfee	GenericRXAA-FA!6A3D1E12057D
TACHYON	Backdoor/W32.Lotok.32768.C

server.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All