Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 5, 2024, 4:37 p.m.	Feb. 5, 2024, 4:41 p.m.

Size	384.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1af97bb3b7d31c81534bc48a84021f32`
SHA256	`7c7edaf79218ec77462a5097f6860347b905b01ea8c1bc807f6731847770d9b2`
CRC32	`666239BD`
ssdeep	`6144:4Gyne2Ko9cK2OHnV7D2djek72aTALaFIm85ZDOFBjb/8o05NYXafC2IxFVD:Pm78gnV/2okya+bFOfv8t5NY12GFR`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature

IP.exe "C:\Users\test22\AppData\Local\Temp\IP.exe"
2564
- Ejehkof.bat "C:\Program Files (x86)\Microsoft Otoruy\Ejehkof.bat"
  2624

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
192.151.244.144	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 5, 2024, 4:37 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3198976 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 5, 2024, 4:37 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 335872 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1030e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 5, 2024, 4:37 p.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3198976 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 5, 2024, 4:37 p.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 335872 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1030e000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (3 events)

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0005e100

size

0x000025a8

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000606a8

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000606c0

size

0x000002f8

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Feb. 5, 2024, 4:37 p.m.	service_start_name: start_type: 2 password: display_name: Ujtwzd uuaahuuscwlehhnkol filepath: C:\Program Files (x86)\Microsoft Otoruy\Ejehkof.bat service_name: Wsjmpt kkppwjtr filepath_r: C:\Program Files (x86)\Microsoft Otoruy\Ejehkof.bat desired_access: 983551 service_handle: 0x00616c50 error_control: 0 service_type: 272 service_manager_handle: 0x00616bb0	1	6384720	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00056000', u'virtual_address': u'0x00007000', u'entropy': 7.938995551259385, u'name': u'.data', u'virtual_size': u'0x00056240'}

entropy

7.93899555126

description

A section with a high entropy has been found

entropy

0.905263157895

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Feb. 5, 2024, 4:37 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Feb. 5, 2024, 4:37 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

192.151.244.144

Installs itself for autorun at Windows startup (1 event)

service_name

Wsjmpt kkppwjtr

service_path

C:\Program Files (x86)\Microsoft Otoruy\Ejehkof.bat

File has been identified by 65 AntiVirus engines on VirusTotal as malicious (50 out of 65 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Zegost.mxwo
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	PUA.MacriRI.S17487091
Skyhigh	BehavesLike.Win32.Backdoor.fc
ALYac	Trojan.GenericKD.36604148
Cylance	unsafe
VIPRE	Trojan.GenericKD.36604148
Sangfor	Suspicious.Win32.Save.ins
K7AntiVirus	Riskware ( 0040eff71 )
BitDefender	Trojan.GenericKD.36604148
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.7abc59
Arcabit	Trojan.Generic.D22E88F4
VirIT	Trojan.Win32.Agent_r.BCR
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Win32/Farfli.BGG
APEX	Malicious
McAfee	BackDoor-FDSP!1AF97BB3B7D3
Avast	Win32:CrypterX-gen [Trj]
Kaspersky	Trojan-DDoS.Win32.Macri.chj
Alibaba	DDoS:Win32/Farfli.f2e0305a
NANO-Antivirus	Trojan.Win32.Macri.epixwy
MicroWorld-eScan	Trojan.GenericKD.36604148
Rising	Trojan.Win32.Lebag.b!0.188BB3 (KTSE)
Emsisoft	Trojan.Farfli (A)
F-Secure	Trojan.TR/FileCoder.NW
DrWeb	BackDoor.Farfli.96
Zillya	Tool.Macri.Win32.1527
TrendMicro	BKDR_ZEGOST.SMCK
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.1af97bb3b7d31c81
Sophos	Troj/AutoG-FH
Ikarus	Trojan.Win32.Farfli
Jiangmin	TrojanDDoS.Macri.nl
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/FileCoder.NW
MAX	malware (ai score=85)
Antiy-AVL	Trojan/Win32.Farfli
Kingsoft	Win32.Troj.Undef.a
Gridinsoft	Trojan.Win32.Keylogger.vl!i
Xcitium	TrojWare.Win32.TrojanDownloader.Redosdru.FG@6j5x7c
Microsoft	Backdoor:Win32/Farfli!pz
ViRobot	Trojan.Win32.U.Banker.400048
ZoneAlarm	Trojan-DDoS.Win32.Macri.chj
GData	Trojan.GenericKD.36604148
Varist	W32/Deepscan.KFVF-7759
AhnLab-V3	Trojan/Win32.Dialer.R23969

IP.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All