Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 17, 2024, 10:03 a.m.	March 17, 2024, 10:12 a.m.

Size	572.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`6a7dbf9cf7f21fd9e36a8f946a9ba32b`
SHA256	`be5e172e023a252269fcfff738377c0ee3de397bee7d44c21d002457ad2ce510`
CRC32	`6BED3919`
ssdeep	`12288:nruM9FNatyT3gNCpOdn/uVcZNJ7QD7HZ5rbx:q+atynpOd/HzJO7HX`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature Win_Backdoor_GhostRAT_Zero - Win Backdoor GhostRAT UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

Xzserver.exe "C:\Users\test22\AppData\Local\Temp\Xzserver.exe"
1460

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
1.92.90.232	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49161 -> 1.92.90.232:8000	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.103:49161 -> 1.92.90.232:8000	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.103:49161 -> 1.92.90.232:8000	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected
TCP 1.92.90.232:8000 -> 192.168.56.103:49161	2048478	ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive	A Network Trojan was detected

Suricata TLS

No Suricata TLS

The executable uses a known packer (1 event)

packer

InstallShield 2000

The file contains an unknown PE resource name possibly indicative of a packer (8 events)

resource name	00526EC220243100352
resource name	085513A620243100353
resource name	7BFA3F1B20243100353
resource name	CE16F6A220243100352
resource name	FC0E79B320243100352
resource name	HOST
resource name	SCR
resource name	SYS

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 15, 2024, 7 a.m.	stacktrace: Host+0x14c @ 0x10002bfc exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e4 5b eb 24 8b 45 ec exception.exception_code: 0xc000001d exception.symbol: Host-0x1307 exception.address: 0x100017a9 registers.esp: 1637344 registers.edi: 1638040 registers.eax: 1 registers.ebp: 1637396 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 1971270869 registers.ecx: 1648	1	0	0
__exception__ March 15, 2024, 7 a.m.	stacktrace: Host+0x155 @ 0x10002c05 exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45 exception.instruction: in eax, dx exception.exception_code: 0xc0000096 exception.symbol: Host-0x1268 exception.address: 0x10001848 registers.esp: 1637344 registers.edi: 1638040 registers.eax: 1447909480 registers.ebp: 1637396 registers.edx: 22104 registers.ebx: 0 registers.esi: 1971270869 registers.ecx: 10	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory March 15, 2024, 7 a.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff		3221225713
NtProtectVirtualMemory March 15, 2024, 7 a.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 155648 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x100fa000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 15, 2024, 7 a.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10120000 process_handle: 0xffffffff		3221225713
NtAllocateVirtualMemory March 15, 2024, 7 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0

A process attempted to delay the analysis task. (1 event)

description

Xzserver.exe tried to sleep 159 seconds, actually delayed analysis time by 159 seconds

Foreign language identified in PE resource (37 events)

name

SCR

language

LANG_CHINESE

filetype

PE32 executable (GUI) Intel 80386, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00059d30

size

0x0001d03d

name

SYS

language

LANG_CHINESE

filetype

DOS executable (COM)

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00076d70

size

0x00008b40

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008df48

size

0x00000468

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008e998

size

0x00000134

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008e998

size

0x00000134

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008e998

size

0x00000134

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008e998

size

0x00000134

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008e998

size

0x00000134

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008e998

size

0x00000134

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008e998

size

0x00000134

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008ebac

size

0x00000084

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008ebac

size

0x00000084

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008ebac

size

0x00000084

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0008ec30

size

0x00000398

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (13 events)

Time & API	Arguments	Status	Return
Process32NextW March 15, 2024, 7 a.m.	snapshot_handle: 0x000000b8 process_name: mobsync.exe process_identifier: 536	1	1
Process32NextW March 15, 2024, 7 a.m.	snapshot_handle: 0x000000b8 process_name: pw.exe process_identifier: 1872	1	1
Process32NextW March 15, 2024, 7 a.m.	snapshot_handle: 0x000000b8 process_name: wsqmcons.exe process_identifier: 880	1	1
Process32NextW March 15, 2024, 7 a.m.	snapshot_handle: 0x000000b8 process_name: taskhost.exe process_identifier: 2040	1	1
Process32NextW March 15, 2024, 7 a.m.	snapshot_handle: 0x000000b8 process_name: sdclt.exe process_identifier: 1792	1	1
Process32NextW March 15, 2024, 7 a.m.	snapshot_handle: 0x000000b8 process_name: cmd.exe process_identifier: 1532	1	1
Process32NextW March 15, 2024, 7 a.m.	snapshot_handle: 0x000000b8 process_name: SearchProtocolHost.exe process_identifier: 1720	1	1
Process32NextW March 15, 2024, 7 a.m.	snapshot_handle: 0x000000b8 process_name: conhost.exe process_identifier: 316	1	1
Process32NextW March 15, 2024, 7 a.m.	snapshot_handle: 0x000000b8 process_name: SearchFilterHost.exe process_identifier: 1608	1	1
Process32NextW March 15, 2024, 7 a.m.	snapshot_handle: 0x000000b8 process_name: Xzserver.exe process_identifier: 1460	1	1
Process32NextW March 15, 2024, 7 a.m.	snapshot_handle: 0x000000b8 process_name: pw.exe process_identifier: 2052	1	1
Process32NextW March 15, 2024, 7 a.m.	snapshot_handle: 0x000000b8 process_name: pw.exe process_identifier: 7471220		0
Process32NextW March 15, 2024, 7 a.m.	snapshot_handle: 0x00000100 process_name: pw.exe process_identifier: 6684769		0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 15, 2024, 7 a.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 434176 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00031000', u'virtual_address': u'0x00025000', u'entropy': 6.916460607775499, u'name': u'.data', u'virtual_size': u'0x00032988'}

entropy

6.91646060778

description

A section with a high entropy has been found

entropy

0.345070422535

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

xzserver.exe

Communicates with host for which no DNS query was performed (1 event)

host

1.92.90.232

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXX4FBB9E52

reg_value

C:\Windows\XXXXXX4FBB9E52\svchsot.exe

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 15, 2024, 7 a.m.	stacktrace: Host+0x155 @ 0x10002c05 exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45 exception.instruction: in eax, dx exception.exception_code: 0xc0000096 exception.symbol: Host-0x1268 exception.address: 0x10001848 registers.esp: 1637344 registers.edi: 1638040 registers.eax: 1447909480 registers.ebp: 1637396 registers.edx: 22104 registers.ebx: 0 registers.esi: 1971270869 registers.ecx: 10	1	0	0

Creates known Zegost files, registry changes and/or mutexes (1 event)

mutex

AAAAAArr2msb2mr72xsLGpp6+vr58=

File has been identified by 68 AntiVirus engines on VirusTotal as malicious (50 out of 68 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.lNr1
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Aksula.A
Skyhigh	GenericRXER-EK!6A7DBF9CF7F2
ALYac	Gen:Trojan.Redosdru.!o!.1
Cylance	unsafe
VIPRE	Gen:Trojan.Redosdru.!o!.1
Sangfor	Suspicious.Win32.Save.ins
K7AntiVirus	Trojan ( 0055e3e41 )
BitDefender	Gen:Trojan.Redosdru.!o!.1
K7GW	Trojan ( 0055e3e41 )
Cybereason	malicious.cf7f21
Arcabit	Trojan.Redosdru.!o!.1
Baidu	Win32.Trojan.Dialer.a
VirIT	Backdoor.Win32.Generic.BAA
Symantec	SMG.Heur!gen
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Farfli.XB
APEX	Malicious
McAfee	GenericRXER-EK!6A7DBF9CF7F2
Avast	Win32:Dropper-JQQ [Drp]
ClamAV	Win.Malware.Generickdz-6957625-0
Kaspersky	Trojan-Spy.Win32.Agent.cdfh
Alibaba	TrojanDownloader:Win32/Farfli.add155f9
NANO-Antivirus	Trojan.Win32.Dwn.rkaxu
MicroWorld-eScan	Gen:Trojan.Redosdru.!o!.1
Rising	Backdoor.Zegost!1.9CDE (CLASSIC)
Emsisoft	Gen:Trojan.Redosdru.!o!.1 (B)
F-Secure	Backdoor.BDS/Zegost.bmnya
DrWeb	Trojan.DownLoader5.49351
Zillya	Trojan.Dialer.Win32.12199
TrendMicro	BKDR_ZEGOST.SM34
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.6a7dbf9cf7f21fd9
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Dialer
Jiangmin	TrojanSpy.Agent.tst
Webroot	W32.Trojan.Gen
Google	Detected
Avira	BDS/Zegost.bmnya
MAX	malware (ai score=85)
Antiy-AVL	Trojan[Spy]/Win32.Agent.cdfh
Kingsoft	malware.kb.a.1000
Gridinsoft	Trojan.Win32.Gen.tr
Xcitium	TrojWare.Win32.Kryptik.BHFS@56cp6y
Microsoft	Backdoor:Win32/Farfli!pz
ViRobot	Trojan.Win32.A.Agent.430080.A
ZoneAlarm	Trojan-Spy.Win32.Agent.cdfh

Xzserver.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All