Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 16, 2024, 9:53 a.m.	June 16, 2024, 10:06 a.m.

Size	48.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`483fe860119307c2f9e2f7ed4caadc81`
SHA256	`acee72d648216217f6208a6d648767f06252a72aa3a8f4bf88de049eecb27c23`
CRC32	`94E295F7`
ssdeep	`768:zynb12Aw5J6HC4kq5Jp9bjAzhyY55J+NStcEeUlyqgZl4p67dhPC:Ub1MsHz3JDwhyWr+N95OTga6u`
Yara	Malicious_Library_Zero - Malicious_Library hide_executable_file - Hide executable file PE_Header_Zero - PE File Signature IsPE32 - (no description)

360setr.exe "C:\Users\test22\AppData\Local\Temp\360setr.exe"
2560
- cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\360setr.exe"
  2652
  - PING.EXE ping 127.0.0.1 -n 1
    2736

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
111.229.102.8	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (8 events)

Time & API	Arguments	Status	Return
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 16, 2024, 9:53 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Foreign language identified in PE resource (4 events)

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000b448

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000b448

size

0x00000128

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000b598

size

0x000001c6

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000b570

size

0x00000022

Creates executable files on the filesystem (1 event)

file	C:\Program Files (x86)\Google\25261313.dll

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA June 16, 2024, 9:53 a.m.	service_start_name: start_type: 2 password: display_name: Systerm Remocte Data Ssimfulation Ldayews filepath: C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k "Remoctds" service_name: Remoctds filepath_r: %SystemRoot%\System32\svchost.exe -k "Remoctds" desired_access: 983551 service_handle: 0x004948c8 error_control: 0 service_type: 272 service_manager_handle: 0x00494968	1	4802760	0

Creates a suspicious process (2 events)

cmdline	cmd.exe /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\360setr.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\360setr.exe"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\360setr.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 16, 2024, 9:53 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\360setr.exe" filepath: cmd.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 16, 2024, 9:53 a.m.	snapshot_handle: 0x000000b4 process_name: 360setr.exe process_identifier: 7536688		0	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd.exe /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\360setr.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\360setr.exe"
cmdline	ping 127.0.0.1 -n 1

Communicates with host for which no DNS query was performed (1 event)

host

111.229.102.8

Installs itself for autorun at Windows startup (2 events)

service_name	Remoctds				service_path	C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k "Remoctds"
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Remoctds\Parameters\ServiceDll				reg_value	C:\Program Files (x86)\Google\25261313.dll

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\360setr.exe

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.YoungLotus.4!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Younglotus.20397
ALYac	Dropped:Generic.Downloader.Nadrac.1.ACD8F610
Cylance	Unsafe
VIPRE	Dropped:Generic.Downloader.Nadrac.1.ACD8F610
Sangfor	Backdoor.Win32.Farfli.Vd4m
K7AntiVirus	Trojan ( 0055e3e41 )
K7GW	Trojan ( 0055e3e41 )
Cybereason	malicious.011930
VirIT	Backdoor.Win32.Generic.JUY
Symantec	SMG.Heur!gen
Elastic	malicious (high confidence)
ESET-NOD32	Win32/Farfli.BGW
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Dropper.Gh0stRAT-7073897-1
Alibaba	Backdoor:Win32/YoungLotus.6c2814ca
NANO-Antivirus	Trojan.Win32.YoungLotus.dpanmc
SUPERAntiSpyware	Trojan.Agent/Gen-Zusy
MicroWorld-eScan	Trojan.GenericKD.73138109
Emsisoft	Trojan.GenericKD.73138109 (B)
F-Secure	Trojan.TR/AD.Farfli.qqkhu
DrWeb	Trojan.DownLoader12.47777
McAfeeD	ti!ACEE72D64821
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.483fe860119307c2
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Farfli
Avira	TR/AD.Farfli.qqkhu
MAX	malware (ai score=84)
Antiy-AVL	Trojan/Win32.Farfli
Kingsoft	Win32.Trojan.YoungLotus.t
Gridinsoft	Trojan.Win32.Gen.tr
Xcitium	TrojWare.Win32.YoungLotus.TCM@5ruomd
Arcabit	Trojan.Generic.D45BFFBD
ViRobot	Trojan.Win.Z.Younglotus.49152.E
Microsoft	Backdoor:Win32/Venik!pz
AhnLab-V3	Trojan/Win32.Agent.R128989
BitDefenderTheta	Gen:NN.ZexaF.36806.dm0@aq6CFGjf
Malwarebytes	Malware.AI.4194114185
Zoner	Trojan.Win32.97590
TrendMicro-HouseCall	BKDR_ZEGOST.SM29
Tencent	Malware.Win32.Gencirc.10b39405
Fortinet	W32/Farfli.BGW!tr
Panda	Trj/Genetic.gen
CrowdStrike	win/malicious_confidence_100% (W)
alibabacloud	Backdoor:Win/Farfli

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (9 events)

dead_host	192.168.56.101:49169
dead_host	192.168.56.101:49166
dead_host	192.168.56.101:49168
dead_host	192.168.56.101:49165
dead_host	192.168.56.101:49175
dead_host	192.168.56.101:49174
dead_host	111.229.102.8:8938
dead_host	192.168.56.101:49173
dead_host	192.168.56.101:49172

360setr.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All