Summary | ZeroBOX

md1_1eaf.exe

VMProtect PE32 PE File
Category FILE
Machine s1_win7_x6401
Started June 23, 2021, 9:04 a.m.
Completed June 23, 2021, 9:06 a.m.
Size 725.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0f3560389b1ca2df45c12958c4f1c58e
SHA256 489e46fa54d173eef788b5a954f2f99157652f506298b551015174ef1e38b005
CRC32 E0E6D369
ssdeep 12288:r1z+Y38koYW/BFq/AnoIte43zGjiZksGELPeQ8YIO8:xz+Y38kzW/B9n5ttZasGEay8
Yara
  • PE_Header_Zero - PE File Signature
  • VMProtect_Zero - VMProtect packed file
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status
164.124.101.2 Active

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .vmp0
section .vmp1
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
md1_1eaf+0x4621 @ 0x404621
md1_1eaf+0x117e @ 0x40117e
md1_1eaf+0x95640 @ 0x495640
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: ff 50 0c 50 8b ce e8 c1 31 00 00 8b c6 5e 5d c2
exception.symbol: md1_1eaf+0x45e6
exception.instruction: call dword ptr [eax + 0xc]
exception.module: md1_1eaf.exe
exception.exception_code: 0xc0000005
exception.offset: 17894
exception.address: 0x4045e6
registers.esp: 1638132
registers.edi: 26
registers.eax: 0
registers.ebp: 1638136
registers.edx: 2130566132
registers.ebx: 34
registers.esi: 5327628
registers.ecx: 5327444
Status 1 Return 0 Repeated 0
section .vmp1 (size_of_data 0x000b5000, virtual_address 0x00130000, virtual_size 0x000b4f5c, entropy 7.948070530262025) entropy 7.94807053026 description A section with a high entropy has been found
entropy 0.999309868875 description Overall entropy of this PE file is high
section .vmp0 description Section name indicates VMProtect
section .vmp1 description Section name indicates VMProtect
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.46526255
McAfee RDN/Generic.rp
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Alibaba TrojanPSW:Win32/Generic.4fcc5b37
Cybereason malicious.ba2a99
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/PSW.Agent.OLG
APEX Malicious
Paloalto generic.ml
Kaspersky Trojan-Banker.Win32.Passteal.lq
BitDefender Trojan.GenericKD.46526255
Ad-Aware Trojan.GenericKD.46526255
Emsisoft Trojan.GenericKD.46526255 (B)
F-Secure Heuristic.HEUR/AGEN.1114952
McAfee-GW-Edition BehavesLike.Win32.Generic.bc
FireEye Generic.mg.0f3560389b1ca2df
Sophos Generic ML PUA (PUA)
GData Trojan.GenericKD.46526255
eGambit Unsafe.AI_Score_94%
Avira HEUR/AGEN.1114952
Kingsoft Win32.Troj.Banker.(kcloud)
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm Trojan-Banker.Win32.Passteal.lq
Microsoft Trojan:Win32/Wacatac.B!ml
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.C4524180
BitDefenderTheta Gen:NN.ZexaF.34758.TyW@a4qHnhm
MAX malware (ai score=84)
Rising Trojan.Generic@ML.95 (RDML:ffsBpWagsfu/7ThmRExy/w)
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Passteal.LQ!tr
Webroot W32.Trojan.Gen
AVG Win32:Trojan-gen
Avast Win32:Trojan-gen
CrowdStrike win/malicious_confidence_100% (W)