Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe
11.15 01:11
msf.exe
11.15 01:11
lum250.exe
11.15 01:11
msf443.exe
11.13 04:11
hello.exe
11.13 03:11
espsemhvcioff.exe
11.13 02:11
Geek_se.exe
11.13 02:11
cred64.dll
11.13 02:11
svhost.exe

Latest News
11.15 04:11
[CEO 보안칼럼] “다윗은 언제나 골리...
11.15 04:11
자민경 달팽이 크림, PX 누적 판매 1...
11.15 04:11
라쿠텐·쉽너지, 일본 역직구 판매자 위한...
11.15 04:11
명지대, 서울마이칼리지 점프업 사업 ‘서...
11.15 04:11
JioStar Eyes India Str...
11.15 04:11
Meta to Appeal Orders ...
11.15 04:11
Bitfinex Hacker Senten...
11.15 04:11
KISA, ‘그놈 목소리’를 학습한 AI...
11.15 04:11
Android Malware & ...
11.15 03:11
국내 최대 애니메이션 X 게임 축제 'A...

Summary | ZeroBOX

.svchost.exe

Generic Malware Malicious Packer UPX PE32 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 4, 2021, 5:03 p.m.	Aug. 4, 2021, 5:05 p.m.

Size	261.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`177cda5816d2c89f89a888d821b7cfdc`
SHA256	`0d9b27baeb38f29add3246d1e1a58bd197269176f0a7a79f062efbc21b0ccf6d`
CRC32	`99D86F49`
ssdeep	`1536:taUdNqn30JarWf4YPubvlMiH0giPHfUHT6WW5jUqFSAapUf4y:Js3SmKimPHfg/3gv`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file IsPE32 - (no description)

.svchost.exe "C:\Users\test22\AppData\Local\Temp\.svchost.exe"
872

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 4, 2021, 5:03 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d72000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Aug. 4, 2021, 5:03 p.m.	process_identifier: 872 region_size: 57344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_TRADITIONAL

offset

0x00038300

size

0x00000314

File has been identified by 8 AntiVirus engines on VirusTotal as malicious (8 events)

Elastic	malicious (high confidence)
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
BitDefenderTheta	Gen:NN.ZevbaF.34058.qm1@amSSyYob
APEX	Malicious
Cynet	Malicious (score: 100)
SentinelOne	Static AI - Suspicious PE
CrowdStrike	win/malicious_confidence_70% (W)

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 4, 2021, 5:03 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00440000 process_handle: 0xffffffff	1	0	0