Summary | ZeroBOX

conhost.exe

UPX PE64 PE File
Category FILE
Machine s1_win7_x6401
Started Sept. 14, 2021, 3:53 p.m.
Completed Sept. 14, 2021, 3:56 p.m.
Size 125.5KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 86ec1c19a29d25b109102faa921c7796
SHA256 a390e37424852274a627183769d43e7015e88fbb02e54d1b2b8367abdc18ec7e
CRC32 77C52025
ssdeep 3072:6S5MV1iKq6X2yFaw98p+jcgkLXYlfr/gmSEYLVi:6SnYFaw98p+AjLYtgmSxM
Yara
  • UPX_Zero - UPX packed file
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
xmr.f2pool.com 203.107.32.162
IP Address Status Action
154.91.1.118 Active Moloch
164.124.101.2 Active Moloch
203.107.32.162 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features Connection to IP address suspicious_request GET http://154.91.1.118/WinRing0x64.sys
suspicious_features Connection to IP address suspicious_request GET http://154.91.1.118/java.exe
request GET http://154.91.1.118/WinRing0x64.sys
request GET http://154.91.1.118/java.exe
description conhost.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds
file C:\Users\test22\AppData\Local\Temp\java.exe
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZ ... "This program cannot be run in DOS mode." ... Rich ... PE ... sections .text .rdata .data .pdata INIT .rsrc (non-printable bytes of the PE header omitted)
request_handle: 0x0000000000cc000c
1 1 0

InternetReadFile

buffer: MZ ... "This program cannot be run in DOS mode." ... Rich ... PE ... sections UPX0 UPX1 .rsrc ... 3.94 ... UPX! (non-printable bytes of the PE header omitted)
request_handle: 0x0000000000cc000c
1 1 0
section UPX1 (size_of_data 0x0001ee00, virtual_address 0x00036000, virtual_size 0x0001f000, entropy 7.990786737437224) entropy 7.99078673744 description A section with a high entropy has been found
entropy 0.991967871486 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

Process32NextW (39 calls; columns: snapshot_handle, process_name, process_identifier, then the Status/Return values as reported)

0x0000000000000294 java.exe 2256 0 0
0x0000000000000290 taskhost.exe 1204 0 0
0x0000000000000298 taskhost.exe 1204 0 0
0x000000000000029c taskhost.exe 1204 0 0
0x00000000000002a0 conhost.exe 1120 0 0
0x00000000000002a4 taskhost.exe 1204 0 0
0x00000000000002a8 taskhost.exe 1204 0 0
0x00000000000002ac taskhost.exe 1204 0 0
0x00000000000002b0 taskhost.exe 1204 0 0
0x00000000000002b4 taskhost.exe 1204 0 0
0x00000000000001ec taskhost.exe 1204 0 0
0x0000000000000220 taskhost.exe 1204 0 0
0x00000000000002b8 taskhost.exe 1204 0 0
0x00000000000002bc taskhost.exe 1204 0 0
0x00000000000002c0 taskhost.exe 1204 0 0
0x00000000000002c4 taskhost.exe 1204 0 0
0x00000000000002c8 taskhost.exe 1204 0 0
0x00000000000002cc taskhost.exe 1204 0 0
0x00000000000002d0 taskhost.exe 1204 0 0
0x00000000000002d4 taskhost.exe 1204 0 0
0x00000000000002d8 taskhost.exe 1204 0 0
0x00000000000002dc taskhost.exe 1204 0 0
0x00000000000002e0 taskhost.exe 1204 0 0
0x00000000000002e4 taskhost.exe 1204 0 0
0x00000000000002e8 taskhost.exe 1204 0 0
0x00000000000002ec taskhost.exe 1204 0 0
0x00000000000002f0 taskhost.exe 1204 0 0
0x00000000000002f4 taskhost.exe 1204 0 0
0x00000000000002f8 taskhost.exe 1204 0 0
0x00000000000002fc taskhost.exe 1204 0 0
0x0000000000000300 taskhost.exe 1204 0 0
0x0000000000000304 taskhost.exe 1204 0 0
0x0000000000000260 taskhost.exe 1204 0 0
0x0000000000000264 taskhost.exe 1204 0 0
0x0000000000000308 taskhost.exe 1204 0 0
0x000000000000030c taskhost.exe 1204 0 0
0x0000000000000310 taskhost.exe 1204 0 0
0x0000000000000314 taskhost.exe 1204 0 0
0x0000000000000318 taskhost.exe 1204 0 0
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
host 154.91.1.118
file C:\Users\test22\AppData\Local\Temp\java.exe
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 76 (SystemFirmwareTableInformation)
-1073741789 0
Lionic Trojan.Win64.Miner.4!c
Cynet Malicious (score: 100)
McAfee RDN/Generic Downloader.x
Malwarebytes Trojan.Downloader
Alibaba TrojanDownloader:Win64/Miner.082b4b06
K7GW Trojan-Downloader ( 005799521 )
K7AntiVirus Trojan-Downloader ( 005799521 )
Arcabit Trojan.Generic.D23D31A6
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Win64/TrojanDownloader.Agent.IY
APEX Malicious
Paloalto generic.ml
Kaspersky Trojan.Win64.Miner.anow
BitDefender Trojan.GenericKD.37564838
MicroWorld-eScan Trojan.GenericKD.37564838
Avast Win64:Trojan-gen
Ad-Aware Trojan.GenericKD.37564838
Sophos Mal/Generic-S
McAfee-GW-Edition BehavesLike.Win64.Dropper.cc
FireEye Generic.mg.86ec1c19a29d25b1
Emsisoft Trojan.GenericKD.37564838 (B)
Ikarus Trojan-Downloader.Win64.Agent
Avira TR/Dldr.Agent.avkgp
Gridinsoft Trojan.Win64.Downloader.sa
Microsoft Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm Trojan.Win64.Miner.anow
GData Trojan.GenericKD.37564838
ALYac Trojan.GenericKD.37564838
MAX malware (ai score=86)
Cylance Unsafe
Tencent Win64.Trojan-downloader.Agent.Edei
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Malicious_Behavior.SBX
AVG Win64:Trojan-gen
Panda Trj/CI.A