Summary | ZeroBOX

svchost.exe

Malicious Library VMProtect UPX PE64 PE File
Category FILE
Machine s1_win7_x6401
Started Oct. 13, 2021, 7:43 p.m.
Completed Oct. 13, 2021, 7:45 p.m.
Size 6.0MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 340d0f2a160733b307bbe9434dd8b701
SHA256 af277cb89f2f2144810957f7ae9fa55f6df4bb097780a8e36d8d97d1c9cec0d3
CRC32 0F4130F9
ssdeep 98304:yqlTteVpNQ2bDCrDzXxoez8Z4pgw93f4lwc/IqEvQP/ghRinibYB8:JlTsWTxLRwlbYQP/g+ib
Yara
  • IsPE64 - (no description)
  • VMProtect_Zero - VMProtect packed file
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated
IsDebuggerPresent 0 0
section text
section data
section .vmp0
section .vmp1
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
exception.instruction_r: 90 68 6c c1 03 87 e8 8e a9 12 00 68 01 5d c6 76
exception.instruction: nop
exception.module: svchost.exe
exception.exception_code: 0x80000004
exception.offset: 10082733
exception.address: 0x14099d9ad
registers.r14: 0
registers.r15: 0
registers.rcx: 3735929054
registers.rsi: 0
registers.r10: 3379073877
registers.rbx: 0
registers.rsp: 4390992
registers.r11: 84
registers.r8: 655420
registers.r9: 43840
registers.rdx: 361
registers.r12: 0
registers.rbp: 4390704
registers.rdi: 0
registers.rax: 2157714738
registers.r13: 0
1 0 0
section .vmp1 (size_of_data 0x005f2e00, virtual_address 0x00505000, virtual_size 0x005f2c80, entropy 7.918376329034214) description A section with a high entropy has been found
entropy 0.999671781406 description Overall entropy of this PE file is high
section .vmp0 description Section name indicates VMProtect
section .vmp1 description Section name indicates VMProtect
Lionic Trojan.Win32.Bulz.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Bulz.475950
FireEye Generic.mg.340d0f2a160733b3
ALYac Gen:Variant.Bulz.475950
Malwarebytes Malware.AI.3978763394
K7AntiVirus Riskware ( 0040eff71 )
K7GW Riskware ( 0040eff71 )
Symantec Trojan.Gen.MBT
APEX Malicious
BitDefender Gen:Variant.Bulz.475950
Avast Win64:Malware-gen
Ad-Aware Gen:Variant.Bulz.475950
Emsisoft Gen:Variant.Bulz.475950 (B)
McAfee-GW-Edition BehavesLike.Win64.Injector.tc
Sophos Generic ML PUA (PUA)
Microsoft Trojan:Win32/Tnega!ml
GData Gen:Variant.Bulz.475950
Cynet Malicious (score: 100)
McAfee Artemis!340D0F2A1607
MAX malware (ai score=85)
TrendMicro-HouseCall TROJ_GEN.R002H09IJ21
SentinelOne Static AI - Suspicious PE
Fortinet W32/PossibleThreat
AVG Win64:Malware-gen
CrowdStrike win/malicious_confidence_80% (W)