Summary | ZeroBOX

.svchost.exe

Tags: UPX, Malicious Library, GIF Format, PE64, .NET DLL, PNG Format, PE File, DLL, PE32
Category FILE
Machine s1_win7_x6401
Started May 20, 2022, 10:33 a.m.
Completed May 20, 2022, 10:51 a.m.
Size 641.9KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 ac5b584f655fe8280f459f224cc7fdfb
SHA256 790d6dc689fab0f9bde9560c06f27fcfa6a146c87bc4ffd412847b0723b0c276
CRC32 237F842A
ssdeep 12288:g3LA8X9TfpyOIm4i5CPnRp3VuQDYA0XZmbZuUkWhUs1NBS2:g3M8XlfwLi5CJp3wQEA4mwRGNc2
Yara
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.

IP Address Status Action
103.176.113.85 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1, return: 1, repeated: 0
section .ndata
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
Int64Op+0x12e0 system+0x2c59 @ 0x74302c59
Call+0x77 Int64Op-0xeb system+0x188e @ 0x7430188e
+0x2166 @ 0x402166
+0x13a8 @ 0x4013a8
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: 81 7e 2c 33 33 33 33 74 11 6a 57 ff 15 0c 10 2e
exception.instruction: cmp dword ptr [esi + 0x2c], 0x33333333
exception.exception_code: 0xc0000005
exception.symbol: CryptDestroyHash+0x1d CryptSignHashW-0x168 cryptsp+0x59a2
exception.address: 0x742e59a2
registers.esp: 60423040
registers.edi: 1949308951
registers.eax: 60423076
registers.ebp: 60423092
registers.edx: 0
registers.ebx: 0
registers.esi: 41
registers.ecx: 1982324582
status: 1, return: 0, repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73a52000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74305000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2792
region_size: 1114112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03a20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0
file C:\Users\test22\AppData\Local\Temp\clretwrc.dll
file C:\Users\test22\AppData\Local\Temp\CALCIFUGAL.lnk
file C:\Users\test22\AppData\Local\Temp\lang-1109.dll
file C:\Users\test22\AppData\Local\Temp\SharpDX.DXGI.dll
file C:\Users\test22\AppData\Local\Temp\nsaE2BF.tmp\System.dll
file C:\Users\test22\AppData\Local\Temp\lang-1026.dll
file C:\Users\test22\AppData\Local\Temp\Newtonsoft.Json.dll
file C:\Users\test22\AppData\Local\Temp\unmg.dll
host 103.176.113.85
Bkav W32.AIDetect.malware2
Lionic Trojan.Win32.GuLoader.a!c
MicroWorld-eScan Trojan.GenericKD.50310877
FireEye Trojan.GenericKD.50310877
ALYac Trojan.GenericKD.50310877
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 005903451 )
Alibaba TrojanDownloader:Win32/GuLoader.cdb60e59
K7GW Trojan ( 005903451 )
Cybereason malicious.2817ab
Cyren W32/Trojan.HVNA-9307
Symantec Trojan.Gen.2
Elastic malicious (high confidence)
ESET-NOD32 NSIS/Injector.ASH
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan-Downloader.Win32.GuLoader.gen
BitDefender Trojan.GenericKD.50310877
Avast FileRepMalware [Misc]
Tencent Win32.Trojan-downloader.Guloader.Lnxz
Ad-Aware Trojan.GenericKD.50310877
Emsisoft Trojan.GenericKD.50310877 (B)
McAfee-GW-Edition BehavesLike.Win32.Dropper.jc
Sophos Mal/Generic-S
Jiangmin Trojan.Fsysna.niv
Webroot W32.Trojan.Gen
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Script/Phonzy.C!ml
GData Trojan.GenericKD.50310877
AhnLab-V3 Trojan/Win.Wacatac.C5133102
McAfee Artemis!AC5B584F655F
MAX malware (ai score=85)
TrendMicro-HouseCall TROJ_GEN.R002H0DEJ22
Ikarus Trojan.MSIL.Inject
AVG FileRepMalware [Misc]