Summary | ZeroBOX

vvglma

ELF AntiVM AntiDebug
Category: FILE
Machine: s1_win7_x6403_us
Started: Dec. 11, 2022, 3:56 p.m.
Completed: Dec. 11, 2022, 3:58 p.m.
Size: 178.4KB
Type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
MD5: 8fbfd27bf0d03b04e409876711ae1925
SHA256: b834031099391abd42f95f8015f800844d6ea957031e8119bf6d01a186d2b4d3
CRC32: 228EA3A6
ssdeep: 3072:1y2nr8o8yeL+/NzVIknxi5fkfQdDf2GBlLZalWJAAd3R03g10fPOLVPz8oJU3X:X8Geme2w5fsQTlkWJAAd3R0wEPOLVPzu
Yara
  • IsELF - Executable and Linking Format executable file (Linux/Unix)

Hosts (Name / Response / Post-Analysis Lookup)
No hosts contacted.

IP addresses (IP Address / Status / Action)
164.124.101.2  Active  Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
file c:\program files\mozilla firefox\firefox.exe
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx
  Status: 1, Return: 1, Repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory
  process_identifier: 2208
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x744b0000
  process_handle: 0xffffffff
  Status: 1, Return: 0, Repeated: 0

NtProtectVirtualMemory
  process_identifier: 2208
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x74191000
  process_handle: 0xffffffff
  Status: 1, Return: 0, Repeated: 0

NtProtectVirtualMemory
  process_identifier: 2208
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x74521000
  process_handle: 0xffffffff
  Status: 1, Return: 0, Repeated: 0

NtProtectVirtualMemory
  process_identifier: 2208
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x743a1000
  process_handle: 0xffffffff
  Status: 1, Return: 0, Repeated: 0

NtProtectVirtualMemory
  process_identifier: 2208
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x74091000
  process_handle: 0xffffffff
  Status: 1, Return: 0, Repeated: 0

NtProtectVirtualMemory
  process_identifier: 2208
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x74371000
  process_handle: 0xffffffff
  Status: 1, Return: 0, Repeated: 0

NtProtectVirtualMemory
  process_identifier: 2208
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x75291000
  process_handle: 0xffffffff
  Status: 1, Return: 0, Repeated: 0

NtProtectVirtualMemory
  process_identifier: 2208
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x726e1000
  process_handle: 0xffffffff
  Status: 1, Return: 0, Repeated: 0

NtProtectVirtualMemory
  process_identifier: 2208
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x74301000
  process_handle: 0xffffffff
  Status: 1, Return: 0, Repeated: 0
Matched rules (rule: description)
  DebuggerCheck__GlobalFlags: (no description)
  DebuggerCheck__QueryInfo: (no description)
  DebuggerHiding__Thread: (no description)
  DebuggerHiding__Active: (no description)
  ThreadControl__Context: (no description)
  SEH__vectored: (no description)
  anti_dbg: Checks if being debugged
  disable_dep: Bypass DEP

Registry keys
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\EDITPLUS.EXE
  HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Mozilla Thunderbird\Capabilities\Hidden
Process injection: Process 2060 resumed a thread in remote process 2208

Time & API Arguments Status Return Repeated

NtResumeThread
  thread_handle: 0x00000290
  suspend_count: 1
  process_identifier: 2208
  Status: 1, Return: 0, Repeated: 0
Antivirus results (engine, detection)
Elastic Linux.Trojan.Gafgyt
MicroWorld-eScan Gen:Variant.Trojan.Linux.Gafgyt.5
FireEye Gen:Variant.Trojan.Linux.Gafgyt.5
McAfee Linux/Gafgyt.u
VIPRE Gen:Variant.Trojan.Linux.Gafgyt.5
Arcabit Trojan.Trojan.Linux.Gafgyt.5
VirIT Linux.BackDoor.Fgt.LX
Cyren E64/Gafgyt.C.gen!Camelot
ESET-NOD32 a variant of Linux/Gafgyt.AEA
TrendMicro-HouseCall Backdoor.Linux.GAFGYT.SMMR1
Avast ELF:Agent-AYQ [Trj]
ClamAV Unix.Trojan.Gafgyt-6981154-0
Kaspersky HEUR:Backdoor.Linux.Gafgyt.az
BitDefender Gen:Variant.Trojan.Linux.Gafgyt.5
Tencent Trojan.Linux.Mirai.tqe
Ad-Aware Gen:Variant.Trojan.Linux.Gafgyt.5
Sophos Linux/DDoS-BI
DrWeb Linux.Siggen.9999
TrendMicro Backdoor.Linux.GAFGYT.SMMR1
McAfee-GW-Edition Linux/Gafgyt.u
Emsisoft Gen:Variant.Trojan.Linux.Gafgyt.5 (B)
Ikarus Trojan.Linux.Gafgyt
Avast-Mobile ELF:DDoS-S [Trj]
Antiy-AVL Trojan[Backdoor]/Linux.Gafgyt.AMV
Microsoft Backdoor:Linux/DemonBot.Aa!MTB
ZoneAlarm HEUR:Backdoor.Linux.Gafgyt.az
GData Linux.Trojan.Gafgyt.B
Google Detected
AhnLab-V3 Linux/Gafgyt.Gen9
BitDefenderTheta Gen:NN.Mirai.36106
ALYac Gen:Variant.Trojan.Linux.Gafgyt.5
MAX malware (ai score=84)
Rising Backdoor.Gafgyt/Linux!1.CD3E (CLASSIC)
SentinelOne Static AI - Malicious ELF
Fortinet ELF/Mirai.AYU!tr
AVG ELF:Agent-AYQ [Trj]