Summary | ZeroBOX

taskhostclp.exe

Tags MPRESS, UPX, PE64, PE File

Category FILE
Machine s1_win7_x6403_us
Started Aug. 2, 2023, 9:52 a.m.
Completed Aug. 2, 2023, 10:11 a.m.
Size 4.0MB
Type MS-DOS executable, MZ for MS-DOS (the file-type string reflects only the DOS header; the PE64 tag and the IsPE64 Yara match below identify the file as a 64-bit PE)
MD5 3258deefff3ca70f3dfa3e67067ca611
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
CRC32 C8370839
ssdeep 98304:kIk6g0kDf8CFjiD+THrrTfmqWAfheTYC521KuM96+/xnVA:3K0skC1k+THrrTf/c5ekwgVA
Yara
  • UPX_Zero - UPX packed file
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature
  • MPRESS_Zero - MPRESS packed file

DNS lookups (Name / Response / Post-Analysis Lookup): No hosts contacted.
IP traffic (IP Address / Status / Action): No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .MPRESS1
section .MPRESS2
resource name WAV
API call log (Time & API / Arguments / Status / Return / Repeated); the only recorded entry is the exception below:

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77710895
stacktrace+0x84 memdup-0x1af @ 0x749a0470
hook_in_monitor+0x45 lde-0x133 @ 0x749942ea
New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x749b3603
VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefdc03243
VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefdc031fb
taskhostclp+0x1fcb05 @ 0x36cb05
GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76fc2ef0
taskhostclp+0x7ccfff @ 0x93cfff
GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76fc2ef0
taskhostclp+0x93e000 @ 0xaae000
taskhostclp+0x1000 @ 0x171000
taskhostclp+0x7c93ec @ 0x9393ec
0x7fffffd6000
taskhostclp+0x93f085 @ 0xaaf085
0x7fffffd6000

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x77710895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 14742776
registers.rsi: 11198464
registers.r10: 0
registers.rbx: 1996238576
registers.rsp: 14745096
registers.r11: 514
registers.r8: 64
registers.r9: 4
registers.rdx: 14744120
registers.r12: 0
registers.rbp: 0
registers.rdi: 1507695
registers.rax: 14742456
registers.r13: 0
Status 1 Return 0 Repeated 0

The instruction bytes at the fault decode to fxsave [rcx+0x100] followed by movaps [rcx+0x1a0], xmm0, the part of RtlCaptureContext that stores the FPU/SSE state into the caller's CONTEXT buffer. With rcx = 14742776 (0xe0f4f8) the fxsave target is 0xe0f5f8, which is 8 bytes short of the 16-byte alignment that fxsave and movaps require, so the CPU faults and Windows reports STATUS_ACCESS_VIOLATION (0xc0000005). The stack shows the fault inside the monitor's own stack capture (New_ntdll_NtProtectVirtualMemory -> hook_in_monitor -> stacktrace -> RtlCaptureContext) while handling a VirtualProtect call from taskhostclp+0x1fcb05: the exception is raised in the instrumentation path while the monitor walked the stack, not by the sample's own code. A page-protection change issued by the sample this early is consistent with the MPRESS unpacking stub rewriting its own image.
name WAV language LANG_PORTUGUESE filetype empty sublanguage SUBLANG_PORTUGUESE offset 0x008524a8 size 0x0001f934
section .MPRESS1: size_of_data 0x00400400, virtual_address 0x00001000, virtual_size 0x0093e000, entropy 7.999958125267896 description A section with a high entropy has been found (the section unpacks into a virtual size more than twice its raw size, which together with the MPRESS_Zero and UPX_Zero Yara matches and the .MPRESS1/.MPRESS2 section names indicates a packed image)
entropy 0.996836982968 description Overall entropy of this PE file is high
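As an added example (not part of the ZeroBOX report and not code from the sample), the following Python reproduces the two static checks the report applies to .MPRESS1: per-section Shannon entropy and the ratio of virtual size to raw size, with the PE32/PE32+ magic read along the way. It parses the section table with struct only, so it runs offline. The thresholds HIGH_ENTROPY_BITS and INFLATION_RATIO, the normalisation of overall entropy by 8 to match the 0..1 scale of the "Overall entropy" line, and the synthetic PE32+ image built by build_sample_pe() are assumptions constructed for the demonstration, not data taken from the sample.

```python
import math
import struct

# Thresholds used by this added example (assumptions, not ZeroBOX's own values).
HIGH_ENTROPY_BITS = 7.5   # Shannon entropy in bits/byte; 8.0 is the maximum
INFLATION_RATIO = 2.0     # virtual_size / size_of_data; a packer reserves room to unpack in place


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table (PE32 and PE32+)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    # COFF: Machine(2) NumberOfSections(2) TimeDateStamp(4) PtrSymTab(4) NumSyms(4)
    #       SizeOfOptionalHeader(2) Characteristics(2)
    n_sections, opt_size = struct.unpack_from("<2xH12xH2x", pe, coff)
    magic = struct.unpack_from("<H", pe, coff + 20)[0]          # first field of the optional header
    kind = {0x10B: "PE32 (32-bit)", 0x20B: "PE32+ (64-bit)"}.get(magic, "unknown magic 0x%x" % magic)
    sections = []
    off = coff + 20 + opt_size
    for _ in range(n_sections):
        (name, vsize, vaddr, rsize, rptr, _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "size_of_data": rsize, "raw_ptr": rptr, "characteristics": chars,
        })
        off += 40
    return kind, sections


def analyse(pe: bytes) -> dict:
    """Apply the two packing heuristics from the report to every section."""
    kind, sections = parse_pe(pe)
    packed = []
    for s in sections:
        data = pe[s["raw_ptr"]:s["raw_ptr"] + s["size_of_data"]]
        s["entropy"] = shannon_entropy(data)
        reasons = []
        if s["entropy"] >= HIGH_ENTROPY_BITS:
            reasons.append("entropy %.4f >= %.1f" % (s["entropy"], HIGH_ENTROPY_BITS))
        if s["size_of_data"] and s["virtual_size"] / s["size_of_data"] >= INFLATION_RATIO:
            reasons.append("virtual_size 0x%x is %.1fx size_of_data 0x%x"
                           % (s["virtual_size"], s["virtual_size"] / s["size_of_data"], s["size_of_data"]))
        if reasons:
            packed.append((s["name"], reasons))
    return {
        "kind": kind,
        "overall_entropy": shannon_entropy(pe) / 8.0,   # normalised to 0..1 like the "Overall entropy" line (assumed scale)
        "sections": sections,
        "packed_sections": packed,
    }


def build_sample_pe() -> bytes:
    """Constructed PE32+ stand-in (not the real sample): one inflated high-entropy section, one plain one."""
    opt_size = 240
    first_raw = 0x400
    packed = bytes(range(256)) * 16          # 4096 bytes, every value equally frequent -> entropy exactly 8.0
    plain = b"\xcc" * 4096                    # 4096 identical bytes -> entropy 0.0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)              # only Magic matters to parse_pe
    sec = "<8sIIIIIIHHI"
    s1 = struct.pack(sec, b".MPRESS1", 0x20000, 0x1000, len(packed), first_raw, 0, 0, 0, 0, 0xE0000060)
    s2 = struct.pack(sec, b".MPRESS2", 0x1000, 0x21000, len(plain), first_raw + len(packed), 0, 0, 0, 0, 0xE0000060)
    header = dos + coff + opt + s1 + s2
    return header + b"\0" * (first_raw - len(header)) + packed + plain


if __name__ == "__main__":
    report = analyse(build_sample_pe())
    print(report["kind"], "overall entropy %.4f" % report["overall_entropy"])
    for name, reasons in report["packed_sections"]:
        print(name, "->", "; ".join(reasons))
```

Pointing analyse() at the real file (open(path, "rb").read()) should flag .MPRESS1 on both counts given the values in this report (entropy close to 8 and a virtual size about 2.3x the raw size), and the PE32+ magic it reads resolves the "MS-DOS executable" file-type line, which only reflects the DOS header.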
Antivirus results (vendor, detection name). Most entries are generic or ML verdicts; the family-specific names agree on a clipboard-hijacking clipper: Trojan-Banker.Win32.ClipBanker (Kaspersky, ZoneAlarm), Trojan-Spy.LaplasClipper (Ikarus), Malware.Win64.Laplas.bot (Gridinsoft), TR/Spy.Banker (Avira).

Bkav W32.Common.0866F2AF
MicroWorld-eScan Trojan.GenericKD.68420277
Sangfor Trojan.Win32.Gencbl.Vdk8
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Generic.D41402B5
Cyren W64/ABRisk.JATR-4766
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/GenCBL.DLB
APEX Malicious
Cynet Malicious (score: 99)
Kaspersky Trojan-Banker.Win32.ClipBanker.yzr
BitDefender Trojan.GenericKD.68420277
Avast Win64:PWSX-gen [Trj]
Tencent Win32.Trojan.FalseSign.Hjgl
Emsisoft Trojan.GenericKD.68420277 (B)
McAfee-GW-Edition Artemis
Trapmine malicious.high.ml.score
FireEye Generic.mg.3258deefff3ca70f
Sophos Mal/Generic-S
Avira TR/Spy.Banker.bzgeb
MAX malware (ai score=83)
Antiy-AVL Trojan/Win32.GenCBL
Gridinsoft Malware.Win64.Laplas.bot
Microsoft Trojan:Win32/Malgent!MSR
ZoneAlarm Trojan-Banker.Win32.ClipBanker.yzr
GData Trojan.GenericKD.68420277
Google Detected
McAfee Artemis!3258DEEFFF3C
Cylance unsafe
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002H0DGT23
Rising Trojan.GenCBL!8.12138 (CLOUD)
Ikarus Trojan-Spy.LaplasClipper
Fortinet W32/Agent.A611!tr
AVG Win64:PWSX-gen [Trj]
DeepInstinct MALICIOUS