Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.21 02:09
random.exe
09.21 02:09
sdhsfd.exe
09.21 02:09
66edb89bc4073_crypted....
09.21 02:09
66ed33772bbe7_vdfhsjf1...
09.21 02:09
game.exe
09.21 02:09
66ebb3bf78bd6_Send.exe...
09.21 02:09
66ed33717e4c1_vfdshfda...
09.21 02:09
random.exe
09.21 02:09
66ed336eac985_vdfhssfd...
09.21 02:09
66ed7ef071886_crypted....

Latest News
09.21 05:09
Ausfallzeiten gegen nu...
09.21 05:09
There’s No Lower Spec ...
09.21 05:09
[PASCON 2024-영상] 박재민 엔...
09.21 04:09
[PASCON 2024-영상] SK쉴더스...
09.21 04:09
[PASCON 2024-영상] 윤영 익스...
09.21 03:09
[PASCON 2024] 옥타코 이재형 ...
09.21 03:09
[PASCON 2024] S2W 김재기 ...
09.21 02:09
[PASCON 2024-영상] 탈레스 “...
09.21 02:09
Get Your Lisp On With ...
09.21 02:09
Zombie Construction Si...

Summary | ZeroBOX

conhost.exe

UPX Malicious Library PE32 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 5, 2023, 7:40 a.m.	Oct. 5, 2023, 7:44 a.m.

Size	2.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`61783b2ff3dd193f54e4b5e01a43841d`
SHA256	`ebf59ab1dac230d1c4adf5739746d1c670574019ceec6a22cccdfd021aa4a7f1`
CRC32	`7FB09B38`
ssdeep	`49152:nQ5yD6fqkJ/FxK9K4iJtIyuKJQlC+hX/GmfNboj9GZ3GORb5:nQ5E6fqkJjaZytlJQ9hZNbeJOb`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description)

conhost.exe "C:\Users\test22\AppData\Local\Temp\conhost.exe"
2548

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 5, 2023, 7:40 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 5, 2023, 7:40 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 5, 2023, 7:40 a.m.	stacktrace: RtlpNtEnumerateSubKey+0x2a2b isupper-0x4e2b ntdll+0xcf559 @ 0x76fdf559 RtlpNtEnumerateSubKey+0x2b0b isupper-0x4d4b ntdll+0xcf639 @ 0x76fdf639 RtlUlonglongByteSwap+0xba5 RtlFreeOemString-0x20d35 ntdll+0x7df95 @ 0x76f8df95 free+0x39 memcpy-0x43 msvcrt+0x98cd @ 0x760b98cd conhost+0x13a9 @ 0x4013a9 conhost+0x115f @ 0x40115f conhost+0x6abc @ 0x406abc exception.instruction_r: eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff exception.symbol: RtlpNtEnumerateSubKey+0x1b25 isupper-0x5d31 ntdll+0xce653 exception.instruction: jmp 0x76fde667 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 845395 exception.address: 0x76fde653 registers.esp: 1636712 registers.edi: 1637248 registers.eax: 1636728 registers.ebp: 1636832 registers.edx: 0 registers.ebx: 0 registers.esi: 6422528 registers.ecx: 2147483647	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1	0	0

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Bkav	W32.AIDetectMalware
McAfee	Artemis!61783B2FF3DD
Malwarebytes	Trojan.Dropper
Cyren	W32/Dropper.EM.gen!Eldorado
Elastic	malicious (high confidence)
ESET-NOD32	Win32/Packed.7Zip.AI
ClamAV	Win.Keylogger.Gencbl-9969771-0
Kaspersky	UDS:DangerousObject.Multi.Generic
Trapmine	suspicious.low.ml.score
Sophos	Mal/Generic-S
Gridinsoft	Ransom.Win32.Wacatac.sa
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Microsoft	Trojan:Win32/Wacatac.B!ml
Cylance	unsafe
CrowdStrike	win/malicious_confidence_60% (W)