Summary | ZeroBOX

gate3.exe

Generic Malware VMProtect Anti_VM PE64 PE File
Category FILE
Machine s1_win7_x6401
Started July 29, 2024, 1:22 p.m.
Completed July 29, 2024, 1:53 p.m.
Size 2.6MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 1cbf0540443b57f70f8f09dfb0386d94
SHA256 559b465bc7a517cdac15770e26da966a6e3ffb6235ad949bc9e9a66c7dc656bb
CRC32 5D206DC9
ssdeep 49152:E8afu8EKK1U6JIdcaKhkzF7H21z2K6OwzcCHKg7Xa8ZBNe7p/mFDy9wH:E8awKK1U6JIdcar7WUKmBaKjeIUw
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • VMProtect_Zero - VMProtect packed file
  • anti_vm_detect - Possibly employs anti-virtualization techniques

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
142.250.196.238 Active Moloch
142.250.71.225 Active Moloch
193.42.32.118 Active Moloch
208.67.104.60 Active Moloch
94.142.138.113 Active Moloch
94.142.138.131 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section _RDATA
section .vmp0
section .vmp1
section .vmp2
resource name REGISTRY
resource name YSTREAM
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
gate3+0x5fead @ 0x13ff9fead
gate3+0x15c85b @ 0x14009c85b
gate3+0x26a11e @ 0x1401aa11e
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 48 f7 b4 24 d0 02 00 00 48 8b c2 48 89 84 24 d8
exception.symbol: gate3+0x5fead
exception.instruction: div qword ptr [rsp + 0x2d0]
exception.module: gate3.exe
exception.exception_code: 0xc0000094
exception.offset: 392877
exception.address: 0x13ff9fead
registers.r14: 0
registers.r15: 0
registers.rcx: 16478
registers.rsi: 0
registers.r10: 199611178449350
registers.rbx: 0
registers.rsp: 1506512
registers.r11: 1484528
registers.r8: 8796092882944
registers.r9: 5371188304
registers.rdx: 0
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 16478
registers.r13: 0
Status 1 Return 0 Repeated 0
Time & API Arguments Status Return Repeated

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Windows\System32\GroupPolicy
filepath: C:\Windows\System32\GroupPolicy
Status 1 Return 1 Repeated 0
section .vmp2 {size_of_data: 0x0027b800, virtual_address: 0x00402000, virtual_size: 0x0027b768, entropy: 7.896193927262063} entropy 7.89619392726 description A section with a high entropy has been found
section .rsrc {size_of_data: 0x0001b200, virtual_address: 0x00680000, virtual_size: 0x0004ed3c, entropy: 7.2309454342455375} entropy 7.23094543425 description A section with a high entropy has been found
entropy 0.996990784277 description Overall entropy of this PE file is high
section .vmp0 description Section name indicates VMProtect
section .vmp1 description Section name indicates VMProtect
section .vmp2 description Section name indicates VMProtect
host 142.250.196.238
host 142.250.71.225
host 193.42.32.118
host 208.67.104.60
host 94.142.138.113
host 94.142.138.131
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.Scar.1n!c
Elastic malicious (high confidence)
Cynet Malicious (score: 99)
ALYac Gen:Variant.Tedy.458860
Cylance Unsafe
VIPRE Gen:Variant.Tedy.458860
Sangfor Trojan.Win64.Kryptik.Vjtn
K7AntiVirus Trojan ( 005ac8ce1 )
BitDefender Trojan.GenericKD.73742914
K7GW Trojan ( 005ac8ce1 )
Cybereason malicious.0443b5
Arcabit Trojan.Tedy.D7006C
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win64/Kryptik.ECB
APEX Malicious
Avast Win64:Malware-gen
Kaspersky Trojan.Win32.Scar.ttjc
Alibaba Trojan:Win64/PrivateLoader.f8ffd255
NANO-Antivirus Trojan.Win64.Scar.kcnjzd
MicroWorld-eScan Trojan.GenericKD.73742914
Rising Trojan.Scar!8.33F (TFE:5:lvYFnyV57AB)
Emsisoft Trojan.GenericKD.73742914 (B)
F-Secure Trojan.TR/Crypt.XPACK.Gen
DrWeb Trojan.DownLoader46.24029
TrendMicro TROJ_GEN.R002C0DBQ24
McAfeeD ti!559B465BC7A5
FireEye Generic.mg.1cbf0540443b57f7
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Webroot W32.Malware.Gen
Google Detected
Avira TR/Crypt.XPACK.Gen
MAX malware (ai score=89)
Antiy-AVL Trojan/Win32.Scar
Kingsoft Win32.Troj.Unknown.a
Microsoft Trojan:Win64/PrivateLoader.AMAA!MTB
ViRobot Trojan.Win.Z.Scar.2723328
ZoneAlarm Trojan.Win32.Scar.ttjc
GData Trojan.GenericKD.73742914
Varist W64/ABTrojan.RSUP-8490
AhnLab-V3 Trojan/Win.TrojanX-gen.C5509840
DeepInstinct MALICIOUS
Malwarebytes Malware.AI.4273090583
Ikarus Trojan.Win64.Krypt
Panda Trj/Agent.FUM
TrendMicro-HouseCall TROJ_GEN.R002C0DBQ24
Tencent Win32.Trojan.Scar.Vwhl
Yandex Trojan.Scar!r1kXLU1tr68
MaxSecure Trojan.Malware.1728101.susgen
dead_host 94.142.138.113:80
dead_host 192.168.56.101:49166
dead_host 94.142.138.131:80
dead_host 192.168.56.101:49163