Summary | ZeroBOX

svhost.exe

Malicious Packer, UPX, Malicious Library, PE64, PE File

Category FILE
Machine s1_win7_x6403_us
Started Sept. 13, 2024, 1:43 p.m.
Completed Sept. 13, 2024, 1:45 p.m.
Size 5.9MB
Type PE32+ executable (console) x86-64, for MS Windows
MD5 ed8ca6f64f124f33a063e78fb985a74a
SHA256 ce85f3a21e5e14d7c55d0f15ed60a62f446e8fe85d1b2805f675baf44674fed9
CRC32 8CF112FC
ssdeep 98304:c6RHiPEI/AuHt7yjnr2SihV4OGr43JNCL0BmQuixsOwVPxlRy0Er5UzNVw8lfGLd:dlqESAuHt7yjnr2SihV4OGr43JNCL0BR
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .symtab
Time & API: __exception__

Arguments:

stacktrace:

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.r14: 8389248
registers.r15: 0
registers.rcx: -1
registers.rsi: 2292481
registers.r10: 0
registers.rbx: -10000
registers.rsp: 2292760
registers.r11: 582
registers.r8: 2292800
registers.r9: 2292528
registers.rdx: 0
registers.r12: 2293320
registers.rbp: 2292816
registers.rdi: 4436160
registers.rax: 0
registers.r13: 0

Status: 1
Return: 0
Repeated: 0
section /19: size_of_data 0x00056a00, virtual_address 0x0046f000, virtual_size 0x00056952, entropy 7.995970534627882 - A section with a high entropy has been found
section /32: size_of_data 0x00012000, virtual_address 0x004c6000, virtual_size 0x00011e95, entropy 7.941306039129835 - A section with a high entropy has been found
section /65: size_of_data 0x00096e00, virtual_address 0x004d9000, virtual_size 0x00096d0a, entropy 7.996858751865458 - A section with a high entropy has been found
section /78: size_of_data 0x00076000, virtual_address 0x00570000, virtual_size 0x00075fe2, entropy 7.995492407963325 - A section with a high entropy has been found
section /90: size_of_data 0x00020000, virtual_address 0x005e6000, virtual_size 0x0001fff3, entropy 7.800202986244902 - A section with a high entropy has been found
entropy 0.268387523786 - Overall entropy of this PE file is high
Bkav W32.Common.54ECD97A
Lionic Trojan.Win32.ReverseShell.4!c
Cynet Malicious (score: 99)
Skyhigh BehavesLike.Win64.Ransomware.th
ALYac Trojan.GenericKD.73907114
Cylance Unsafe
VIPRE Trojan.GenericKD.73907114
Sangfor Trojan.Win32.Reverseshell.Vrnz
K7AntiVirus Trojan ( 005b98261 )
BitDefender Trojan.GenericKD.73907114
K7GW Trojan ( 005b98261 )
Arcabit Trojan.Generic.D467BBAA
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of WinGo/ReverseShell.DX
Avast Win64:Malware-gen
Kaspersky UDS:Trojan.Win64.Agent.a
Alibaba Trojan:Win64/ReverseShell.dadcae76
MicroWorld-eScan Trojan.GenericKD.73907114
Emsisoft Trojan.GenericKD.73907114 (B)
F-Secure Trojan.TR/Redcap.mrikd
McAfeeD ti!CE85F3A21E5E
CTX exe.trojan.reverseshell
Sophos Mal/Generic-S
FireEye Trojan.GenericKD.73907114
Google Detected
Avira TR/Redcap.mrikd
Antiy-AVL Trojan/Win32.ReverseShell
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm UDS:Trojan.Win64.Agent.a
GData Trojan.GenericKD.73907114
Varist W64/ABTrojan.EVHP-6900
McAfee Artemis!ED8CA6F64F12
DeepInstinct MALICIOUS
Ikarus Trojan.WinGo.Agent
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002H09HT24
Tencent Win32.Trojan.Redcap.Ncnw
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/ReverseShell.DX!tr
AVG Win64:Malware-gen
Paloalto generic.ml
CrowdStrike win/malicious_confidence_70% (W)
alibabacloud Trojan:Multi/ReverseShell.DD