Summary | ZeroBOX

Submitted filename: svchost.exe (the name of the legitimate Windows service host; the name alone says nothing about what the file is)

Tags: VMProtect, Malicious Library, PE64, PE File

Category: FILE
Machine: s1_win7_x6401
Started: Nov. 11, 2024, 9:58 a.m.
Completed: Nov. 11, 2024, 10:14 a.m.
Size: 1.1MB
Type: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 8911e8d889f59b52df80729faac2c99c
SHA256: 8d0c2f35092d606d015bd250b534b670857b0dba8004a4e7588482dd257c9342
CRC32: 7A58D9DD
ssdeep: 24576:dHdxgqHiiNOz3CmVWhxlMNCUktQiCiqPsuT:d9+GIzyoAMojesu
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • VMProtect_Zero - VMProtect packed file

Network

DNS lookups (Name / Response / Post-Analysis Lookup): none
Hosts contacted (IP Address / Status / Action): none

No network activity was observed in the 16-minute run. For a VMProtect-packed sample this is weak evidence either way: VMProtect ships with debugger and virtual-machine detection options, so the protected payload may simply not have executed under the sandbox.

Suricata Alerts: none

Suricata TLS: none

PE sections of note: .vmp0, .vmp1 (VMProtect naming)

API calls (Time & API / Arguments / Status / Return / Repeated)

NtProtectVirtualMemory
  process_identifier: 2560
  process_handle: 0xffffffffffffffff (the current-process pseudo-handle, i.e. the process is changing its own memory)
  base_address: 0x000000013f851000
  length: 135168 (0x21000, 33 pages)
  protection: 64 (PAGE_EXECUTE_READWRITE)
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  status: 1 (success)   return: 0   repeated: 0

A process turning a 0x21000-byte region of its own address space writable and executable at once is consistent with a packer stub decrypting code in place before jumping to it; the monitor's stack-pivot and DEP-bypass heuristics did not trigger on the call. This is the only call captured, so the sample's behaviour after unpacking is not visible in this run.
Resource: RT_VERSION, language LANG_CHINESE / SUBLANG_CHINESE_SIMPLIFIED, type data, offset 0x002360a0, size 0x0000036c
Signature hits

High-entropy section: .vmp1 (virtual_address 0x00126000, virtual_size 0x0010ee70, size_of_data 0x0010f000, entropy 7.913 of a maximum 8 bits) - a section with a high entropy has been found; at this level the bytes are indistinguishable from compressed or encrypted data.
Overall entropy of this PE file is high: 0.998. This figure is not in bits; it is computed the way Cuckoo's packer_entropy signature does it, as the share of section bytes that sit in high-entropy sections, so 0.998 means essentially the whole image is packed.
section .vmp0 - section name indicates VMProtect
section .vmp1 - section name indicates VMProtect
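The three static checks above (VMProtect section names, a high-entropy section, and the 0..1 "overall entropy" ratio) are cheap to reproduce on any PE without a sandbox. The following is an added example, not ZeroBOX or Cuckoo code: it walks the section table of a PE image directly (no pefile dependency), computes Shannon entropy per section in bits as the report does, and applies the ratio logic of the open-source Cuckoo packer_entropy signature. The thresholds (6.8 bits per section, 0.2 overall) are taken from that open-source signature and are an assumption about what ZeroBOX uses. The input is a constructed PE64 skeleton with a .text section, an empty .vmp0 and a high-entropy .vmp1 with sizes scaled down; it is not the analysed sample.

```python
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0..8); the report's per-section figure uses this scale."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF file header -> section table.
    Only the fields needed for the packer checks are extracted."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, off + 8)
        data = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name, "virtual_address": vaddr, "virtual_size": vsize,
                         "size_of_data": rawsize, "entropy": shannon_entropy(data)})
    return sections


def packer_verdict(sections, section_threshold=6.8, ratio_threshold=0.2):
    """Reproduce the three report signatures: VMProtect section names, a high-entropy
    section, and the share of section bytes in high-entropy sections (the 0..1 figure).
    Thresholds are assumed from the open-source Cuckoo packer_entropy signature."""
    hits, total, packed = [], 0, 0
    for s in sections:
        if s["name"].lower().startswith(".vmp"):
            hits.append(f"section {s['name']}: name indicates VMProtect")
        if s["entropy"] > section_threshold:
            hits.append(f"section {s['name']}: high entropy ({s['entropy']:.3f} bits)")
            packed += s["size_of_data"]
        total += s["size_of_data"]
    ratio = packed / total if total else 0.0
    if ratio > ratio_threshold:
        hits.append(f"overall: {ratio:.3f} of section data is in high-entropy sections")
    return ratio, hits


def _pseudo_random(n: int, seed: bytes = b"vmp1") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for VMProtect's
    encrypted VM bytecode. Constructed data, not bytes from the sample."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed PE64 skeleton (headers filled only as far as the parser needs) with the
    section layout the report shows, sizes scaled down: .text, an empty .vmp0, a packed .vmp1."""
    e_lfanew, opt_size, data_start = 0x80, 0xF0, 0x400      # 0xF0 = PE32+ optional header size
    layout = [                                               # (name, RVA, virtual size, raw bytes)
        (b".text", 0x1000, 0x1000, bytes(range(64)) * 64),   # 64 equiprobable values -> 6.0 bits
        (b".vmp0", 0x2000, 0x40000, b""),                    # VMProtect's virtual-only section
        (b".vmp1", 0x42000, 0x10000, _pseudo_random(0x10000)),
    ]
    hdr = bytearray(data_start)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine=AMD64, NumberOfSections, timestamp, symtab ptr/count, opt size, flags
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x8664, len(layout), 0, 0, 0, opt_size, 0x22)
    struct.pack_into("<H", hdr, e_lfanew + 24, 0x20B)        # optional header magic: PE32+
    body, ptr, off = bytearray(), data_start, e_lfanew + 24 + opt_size
    for name, rva, vsize, raw in layout:
        rawptr = ptr if raw else 0
        # IMAGE_SECTION_HEADER: name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # reloc/linenumber pointers and counts (unused), Characteristics = CODE|EXECUTE|READ
        struct.pack_into("<8sIIIIIIHHI", hdr, off, name, vsize, rva, len(raw), rawptr,
                         0, 0, 0, 0, 0x60000020)
        body += raw
        ptr += len(raw)
        off += 40
    return bytes(hdr) + bytes(body)


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:<8} rva=0x{s['virtual_address']:08x} "
              f"raw=0x{s['size_of_data']:08x} entropy={s['entropy']:.3f}")
    ratio, hits = packer_verdict(secs)
    print("\n".join(hits))
```

To run it against a real file, replace build_sample_pe() with the file's bytes; the .vmp0 section shows how a section with no raw data contributes nothing to the ratio, which is why a VMProtect image with its code living almost entirely in .vmp1 scores close to 1.0.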
Antivirus results (48 engines listed, all flagging the file; Vendor / Detection)

Most labels identify the VMProtect wrapper (Packed.VMProtect, VMPAgent, Mal/VMProtBad-A, exe.trojan.vmprotect) or are machine-learning and generic verdicts; the family names that do appear are generic ones (Gen:Variant.Tedy.511541 from the BitDefender-engine licensees, TR/Black.Gen2 from Avira and F-Secure). None of them identify the protected payload, which needs unpacking first.

Bkav W64.AIDetectMalware
Lionic Trojan.Win32.VMProtect.4!c
Cynet Malicious (score: 99)
Skyhigh BehavesLike.Win64.PUPXVO.tc
ALYac Gen:Variant.Tedy.511541
Cylance Unsafe
VIPRE Gen:Variant.Tedy.511541
CrowdStrike win/malicious_confidence_90% (W)
BitDefender Gen:Variant.Tedy.511541
K7GW Trojan ( 7000001d1 )
K7AntiVirus Trojan ( 7000001d1 )
Arcabit Trojan.Tedy.D7CE35
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Packed.VMProtect.ABO
APEX Malicious
Avast Win64:MalwareX-gen [Trj]
Alibaba Packed:Win32/VMProtect.743b5365
MicroWorld-eScan Gen:Variant.Tedy.511541
Rising Trojan.VMPAgent!8.1ACDF (CLOUD)
Emsisoft Gen:Variant.Tedy.511541 (B)
F-Secure Trojan.TR/Black.Gen2
Zillya Trojan.VMProtect.Win32.93364
TrendMicro TROJ_GEN.R002C0DJ624
McAfeeD Real Protect-LS!8911E8D889F5
Trapmine suspicious.low.ml.score
CTX exe.trojan.vmprotect
Sophos Mal/VMProtBad-A
SentinelOne Static AI - Suspicious PE
FireEye Generic.mg.8911e8d889f59b52
Avira TR/Black.Gen2
Antiy-AVL Trojan[Packed]/Win32.VMProtect
Xcitium Malware@#1vyu9xsq66ldo
Microsoft Trojan:Win64/VMPAgent.RP!MTB
GData Gen:Variant.Tedy.511541
Varist W64/ABTrojan.YKEZ-3496
AhnLab-V3 Trojan/Win.Generic.C5257311
McAfee Artemis!8911E8D889F5
DeepInstinct MALICIOUS
Malwarebytes Malware.AI.1951864450
Ikarus Trojan.Win32.VMProtect
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002C0DJ624
Tencent Malware.Win32.Gencirc.140863b2
MaxSecure Trojan.Malware.222427546.susgen
Fortinet W32/PossibleThreat
AVG Win64:MalwareX-gen [Trj]
Paloalto generic.ml