Detecting Virtual Environment Artefacts

Created on Monday, 11 March 2019. Updated 2 weeks, 4 days ago.

Malware often checks for artifacts left by virtualization platforms to determine if it is running inside a virtual environment. Detecting such artifacts allows the malware to adapt its behavior, delay execution, or avoid exposing malicious functionality during analysis.

  • QEMU: QEMU registers artifacts in the Windows registry. For example, the key HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 contains the value Identifier with data QEMU. Another check is the key HARDWARE\Description\System with the value SystemBiosVersion and data QEMU.

  • VirtualBox: The VirtualBox Guest Additions leave multiple registry artifacts. Searching the registry for the string VBOX often reveals keys that expose the presence of VirtualBox.

  • VMware (Registry & Files): VMware installs tools in C:\Program Files\VMware\VMware Tools, and related registry entries may also contain information about the virtual hard drive, network adapters, or virtual mouse. Searching the registry for VMware can reveal these indicators.

  • VMware (Memory): VMware also leaves artifacts in memory. Critical processor structures may be moved or altered inside a VM, leaving recognizable footprints. Malware can scan physical memory for strings such as VMware to confirm that it is running in a virtualized environment.
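
From the analyst's side, the strings listed above double as static triage indicators. The following added example (not code from this page or its authors) extracts ASCII and UTF-16LE strings from a sample's bytes and reports which platforms and locations it references; the function names and the sample bytes are constructed for illustration.

```python
import re

# Platform tokens and registry/file locations named in the list above.
TOKENS = {"QEMU": "qemu", "VirtualBox": "vbox", "VMware": "vmware"}
LOCATIONS = [
    r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
    r"HARDWARE\Description\System",
    "SystemBiosVersion",
    r"C:\Program Files\VMware\VMware Tools",
]

def extract_strings(blob, min_len=4):
    """Return printable ASCII and UTF-16LE strings embedded in a byte blob."""
    narrow = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    out = [m.group().decode("ascii") for m in narrow.finditer(blob)]
    out += [m.group().decode("utf-16-le") for m in wide.finditer(blob)]
    return out

def triage(blob):
    """Report which platforms a sample names and which locations it references.

    Generic locations (the BIOS description key, SystemBiosVersion) are only
    context: benign software reads them too, so they never flag a platform.
    """
    platforms, locations = set(), set()
    for s in extract_strings(blob):
        low = s.lower()  # matching is case-insensitive, like registry lookups
        platforms.update(p for p, tok in TOKENS.items() if tok in low)
        locations.update(loc for loc in LOCATIONS if loc.lower() in low)
    return {"platforms": sorted(platforms), "locations": sorted(locations)}

# Constructed sample bytes (not from a real file): one wide registry path,
# narrow value names and data, separated by non-printable padding.
SAMPLE = b"\x00\x01\xff".join([
    LOCATIONS[0].encode("utf-16-le"),
    b"Identifier", b"QEMU",
    b"SystemBiosVersion",
    rb"C:\Program Files\VMware\VMware Tools",
])
# Constructed benign bytes: reads the BIOS key but names no hypervisor.
BENIGN = b"\x90\x90" + rb"HARDWARE\Description\System" + b"\x00\x02SystemBiosVersion\x00"

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(BENIGN))
```

A hit is a reason to look at how the sample uses the string, not a verdict: legitimate guest tools and inventory software reference the same names.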


Technique Identifier

U1332



Matching Samples (10 most recent)

| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| 2e496717b85edc1f47dececadbf2...edc432bef640f7ff7616e528.elf | 1 | 2025-10-05 | 1 day, 22 hours ago |
| 000.exe | 7 | 2025-10-06 | 2 days, 1 hour ago |
| ri_setup_full4134_UjiwJcEu.exe | 7 | 2025-10-02 | 5 days, 19 hours ago |
| mirroringApp-car-v1.0.2310071810 (1).apk | 3 | 2024-11-14 | 1 week, 1 day ago |
| program.elf | 1 | 2025-09-26 | 1 week, 4 days ago |
| chrome_pwa_launcher.exe | 5 | 2025-09-24 | 1 week, 6 days ago |
| botnpwds.exe | 10 | 2025-09-24 | 1 week, 6 days ago |
| rlm1611_http.dll | 6 | 2025-09-22 | 2 weeks, 1 day ago |
| hid-tools.dll | 13 | 2025-09-22 | 2 weeks, 2 days ago |
| Yandex.exe | 8 | 2025-09-20 | 2 weeks, 3 days ago |