popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

svhostc.exe

Malicious Library UPX Internet API Http API HTTP AntiDebug PE File OS Processor Check PE32 AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 July 29, 2024, 1:25 p.m. July 29, 2024, 1:51 p.m.
Size 421.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 ae3dd2f4488753b690ca17d555147aba
SHA256 77bdb3c46654446f1edffd1a388e3f64d8ca4dc24acd9575b95e94c26b8b43fe
CRC32 C85F89A4
ssdeep 6144:aPvOGvTbPoC8lV5AdpKndv8w7UkvKw1SthsFLDXW7nX9TCR/QYZuWDv7ZNk:aPzv3PL8lV6IxV/Kmes1Dm5SQYZuWX
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
api.telegram.org
A 149.154.167.220
149.154.167.220
IP Address Status Action
149.154.167.220 Active Moloch
164.124.101.2 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name:
0 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
section .zitebej
section .sahezin
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 270336
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0263e000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 503808
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03cb0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

SetFileAttributesW

 file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\test22\AppData\Roaming\MyHiddenFolder
filepath: C:\Users\test22\AppData\Roaming\MyHiddenFolder
1 1 0

SetFileAttributesW

 file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\test22\AppData\Roaming\MyHiddenFolder\svhostc.exe
filepath: C:\Users\test22\AppData\Roaming\MyHiddenFolder\svhostc.exe
1 1 0
Time & API Arguments Status Return Repeated

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\AppData\Roaming\MyHiddenFolder\svhostc.exe
flags: 2
oldfilepath_r: C:\Users\test22\AppData\Local\Temp\svhostc.exe
newfilepath: C:\Users\test22\AppData\Roaming\MyHiddenFolder\svhostc.exe
oldfilepath: C:\Users\test22\AppData\Local\Temp\svhostc.exe
1 1 0
section {u'size_of_data': u'0x00049c00', u'virtual_address': u'0x00001000', u'entropy': 7.949015515367575, u'name': u'.text', u'virtual_size': u'0x00049b30'} entropy 7.94901551537 description A section with a high entropy has been found
entropy 0.701545778835 description Overall entropy of this PE file is high
description Match Windows Http API call rule Str_Win32_Http_API
description Communications over HTTP rule Network_HTTP
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Match Windows Inet API call rule Str_Win32_Internet_API
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2660
region_size: 516096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000080
1 0 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\My Program reg_value C:\Users\test22\AppData\Roaming\MyHiddenFolder\svhostc.exe
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2660
process_handle: 0x00000080
1 1 0
Process injection Process 2560 called NtSetContextThread to modify thread in remote process 2660
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 1638384
registers.edi: 0
registers.eax: 4434029
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000007c
process_identifier: 2660
1 0 0
Process injection Process 2560 resumed a thread in remote process 2660
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x0000007c
suspend_count: 1
process_identifier: 2660
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2664
thread_handle: 0x0000007c
process_identifier: 2660
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\svhostc.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\svhostc.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\svhostc.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000080
1 1 0

NtGetContextThread

 thread_handle: 0x0000007c
1 0 0

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 4096
process_identifier: 2660
process_handle: 0x00000080
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2660
region_size: 516096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000080
1 0 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2660
process_handle: 0x00000080
1 1 0

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 1638384
registers.edi: 0
registers.eax: 4434029
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000007c
process_identifier: 2660
1 0 0

NtResumeThread

 thread_handle: 0x0000007c
suspend_count: 1
process_identifier: 2660
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Injuke.16!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win32.Lockbit.gh
ALYac Gen:Variant.Jaik.236336
Cylance Unsafe
VIPRE Gen:Variant.Jaik.236336
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 005649fd1 )
BitDefender Gen:Variant.Midie.151499
K7GW Trojan ( 005649fd1 )
Symantec ML.Attribute.HighConfidence
tehtris Generic.Malware
ESET-NOD32 a variant of Win32/Kryptik.HXPN
APEX Malicious
McAfee Artemis!AE3DD2F44887
Avast Win32:PWSX-gen [Trj]
ClamAV Win.Packer.pkr_ce1a-9980177-0
Kaspersky HEUR:Trojan.Win32.Injuke.gen
Alibaba Trojan:Win32/Kryptik.bd287a59
MicroWorld-eScan Gen:Variant.Midie.151499
Rising Trojan.SmokeLoader!1.FF9D (CLASSIC)
Emsisoft Gen:Variant.Midie.151499 (B)
F-Secure Trojan.TR/AVI.AceCrypter.ojldh
DrWeb Trojan.Inject5.6654
TrendMicro Trojan.Win32.AMADEY.YXEG2Z
McAfeeD Real Protect-LS!AE3DD2F44887
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.ae3dd2f4488753b6
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
Webroot W32.Trojan.Gen
Google Detected
Avira TR/AVI.AceCrypter.ojldh
MAX malware (ai score=88)
Antiy-AVL Trojan/Win32.Convagent
Kingsoft malware.kb.a.1000
Gridinsoft Ransom.Win32.Sabsik.sa
Microsoft Trojan:Win32/Multiverze
ZoneAlarm HEUR:Trojan.Win32.Injuke.gen
GData Gen:Variant.Midie.151499
Varist W32/ABTrojan.OGWN-0279
AhnLab-V3 Trojan/Win.PWSX-gen.C5653856
Acronis suspicious
BitDefenderTheta Gen:NN.ZexaF.36810.Ay0@amtYgpiG
DeepInstinct MALICIOUS
Malwarebytes Trojan.MalPack.GS
Ikarus Trojan.Win32.Crypt
Panda Trj/Chgt.AD