Report - svchost.exe

Tags: Generic Malware, Admin Tool (Sysinternals Devolutions inc), Malicious Packer, PE File, PE32
Created 2021.06.16 08:13
Machine s1_win7_x6401
Filename svchost.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 3
Behavior Score 2.0
ZERO API (file): malware
VT API (file) 40 detected (AIDetect, malware2, malicious, high confidence, Graftor, Save, VBKrypt, Eldorado, EPNK, Mucc, S + Troj, UMal, lefmp@0, Unsafe, Score, kcloud, Guloader, Artemis, ai score=94, susgen, PossibleThreat, ZevbaF, jm0@aGmFw2hi, GdSda, confidence)
md5 6572076bc21603b0612703e4dd2e1f67
sha256 cf62a78fa8483a391861a1eb56322cc8fd9ccecca90629398ec54ed62af6114c
ssdeep 1536:w+mqfTK8fKzFDwZbo+Ag+8ItLItgkBGsXy0exhDoQa8N:ZlfABDi+8Itegk7y0yV3N
imphash 2c08d8f9644132654eb702b279083d5c
impfuzzy 48:nq/Sw3QZwgmtwGYgxtjwb3ueH3ib92emxr1SxgdI3/bsFA5qFNm2jIhHw+seHgkZ:nq/S6QZfmt5Ygx16+2yb92lxrwxgdIvL

Signature (3cnts)

Level   Description
danger  File has been identified by 40 AntiVirus engines on VirusTotal as malicious
notice  Allocates read-write-execute memory (usually to unpack itself)
notice  Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)

Rules (5cnts)

Level    Name                   Description              Collection
warning  Generic_Malware_Zero   Generic Malware          binaries (upload)
watch    Admin_Tool_IN_Zero     Admin Tool Sysinternals  binaries (upload)
watch    Malicious_Packer_Zero  Malicious Packer         binaries (upload)
info     IsPE32                 (no description)         binaries (upload)
info     PE_Header_Zero         PE File Signature        binaries (upload)

Network (0cnts)

Request CC ASN Co IP4 Rule ZERO

Suricata ids

PE API

IAT (Import Address Table) Library

MSVBVM60.DLL
 0x401000 _CIcos
 0x401004 _adj_fptan
 0x401008 __vbaVarMove
 0x40100c __vbaHresultCheck
 0x401010 None
 0x401014 __vbaFreeVar
 0x401018 None
 0x40101c __vbaStrVarMove
 0x401020 __vbaLenBstr
 0x401024 __vbaFreeVarList
 0x401028 __vbaEnd
 0x40102c None
 0x401030 _adj_fdiv_m64
 0x401034 __vbaFreeObjList
 0x401038 None
 0x40103c None
 0x401040 _adj_fprem1
 0x401044 None
 0x401048 None
 0x40104c None
 0x401050 None
 0x401054 __vbaSetSystemError
 0x401058 None
 0x40105c __vbaHresultCheckObj
 0x401060 None
 0x401064 _adj_fdiv_m32
 0x401068 None
 0x40106c __vbaAryDestruct
 0x401070 None
 0x401074 None
 0x401078 __vbaBoolStr
 0x40107c None
 0x401080 __vbaObjSet
 0x401084 __vbaOnError
 0x401088 None
 0x40108c None
 0x401090 _adj_fdiv_m16i
 0x401094 __vbaObjSetAddref
 0x401098 _adj_fdivr_m16i
 0x40109c None
 0x4010a0 None
 0x4010a4 __vbaFpR8
 0x4010a8 __vbaVarTstLt
 0x4010ac _CIsin
 0x4010b0 __vbaErase
 0x4010b4 None
 0x4010b8 __vbaChkstk
 0x4010bc EVENT_SINK_AddRef
 0x4010c0 __vbaGenerateBoundsError
 0x4010c4 __vbaStrCmp
 0x4010c8 __vbaAryConstruct2
 0x4010cc __vbaVarTstEq
 0x4010d0 __vbaR4Str
 0x4010d4 __vbaObjVar
 0x4010d8 None
 0x4010dc DllFunctionCall
 0x4010e0 None
 0x4010e4 None
 0x4010e8 _adj_fpatan
 0x4010ec None
 0x4010f0 None
 0x4010f4 __vbaLateIdCallLd
 0x4010f8 None
 0x4010fc __vbaRedim
 0x401100 EVENT_SINK_Release
 0x401104 None
 0x401108 __vbaUI1I2
 0x40110c _CIsqrt
 0x401110 EVENT_SINK_QueryInterface
 0x401114 None
 0x401118 __vbaExceptHandler
 0x40111c _adj_fprem
 0x401120 _adj_fdivr_m64
 0x401124 None
 0x401128 None
 0x40112c None
 0x401130 __vbaFPException
 0x401134 __vbaInStrVar
 0x401138 None
 0x40113c None
 0x401140 None
 0x401144 None
 0x401148 _CIlog
 0x40114c __vbaNew2
 0x401150 __vbaInStr
 0x401154 None
 0x401158 None
 0x40115c _adj_fdiv_m32i
 0x401160 _adj_fdivr_m32i
 0x401164 __vbaStrCopy
 0x401168 __vbaI4Str
 0x40116c __vbaFreeStrList
 0x401170 _adj_fdivr_m32
 0x401174 _adj_fdiv_r
 0x401178 None
 0x40117c __vbaVarTstNe
 0x401180 __vbaI4Var
 0x401184 None
 0x401188 __vbaVarAdd
 0x40118c __vbaLateMemCall
 0x401190 __vbaVarDup
 0x401194 __vbaStrToAnsi
 0x401198 None
 0x40119c __vbaFpI4
 0x4011a0 __vbaVarCopy
 0x4011a4 None
 0x4011a8 __vbaLateMemCallLd
 0x4011ac _CIatan
 0x4011b0 __vbaStrMove
 0x4011b4 __vbaCastObj
 0x4011b8 _allmul
 0x4011bc __vbaLateIdSt
 0x4011c0 None
 0x4011c4 _CItan
 0x4011c8 _CIexp
 0x4011cc __vbaFreeObj
 0x4011d0 __vbaFreeStr
 0x4011d4 None

EAT (Export Address Table): none
