Field | Value |
---|---|
Created | 2021.06.25 10:14 |
Machine | s1_win7_x6401 |
Filename | s%CE%BDchost.exe (URL-encoded; decodes to sνchost.exe, where the second character is Greek small letter nu, U+03BD, a homoglyph of the legitimate svchost.exe name) |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
ZERO API | file : clean |
VT API (file) | 57 detected (AIDetect, malware1, malicious, high confidence, DownLoader30, Zusy, FarfliPMF, S19352949, FRMW, Unsafe, GenKryptik, Save, GhostRAT, ZexaF, xmW@a0gar3n, Eldorado, Attribute, HighConfidence, EZKJ, BackdoorX, Farfli, gethzp, Gencirc, A + Troj, AutoG, R002C0DFG21, Krypt, xrlrm, ai score=89, ASMalwS, score, R299612, Injuke, Ghost, FakeFolder, CLASSIC, GenAsa, 6tUyyqkpagE, Static AI, Malicious PE, susgen, Genetic, confidence) |
md5 | 91e2c066da101bdb8cbfae83d90a15cf |
sha256 | 161a1eb003a6ee20d635879514a3be9feb2f2d126214a7bbeb8e93daa11e4a49 |
ssdeep | 6144:ORjbUHOvGUNIE/FDjBazqjWgR+MSEtvlZTONpRGX5B4PY3mA0O0Gp8NhE5Jod:ejbh9tDjiuT+xEtl0u4w3mAZyld |
imphash | 92cbf1b7939e726b820cc211fce00750 |
impfuzzy | 24:mDAMnOovuHfcd37JHd3iv8ERRvNuk/eJmt9s:PMOhHfclr3WveJCW |
Signatures (14)
Level | Description |
---|---|
danger | File has been identified by 57 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a service |
notice | Creates a suspicious process |
notice | Drops an executable to the user AppData folder |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
Rules (13)
Level | Name | Description | Collection |
---|---|---|---|
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT (Import Address Table)
Library: KERNEL32.dll
0x402000 GetProcAddress
0x402004 GetModuleHandleA
0x402008 RtlUnwind
0x40200c RaiseException
0x402010 GetStartupInfoA
0x402014 GetCommandLineA
0x402018 GetVersion
0x40201c ExitProcess
0x402020 InitializeCriticalSection
0x402024 EnterCriticalSection
0x402028 LeaveCriticalSection
0x40202c HeapFree
0x402030 GetCurrentThreadId
0x402034 TlsSetValue
0x402038 TlsAlloc
0x40203c SetLastError
0x402040 TlsGetValue
0x402044 GetLastError
0x402048 SetUnhandledExceptionFilter
0x40204c TerminateProcess
0x402050 GetCurrentProcess
0x402054 UnhandledExceptionFilter
0x402058 GetModuleFileNameA
0x40205c FreeEnvironmentStringsA
0x402060 FreeEnvironmentStringsW
0x402064 WideCharToMultiByte
0x402068 GetEnvironmentStrings
0x40206c GetEnvironmentStringsW
0x402070 SetHandleCount
0x402074 GetStdHandle
0x402078 GetFileType
0x40207c GetEnvironmentVariableA
0x402080 GetVersionExA
0x402084 HeapDestroy
0x402088 HeapCreate
0x40208c VirtualFree
0x402090 WriteFile
0x402094 HeapAlloc
0x402098 VirtualAlloc
0x40209c HeapReAlloc
0x4020a0 IsBadWritePtr
0x4020a4 IsBadReadPtr
0x4020a8 IsBadCodePtr
0x4020ac GetCPInfo
0x4020b0 GetACP
0x4020b4 GetOEMCP
0x4020b8 LoadLibraryA
0x4020bc MultiByteToWideChar
0x4020c0 LCMapStringA
0x4020c4 LCMapStringW
0x4020c8 GetStringTypeA
0x4020cc GetStringTypeW
0x4020d0 InterlockedDecrement
0x4020d4 InterlockedIncrement
EAT (Export Address Table)
0x4010fe Fatal