ScreenShot
| Created | 2021.08.29 12:47 | Machine | s1_win7_x6401 |
| Filename | Svc_host.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 25 detected (malicious, high confidence, Razy, Save, ZemsilF, Gy2@aOYjIsi, Generic ML PUA, Static AI, Malicious PE, 1MFCAJH, Sabsik, score, ai score=82, PasswordStealer, confidence) | ||
| md5 | f10f6674811925909e9d76ed554563a4 | ||
| sha256 | ad8e4031c8f2c544a2ca6bb64ebc98f82acacde9cc819f1c36b11a4311a30195 | ||
| ssdeep | 12288:CrUSMoDMJz7bLg0EKsWmAhndfnZs8svfozj/:2bweQsWmAhBIvfozj/ | ||
| imphash | b462095fea3219e285e54ac0547eead6 | ||
| impfuzzy | 96:8cfp95YU3A0MJ44Xl4S5zzgU83ck1C/XZqUhDwPOQdH:33+QL1CfZBCPOQdH | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 25 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Connects to a Dynamic DNS Domain |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Looks up the external IP address |
| notice | Performs some HTTP requests |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | This executable has a PDB path |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (upload) |
Suricata ids
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY External IP Lookup - checkip.dyndns.org
PE API
IAT(Import Address Table) Library
kernel32.dll
0x45f17c DeleteCriticalSection
0x45f180 LeaveCriticalSection
0x45f184 EnterCriticalSection
0x45f188 InitializeCriticalSection
0x45f18c VirtualFree
0x45f190 VirtualAlloc
0x45f194 LocalFree
0x45f198 LocalAlloc
0x45f19c GetTickCount
0x45f1a0 QueryPerformanceCounter
0x45f1a4 GetVersion
0x45f1a8 GetCurrentThreadId
0x45f1ac InterlockedDecrement
0x45f1b0 InterlockedIncrement
0x45f1b4 VirtualQuery
0x45f1b8 WideCharToMultiByte
0x45f1bc MultiByteToWideChar
0x45f1c0 lstrlenA
0x45f1c4 lstrcpynA
0x45f1c8 LoadLibraryExA
0x45f1cc GetThreadLocale
0x45f1d0 GetStartupInfoA
0x45f1d4 GetProcAddress
0x45f1d8 GetModuleHandleA
0x45f1dc GetModuleFileNameA
0x45f1e0 GetLocaleInfoA
0x45f1e4 GetCommandLineA
0x45f1e8 FreeLibrary
0x45f1ec FindFirstFileA
0x45f1f0 FindClose
0x45f1f4 ExitProcess
0x45f1f8 ExitThread
0x45f1fc WriteFile
0x45f200 UnhandledExceptionFilter
0x45f204 RtlUnwind
0x45f208 RaiseException
0x45f20c GetStdHandle
user32.dll
0x45f214 GetKeyboardType
0x45f218 LoadStringA
0x45f21c MessageBoxA
0x45f220 CharNextA
advapi32.dll
0x45f228 RegQueryValueExA
0x45f22c RegOpenKeyExA
0x45f230 RegCloseKey
oleaut32.dll
0x45f238 SysFreeString
0x45f23c SysReAllocStringLen
0x45f240 SysAllocStringLen
kernel32.dll
0x45f248 TlsSetValue
0x45f24c TlsGetValue
0x45f250 TlsFree
0x45f254 TlsAlloc
0x45f258 LocalFree
0x45f25c LocalAlloc
advapi32.dll
0x45f264 RegOpenKeyA
kernel32.dll
0x45f26c WriteProcessMemory
0x45f270 WriteFile
0x45f274 WideCharToMultiByte
0x45f278 WaitForSingleObject
0x45f27c VirtualQuery
0x45f280 VirtualProtectEx
0x45f284 VirtualProtect
0x45f288 VirtualFree
0x45f28c VirtualAllocEx
0x45f290 VirtualAlloc
0x45f294 SystemTimeToFileTime
0x45f298 SizeofResource
0x45f29c SetThreadContext
0x45f2a0 SetLastError
0x45f2a4 SetFileTime
0x45f2a8 SetFilePointer
0x45f2ac SetFileAttributesW
0x45f2b0 SetFileAttributesA
0x45f2b4 SetEvent
0x45f2b8 SetErrorMode
0x45f2bc SetEndOfFile
0x45f2c0 SetCurrentDirectoryW
0x45f2c4 SetCurrentDirectoryA
0x45f2c8 ResetEvent
0x45f2cc RemoveDirectoryW
0x45f2d0 RemoveDirectoryA
0x45f2d4 ReadProcessMemory
0x45f2d8 ReadFile
0x45f2dc QueryDosDeviceW
0x45f2e0 PostQueuedCompletionStatus
0x45f2e4 MultiByteToWideChar
0x45f2e8 LockResource
0x45f2ec LoadResource
0x45f2f0 LoadLibraryW
0x45f2f4 LoadLibraryA
0x45f2f8 LeaveCriticalSection
0x45f2fc IsBadWritePtr
0x45f300 IsBadStringPtrW
0x45f304 IsBadReadPtr
0x45f308 InitializeCriticalSection
0x45f30c GetWindowsDirectoryW
0x45f310 GetWindowsDirectoryA
0x45f314 GetVersionExA
0x45f318 GetVersion
0x45f31c GetThreadLocale
0x45f320 GetThreadContext
0x45f324 GetTempPathW
0x45f328 GetTempPathA
0x45f32c GetTempFileNameW
0x45f330 GetTempFileNameA
0x45f334 GetSystemDirectoryW
0x45f338 GetSystemDirectoryA
0x45f33c GetStringTypeExW
0x45f340 GetStringTypeExA
0x45f344 GetStdHandle
0x45f348 GetProcAddress
0x45f34c GetModuleHandleA
0x45f350 GetModuleFileNameW
0x45f354 GetModuleFileNameA
0x45f358 GetLogicalDriveStringsW
0x45f35c GetLocaleInfoW
0x45f360 GetLocaleInfoA
0x45f364 GetLocalTime
0x45f368 GetLastError
0x45f36c GetFullPathNameW
0x45f370 GetFullPathNameA
0x45f374 GetFileSize
0x45f378 GetFileAttributesW
0x45f37c GetFileAttributesA
0x45f380 GetDiskFreeSpaceA
0x45f384 GetDateFormatA
0x45f388 GetCurrentThreadId
0x45f38c GetCurrentProcessId
0x45f390 GetCurrentProcess
0x45f394 GetCurrentDirectoryW
0x45f398 GetCurrentDirectoryA
0x45f39c GetCPInfo
0x45f3a0 GetACP
0x45f3a4 FreeResource
0x45f3a8 FreeLibrary
0x45f3ac FormatMessageA
0x45f3b0 FlushInstructionCache
0x45f3b4 FlushFileBuffers
0x45f3b8 FindResourceW
0x45f3bc FindNextFileW
0x45f3c0 FindNextFileA
0x45f3c4 FindFirstFileW
0x45f3c8 FindFirstFileA
0x45f3cc FindClose
0x45f3d0 FileTimeToLocalFileTime
0x45f3d4 FileTimeToDosDateTime
0x45f3d8 ExitProcess
0x45f3dc EnumCalendarInfoA
0x45f3e0 EnterCriticalSection
0x45f3e4 DeleteFileW
0x45f3e8 DeleteFileA
0x45f3ec DeleteCriticalSection
0x45f3f0 CreateRemoteThread
0x45f3f4 CreateFileW
0x45f3f8 CreateFileA
0x45f3fc CreateEventA
0x45f400 CreateDirectoryW
0x45f404 CreateDirectoryA
0x45f408 CompareStringW
0x45f40c CompareStringA
0x45f410 CloseHandle
user32.dll
0x45f418 MessageBoxA
0x45f41c LoadStringA
0x45f420 GetSystemMetrics
0x45f424 CharUpperBuffW
0x45f428 CharUpperW
0x45f42c CharLowerBuffW
0x45f430 CharLowerW
0x45f434 CharNextA
0x45f438 CharLowerA
0x45f43c CharUpperA
0x45f440 CharToOemA
kernel32.dll
0x45f448 Sleep
kernel32.dll
0x45f450 ActivateActCtx
0x45f454 CreateActCtxW
0x45f458 QueryDosDeviceW
ole32.dll
0x45f460 CreateStreamOnHGlobal
0x45f464 CoUninitialize
0x45f468 CoInitialize
oleaut32.dll
0x45f470 GetErrorInfo
0x45f474 SysFreeString
oleaut32.dll
0x45f47c SafeArrayPtrOfIndex
0x45f480 SafeArrayGetUBound
0x45f484 SafeArrayGetLBound
0x45f488 SafeArrayCreate
0x45f48c VariantChangeType
0x45f490 VariantCopy
0x45f494 VariantClear
0x45f498 VariantInit
ntdll.dll
0x45f4a0 RtlInitUnicodeString
0x45f4a4 RtlFreeUnicodeString
0x45f4a8 RtlFormatCurrentUserKeyPath
0x45f4ac RtlDosPathNameToNtPathName_U
SHFolder.dll
0x45f4b4 SHGetFolderPathW
0x45f4b8 SHGetFolderPathA
ntdll.dll
0x45f4c0 ZwProtectVirtualMemory
shlwapi.dll
0x45f4c8 PathMatchSpecW
ntdll.dll
0x45f4d0 LdrGetProcedureAddress
0x45f4d4 RtlFreeUnicodeString
0x45f4d8 RtlInitAnsiString
0x45f4dc RtlAnsiStringToUnicodeString
0x45f4e0 LdrLoadDll
EAT(Export Address Table) is none
kernel32.dll
0x45f17c DeleteCriticalSection
0x45f180 LeaveCriticalSection
0x45f184 EnterCriticalSection
0x45f188 InitializeCriticalSection
0x45f18c VirtualFree
0x45f190 VirtualAlloc
0x45f194 LocalFree
0x45f198 LocalAlloc
0x45f19c GetTickCount
0x45f1a0 QueryPerformanceCounter
0x45f1a4 GetVersion
0x45f1a8 GetCurrentThreadId
0x45f1ac InterlockedDecrement
0x45f1b0 InterlockedIncrement
0x45f1b4 VirtualQuery
0x45f1b8 WideCharToMultiByte
0x45f1bc MultiByteToWideChar
0x45f1c0 lstrlenA
0x45f1c4 lstrcpynA
0x45f1c8 LoadLibraryExA
0x45f1cc GetThreadLocale
0x45f1d0 GetStartupInfoA
0x45f1d4 GetProcAddress
0x45f1d8 GetModuleHandleA
0x45f1dc GetModuleFileNameA
0x45f1e0 GetLocaleInfoA
0x45f1e4 GetCommandLineA
0x45f1e8 FreeLibrary
0x45f1ec FindFirstFileA
0x45f1f0 FindClose
0x45f1f4 ExitProcess
0x45f1f8 ExitThread
0x45f1fc WriteFile
0x45f200 UnhandledExceptionFilter
0x45f204 RtlUnwind
0x45f208 RaiseException
0x45f20c GetStdHandle
user32.dll
0x45f214 GetKeyboardType
0x45f218 LoadStringA
0x45f21c MessageBoxA
0x45f220 CharNextA
advapi32.dll
0x45f228 RegQueryValueExA
0x45f22c RegOpenKeyExA
0x45f230 RegCloseKey
oleaut32.dll
0x45f238 SysFreeString
0x45f23c SysReAllocStringLen
0x45f240 SysAllocStringLen
kernel32.dll
0x45f248 TlsSetValue
0x45f24c TlsGetValue
0x45f250 TlsFree
0x45f254 TlsAlloc
0x45f258 LocalFree
0x45f25c LocalAlloc
advapi32.dll
0x45f264 RegOpenKeyA
kernel32.dll
0x45f26c WriteProcessMemory
0x45f270 WriteFile
0x45f274 WideCharToMultiByte
0x45f278 WaitForSingleObject
0x45f27c VirtualQuery
0x45f280 VirtualProtectEx
0x45f284 VirtualProtect
0x45f288 VirtualFree
0x45f28c VirtualAllocEx
0x45f290 VirtualAlloc
0x45f294 SystemTimeToFileTime
0x45f298 SizeofResource
0x45f29c SetThreadContext
0x45f2a0 SetLastError
0x45f2a4 SetFileTime
0x45f2a8 SetFilePointer
0x45f2ac SetFileAttributesW
0x45f2b0 SetFileAttributesA
0x45f2b4 SetEvent
0x45f2b8 SetErrorMode
0x45f2bc SetEndOfFile
0x45f2c0 SetCurrentDirectoryW
0x45f2c4 SetCurrentDirectoryA
0x45f2c8 ResetEvent
0x45f2cc RemoveDirectoryW
0x45f2d0 RemoveDirectoryA
0x45f2d4 ReadProcessMemory
0x45f2d8 ReadFile
0x45f2dc QueryDosDeviceW
0x45f2e0 PostQueuedCompletionStatus
0x45f2e4 MultiByteToWideChar
0x45f2e8 LockResource
0x45f2ec LoadResource
0x45f2f0 LoadLibraryW
0x45f2f4 LoadLibraryA
0x45f2f8 LeaveCriticalSection
0x45f2fc IsBadWritePtr
0x45f300 IsBadStringPtrW
0x45f304 IsBadReadPtr
0x45f308 InitializeCriticalSection
0x45f30c GetWindowsDirectoryW
0x45f310 GetWindowsDirectoryA
0x45f314 GetVersionExA
0x45f318 GetVersion
0x45f31c GetThreadLocale
0x45f320 GetThreadContext
0x45f324 GetTempPathW
0x45f328 GetTempPathA
0x45f32c GetTempFileNameW
0x45f330 GetTempFileNameA
0x45f334 GetSystemDirectoryW
0x45f338 GetSystemDirectoryA
0x45f33c GetStringTypeExW
0x45f340 GetStringTypeExA
0x45f344 GetStdHandle
0x45f348 GetProcAddress
0x45f34c GetModuleHandleA
0x45f350 GetModuleFileNameW
0x45f354 GetModuleFileNameA
0x45f358 GetLogicalDriveStringsW
0x45f35c GetLocaleInfoW
0x45f360 GetLocaleInfoA
0x45f364 GetLocalTime
0x45f368 GetLastError
0x45f36c GetFullPathNameW
0x45f370 GetFullPathNameA
0x45f374 GetFileSize
0x45f378 GetFileAttributesW
0x45f37c GetFileAttributesA
0x45f380 GetDiskFreeSpaceA
0x45f384 GetDateFormatA
0x45f388 GetCurrentThreadId
0x45f38c GetCurrentProcessId
0x45f390 GetCurrentProcess
0x45f394 GetCurrentDirectoryW
0x45f398 GetCurrentDirectoryA
0x45f39c GetCPInfo
0x45f3a0 GetACP
0x45f3a4 FreeResource
0x45f3a8 FreeLibrary
0x45f3ac FormatMessageA
0x45f3b0 FlushInstructionCache
0x45f3b4 FlushFileBuffers
0x45f3b8 FindResourceW
0x45f3bc FindNextFileW
0x45f3c0 FindNextFileA
0x45f3c4 FindFirstFileW
0x45f3c8 FindFirstFileA
0x45f3cc FindClose
0x45f3d0 FileTimeToLocalFileTime
0x45f3d4 FileTimeToDosDateTime
0x45f3d8 ExitProcess
0x45f3dc EnumCalendarInfoA
0x45f3e0 EnterCriticalSection
0x45f3e4 DeleteFileW
0x45f3e8 DeleteFileA
0x45f3ec DeleteCriticalSection
0x45f3f0 CreateRemoteThread
0x45f3f4 CreateFileW
0x45f3f8 CreateFileA
0x45f3fc CreateEventA
0x45f400 CreateDirectoryW
0x45f404 CreateDirectoryA
0x45f408 CompareStringW
0x45f40c CompareStringA
0x45f410 CloseHandle
user32.dll
0x45f418 MessageBoxA
0x45f41c LoadStringA
0x45f420 GetSystemMetrics
0x45f424 CharUpperBuffW
0x45f428 CharUpperW
0x45f42c CharLowerBuffW
0x45f430 CharLowerW
0x45f434 CharNextA
0x45f438 CharLowerA
0x45f43c CharUpperA
0x45f440 CharToOemA
kernel32.dll
0x45f448 Sleep
kernel32.dll
0x45f450 ActivateActCtx
0x45f454 CreateActCtxW
0x45f458 QueryDosDeviceW
ole32.dll
0x45f460 CreateStreamOnHGlobal
0x45f464 CoUninitialize
0x45f468 CoInitialize
oleaut32.dll
0x45f470 GetErrorInfo
0x45f474 SysFreeString
oleaut32.dll
0x45f47c SafeArrayPtrOfIndex
0x45f480 SafeArrayGetUBound
0x45f484 SafeArrayGetLBound
0x45f488 SafeArrayCreate
0x45f48c VariantChangeType
0x45f490 VariantCopy
0x45f494 VariantClear
0x45f498 VariantInit
ntdll.dll
0x45f4a0 RtlInitUnicodeString
0x45f4a4 RtlFreeUnicodeString
0x45f4a8 RtlFormatCurrentUserKeyPath
0x45f4ac RtlDosPathNameToNtPathName_U
SHFolder.dll
0x45f4b4 SHGetFolderPathW
0x45f4b8 SHGetFolderPathA
ntdll.dll
0x45f4c0 ZwProtectVirtualMemory
shlwapi.dll
0x45f4c8 PathMatchSpecW
ntdll.dll
0x45f4d0 LdrGetProcedureAddress
0x45f4d4 RtlFreeUnicodeString
0x45f4d8 RtlInitAnsiString
0x45f4dc RtlAnsiStringToUnicodeString
0x45f4e0 LdrLoadDll
EAT(Export Address Table) is none