popup

Report - svchost.exe

Generic Malware PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.09.09 09:07 Machine s1_win7_x6401
Filename svchost.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score
8
 Behavior Score
7.4
ZERO API file : malware
VT API (file) 48 detected (CautusL, malicious, high confidence, Siggen14, Mikey, GenericRI, S20702303, Graftor, Unsafe, Solmyr, Eldorado, Attribute, HighConfidence, ACBZ, score, ixdyob, RATX, ULPM, ASMalwS, ParalaxRat, 13NZCK2, R436666, GenericRXAA, ai score=89, Gencirc, mpJSPmzsnqA, Static AI, Malicious PE, susgen, GdSda)
md5 fc8ce0eb1a60a03e0b167b680af1625d
sha256 1118b519f21a145a3e72b8c4b03fa7c8f22d6e1ab7ee6b103595d5cd6775b0a1
ssdeep 24576:tndRKZCy2BrhCeU2i2cJijFbCBTPmiY05tJMSQp5ysA7Yg1nLkzwvWJrPwStB:1XDFBU2iIBb0xY/6sUYYDelPwSv
imphash 6ed4f5f04d62b18d96b26d6db7c18840
impfuzzy 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRn:dBJAEoZ/OEGDzyRn
  Network IP location

Signature (11cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 48 AntiVirus engines on VirusTotal as malicious
watch A process attempted to delay the analysis task.
watch Communicates with host for which no DNS query was performed
watch Creates a windows hook that monitors keyboard input (keylogger)
watch Installs an hook procedure to monitor for mouse events
watch Looks for the Windows Idle Time to determine the uptime
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX

Rules (3cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
65.21.3.192
whois
Unknown 65.21.3.192 malware

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
 0x7e3028 LoadLibraryA
 0x7e302c ExitProcess
 0x7e3030 GetProcAddress
 0x7e3034 VirtualProtect

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure