ScreenShot
| Created | 2021.10.13 19:45 | Machine | s1_win7_x6401 |
| Filename | svchost.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 26 detected (Bulz, malicious, high confidence, Generic ML PUA, Tnega, score, Artemis, ai score=85, R002H09IJ21, Static AI, Suspicious PE, PossibleThreat, confidence) | ||
| md5 | 340d0f2a160733b307bbe9434dd8b701 | ||
| sha256 | af277cb89f2f2144810957f7ae9fa55f6df4bb097780a8e36d8d97d1c9cec0d3 | ||
| ssdeep | 98304:yqlTteVpNQ2bDCrDzXxoez8Z4pgw93f4lwc/IqEvQP/ghRinibYB8:JlTsWTxLRwlbYQP/g+ib | ||
| imphash | ab2ba2cd627342a99318bbdfb697241c | ||
| impfuzzy | 12:9BnlYcL8wDfTdZtck+mSUC5kBZGoQtXJxZGb9AJcDfA5kLfP9m:7EwXtpC58QtXJHc9NDI5Q8 | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 26 AntiVirus engines on VirusTotal as malicious |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is likely packed with VMProtect |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
WSOCK32.dll
0x14093e000 gethostbyname
WINMM.dll
0x14093e010 mixerGetLineInfoW
VERSION.dll
0x14093e020 GetFileVersionInfoW
COMCTL32.dll
0x14093e030 ImageList_Create
PSAPI.DLL
0x14093e040 GetProcessImageFileNameW
WININET.dll
0x14093e050 InternetOpenW
KERNEL32.dll
0x14093e060 GetVersionExW
0x14093e068 GetVersion
USER32.dll
0x14093e078 MessageBeep
GDI32.dll
0x14093e088 GetPixel
COMDLG32.dll
0x14093e098 CommDlgExtendedError
ADVAPI32.dll
0x14093e0a8 RegDeleteKeyW
SHELL32.dll
0x14093e0b8 DragQueryPoint
ole32.dll
0x14093e0c8 OleInitialize
OLEAUT32.dll
0x14093e0d8 SafeArrayGetLBound
WTSAPI32.dll
0x14093e0e8 WTSSendMessageW
KERNEL32.dll
0x14093e0f8 FlsSetValue
USER32.dll
0x14093e108 GetProcessWindowStation
KERNEL32.dll
0x14093e118 LocalAlloc
0x14093e120 LocalFree
0x14093e128 GetModuleFileNameW
0x14093e130 GetProcessAffinityMask
0x14093e138 SetProcessAffinityMask
0x14093e140 SetThreadAffinityMask
0x14093e148 Sleep
0x14093e150 ExitProcess
0x14093e158 FreeLibrary
0x14093e160 LoadLibraryA
0x14093e168 GetModuleHandleA
0x14093e170 GetProcAddress
USER32.dll
0x14093e180 GetProcessWindowStation
0x14093e188 GetUserObjectInformationW
EAT(Export Address Table) Library
WSOCK32.dll
0x14093e000 gethostbyname
WINMM.dll
0x14093e010 mixerGetLineInfoW
VERSION.dll
0x14093e020 GetFileVersionInfoW
COMCTL32.dll
0x14093e030 ImageList_Create
PSAPI.DLL
0x14093e040 GetProcessImageFileNameW
WININET.dll
0x14093e050 InternetOpenW
KERNEL32.dll
0x14093e060 GetVersionExW
0x14093e068 GetVersion
USER32.dll
0x14093e078 MessageBeep
GDI32.dll
0x14093e088 GetPixel
COMDLG32.dll
0x14093e098 CommDlgExtendedError
ADVAPI32.dll
0x14093e0a8 RegDeleteKeyW
SHELL32.dll
0x14093e0b8 DragQueryPoint
ole32.dll
0x14093e0c8 OleInitialize
OLEAUT32.dll
0x14093e0d8 SafeArrayGetLBound
WTSAPI32.dll
0x14093e0e8 WTSSendMessageW
KERNEL32.dll
0x14093e0f8 FlsSetValue
USER32.dll
0x14093e108 GetProcessWindowStation
KERNEL32.dll
0x14093e118 LocalAlloc
0x14093e120 LocalFree
0x14093e128 GetModuleFileNameW
0x14093e130 GetProcessAffinityMask
0x14093e138 SetProcessAffinityMask
0x14093e140 SetThreadAffinityMask
0x14093e148 Sleep
0x14093e150 ExitProcess
0x14093e158 FreeLibrary
0x14093e160 LoadLibraryA
0x14093e168 GetModuleHandleA
0x14093e170 GetProcAddress
USER32.dll
0x14093e180 GetProcessWindowStation
0x14093e188 GetUserObjectInformationW
EAT(Export Address Table) Library