| Field | Value |
|---|---|
| Created | 2021.11.11 12:48 |
| Machine | s1_win7_x6401 |
| Filename | Svchost.exe |
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| ZERO API | file : clean |
| VT API (file) | 32 detected (AIDetect, malware2, malicious, high confidence, Fragtor, MachineLearning, Anomalous, 100%, ZexaF, nL0@aGDW4mki, Eldorado, Attribute, HighConfidence, Kryptik, HNCG, PWSX, MultiPlug, Static AI, Malicious PE, Krypt, score, R447594, Unsafe, ai score=82) |
| md5 | 954cb27a8b7a8022163bf0855e9dc1da |
| sha256 | cdb4e3529f2cc4a1c9be0fc3da007e011f2cdd275aca1c8639cd682c9116f8c3 |
| ssdeep | 24576:tOSb5hndv5nLTaxQzYO/McICSlKp3uJhcH1S60D2DU:hrdhf8KMc3McQW0TT |
| imphash | ca2428f95da32f90e7651228c28ff6a1 |
| impfuzzy | 24:+azz2kfCejrOov1lDIcLVbjIX53Qr9WzOqdQGMZO:FHfCCaVc54XlhzOqdQGJ |
Network IP location
Signature (5cnts)
Level | Description |
---|---|
danger | File has been identified by 32 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Collects information to fingerprint the system (MachineGuid) |
Rules (2cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET DNS Query to a *.top domain - Likely Hostile
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
ADVAPI32.DLL
0x674180 AdjustTokenPrivileges
0x674184 GetUserNameW
0x674188 LookupPrivilegeValueW
0x67418c OpenProcessToken
GDI32.dll
0x674194 CreateFontIndirectW
0x674198 SetBkMode
0x67419c SetTextColor
KERNEL32.dll
0x6741a4 CreateThread
0x6741a8 DeleteCriticalSection
0x6741ac EnterCriticalSection
0x6741b0 ExitProcess
0x6741b4 FindClose
0x6741b8 FindFirstFileA
0x6741bc FindNextFileA
0x6741c0 FreeLibrary
0x6741c4 GetCommandLineA
0x6741c8 GetLastError
0x6741cc GetModuleHandleA
0x6741d0 GetProcAddress
0x6741d4 InitializeCriticalSection
0x6741d8 LeaveCriticalSection
0x6741dc LoadLibraryA
0x6741e0 SetUnhandledExceptionFilter
0x6741e4 TlsGetValue
0x6741e8 VirtualProtect
0x6741ec VirtualQuery
0x6741f0 WaitForSingleObject
0x6741f4 lstrlenA
msvcrt.dll
0x6741fc _strdup
0x674200 _stricoll
msvcrt.dll
0x674208 __getmainargs
0x67420c __mb_cur_max
0x674210 __p__environ
0x674214 __p__fmode
0x674218 __set_app_type
0x67421c _cexit
0x674220 _errno
0x674224 _fpreset
0x674228 _fullpath
0x67422c _iob
0x674230 _isctype
0x674234 _onexit
0x674238 _pctype
0x67423c _setmode
0x674240 _strdup
0x674244 abort
0x674248 atexit
0x67424c calloc
0x674250 free
0x674254 fwrite
0x674258 malloc
0x67425c mbstowcs
0x674260 memcpy
0x674264 realloc
0x674268 setlocale
0x67426c signal
0x674270 strcoll
0x674274 strlen
0x674278 tolower
0x67427c vfprintf
0x674280 wcstombs
EAT(Export Address Table) is none