ScreenShot
Field | Value |
---|---|
Created | 2022.12.05 09:53 |
Machine | s1_win7_x6403 |
Filename | svchost.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 48 detected (Fsysna, MulDrop20, Fragtor, Unsafe, Vvjy, ZexaF, fu0@ayCZ@Pji, ABTrojan, BLWN, Attribute, HighConfidence, malicious, high confidence, ADYK, ihjv, jsthyw, TrojanX, Ckjl, R067C0PIB22, Detected, XPACK, Gen3, kcloud, Woreflint, score, ai score=84, lVmKEGZ4QoP, susgen, PossibleThreat, Chgt) |
md5 | b8d23f55d8924b617a57035db1cd3eb0 |
sha256 | 921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8 |
ssdeep | 1536:Q+uA+pnOZyTfpU9tE6lrY4eOmunPXqDMlsKrKN08LpSMm+IEQFTm:RuBA+hME6+SnPQasBN0cSN+IlFTm |
imphash | 90ed158733fbf50c643f5d1f7acc2500 |
impfuzzy | 96:q/5pwPU3r2p+xPARsWA+2nCdX8Cs7p6/R+ynK3y:KwXs3XnYns7p6IC |
Network IP location
Signature (15 cnts)
Level | Description |
---|---|
danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Creates a suspicious process |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Queries for the computername |
Rules (40 cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate priviledges | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | Persistence | Install itself for autorun at Windows startup | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
PE API
IAT (Import Address Table) Library
ole32.dll
0x40e300 CoInitialize
0x40e304 CoCreateInstance
0x40e308 OleInitialize
KERNEL32.dll
0x40e078 CreateJobObjectW
0x40e07c SetFilePointer
0x40e080 LocalAlloc
0x40e084 GetPrivateProfileSectionNamesW
0x40e088 ResumeThread
0x40e08c OpenProcess
0x40e090 GetPrivateProfileStringW
0x40e094 Sleep
0x40e098 lstrcpyA
0x40e09c LocalFree
0x40e0a0 GetCurrentProcessId
0x40e0a4 CreateProcessW
0x40e0a8 lstrcpyW
0x40e0ac CreateProcessA
0x40e0b0 TerminateJobObject
0x40e0b4 GetTickCount
0x40e0b8 GetCurrentProcess
0x40e0bc CreateFileMappingA
0x40e0c0 ExitProcess
0x40e0c4 lstrcmpiW
0x40e0c8 SetErrorMode
0x40e0cc GetCommandLineA
0x40e0d0 SetUnhandledExceptionFilter
0x40e0d4 FindFirstFileW
0x40e0d8 FindNextFileW
0x40e0dc FindClose
0x40e0e0 WaitForSingleObject
0x40e0e4 GetProcAddress
0x40e0e8 SetFileAttributesW
0x40e0ec CreateToolhelp32Snapshot
0x40e0f0 Process32NextW
0x40e0f4 TerminateThread
0x40e0f8 Process32FirstW
0x40e0fc GetWindowsDirectoryW
0x40e100 MoveFileW
0x40e104 GetCommandLineW
0x40e108 AssignProcessToJobObject
0x40e10c ExitThread
0x40e110 WaitForMultipleObjects
0x40e114 EnterCriticalSection
0x40e118 ExpandEnvironmentStringsW
0x40e11c LeaveCriticalSection
0x40e120 InitializeCriticalSection
0x40e124 DeleteCriticalSection
0x40e128 GetModuleFileNameW
0x40e12c Process32First
0x40e130 lstrcpynW
0x40e134 GetEnvironmentVariableW
0x40e138 GetCurrentThreadId
0x40e13c ProcessIdToSessionId
0x40e140 Process32Next
0x40e144 WTSGetActiveConsoleSessionId
0x40e148 lstrcpynA
0x40e14c lstrcmpW
0x40e150 GetPrivateProfileIntW
0x40e154 CreateThread
0x40e158 CloseHandle
0x40e15c DeleteFileW
0x40e160 WritePrivateProfileStringW
0x40e164 GlobalAlloc
0x40e168 lstrcatW
0x40e16c GetLastError
0x40e170 FormatMessageW
0x40e174 GetModuleHandleA
0x40e178 lstrcatA
0x40e17c GetFileAttributesW
0x40e180 CreateFileW
0x40e184 lstrlenA
0x40e188 GetTempPathW
0x40e18c VirtualAlloc
0x40e190 WriteFile
0x40e194 lstrlenW
0x40e198 VirtualFree
0x40e19c ReadFile
0x40e1a0 CreateDirectoryW
0x40e1a4 lstrcmpiA
0x40e1a8 LoadLibraryA
0x40e1ac GlobalUnlock
0x40e1b0 TerminateProcess
0x40e1b4 GetTempFileNameW
0x40e1b8 CopyFileW
0x40e1bc GetFileSize
0x40e1c0 GetVersionExW
0x40e1c4 GlobalLock
0x40e1c8 lstrcmpA
USER32.dll
0x40e1dc WindowFromPoint
0x40e1e0 ScreenToClient
0x40e1e4 SendMessageTimeoutA
0x40e1e8 SendMessageTimeoutW
0x40e1ec GetWindowRect
0x40e1f0 PostMessageW
0x40e1f4 GetKeyboardLayoutList
0x40e1f8 GetProcessWindowStation
0x40e1fc GetDesktopWindow
0x40e200 GetUserObjectInformationW
0x40e204 EnumDisplayDevicesW
0x40e208 GetThreadDesktop
0x40e20c GetSystemMetrics
0x40e210 MonitorFromWindow
0x40e214 ToAscii
0x40e218 SetForegroundWindow
0x40e21c PtInRect
0x40e220 MenuItemFromPoint
0x40e224 HiliteMenuItem
0x40e228 ActivateKeyboardLayout
0x40e22c PrintWindow
0x40e230 CreateDesktopA
0x40e234 GetClassNameW
0x40e238 BringWindowToTop
0x40e23c GetTopWindow
0x40e240 OpenDesktopA
0x40e244 VkKeyScanExA
0x40e248 GetKeyboardState
0x40e24c GetMenuItemCount
0x40e250 SetActiveWindow
0x40e254 SetWindowPos
0x40e258 GetDC
0x40e25c GetMenu
0x40e260 GetWindow
0x40e264 GetWindowPlacement
0x40e268 IsWindow
0x40e26c SetWindowLongA
0x40e270 GetKeyboardLayout
0x40e274 MoveWindow
0x40e278 SetFocus
0x40e27c LoadKeyboardLayoutA
0x40e280 SystemParametersInfoA
0x40e284 GetParent
0x40e288 GetMessageW
0x40e28c DispatchMessageA
0x40e290 IsWindowVisible
0x40e294 SendMessageW
0x40e298 SetThreadDesktop
0x40e29c ShowWindow
0x40e2a0 GetWindowLongA
0x40e2a4 TranslateMessage
0x40e2a8 GetWindowTextW
0x40e2ac GetClassNameA
0x40e2b0 OemToCharA
0x40e2b4 GetDlgItem
0x40e2b8 SetWinEventHook
0x40e2bc CharLowerA
0x40e2c0 UnhookWinEvent
0x40e2c4 wsprintfA
0x40e2c8 GetWindowThreadProcessId
0x40e2cc PostMessageA
0x40e2d0 FindWindowExA
0x40e2d4 EnumDesktopWindows
0x40e2d8 FindWindowA
0x40e2dc OpenClipboard
0x40e2e0 wvsprintfW
0x40e2e4 CloseClipboard
0x40e2e8 EmptyClipboard
0x40e2ec GetClipboardData
0x40e2f0 SetClipboardData
0x40e2f4 IsClipboardFormatAvailable
0x40e2f8 wvsprintfA
GDI32.dll
0x40e04c SelectObject
0x40e050 CreateCompatibleBitmap
0x40e054 DeleteDC
0x40e058 CreatePen
0x40e05c Rectangle
0x40e060 GetDIBits
0x40e064 BitBlt
0x40e068 DeleteObject
0x40e06c CreateSolidBrush
0x40e070 CreateCompatibleDC
COMDLG32.dll
0x40e040 GetOpenFileNameW
0x40e044 GetSaveFileNameW
ADVAPI32.dll
0x40e000 RegQueryValueExW
0x40e004 RegOpenKeyExW
0x40e008 RegOpenKeyExA
0x40e00c RegQueryValueExA
0x40e010 GetSidSubAuthorityCount
0x40e014 GetSidSubAuthority
0x40e018 RegCloseKey
0x40e01c RegSetValueExA
0x40e020 RegQueryValueA
0x40e024 RegSetValueA
0x40e028 RegEnumKeyA
0x40e02c RegDeleteValueA
0x40e030 RegSetValueExW
0x40e034 GetTokenInformation
0x40e038 OpenProcessToken
SHELL32.dll
0x40e1d0 SHGetFolderPathW
0x40e1d4 ShellExecuteW
EAT (Export Address Table): none