Field | Value
---|---
Created | 2023.06.27 07:36
Machine | s1_win7_x6401
Filename | svchost.exe
Type | PE32 executable (GUI) Intel 80386, for MS Windows
AI Score |
Behavior Score |
ZERO API | file : malware
VT API (file) | 48 detected (AIDetectMalware, 5sW@aGmZVmk, Save, TrojanPSW, malicious, Eldorado, Attribute, HighConfidence, Windows, Vidar, score, bopm, PWSX, QQPass, QQRob, Wylw, ATRAPS, Gen4, YXDFWZ, high, Static AI, Malicious PE, Arkei, H4AWWK, Detected, R588668, Artemis, ai score=83, BScope, unsafe, Genetic, AvQdEuhLBi, confidence, 100%)
md5 | 1fb72647665a1635f4fbef1430d43279
sha256 | c21c505650cd2b99a23f1cebb6cbd544552c02d9334460c72aadf436d68cdab1
ssdeep | 49152:VN+1VxCkbPBzS7ULCbGyDboE8wrupidLNDNVeC1T5nY5tHfswXNWoUr3EHDMYCpk:SlpDBzS7UL+G3q5V7y5JB9WBUHIYCpsT
imphash | 2deb0170673a67617f054deaf02df626
impfuzzy | 24:jNDoy4yFBX+ZKqckNdZ+fcWbluGIOovItZJ3xnlyvcjMZ/HOTGwAiwxJTd1EQ4EI:jD6ZxBdZ+fcDGHntb1KE6NyQI
Network IP location
Signature (12cnts)
Level | Description |
---|---|
danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Network activity contains more than one unique useragent |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates executable files on the filesystem |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
info | Queries for the computername |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (7cnts)
Suricata IDs
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x440014 Sleep
0x440018 GetSystemInfo
0x44001c lstrlenA
0x440020 lstrcatA
0x440024 VirtualProtect
0x440028 HeapAlloc
0x44002c GetProcessHeap
0x440030 GetProcAddress
0x440034 LoadLibraryA
0x440038 VirtualAlloc
0x44003c GetLogicalProcessorInformationEx
0x440040 CloseHandle
0x440044 Process32Next
0x440048 Process32First
0x44004c CreateToolhelp32Snapshot
0x440050 FindNextFileW
0x440054 VirtualAllocExNuma
0x440058 SetEndOfFile
0x44005c VirtualFree
0x440060 TerminateProcess
0x440064 GetCurrentProcess
0x440068 CreateFileW
0x44006c CreateFileA
0x440070 SetStdHandle
0x440074 WriteConsoleW
0x440078 LoadLibraryW
0x44007c IsValidLocale
0x440080 EnumSystemLocalesA
0x440084 GetLocaleInfoA
0x440088 GetUserDefaultLCID
0x44008c GetLocaleInfoW
0x440090 GetStringTypeW
0x440094 FindFirstFileW
0x440098 ExitProcess
0x44009c InterlockedIncrement
0x4400a0 InterlockedDecrement
0x4400a4 WideCharToMultiByte
0x4400a8 InterlockedExchange
0x4400ac InitializeCriticalSection
0x4400b0 DeleteCriticalSection
0x4400b4 EnterCriticalSection
0x4400b8 LeaveCriticalSection
0x4400bc EncodePointer
0x4400c0 DecodePointer
0x4400c4 MultiByteToWideChar
0x4400c8 GetLastError
0x4400cc HeapFree
0x4400d0 RaiseException
0x4400d4 RtlUnwind
0x4400d8 HeapReAlloc
0x4400dc GetSystemTimeAsFileTime
0x4400e0 GetCommandLineA
0x4400e4 HeapSetInformation
0x4400e8 GetStartupInfoW
0x4400ec LCMapStringW
0x4400f0 GetCPInfo
0x4400f4 IsProcessorFeaturePresent
0x4400f8 UnhandledExceptionFilter
0x4400fc SetUnhandledExceptionFilter
0x440100 IsDebuggerPresent
0x440104 GetModuleHandleW
0x440108 WriteFile
0x44010c GetStdHandle
0x440110 GetModuleFileNameW
0x440114 HeapCreate
0x440118 TlsAlloc
0x44011c TlsGetValue
0x440120 TlsSetValue
0x440124 TlsFree
0x440128 SetLastError
0x44012c GetCurrentThreadId
0x440130 GetACP
0x440134 GetOEMCP
0x440138 IsValidCodePage
0x44013c HeapSize
0x440140 SetHandleCount
0x440144 InitializeCriticalSectionAndSpinCount
0x440148 GetFileType
0x44014c GetConsoleCP
0x440150 GetConsoleMode
0x440154 FlushFileBuffers
0x440158 ReadFile
0x44015c SetFilePointer
0x440160 GetModuleFileNameA
0x440164 FreeEnvironmentStringsW
0x440168 GetEnvironmentStringsW
0x44016c QueryPerformanceCounter
0x440170 GetTickCount
0x440174 GetCurrentProcessId
USER32.dll
0x440190 ReleaseDC
GDI32.dll
0x440008 GetDeviceCaps
0x44000c CreateDCA
ole32.dll
0x440198 CoCreateInstance
0x44019c CoInitializeSecurity
0x4401a0 CoInitializeEx
0x4401a4 CoSetProxyBlanket
OLEAUT32.dll
0x44017c SysFreeString
0x440180 VariantClear
0x440184 VariantInit
0x440188 SysAllocString
CRYPT32.dll
0x440000 CryptStringToBinaryA
EAT (Export Address Table): none