ScreenShot
| Created | 2023.10.13 08:41 | Machine | s1_win7_x6401 |
| Filename | svchost.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 13 detected (AIDetectMalware, malicious, high confidence, unsafe, confidence, Attribute, HighConfidence, score, Wacatac, susgen) | ||
| md5 | c9abc0932559d7ecced02a9125acea05 | ||
| sha256 | c284505447b8529fdd468e13f149582f5083cf442733bfb7bdebf66d38476f20 | ||
| ssdeep | 98304:TMOl82OGyTIZ+e9KsPdJDrL6R2tcya1luLIlMCABHQ:T9l82skVxEGcya1lVKQ | ||
| imphash | 847c2f25b48889c8545823bcf35ae6ba | ||
| impfuzzy | 48:/orXA9Q9WbW2AES1jtv4Bc+py5S35DTXNn:ArXA29WbW2NS1jtv4Bc+py5eDNn | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| watch | File has been identified by 13 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
crypt.dll
0x140038318 BCryptGenRandom
ADVAPI32.dll
0x140038000 SystemFunction036
KERNEL32.dll
0x140038010 CreateFileW
0x140038018 RtlVirtualUnwind
0x140038020 Sleep
0x140038028 LoadLibraryA
0x140038030 GetProcAddress
0x140038038 VirtualProtect
0x140038040 GetProcessHeap
0x140038048 HeapAlloc
0x140038050 HeapFree
0x140038058 AddVectoredExceptionHandler
0x140038060 SetThreadStackGuarantee
0x140038068 GetLastError
0x140038070 GetCurrentThread
0x140038078 HeapReAlloc
0x140038080 GetCurrentProcess
0x140038088 CloseHandle
0x140038090 GetModuleHandleA
0x140038098 TryAcquireSRWLockExclusive
0x1400380a0 ReleaseSRWLockExclusive
0x1400380a8 GetStdHandle
0x1400380b0 GetConsoleMode
0x1400380b8 WaitForSingleObject
0x1400380c0 MultiByteToWideChar
0x1400380c8 WriteConsoleW
0x1400380d0 SetLastError
0x1400380d8 WaitForSingleObjectEx
0x1400380e0 CreateMutexA
0x1400380e8 ReleaseMutex
0x1400380f0 RtlLookupFunctionEntry
0x1400380f8 GetModuleHandleW
0x140038100 FormatMessageW
0x140038108 GetCurrentDirectoryW
0x140038110 RtlCaptureContext
0x140038118 AcquireSRWLockExclusive
0x140038120 GetEnvironmentVariableW
0x140038128 AcquireSRWLockShared
0x140038130 ReleaseSRWLockShared
0x140038138 FreeLibrary
0x140038140 SetFilePointerEx
0x140038148 GetConsoleOutputCP
0x140038150 FlushFileBuffers
0x140038158 HeapSize
0x140038160 LCMapStringW
0x140038168 CompareStringW
0x140038170 FlsFree
0x140038178 FlsSetValue
0x140038180 FlsGetValue
0x140038188 FlsAlloc
0x140038190 QueryPerformanceCounter
0x140038198 GetCurrentProcessId
0x1400381a0 GetCurrentThreadId
0x1400381a8 GetSystemTimeAsFileTime
0x1400381b0 InitializeSListHead
0x1400381b8 IsDebuggerPresent
0x1400381c0 UnhandledExceptionFilter
0x1400381c8 SetUnhandledExceptionFilter
0x1400381d0 GetStartupInfoW
0x1400381d8 IsProcessorFeaturePresent
0x1400381e0 RtlUnwindEx
0x1400381e8 EncodePointer
0x1400381f0 RaiseException
0x1400381f8 EnterCriticalSection
0x140038200 LeaveCriticalSection
0x140038208 DeleteCriticalSection
0x140038210 InitializeCriticalSectionAndSpinCount
0x140038218 TlsAlloc
0x140038220 TlsGetValue
0x140038228 TlsSetValue
0x140038230 TlsFree
0x140038238 LoadLibraryExW
0x140038240 RtlPcToFileHeader
0x140038248 WriteFile
0x140038250 GetModuleFileNameW
0x140038258 ExitProcess
0x140038260 TerminateProcess
0x140038268 GetModuleHandleExW
0x140038270 GetCommandLineA
0x140038278 GetCommandLineW
0x140038280 FindClose
0x140038288 FindFirstFileExW
0x140038290 FindNextFileW
0x140038298 IsValidCodePage
0x1400382a0 GetACP
0x1400382a8 GetOEMCP
0x1400382b0 GetCPInfo
0x1400382b8 WideCharToMultiByte
0x1400382c0 GetEnvironmentStringsW
0x1400382c8 FreeEnvironmentStringsW
0x1400382d0 SetEnvironmentVariableW
0x1400382d8 SetStdHandle
0x1400382e0 GetFileType
0x1400382e8 GetStringTypeW
PSAPI.DLL
0x1400382f8 GetModuleFileNameExW
0x140038300 GetModuleBaseNameW
0x140038308 EnumProcessModulesEx
oleaut32.dll
0x140038340 SafeArrayCreateVector
0x140038348 SysAllocStringLen
0x140038350 SafeArrayUnaccessData
0x140038358 SafeArrayAccessData
0x140038360 SafeArrayCreate
0x140038368 SysStringLen
0x140038370 SafeArrayPutElement
0x140038378 SafeArrayGetUBound
0x140038380 SafeArrayGetLBound
0x140038388 GetErrorInfo
0x140038390 SysFreeString
ntdll.dll
0x140038328 NtWriteFile
0x140038330 RtlNtStatusToDosError
EAT(Export Address Table) is none
crypt.dll
0x140038318 BCryptGenRandom
ADVAPI32.dll
0x140038000 SystemFunction036
KERNEL32.dll
0x140038010 CreateFileW
0x140038018 RtlVirtualUnwind
0x140038020 Sleep
0x140038028 LoadLibraryA
0x140038030 GetProcAddress
0x140038038 VirtualProtect
0x140038040 GetProcessHeap
0x140038048 HeapAlloc
0x140038050 HeapFree
0x140038058 AddVectoredExceptionHandler
0x140038060 SetThreadStackGuarantee
0x140038068 GetLastError
0x140038070 GetCurrentThread
0x140038078 HeapReAlloc
0x140038080 GetCurrentProcess
0x140038088 CloseHandle
0x140038090 GetModuleHandleA
0x140038098 TryAcquireSRWLockExclusive
0x1400380a0 ReleaseSRWLockExclusive
0x1400380a8 GetStdHandle
0x1400380b0 GetConsoleMode
0x1400380b8 WaitForSingleObject
0x1400380c0 MultiByteToWideChar
0x1400380c8 WriteConsoleW
0x1400380d0 SetLastError
0x1400380d8 WaitForSingleObjectEx
0x1400380e0 CreateMutexA
0x1400380e8 ReleaseMutex
0x1400380f0 RtlLookupFunctionEntry
0x1400380f8 GetModuleHandleW
0x140038100 FormatMessageW
0x140038108 GetCurrentDirectoryW
0x140038110 RtlCaptureContext
0x140038118 AcquireSRWLockExclusive
0x140038120 GetEnvironmentVariableW
0x140038128 AcquireSRWLockShared
0x140038130 ReleaseSRWLockShared
0x140038138 FreeLibrary
0x140038140 SetFilePointerEx
0x140038148 GetConsoleOutputCP
0x140038150 FlushFileBuffers
0x140038158 HeapSize
0x140038160 LCMapStringW
0x140038168 CompareStringW
0x140038170 FlsFree
0x140038178 FlsSetValue
0x140038180 FlsGetValue
0x140038188 FlsAlloc
0x140038190 QueryPerformanceCounter
0x140038198 GetCurrentProcessId
0x1400381a0 GetCurrentThreadId
0x1400381a8 GetSystemTimeAsFileTime
0x1400381b0 InitializeSListHead
0x1400381b8 IsDebuggerPresent
0x1400381c0 UnhandledExceptionFilter
0x1400381c8 SetUnhandledExceptionFilter
0x1400381d0 GetStartupInfoW
0x1400381d8 IsProcessorFeaturePresent
0x1400381e0 RtlUnwindEx
0x1400381e8 EncodePointer
0x1400381f0 RaiseException
0x1400381f8 EnterCriticalSection
0x140038200 LeaveCriticalSection
0x140038208 DeleteCriticalSection
0x140038210 InitializeCriticalSectionAndSpinCount
0x140038218 TlsAlloc
0x140038220 TlsGetValue
0x140038228 TlsSetValue
0x140038230 TlsFree
0x140038238 LoadLibraryExW
0x140038240 RtlPcToFileHeader
0x140038248 WriteFile
0x140038250 GetModuleFileNameW
0x140038258 ExitProcess
0x140038260 TerminateProcess
0x140038268 GetModuleHandleExW
0x140038270 GetCommandLineA
0x140038278 GetCommandLineW
0x140038280 FindClose
0x140038288 FindFirstFileExW
0x140038290 FindNextFileW
0x140038298 IsValidCodePage
0x1400382a0 GetACP
0x1400382a8 GetOEMCP
0x1400382b0 GetCPInfo
0x1400382b8 WideCharToMultiByte
0x1400382c0 GetEnvironmentStringsW
0x1400382c8 FreeEnvironmentStringsW
0x1400382d0 SetEnvironmentVariableW
0x1400382d8 SetStdHandle
0x1400382e0 GetFileType
0x1400382e8 GetStringTypeW
PSAPI.DLL
0x1400382f8 GetModuleFileNameExW
0x140038300 GetModuleBaseNameW
0x140038308 EnumProcessModulesEx
oleaut32.dll
0x140038340 SafeArrayCreateVector
0x140038348 SysAllocStringLen
0x140038350 SafeArrayUnaccessData
0x140038358 SafeArrayAccessData
0x140038360 SafeArrayCreate
0x140038368 SysStringLen
0x140038370 SafeArrayPutElement
0x140038378 SafeArrayGetUBound
0x140038380 SafeArrayGetLBound
0x140038388 GetErrorInfo
0x140038390 SysFreeString
ntdll.dll
0x140038328 NtWriteFile
0x140038330 RtlNtStatusToDosError
EAT(Export Address Table) is none