Field | Value |
---|---|
Created | 2023.11.16 18:34 |
Machine | s1_win7_x6401 |
Filename | svchost.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | Not found |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | |
md5 | 54a47f6b5e09a77e61649109c6a08866 |
sha256 | 121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2 |
ssdeep | 384:eipYzV8555BUcKaJEEyKxC0exYQ1k3KFUOLg2JfvaW9C5bW9odW:3peIszaqEyKxCtxJk6FbXaw |
imphash | 58e185299ecca757fe68ba83a6495fde |
impfuzzy | 48:XGfhx0tX71bKrADd+SoCPUCVmFf8LNotb5eQvwpxvDbiW1cyH1FeBL0nIV:XGfho8AB+SoCPjMf8Ktb5eQvwrvD2W12 |
Signature (2cnts)
Level | Description |
---|---|
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | This executable has a PDB path |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table), grouped by library
msvcrt.dll
0x1001000 __wgetmainargs
0x1001004 _exit
0x1001008 _XcptFilter
0x100100c exit
0x1001010 _initterm
0x1001014 _amsg_exit
0x1001018 __setusermatherr
0x100101c memcpy
0x1001020 _controlfp
0x1001024 _except_handler4_common
0x1001028 ?terminate@@YAXXZ
0x100102c __set_app_type
0x1001030 __p__fmode
0x1001034 __p__commode
0x1001038 _cexit
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
0x1001040 TerminateProcess
0x1001044 GetCurrentProcess
0x1001048 OpenProcessToken
0x100104c GetCurrentProcessId
0x1001050 GetCurrentThreadId
KERNEL32.dll
0x1001058 LocalAlloc
0x100105c CloseHandle
0x1001060 DelayLoadFailureHook
0x1001064 GetProcAddress
0x1001068 GetLastError
0x100106c FreeLibrary
0x1001070 InterlockedCompareExchange
0x1001074 LoadLibraryExA
0x1001078 InterlockedExchange
0x100107c Sleep
0x1001080 SetUnhandledExceptionFilter
0x1001084 GetModuleHandleA
0x1001088 QueryPerformanceCounter
0x100108c GetTickCount
0x1001090 GetSystemTimeAsFileTime
0x1001094 UnhandledExceptionFilter
0x1001098 DeactivateActCtx
0x100109c LoadLibraryExW
0x10010a0 ActivateActCtx
0x10010a4 LeaveCriticalSection
0x10010a8 lstrcmpW
0x10010ac EnterCriticalSection
0x10010b0 RegCloseKey
0x10010b4 RegOpenKeyExW
0x10010b8 HeapSetInformation
0x10010bc lstrcmpiW
0x10010c0 lstrlenW
0x10010c4 LCMapStringW
0x10010c8 RegQueryValueExW
0x10010cc ReleaseActCtx
0x10010d0 CreateActCtxW
0x10010d4 ExpandEnvironmentStringsW
0x10010d8 GetCommandLineW
0x10010dc ExitProcess
0x10010e0 SetProcessAffinityUpdateMode
0x10010e4 RegDisablePredefinedCacheEx
0x10010e8 InitializeCriticalSection
0x10010ec GetProcessHeap
0x10010f0 SetErrorMode
0x10010f4 RegisterWaitForSingleObjectEx
0x10010f8 LocalFree
0x10010fc HeapFree
0x1001100 WideCharToMultiByte
0x1001104 HeapAlloc
ntdll.dll
0x100110c RtlAllocateHeap
0x1001110 RtlLengthRequiredSid
0x1001114 RtlSubAuthoritySid
0x1001118 RtlInitializeSid
0x100111c RtlCopySid
0x1001120 RtlSubAuthorityCountSid
0x1001124 RtlInitializeCriticalSection
0x1001128 RtlSetProcessIsCritical
0x100112c RtlImageNtHeader
0x1001130 RtlUnhandledExceptionFilter
0x1001134 EtwEventWrite
0x1001138 EtwEventEnabled
0x100113c EtwEventRegister
0x1001140 RtlFreeHeap
API-MS-Win-Security-Base-L1-1-0.dll
0x1001148 SetSecurityDescriptorDacl
0x100114c AddAccessAllowedAce
0x1001150 SetSecurityDescriptorOwner
0x1001154 SetSecurityDescriptorGroup
0x1001158 GetTokenInformation
0x100115c InitializeSecurityDescriptor
0x1001160 GetLengthSid
0x1001164 InitializeAcl
API-MS-WIN-Service-Core-L1-1-0.dll
0x100116c StartServiceCtrlDispatcherW
0x1001170 SetServiceStatus
API-MS-WIN-Service-winsvc-L1-1-0.dll
0x1001178 RegisterServiceCtrlHandlerW
RPCRT4.dll
0x1001180 RpcMgmtSetServerStackSize
0x1001184 I_RpcMapWin32Status
0x1001188 RpcServerUnregisterIf
0x100118c RpcMgmtWaitServerListen
0x1001190 RpcMgmtStopServerListening
0x1001194 RpcServerUnregisterIfEx
0x1001198 RpcServerRegisterIf
0x100119c RpcServerUseProtseqEpW
0x10011a0 RpcServerListen
EAT (Export Address Table): none