ScreenShot
Created | 2023.11.25 18:19 | Machine | s1_win7_x6403 |
Filename | sservc.exe | ||
Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : malware | ||
VT API (file) | 35 detected (AIDetectMalware, Chapak, Lockbit, MachineLearning, Anomalous, Save, malicious, confidence, 100%, Attribute, HighConfidence, high confidence, PWSX, Obfuscated, high, score, Krypt, Static AI, Malicious PE, Detected, Recordbreaker, Artemis, BScope, unsafe, SmokeLoader, CLASSIC, susgen, Kryptik, HHTS) | ||
md5 | 4f17e0e8d7f6931d86bcef776619a2b5 | ||
sha256 | 92f3c06a0ba8bc92f1a39521ad2979b86ce409fe9892e5f578e23a48fd8aef46 | ||
ssdeep | 49152:lu1Cicgvix2ooeL/DIk40DHN1Bl7BclwqyW:lusGIUeLhzxRyBv | ||
imphash | 7c1db49ad6667947e0650b5a549f4e65 | ||
impfuzzy | 24:PjkE3jkrXV4WES+ckjKbp4cDP2us1Jo+ATitlNJbtZLOovEG+ncQyv9thIbplOF7:SFpm1XlTtZ6VGgcx9vCsWXa7f |
Network IP location
Signature (26cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | Executed a process and injected code into it |
danger | File has been identified by 35 AntiVirus engines on VirusTotal as malicious |
warning | Generates some ICMP traffic |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
watch | Installs Tor on the machine |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Creates executable files on the filesystem |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Starts servers listening |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Queries for the computername |
info | This executable has a PDB path |
Rules (19cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | hide_executable_file | Hide executable file | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (334cnts) ?
Suricata ids
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 749
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 747
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 719
ET POLICY TLS possible TOR SSL traffic
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 186
ET SCAN Potential SSH Scan OUTBOUND
ET INFO TLS Handshake Failure
ET DNS Query to a *.top domain - Likely Hostile
ET INFO DNS Query for Suspicious .ga Domain
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 747
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 719
ET POLICY TLS possible TOR SSL traffic
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 186
ET SCAN Potential SSH Scan OUTBOUND
ET INFO TLS Handshake Failure
ET DNS Query to a *.top domain - Likely Hostile
ET INFO DNS Query for Suspicious .ga Domain
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40100c TlsGetValue
0x401010 SetLocalTime
0x401014 FindResourceW
0x401018 GlobalAddAtomA
0x40101c GetConsoleAliasA
0x401020 InitializeSListHead
0x401024 CreateJobObjectW
0x401028 SetComputerNameW
0x40102c GetModuleHandleW
0x401030 CreateNamedPipeW
0x401034 GetConsoleAliasesA
0x401038 GetPrivateProfileStringW
0x40103c GetWindowsDirectoryA
0x401040 GetGeoInfoW
0x401044 LoadLibraryW
0x401048 ReadConsoleInputA
0x40104c GetSystemWindowsDirectoryA
0x401050 GetConsoleAliasExesLengthW
0x401054 GetNamedPipeInfo
0x401058 CreateFileW
0x40105c GetVolumePathNameA
0x401060 GetLastError
0x401064 GetComputerNameA
0x401068 GetProcAddress
0x40106c VirtualAlloc
0x401070 EnumDateFormatsExA
0x401074 SearchPathA
0x401078 OpenWaitableTimerA
0x40107c LocalAlloc
0x401080 CreateFileMappingW
0x401084 SetConsoleDisplayMode
0x401088 GetNumberFormatW
0x40108c RemoveDirectoryW
0x401090 SetConsoleWindowInfo
0x401094 GetSystemInfo
0x401098 GlobalFindAtomW
0x40109c FindFirstVolumeMountPointA
0x4010a0 FreeEnvironmentStringsW
0x4010a4 EndUpdateResourceA
0x4010a8 ReadConsoleInputW
0x4010ac GetWindowsDirectoryW
0x4010b0 GetCurrentProcessId
0x4010b4 DebugActiveProcess
0x4010b8 SetLastError
0x4010bc UnhandledExceptionFilter
0x4010c0 SetUnhandledExceptionFilter
0x4010c4 Sleep
0x4010c8 ExitProcess
0x4010cc GetCommandLineA
0x4010d0 GetStartupInfoA
0x4010d4 RaiseException
0x4010d8 RtlUnwind
0x4010dc WriteFile
0x4010e0 GetStdHandle
0x4010e4 GetModuleFileNameA
0x4010e8 TerminateProcess
0x4010ec GetCurrentProcess
0x4010f0 IsDebuggerPresent
0x4010f4 HeapAlloc
0x4010f8 HeapFree
0x4010fc EnterCriticalSection
0x401100 LeaveCriticalSection
0x401104 SetHandleCount
0x401108 GetFileType
0x40110c DeleteCriticalSection
0x401110 TlsAlloc
0x401114 TlsSetValue
0x401118 TlsFree
0x40111c InterlockedIncrement
0x401120 GetCurrentThreadId
0x401124 InterlockedDecrement
0x401128 CloseHandle
0x40112c LoadLibraryA
0x401130 InitializeCriticalSectionAndSpinCount
0x401134 FreeEnvironmentStringsA
0x401138 GetEnvironmentStrings
0x40113c WideCharToMultiByte
0x401140 GetEnvironmentStringsW
0x401144 HeapCreate
0x401148 VirtualFree
0x40114c QueryPerformanceCounter
0x401150 GetTickCount
0x401154 GetSystemTimeAsFileTime
0x401158 HeapReAlloc
0x40115c GetModuleHandleA
0x401160 SetFilePointer
0x401164 GetConsoleCP
0x401168 GetConsoleMode
0x40116c GetCPInfo
0x401170 GetACP
0x401174 GetOEMCP
0x401178 IsValidCodePage
0x40117c SetStdHandle
0x401180 FlushFileBuffers
0x401184 HeapSize
0x401188 GetLocaleInfoA
0x40118c WriteConsoleA
0x401190 GetConsoleOutputCP
0x401194 WriteConsoleW
0x401198 MultiByteToWideChar
0x40119c LCMapStringA
0x4011a0 LCMapStringW
0x4011a4 GetStringTypeA
0x4011a8 GetStringTypeW
0x4011ac CreateFileA
USER32.dll
0x4011b4 GetMessageExtraInfo
0x4011b8 CharToOemBuffA
GDI32.dll
0x401000 GetCharWidth32A
0x401004 GetCharABCWidthsFloatW
EAT(Export Address Table) is none
KERNEL32.dll
0x40100c TlsGetValue
0x401010 SetLocalTime
0x401014 FindResourceW
0x401018 GlobalAddAtomA
0x40101c GetConsoleAliasA
0x401020 InitializeSListHead
0x401024 CreateJobObjectW
0x401028 SetComputerNameW
0x40102c GetModuleHandleW
0x401030 CreateNamedPipeW
0x401034 GetConsoleAliasesA
0x401038 GetPrivateProfileStringW
0x40103c GetWindowsDirectoryA
0x401040 GetGeoInfoW
0x401044 LoadLibraryW
0x401048 ReadConsoleInputA
0x40104c GetSystemWindowsDirectoryA
0x401050 GetConsoleAliasExesLengthW
0x401054 GetNamedPipeInfo
0x401058 CreateFileW
0x40105c GetVolumePathNameA
0x401060 GetLastError
0x401064 GetComputerNameA
0x401068 GetProcAddress
0x40106c VirtualAlloc
0x401070 EnumDateFormatsExA
0x401074 SearchPathA
0x401078 OpenWaitableTimerA
0x40107c LocalAlloc
0x401080 CreateFileMappingW
0x401084 SetConsoleDisplayMode
0x401088 GetNumberFormatW
0x40108c RemoveDirectoryW
0x401090 SetConsoleWindowInfo
0x401094 GetSystemInfo
0x401098 GlobalFindAtomW
0x40109c FindFirstVolumeMountPointA
0x4010a0 FreeEnvironmentStringsW
0x4010a4 EndUpdateResourceA
0x4010a8 ReadConsoleInputW
0x4010ac GetWindowsDirectoryW
0x4010b0 GetCurrentProcessId
0x4010b4 DebugActiveProcess
0x4010b8 SetLastError
0x4010bc UnhandledExceptionFilter
0x4010c0 SetUnhandledExceptionFilter
0x4010c4 Sleep
0x4010c8 ExitProcess
0x4010cc GetCommandLineA
0x4010d0 GetStartupInfoA
0x4010d4 RaiseException
0x4010d8 RtlUnwind
0x4010dc WriteFile
0x4010e0 GetStdHandle
0x4010e4 GetModuleFileNameA
0x4010e8 TerminateProcess
0x4010ec GetCurrentProcess
0x4010f0 IsDebuggerPresent
0x4010f4 HeapAlloc
0x4010f8 HeapFree
0x4010fc EnterCriticalSection
0x401100 LeaveCriticalSection
0x401104 SetHandleCount
0x401108 GetFileType
0x40110c DeleteCriticalSection
0x401110 TlsAlloc
0x401114 TlsSetValue
0x401118 TlsFree
0x40111c InterlockedIncrement
0x401120 GetCurrentThreadId
0x401124 InterlockedDecrement
0x401128 CloseHandle
0x40112c LoadLibraryA
0x401130 InitializeCriticalSectionAndSpinCount
0x401134 FreeEnvironmentStringsA
0x401138 GetEnvironmentStrings
0x40113c WideCharToMultiByte
0x401140 GetEnvironmentStringsW
0x401144 HeapCreate
0x401148 VirtualFree
0x40114c QueryPerformanceCounter
0x401150 GetTickCount
0x401154 GetSystemTimeAsFileTime
0x401158 HeapReAlloc
0x40115c GetModuleHandleA
0x401160 SetFilePointer
0x401164 GetConsoleCP
0x401168 GetConsoleMode
0x40116c GetCPInfo
0x401170 GetACP
0x401174 GetOEMCP
0x401178 IsValidCodePage
0x40117c SetStdHandle
0x401180 FlushFileBuffers
0x401184 HeapSize
0x401188 GetLocaleInfoA
0x40118c WriteConsoleA
0x401190 GetConsoleOutputCP
0x401194 WriteConsoleW
0x401198 MultiByteToWideChar
0x40119c LCMapStringA
0x4011a0 LCMapStringW
0x4011a4 GetStringTypeA
0x4011a8 GetStringTypeW
0x4011ac CreateFileA
USER32.dll
0x4011b4 GetMessageExtraInfo
0x4011b8 CharToOemBuffA
GDI32.dll
0x401000 GetCharWidth32A
0x401004 GetCharABCWidthsFloatW
EAT(Export Address Table) is none