ScreenShot
| Created | 2024.07.22 09:10 | Machine | s1_win7_x6401 |
| Filename | svhosts.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 38 detected (AIDetectMalware, malicious, high confidence, score, Unsafe, Save, GenericKD, Attribute, HighConfidence, MalwareX, Siggen29, AMADEY, YXEGTZ, Real Protect, Detected, ai score=89, GrayWare, Wacapew, Wacatac, ABTrojan, BRUU, ZexaF, EuW@aCYFdYai, Static AI, Malicious PE, susgen, PossibleThreat, confidence, 100%) | ||
| md5 | d39a20fd19892439847037745f81a036 | ||
| sha256 | 1992aa12ce8a82991eed74ef987403a956c1a2b53d333a13a1dfa49eb6695323 | ||
| ssdeep | 12288:AXS+1BlXqUlPxMtExpePQmwsnCAph0lhSMXlCuSKLZP:AX9qUpqn9h0lhSMXlhS2P | ||
| imphash | 23f692f4e52a797ff94d704b8daf6feb | ||
| impfuzzy | 48:ral/QjKYOl6rXDFtd/tSzpsZMc+LrfWvSrFh:jjKeXDFD/tSzpMMc+ffWvSrv | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious |
| watch | Installs itself for autorun at Windows startup |
| notice | Creates hidden or system file |
| notice | Moves the original executable to a new location |
| info | Queries for the computername |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
USER32.dll
0x446188 GetClipboardData
0x44618c EmptyClipboard
0x446190 CloseClipboard
0x446194 OpenClipboard
0x446198 SetClipboardData
ADVAPI32.dll
0x446000 GetCurrentHwProfileW
0x446004 GetUserNameW
0x446008 RegCloseKey
0x44600c RegSetValueExW
0x446010 RegOpenKeyExW
WININET.dll
0x4461a0 HttpOpenRequestA
0x4461a4 InternetQueryDataAvailable
0x4461a8 InternetCloseHandle
0x4461ac InternetOpenA
0x4461b0 HttpSendRequestA
0x4461b4 InternetConnectA
0x4461b8 InternetReadFile
0x4461bc HttpQueryInfoW
KERNEL32.dll
0x446018 GetCommandLineW
0x44601c GetEnvironmentStringsW
0x446020 FreeEnvironmentStringsW
0x446024 IsValidLocale
0x446028 GetCommandLineA
0x44602c FindNextFileW
0x446030 FindFirstFileExW
0x446034 FindClose
0x446038 CompareStringEx
0x44603c InitializeCriticalSectionEx
0x446040 LCMapStringEx
0x446044 CreateDirectoryW
0x446048 GetModuleFileNameW
0x44604c GetFileAttributesW
0x446050 SetFileAttributesW
0x446054 MoveFileW
0x446058 Sleep
0x44605c GlobalAlloc
0x446060 GlobalLock
0x446064 ExitProcess
0x446068 GlobalUnlock
0x44606c MultiByteToWideChar
0x446070 WideCharToMultiByte
0x446074 CreateMutexA
0x446078 ReleaseMutex
0x44607c OpenMutexA
0x446080 CloseHandle
0x446084 GetGeoInfoA
0x446088 GetLastError
0x44608c GetUserGeoID
0x446090 GetComputerNameW
0x446094 GetSystemTimeAsFileTime
0x446098 IsDebuggerPresent
0x44609c UnhandledExceptionFilter
0x4460a0 SetUnhandledExceptionFilter
0x4460a4 SetLastError
0x4460a8 GetCurrentProcess
0x4460ac TerminateProcess
0x4460b0 IsProcessorFeaturePresent
0x4460b4 GetCurrentThreadId
0x4460b8 InitializeCriticalSectionAndSpinCount
0x4460bc TlsAlloc
0x4460c0 TlsGetValue
0x4460c4 TlsSetValue
0x4460c8 TlsFree
0x4460cc FreeLibrary
0x4460d0 GetProcAddress
0x4460d4 LoadLibraryExW
0x4460d8 LCMapStringW
0x4460dc GetLocaleInfoW
0x4460e0 GetUserDefaultLCID
0x4460e4 EnumSystemLocalesW
0x4460e8 HeapAlloc
0x4460ec HeapReAlloc
0x4460f0 HeapFree
0x4460f4 EnterCriticalSection
0x4460f8 LeaveCriticalSection
0x4460fc DeleteCriticalSection
0x446100 GetStdHandle
0x446104 GetFileType
0x446108 GetStartupInfoW
0x44610c RaiseException
0x446110 SetFilePointerEx
0x446114 GetConsoleMode
0x446118 IsValidCodePage
0x44611c GetACP
0x446120 GetOEMCP
0x446124 GetCPInfo
0x446128 GetModuleHandleW
0x44612c GetModuleHandleExW
0x446130 GetStringTypeW
0x446134 GetProcessHeap
0x446138 SetStdHandle
0x44613c CreateFileW
0x446140 FlushFileBuffers
0x446144 WriteFile
0x446148 GetConsoleOutputCP
0x44614c EncodePointer
0x446150 DecodePointer
0x446154 WriteConsoleW
0x446158 HeapSize
0x44615c ReleaseSRWLockExclusive
0x446160 AcquireSRWLockExclusive
0x446164 WakeAllConditionVariable
0x446168 SleepConditionVariableSRW
0x44616c QueryPerformanceCounter
0x446170 GetCurrentProcessId
0x446174 InitializeSListHead
0x446178 RtlUnwind
SHELL32.dll
0x446180 SHGetFolderPathW
EAT(Export Address Table) is none
USER32.dll
0x446188 GetClipboardData
0x44618c EmptyClipboard
0x446190 CloseClipboard
0x446194 OpenClipboard
0x446198 SetClipboardData
ADVAPI32.dll
0x446000 GetCurrentHwProfileW
0x446004 GetUserNameW
0x446008 RegCloseKey
0x44600c RegSetValueExW
0x446010 RegOpenKeyExW
WININET.dll
0x4461a0 HttpOpenRequestA
0x4461a4 InternetQueryDataAvailable
0x4461a8 InternetCloseHandle
0x4461ac InternetOpenA
0x4461b0 HttpSendRequestA
0x4461b4 InternetConnectA
0x4461b8 InternetReadFile
0x4461bc HttpQueryInfoW
KERNEL32.dll
0x446018 GetCommandLineW
0x44601c GetEnvironmentStringsW
0x446020 FreeEnvironmentStringsW
0x446024 IsValidLocale
0x446028 GetCommandLineA
0x44602c FindNextFileW
0x446030 FindFirstFileExW
0x446034 FindClose
0x446038 CompareStringEx
0x44603c InitializeCriticalSectionEx
0x446040 LCMapStringEx
0x446044 CreateDirectoryW
0x446048 GetModuleFileNameW
0x44604c GetFileAttributesW
0x446050 SetFileAttributesW
0x446054 MoveFileW
0x446058 Sleep
0x44605c GlobalAlloc
0x446060 GlobalLock
0x446064 ExitProcess
0x446068 GlobalUnlock
0x44606c MultiByteToWideChar
0x446070 WideCharToMultiByte
0x446074 CreateMutexA
0x446078 ReleaseMutex
0x44607c OpenMutexA
0x446080 CloseHandle
0x446084 GetGeoInfoA
0x446088 GetLastError
0x44608c GetUserGeoID
0x446090 GetComputerNameW
0x446094 GetSystemTimeAsFileTime
0x446098 IsDebuggerPresent
0x44609c UnhandledExceptionFilter
0x4460a0 SetUnhandledExceptionFilter
0x4460a4 SetLastError
0x4460a8 GetCurrentProcess
0x4460ac TerminateProcess
0x4460b0 IsProcessorFeaturePresent
0x4460b4 GetCurrentThreadId
0x4460b8 InitializeCriticalSectionAndSpinCount
0x4460bc TlsAlloc
0x4460c0 TlsGetValue
0x4460c4 TlsSetValue
0x4460c8 TlsFree
0x4460cc FreeLibrary
0x4460d0 GetProcAddress
0x4460d4 LoadLibraryExW
0x4460d8 LCMapStringW
0x4460dc GetLocaleInfoW
0x4460e0 GetUserDefaultLCID
0x4460e4 EnumSystemLocalesW
0x4460e8 HeapAlloc
0x4460ec HeapReAlloc
0x4460f0 HeapFree
0x4460f4 EnterCriticalSection
0x4460f8 LeaveCriticalSection
0x4460fc DeleteCriticalSection
0x446100 GetStdHandle
0x446104 GetFileType
0x446108 GetStartupInfoW
0x44610c RaiseException
0x446110 SetFilePointerEx
0x446114 GetConsoleMode
0x446118 IsValidCodePage
0x44611c GetACP
0x446120 GetOEMCP
0x446124 GetCPInfo
0x446128 GetModuleHandleW
0x44612c GetModuleHandleExW
0x446130 GetStringTypeW
0x446134 GetProcessHeap
0x446138 SetStdHandle
0x44613c CreateFileW
0x446140 FlushFileBuffers
0x446144 WriteFile
0x446148 GetConsoleOutputCP
0x44614c EncodePointer
0x446150 DecodePointer
0x446154 WriteConsoleW
0x446158 HeapSize
0x44615c ReleaseSRWLockExclusive
0x446160 AcquireSRWLockExclusive
0x446164 WakeAllConditionVariable
0x446168 SleepConditionVariableSRW
0x44616c QueryPerformanceCounter
0x446170 GetCurrentProcessId
0x446174 InitializeSListHead
0x446178 RtlUnwind
SHELL32.dll
0x446180 SHGetFolderPathW
EAT(Export Address Table) is none