Field | Value |
---|---|
Created | 2024.07.29 13:51 |
Machine | s1_win7_x6401 |
Filename | svhostc.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 56 detected (AIDetectMalware, Injuke, malicious, high confidence, score, Lockbit, Jaik, Unsafe, Save, Midie, Attribute, HighConfidence, Kryptik, HXPN, Artemis, PWSX, SmokeLoader, CLASSIC, AceCrypter, ojldh, Inject5, AMADEY, YXEG2Z, Real Protect, moderate, Static AI, Malicious PE, Detected, ai score=88, Convagent, Sabsik, Multiverze, ABTrojan, OGWN, ZexaF, Ay0@amtYgpiG, Chgt, Obfuscated, GenKryptik, EWCW, confidence, 100%) |
md5 | ae3dd2f4488753b690ca17d555147aba |
sha256 | 77bdb3c46654446f1edffd1a388e3f64d8ca4dc24acd9575b95e94c26b8b43fe |
ssdeep | 6144:aPvOGvTbPoC8lV5AdpKndv8w7UkvKw1SthsFLDXW7nX9TCR/QYZuWDv7ZNk:aPzv3PL8lV6IxV/Kmes1Dm5SQYZuWX |
imphash | 976b33a49b3619a38b3ab50dd40fd590 |
impfuzzy | 24:lQu9zDjkrXDN9fn3mqICNTKr1PDiOXtUUncQIlyv9Mh0HE/J3IjS3Ml/AAQhcK6c:uXfnOr1pXtzcHK9e7MSE/AAQaK6T+Y6B |
Network IP location
Signature (16cnts)
Level | Description |
---|---|
danger | File has been identified by 56 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Installs itself for autorun at Windows startup |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates hidden or system file |
notice | Moves the original executable to a new location |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks if process is being debugged by a debugger |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (16cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET HUNTING Telegram API Domain in DNS Lookup
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x44b010 LocalCompact
0x44b014 EnumCalendarInfoW
0x44b018 SetEnvironmentVariableW
0x44b01c GetTickCount
0x44b020 CreateNamedPipeW
0x44b024 GetConsoleAliasesA
0x44b028 EnumResourceTypesA
0x44b02c GetConsoleCP
0x44b030 GlobalAlloc
0x44b034 SetFileShortNameW
0x44b038 LoadLibraryW
0x44b03c IsProcessInJob
0x44b040 FatalAppExitW
0x44b044 AssignProcessToJobObject
0x44b048 IsBadCodePtr
0x44b04c GetModuleFileNameW
0x44b050 GetSystemDirectoryA
0x44b054 ReplaceFileA
0x44b058 GlobalUnlock
0x44b05c CreateJobObjectA
0x44b060 GetLastError
0x44b064 WriteConsoleInputW
0x44b068 VerLanguageNameW
0x44b06c LoadLibraryA
0x44b070 SetConsoleCtrlHandler
0x44b074 AddAtomW
0x44b078 HeapWalk
0x44b07c GetOEMCP
0x44b080 EnumDateFormatsA
0x44b084 GetModuleHandleA
0x44b088 GetProcessShutdownParameters
0x44b08c EnumResourceNamesA
0x44b090 GetFileTime
0x44b094 PeekConsoleInputA
0x44b098 GetDiskFreeSpaceExA
0x44b09c LCMapStringW
0x44b0a0 HeapSize
0x44b0a4 GetStringTypeW
0x44b0a8 WriteConsoleW
0x44b0ac FindVolumeClose
0x44b0b0 HeapCompact
0x44b0b4 GetProcAddress
0x44b0b8 CreateFileA
0x44b0bc FlushFileBuffers
0x44b0c0 HeapReAlloc
0x44b0c4 GetCommandLineW
0x44b0c8 HeapSetInformation
0x44b0cc GetStartupInfoW
0x44b0d0 DecodePointer
0x44b0d4 UnhandledExceptionFilter
0x44b0d8 SetUnhandledExceptionFilter
0x44b0dc IsDebuggerPresent
0x44b0e0 EncodePointer
0x44b0e4 TerminateProcess
0x44b0e8 GetCurrentProcess
0x44b0ec HeapAlloc
0x44b0f0 HeapFree
0x44b0f4 EnterCriticalSection
0x44b0f8 LeaveCriticalSection
0x44b0fc SetHandleCount
0x44b100 GetStdHandle
0x44b104 InitializeCriticalSectionAndSpinCount
0x44b108 GetFileType
0x44b10c DeleteCriticalSection
0x44b110 MultiByteToWideChar
0x44b114 ReadFile
0x44b118 GetModuleHandleW
0x44b11c ExitProcess
0x44b120 SetFilePointer
0x44b124 HeapCreate
0x44b128 CloseHandle
0x44b12c WriteFile
0x44b130 FreeEnvironmentStringsW
0x44b134 GetEnvironmentStringsW
0x44b138 TlsAlloc
0x44b13c TlsGetValue
0x44b140 TlsSetValue
0x44b144 TlsFree
0x44b148 InterlockedIncrement
0x44b14c SetLastError
0x44b150 GetCurrentThreadId
0x44b154 InterlockedDecrement
0x44b158 QueryPerformanceCounter
0x44b15c GetCurrentProcessId
0x44b160 GetSystemTimeAsFileTime
0x44b164 WideCharToMultiByte
0x44b168 GetConsoleMode
0x44b16c GetCPInfo
0x44b170 GetACP
0x44b174 IsValidCodePage
0x44b178 Sleep
0x44b17c RtlUnwind
0x44b180 SetStdHandle
0x44b184 IsProcessorFeaturePresent
0x44b188 CreateFileW
USER32.dll
0x44b198 CharUpperBuffA
0x44b19c GetMessageExtraInfo
0x44b1a0 SetCaretPos
0x44b1a4 GetMenu
0x44b1a8 DrawStateW
0x44b1ac GetSysColorBrush
GDI32.dll
0x44b000 GetCharWidthI
0x44b004 CreateDCA
0x44b008 GetCharABCWidthsI
WINHTTP.dll
0x44b1b4 WinHttpOpen
MSIMG32.dll
0x44b190 AlphaBlend
EAT (Export Address Table) is none