Field | Value |
---|---|
Created | 2024.08.06 09:21 |
Machine | s1_win7_x6401 |
Filename | svchost.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 58 detected (AIDetectMalware, Reflo, Windows, Threat, Malicious, score, CoinMiner, S32378657, Mint, Zard, Save, Kryptik, FWHP, Genkryptik, kqljel, qANomcoTHvR, AGEN, Siggen29, R002C0DGV24, Krypt, Static AI, Malicious PE, Detected, ai score=80, Eldorado, DropperX, R622355, OScope, Miner, GdSda, susgen, GQCB, confidence) |
md5 | eb7eb5acecb06deab2b4fce875d6c079 |
sha256 | 3b0503a6c2fb8f5cc645df4d5ab4dd9161cab9104dd1b7b8db0a89956a94bc6e |
ssdeep | 98304:WoyQksM4D03ZztuWvrBl7IhqUSRK0DtRgNCPpZKFYv:dJM4DQTueNNIG/RJK8 |
imphash | 203d63d5d9a088e2d84cef737227986b |
impfuzzy | 12:FMHHGf5XGXKiEG6eGJyJk6lTpJq/iZJfMRJRJJoARZqRVPXJHqc:FMGf5XGf6ZgJkoDq6ZJfQfjBcV9 |
Network IP location
Signature (6cnts)
Level | Description |
---|---|
danger | File has been identified by 58 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (2cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET POLICY Cryptocurrency Miner Checkin
ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request
ET POLICY Cryptocurrency Miner Checkin
ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request
PE API
IAT(Import Address Table) Library
msvcrt.dll
0x14000a960 __C_specific_handler
0x14000a968 __getmainargs
0x14000a970 __initenv
0x14000a978 __iob_func
0x14000a980 __set_app_type
0x14000a988 __setusermatherr
0x14000a990 _amsg_exit
0x14000a998 _cexit
0x14000a9a0 _commode
0x14000a9a8 _fmode
0x14000a9b0 _initterm
0x14000a9b8 _onexit
0x14000a9c0 _wcsicmp
0x14000a9c8 _wcsnicmp
0x14000a9d0 abort
0x14000a9d8 calloc
0x14000a9e0 exit
0x14000a9e8 fprintf
0x14000a9f0 free
0x14000a9f8 fwrite
0x14000aa00 malloc
0x14000aa08 memcpy
0x14000aa10 memset
0x14000aa18 signal
0x14000aa20 strlen
0x14000aa28 strncmp
0x14000aa30 vfprintf
0x14000aa38 wcscat
0x14000aa40 wcscpy
0x14000aa48 wcslen
0x14000aa50 wcsncmp
0x14000aa58 wcsstr
KERNEL32.dll
0x14000aa68 DeleteCriticalSection
0x14000aa70 EnterCriticalSection
0x14000aa78 GetLastError
0x14000aa80 InitializeCriticalSection
0x14000aa88 LeaveCriticalSection
0x14000aa90 SetUnhandledExceptionFilter
0x14000aa98 Sleep
0x14000aaa0 TlsGetValue
0x14000aaa8 VirtualProtect
0x14000aab0 VirtualQuery
EAT(Export Address Table) is none