ScreenShot
| Created | 2024.08.11 15:10 | Machine | s1_win7_x6403 |
| Filename | svch0st.exe | ||
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 59 detected (AIDetectMalware, CobaltStrike, Cobalt, Unsafe, malicious, Rozena, Windows, Artifact, score, CozyDuke, faqakq, CLASSIC, XPACK, Gen7, Meterpreter, high, Static AI, Malicious PE, ccimf, Detected, ai score=82, AGeneric, FACY, R329694, Hacktool, GenAsa, C5jzoNrl5s, GdSda, confidence, 100%) | ||
| md5 | 5575d0030528b163ac14ebe51ebd7da9 | ||
| sha256 | 0ae85148ff06520ba2e8e3b55c121fcf1ca1a1897b9a4443fc0830753053f06a | ||
| ssdeep | 3072:NRKgFrkR7kqxM6rKnpHfn1oYBgX0dydjc6wmKRkHYE/D+hFSoIJclhPetHvWFadI:NRKgc7/Gp9WuSjc6mRo+hFNjKO0T | ||
| imphash | dc25ee78e2ef4d36faa0badf1e7461c9 | ||
| impfuzzy | 24:Q2kfiK1JlDzncLLb9Lezd5XGDZEkqkoDquQZn:gfiK1jcTtezdJGVEkqkoqz | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 59 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| info | Queries for the computername |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x448138 CloseHandle
0x44813c ConnectNamedPipe
0x448140 CreateFileA
0x448144 CreateNamedPipeA
0x448148 CreateThread
0x44814c DeleteCriticalSection
0x448150 EnterCriticalSection
0x448154 FreeLibrary
0x448158 GetCurrentProcess
0x44815c GetCurrentProcessId
0x448160 GetCurrentThreadId
0x448164 GetLastError
0x448168 GetModuleHandleA
0x44816c GetProcAddress
0x448170 GetStartupInfoA
0x448174 GetSystemTimeAsFileTime
0x448178 GetTickCount
0x44817c InitializeCriticalSection
0x448180 LeaveCriticalSection
0x448184 LoadLibraryA
0x448188 LoadLibraryW
0x44818c QueryPerformanceCounter
0x448190 ReadFile
0x448194 SetUnhandledExceptionFilter
0x448198 Sleep
0x44819c TerminateProcess
0x4481a0 TlsGetValue
0x4481a4 UnhandledExceptionFilter
0x4481a8 VirtualAlloc
0x4481ac VirtualProtect
0x4481b0 VirtualQuery
0x4481b4 WriteFile
msvcrt.dll
0x4481bc __dllonexit
0x4481c0 __getmainargs
0x4481c4 __initenv
0x4481c8 __lconv_init
0x4481cc __set_app_type
0x4481d0 __setusermatherr
0x4481d4 _acmdln
0x4481d8 _amsg_exit
0x4481dc _cexit
0x4481e0 _fmode
0x4481e4 _initterm
0x4481e8 _iob
0x4481ec _lock
0x4481f0 _onexit
0x4481f4 _unlock
0x4481f8 _winmajor
0x4481fc abort
0x448200 calloc
0x448204 exit
0x448208 fprintf
0x44820c free
0x448210 fwrite
0x448214 malloc
0x448218 memcpy
0x44821c signal
0x448220 sprintf
0x448224 strlen
0x448228 strncmp
0x44822c vfprintf
EAT(Export Address Table) is none
KERNEL32.dll
0x448138 CloseHandle
0x44813c ConnectNamedPipe
0x448140 CreateFileA
0x448144 CreateNamedPipeA
0x448148 CreateThread
0x44814c DeleteCriticalSection
0x448150 EnterCriticalSection
0x448154 FreeLibrary
0x448158 GetCurrentProcess
0x44815c GetCurrentProcessId
0x448160 GetCurrentThreadId
0x448164 GetLastError
0x448168 GetModuleHandleA
0x44816c GetProcAddress
0x448170 GetStartupInfoA
0x448174 GetSystemTimeAsFileTime
0x448178 GetTickCount
0x44817c InitializeCriticalSection
0x448180 LeaveCriticalSection
0x448184 LoadLibraryA
0x448188 LoadLibraryW
0x44818c QueryPerformanceCounter
0x448190 ReadFile
0x448194 SetUnhandledExceptionFilter
0x448198 Sleep
0x44819c TerminateProcess
0x4481a0 TlsGetValue
0x4481a4 UnhandledExceptionFilter
0x4481a8 VirtualAlloc
0x4481ac VirtualProtect
0x4481b0 VirtualQuery
0x4481b4 WriteFile
msvcrt.dll
0x4481bc __dllonexit
0x4481c0 __getmainargs
0x4481c4 __initenv
0x4481c8 __lconv_init
0x4481cc __set_app_type
0x4481d0 __setusermatherr
0x4481d4 _acmdln
0x4481d8 _amsg_exit
0x4481dc _cexit
0x4481e0 _fmode
0x4481e4 _initterm
0x4481e8 _iob
0x4481ec _lock
0x4481f0 _onexit
0x4481f4 _unlock
0x4481f8 _winmajor
0x4481fc abort
0x448200 calloc
0x448204 exit
0x448208 fprintf
0x44820c free
0x448210 fwrite
0x448214 malloc
0x448218 memcpy
0x44821c signal
0x448220 sprintf
0x448224 strlen
0x448228 strncmp
0x44822c vfprintf
EAT(Export Address Table) is none