popup

Report - svchost.exe

PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.09.30 11:38 Machine s1_win7_x6401
Filename svchost.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score
10
 Behavior Score
6.8
ZERO API file : malware
VT API (file) 60 detected (AIDetectMalware, Farfli, Malicious, score, GenericRXIH, GenericKD, Unsafe, Pcclient, V59y, confidence, Genus, Attribute, HighConfidence, moderate confidence, TrojanX, Deepscan, GenKryptik, fslxzc, UqIb3HcQmoG, Fusing, edcss, R011C0DHJ24, bacrz, Detected, Malware@#2kcufmflc0qlr, ABTrojan, FSIQ, Artemis, BScope, GameThief, Magania, Gencirc, GenAsa, Bo60Z8VoEiY, QQPass, susgen, AIGT)
md5 56fd972f1d650272de4508513de8a27d
sha256 01246ce06d56da2b83f49063e5277f08ba6a693646f8d388ae7da4caec915853
ssdeep 12288:n/cUoABfJFsQCvVj/CHNmZzCXK6g8eB0jOiaTfE:/cUNsQsj/aNUC6MeB0jOi2
imphash 4d8b6a362096a5421be6c829faaa32e5
impfuzzy 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRGUh:dBJAEoZ/OEGDzyRr
  Network IP location

Signature (13cnts)

Level Description
danger File has been identified by 60 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Created a process named as a common system process
notice Creates a service
notice Creates a suspicious process
notice Foreign language identified in PE resource
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX
info The executable uses a known packer

Rules (2cnts)

Level Name Description Collection
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
r.pengyou.com
whois
Unknown 0.0.0.1 mailcious
27.25.134.180
whois
CN Chinanet 27.25.134.180 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
 0x499c6c LoadLibraryA
 0x499c70 ExitProcess
 0x499c74 GetProcAddress
 0x499c78 VirtualProtect
MSVCRT.dll
 0x499c80 _stricmp

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure