ScreenShot
| Created | 2024.10.20 09:54 | Machine | s1_win7_x6403 |
| Filename | svchost.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | 680ac3eb351fa5695226c02d374440f4 | ||
| sha256 | 4c12ce3f75bb90fba67dd1d3de6c2f6667252810aff265acca97b2ea3c9ef22d | ||
| ssdeep | 1536:hXo5uyG3DmITZTtQtTzTucuzdwN7e9x5pAIjTBLSnP:25uyODmITZpQtT+cuzGe9x5pAIjTB | ||
| imphash | a14f65c6e68db0d7ea4fb1938b6a9029 | ||
| impfuzzy | 48:PMpfcor+ur8vaLmghXyHKulZBc7zhGNtNqMs:PMpfcor+ur8vaL1h4D/yfhOTqMs | ||
Network IP location
Signature (2cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| watch | Communicates with host for which no DNS query was performed |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40e000 VirtualFree
0x40e004 WriteFile
0x40e008 VirtualAlloc
0x40e00c WaitForSingleObject
0x40e010 CreateFileW
0x40e014 Sleep
0x40e018 GetLastError
0x40e01c lstrcatW
0x40e020 CloseHandle
0x40e024 GetNativeSystemInfo
0x40e028 CreateThread
0x40e02c ExitProcess
0x40e030 lstrcmpiW
0x40e034 InitializeCriticalSection
0x40e038 CreateEventW
0x40e03c SetEvent
0x40e040 DeleteCriticalSection
0x40e044 EnterCriticalSection
0x40e048 LeaveCriticalSection
0x40e04c IsBadReadPtr
0x40e050 CancelIo
0x40e054 WaitForMultipleObjects
0x40e058 ExitThread
0x40e05c WideCharToMultiByte
0x40e060 MultiByteToWideChar
0x40e064 GetProcAddress
0x40e068 GetModuleHandleExW
0x40e06c FreeLibrary
0x40e070 RtlUnwind
0x40e074 VirtualQuery
0x40e078 GetModuleHandleW
0x40e07c GetStartupInfoW
0x40e080 IsDebuggerPresent
0x40e084 InitializeSListHead
0x40e088 GetSystemTimeAsFileTime
0x40e08c GetCurrentThreadId
0x40e090 GetCurrentProcessId
0x40e094 QueryPerformanceCounter
0x40e098 IsProcessorFeaturePresent
0x40e09c TerminateProcess
0x40e0a0 GetCurrentProcess
0x40e0a4 SetUnhandledExceptionFilter
0x40e0a8 UnhandledExceptionFilter
SHELL32.dll
0x40e0b0 ShellExecuteW
WS2_32.dll
0x40e0c0 WSAWaitForMultipleEvents
0x40e0c4 WSAEventSelect
0x40e0c8 WSACreateEvent
0x40e0cc setsockopt
0x40e0d0 WSAGetOverlappedResult
0x40e0d4 htons
0x40e0d8 WSARecv
0x40e0dc WSAEnumNetworkEvents
0x40e0e0 getaddrinfo
0x40e0e4 WSASocketW
0x40e0e8 WSASend
0x40e0ec closesocket
0x40e0f0 WSAIoctl
0x40e0f4 socket
0x40e0f8 send
0x40e0fc WSAGetLastError
0x40e100 connect
0x40e104 WSAStartup
WINMM.dll
0x40e0b8 timeGetTime
msvcrt.dll
0x40e10c ___lc_handle_func
0x40e110 ?_set_new_mode@@YAHH@Z
0x40e114 _msize
0x40e118 _control87
0x40e11c ?terminate@@YAXXZ
0x40e120 ___lc_codepage_func
0x40e124 __wgetmainargs
0x40e128 _CIlog10
0x40e12c ceil
0x40e130 realloc
0x40e134 _clearfp
0x40e138 memset
0x40e13c _fmode
0x40e140 _wcmdln
0x40e144 _amsg_exit
0x40e148 __set_app_type
0x40e14c _XcptFilter
0x40e150 strtol
0x40e154 tolower
0x40e158 __pctype_func
0x40e15c _errno
0x40e160 __p__commode
0x40e164 _initterm
0x40e168 malloc
0x40e16c abort
0x40e170 free
0x40e174 memcpy
0x40e178 strrchr
0x40e17c memmove
0x40e180 __CxxFrameHandler
EAT(Export Address Table) is none
KERNEL32.dll
0x40e000 VirtualFree
0x40e004 WriteFile
0x40e008 VirtualAlloc
0x40e00c WaitForSingleObject
0x40e010 CreateFileW
0x40e014 Sleep
0x40e018 GetLastError
0x40e01c lstrcatW
0x40e020 CloseHandle
0x40e024 GetNativeSystemInfo
0x40e028 CreateThread
0x40e02c ExitProcess
0x40e030 lstrcmpiW
0x40e034 InitializeCriticalSection
0x40e038 CreateEventW
0x40e03c SetEvent
0x40e040 DeleteCriticalSection
0x40e044 EnterCriticalSection
0x40e048 LeaveCriticalSection
0x40e04c IsBadReadPtr
0x40e050 CancelIo
0x40e054 WaitForMultipleObjects
0x40e058 ExitThread
0x40e05c WideCharToMultiByte
0x40e060 MultiByteToWideChar
0x40e064 GetProcAddress
0x40e068 GetModuleHandleExW
0x40e06c FreeLibrary
0x40e070 RtlUnwind
0x40e074 VirtualQuery
0x40e078 GetModuleHandleW
0x40e07c GetStartupInfoW
0x40e080 IsDebuggerPresent
0x40e084 InitializeSListHead
0x40e088 GetSystemTimeAsFileTime
0x40e08c GetCurrentThreadId
0x40e090 GetCurrentProcessId
0x40e094 QueryPerformanceCounter
0x40e098 IsProcessorFeaturePresent
0x40e09c TerminateProcess
0x40e0a0 GetCurrentProcess
0x40e0a4 SetUnhandledExceptionFilter
0x40e0a8 UnhandledExceptionFilter
SHELL32.dll
0x40e0b0 ShellExecuteW
WS2_32.dll
0x40e0c0 WSAWaitForMultipleEvents
0x40e0c4 WSAEventSelect
0x40e0c8 WSACreateEvent
0x40e0cc setsockopt
0x40e0d0 WSAGetOverlappedResult
0x40e0d4 htons
0x40e0d8 WSARecv
0x40e0dc WSAEnumNetworkEvents
0x40e0e0 getaddrinfo
0x40e0e4 WSASocketW
0x40e0e8 WSASend
0x40e0ec closesocket
0x40e0f0 WSAIoctl
0x40e0f4 socket
0x40e0f8 send
0x40e0fc WSAGetLastError
0x40e100 connect
0x40e104 WSAStartup
WINMM.dll
0x40e0b8 timeGetTime
msvcrt.dll
0x40e10c ___lc_handle_func
0x40e110 ?_set_new_mode@@YAHH@Z
0x40e114 _msize
0x40e118 _control87
0x40e11c ?terminate@@YAXXZ
0x40e120 ___lc_codepage_func
0x40e124 __wgetmainargs
0x40e128 _CIlog10
0x40e12c ceil
0x40e130 realloc
0x40e134 _clearfp
0x40e138 memset
0x40e13c _fmode
0x40e140 _wcmdln
0x40e144 _amsg_exit
0x40e148 __set_app_type
0x40e14c _XcptFilter
0x40e150 strtol
0x40e154 tolower
0x40e158 __pctype_func
0x40e15c _errno
0x40e160 __p__commode
0x40e164 _initterm
0x40e168 malloc
0x40e16c abort
0x40e170 free
0x40e174 memcpy
0x40e178 strrchr
0x40e17c memmove
0x40e180 __CxxFrameHandler
EAT(Export Address Table) is none