| Field | Value |
|---|---|
| Created | 2024.11.13 14:21 |
| Machine | s1_win7_x6401 |
| Filename | svhost.exe (one letter short of the legitimate Windows binary name svchost.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| AI Score | |
| Behavior Score | |
| ZERO API | file : clean |
| VT API (file) | 58 detected (AIDetectMalware, Glomaru, lXMS, Malicious, score, GenericRXTR, Unsafe, Dump, KillMBR, confidence, 100%, Genus, high confidence, FatalRAT, Zegost, Farfli, itwbcp, Kryptik, CLASSIC, Fatal, high, Static AI, Suspicious PE, ckgk, Detected, PDSB@4q3i1w, Eldorado, LVbg, R553633, BScope, Nq5f4FOwmYc, susgen, GenKryptik, BJAB) |
| md5 | 200488185d59ab372448732e08da1b50 |
| sha256 | 1722be3ca7c30055c94f37b865d6f3554c934b23a59f3c1adb7c093473ee0521 |
| ssdeep | 1536:Vua+BTv3tIO8MtM+/6jRVGIk1MgHjsPGYYwOda2CqqZOIgQJb0lfjtO+vbWL8xJb:Vn+htWMtf+7GZYGVA2QJgi8xJLDoU |
| imphash | 6c306e45fa9f977a2f45c8a08df084d5 |
| impfuzzy | 12:mDoABZGJCAOovO3wXJYv8ERRvNu1GlEIjLFQLRJ:mDoCqOovLiv8ERRvNuklEuG |
Network IP location
Signature (9cnts)
Level | Description |
---|---|
danger | File has been identified by 58 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Looks up the locally unique identifier (LUID) of a suspicious privilege on the system |
notice | Creates a service |
notice | Searches running processes potentially to identify processes for sandbox evasion |
info | The executable uses a known packer |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x406000 GetProcAddress
0x406004 LoadLibraryA
0x406008 ExitProcess
0x40600c GetModuleHandleA
0x406010 GetStartupInfoA
0x406014 GetCommandLineA
0x406018 GetVersion
0x40601c TerminateProcess
0x406020 GetCurrentProcess
0x406024 UnhandledExceptionFilter
0x406028 GetModuleFileNameA
0x40602c FreeEnvironmentStringsA
0x406030 FreeEnvironmentStringsW
0x406034 WideCharToMultiByte
0x406038 GetEnvironmentStrings
0x40603c GetEnvironmentStringsW
0x406040 SetHandleCount
0x406044 GetStdHandle
0x406048 GetFileType
0x40604c GetEnvironmentVariableA
0x406050 GetVersionExA
0x406054 HeapDestroy
0x406058 HeapCreate
0x40605c VirtualFree
0x406060 HeapFree
0x406064 RtlUnwind
0x406068 WriteFile
0x40606c GetCPInfo
0x406070 GetACP
0x406074 GetOEMCP
0x406078 HeapAlloc
0x40607c VirtualAlloc
0x406080 HeapReAlloc
0x406084 MultiByteToWideChar
0x406088 LCMapStringA
0x40608c LCMapStringW
0x406090 GetStringTypeA
0x406094 GetStringTypeW
EAT(Export Address Table) is none
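Every import above comes from KERNEL32.dll and matches the usual MSVC C-runtime startup set; the only APIs that stand out are LoadLibraryA and GetProcAddress. None of the APIs that the behaviour signatures imply (service creation, network I/O, VirtualProtect for the RW to RX change, registry writes for autorun) are statically imported, so those calls are either resolved at runtime through that pair or live in code the packer unpacks later. The script below is an added example, not part of the original report or the sandbox's own code: it parses the report's IAT listing format, recomputes a pefile-style imphash from it, and lists which observed behaviours have no static import behind them. The behaviour-to-API table is an analyst's assumption, and the embedded IAT sample is a constructed, shortened copy of the block above.

```python
"""Parse a sandbox-report IAT listing, recompute the pefile-style imphash
from it, and flag runtime behaviours that have no statically imported API.
Added example; the BEHAVIOUR_APIS mapping is an assumption, not a sandbox
rule, and SAMPLE_IAT is a constructed, shortened copy of the report block."""
import hashlib
import re

# Constructed sample in the report's own layout (address, name under a DLL
# header). Only six of the report's imports are kept to stay short.
SAMPLE_IAT = """\
IAT(Import Address Table) Library
KERNEL32.dll
0x406000 GetProcAddress
0x406004 LoadLibraryA
0x406008 ExitProcess
0x40605c VirtualFree
0x40607c VirtualAlloc
0x406068 WriteFile
EAT(Export Address Table) is none
"""

_ENTRY = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)$")
_DLL = re.compile(r"^\S+\.(dll|ocx|sys)$", re.IGNORECASE)


def parse_iat(text):
    """Return {dll_name: [(iat_slot, func_name), ...]} in report order."""
    imports = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if _DLL.match(line):          # a DLL header such as KERNEL32.dll
            current = line
            imports.setdefault(current, [])
            continue
        m = _ENTRY.match(line)        # "0x406000 GetProcAddress"
        if m and current is not None:
            imports[current].append((int(m.group(1), 16), m.group(2)))
    return imports


def imphash_string(imports):
    """Build the string pefile hashes: 'lib.func' pairs, lowercase, with the
    dll/ocx/sys extension stripped, comma-joined, in import order."""
    parts = []
    for dll, funcs in imports.items():
        lib = re.sub(r"\.(dll|ocx|sys)$", "", dll.lower())
        for _, name in funcs:
            parts.append(f"{lib}.{name.lower()}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the imphash string, as pefile's get_imphash() computes it."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# Assumed mapping from the report's behaviour signatures to Win32 APIs that
# would normally be needed to perform them. Any one listed API satisfies it.
BEHAVIOUR_APIS = {
    "Creates a service": {"CreateServiceA", "CreateServiceW"},
    "Communicates with host": {"connect", "WSAConnect", "InternetOpenA",
                               "InternetOpenW", "WinHttpOpen"},
    "Changes read-write memory protection to read-execute":
        {"VirtualProtect", "VirtualProtectEx"},
    "Installs itself for autorun": {"RegSetValueExA", "RegSetValueExW",
                                    "CreateServiceA", "CreateServiceW"},
}


def _imported_names(imports):
    return {name for funcs in imports.values() for _, name in funcs}


def missing_static_apis(imports, behaviour_apis=BEHAVIOUR_APIS):
    """Observed behaviours whose candidate APIs never appear in the static
    import table. Returns {behaviour: sorted(candidate_apis)}."""
    imported = _imported_names(imports)
    return {b: sorted(apis) for b, apis in behaviour_apis.items()
            if not (apis & imported)}


def can_resolve_dynamically(imports):
    """True if the binary imports what it needs to look up APIs at runtime."""
    imported = _imported_names(imports)
    return "GetProcAddress" in imported and \
        bool({"LoadLibraryA", "LoadLibraryW"} & imported)


if __name__ == "__main__":
    imps = parse_iat(SAMPLE_IAT)
    print("imphash:", imphash(imps))
    print("runtime API resolution possible:", can_resolve_dynamically(imps))
    for behaviour, apis in missing_static_apis(imps).items():
        print(f"no static import for '{behaviour}': expected one of {apis}")
```

Run it against the full IAT block from the report (paste it into SAMPLE_IAT) and compare the printed hash with the imphash field in the header; a mismatch means the sandbox hashed a different or more complete import table than the one it printed. Every behaviour in the table comes back as unresolved statically, which is the signal to look for runtime GetProcAddress strings or to unpack the sample before drawing conclusions from the static imports.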