Field | Value |
---|---|
Created | 2024.11.13 14:13 |
Machine | s1_win7_x6403 |
Filename | svchot - 副本.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
ZERO API | file : clean |
VT API (file) | 58 detected (Common, Farfli, Malicious, score, GenericRXQT, Graftor, Unsafe, confidence, Strictor, Attribute, HighConfidence, moderate confidence, Kryptik, HMVR, BackdoorX, Mikey, kcsyie, QpcLiJjSqn, AGEN, R002C0DKA24, moderate, Zegost, Zapchast, Detected, Eldorado, Artemis, TScope, Gencirc, Ghost, susgen) |
md5 | 75cdc74befd8c953ee2c022bd8366633 |
sha256 | fda844b16b91a38417af25d13bd0992c3344de12ebcd0283732a3e0a6e91811d |
ssdeep | 12288:nFpuzZSkcBNrl5mTEUkDaSdJfpSaoNRVBUyMCe8VMM80B7qrI3iK1XBwZQ:nFmShDrngEUkDaiJfpSaoNRpMCe8CM8T |
imphash | 42eb1dc2f01a922b7f152420aa351e96 |
impfuzzy | 3:dRYX+VMhQBe7WBJAEPw1MO/OywS9KTXzhAXwEQaxRGNLCZuacdOQMRTlCHfmPcAG:dOuVMhLiBJAEoZ/OEGDzyR7lMqcAG |
Network IP location
Signature (14cnts)
Level | Description |
---|---|
danger | File has been identified by 58 AntiVirus engines on VirusTotal as malicious |
watch | Installs itself for autorun at Windows startup |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates a service |
notice | Creates a suspicious process |
notice | Drops an executable to the user AppData folder |
notice | Foreign language identified in PE resource |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT (Import Address Table) Library
COMCTL32.dll
0x583f84 ImageList_Draw
GDI32.dll
0x583f8c Arc
KERNEL32.DLL
0x583f94 LoadLibraryA
0x583f98 ExitProcess
0x583f9c GetProcAddress
0x583fa0 VirtualProtect
MFC42.DLL
0x583fa8 None
MSVCP60.dll
0x583fb0 ??0_Lockit@std@@QAE@XZ
MSVCRT.dll
0x583fb8 sin
USER32.dll
0x583fc0 GetDC
EAT (Export Address Table): none