ScreenShot
Field | Value |
---|---|
Created | 2025.04.26 14:25 |
Machine | s1_win7_x6403 |
Filename | svcstealer.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 50 detected (Malicious, score, Ghanarava, Lazy, Unsafe, Vskc, confidence, 100%, GenusT, EVUF, Attribute, HighConfidence, high confidence, flrd, Nekark, OskiStealer, CLASSIC, qqbgt, Siggen31, Static AI, Malicious PE, Detected, Kepavll, ABTrojan, OEER, R698804, Artemis, GdSda, R002H09DE25, Gencirc) |
md5 | 763ba270b3a70837d7934e6a7fd5d8be |
sha256 | d954b8d3e0481a3d9b5c3c6342af84ebf619bc07d3020188222e6d225cc505e7 |
ssdeep | 24576:8dDEllSAUzNwP9b1UcX1rX+O4k+rUPnKH:8xEllqaP9DrX+sK |
imphash | a145ad3a090ddd666e8ffb08cf197e7e |
impfuzzy | 96:rEjuAnMr8csfStQgBlQHHZHhN738njLuszRssjQ7BLpa:2uAnMJJBlg16ljEBLpa |
Network IP location
Signature (17cnts)
Level | Description |
---|---|
danger | File has been identified by 50 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Communicates with host for which no DNS query was performed |
watch | Drops a binary and executes it |
watch | Executes one or more WMI queries |
notice | An executable file was downloaded by the process svcstealer.exe |
notice | Creates executable files on the filesystem |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Queries for the computername |
Rules (16cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | infoStealer_browser_b_Zero | browser info stealer | binaries (download) |
danger | infoStealer_browser_b_Zero | browser info stealer | binaries (upload) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | zip_file_format | ZIP file format | binaries (download) |
Network (4cnts)
Suricata ids
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE SvcStealer Data Exfiltration Attempt
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE SvcStealer CNC Tasking Checkin
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1400ef058 GetProcAddress
0x1400ef060 LoadLibraryA
0x1400ef068 SetCurrentDirectoryW
0x1400ef070 Process32First
0x1400ef078 GetComputerNameW
0x1400ef080 K32GetModuleFileNameExW
0x1400ef088 OpenProcess
0x1400ef090 GetVersionExW
0x1400ef098 GetModuleFileNameW
0x1400ef0a0 GetLocalTime
0x1400ef0a8 Process32Next
0x1400ef0b0 GlobalMemoryStatusEx
0x1400ef0b8 K32EnumProcesses
0x1400ef0c0 GetSystemInfo
0x1400ef0c8 CreateToolhelp32Snapshot
0x1400ef0d0 ExitProcess
0x1400ef0d8 TerminateThread
0x1400ef0e0 IsDebuggerPresent
0x1400ef0e8 DeleteFileW
0x1400ef0f0 CreateThread
0x1400ef0f8 HeapAlloc
0x1400ef100 HeapFree
0x1400ef108 GetProcessHeap
0x1400ef110 FormatMessageA
0x1400ef118 SetLastError
0x1400ef120 OutputDebugStringA
0x1400ef128 LocalFree
0x1400ef130 HeapReAlloc
0x1400ef138 GetCurrentProcess
0x1400ef140 GetModuleHandleW
0x1400ef148 HeapDestroy
0x1400ef150 HeapCreate
0x1400ef158 GetCurrentThreadId
0x1400ef160 GetCurrentProcessId
0x1400ef168 GetFullPathNameW
0x1400ef170 GetFullPathNameA
0x1400ef178 CreateMutexW
0x1400ef180 HeapCompact
0x1400ef188 SetFilePointer
0x1400ef190 TryEnterCriticalSection
0x1400ef198 MapViewOfFile
0x1400ef1a0 UnmapViewOfFile
0x1400ef1a8 SetEndOfFile
0x1400ef1b0 SystemTimeToFileTime
0x1400ef1b8 QueryPerformanceCounter
0x1400ef1c0 WaitForSingleObject
0x1400ef1c8 UnlockFile
0x1400ef1d0 FlushViewOfFile
0x1400ef1d8 LockFile
0x1400ef1e0 WaitForSingleObjectEx
0x1400ef1e8 OutputDebugStringW
0x1400ef1f0 GetTickCount
0x1400ef1f8 UnlockFileEx
0x1400ef200 GetSystemTimeAsFileTime
0x1400ef208 InitializeCriticalSection
0x1400ef210 WideCharToMultiByte
0x1400ef218 LoadLibraryW
0x1400ef220 FormatMessageW
0x1400ef228 GetFileAttributesA
0x1400ef230 LeaveCriticalSection
0x1400ef238 HeapValidate
0x1400ef240 GetFileAttributesW
0x1400ef248 GetTempPathW
0x1400ef250 HeapSize
0x1400ef258 LockFileEx
0x1400ef260 EnterCriticalSection
0x1400ef268 GetDiskFreeSpaceW
0x1400ef270 CreateFileMappingA
0x1400ef278 CreateFileMappingW
0x1400ef280 GetDiskFreeSpaceA
0x1400ef288 GetFileAttributesExW
0x1400ef290 DeleteCriticalSection
0x1400ef298 GetVersionExA
0x1400ef2a0 GetTempPathA
0x1400ef2a8 GetSystemTime
0x1400ef2b0 AreFileApisANSI
0x1400ef2b8 DeleteFileA
0x1400ef2c0 FindFirstFileW
0x1400ef2c8 CreateDirectoryW
0x1400ef2d0 CopyFileW
0x1400ef2d8 FindClose
0x1400ef2e0 FindNextFileW
0x1400ef2e8 GetWindowsDirectoryA
0x1400ef2f0 GetVolumeInformationA
0x1400ef2f8 TerminateProcess
0x1400ef300 CopyFileA
0x1400ef308 Process32FirstW
0x1400ef310 RemoveDirectoryW
0x1400ef318 Process32NextW
0x1400ef320 GetWindowsDirectoryW
0x1400ef328 GetVolumeInformationW
0x1400ef330 FindFirstFileA
0x1400ef338 FindNextFileA
0x1400ef340 WriteConsoleW
0x1400ef348 SetStdHandle
0x1400ef350 EnumSystemLocalesEx
0x1400ef358 IsValidLocaleName
0x1400ef360 LCMapStringEx
0x1400ef368 GetUserDefaultLocaleName
0x1400ef370 CompareStringEx
0x1400ef378 GetDateFormatEx
0x1400ef380 GetTimeFormatEx
0x1400ef388 lstrcatA
0x1400ef390 FreeLibrary
0x1400ef398 FlushFileBuffers
0x1400ef3a0 lstrcpyA
0x1400ef3a8 GetCurrentDirectoryW
0x1400ef3b0 Sleep
0x1400ef3b8 lstrlenA
0x1400ef3c0 FreeEnvironmentStringsW
0x1400ef3c8 GetEnvironmentStringsW
0x1400ef3d0 GetTickCount64
0x1400ef3d8 ReadConsoleW
0x1400ef3e0 FlsFree
0x1400ef3e8 FlsSetValue
0x1400ef3f0 FlsGetValue
0x1400ef3f8 FlsAlloc
0x1400ef400 SetUnhandledExceptionFilter
0x1400ef408 UnhandledExceptionFilter
0x1400ef410 RtlVirtualUnwind
0x1400ef418 RtlCaptureContext
0x1400ef420 GetConsoleMode
0x1400ef428 GetConsoleCP
0x1400ef430 SetFilePointerEx
0x1400ef438 GetStartupInfoW
0x1400ef440 InitOnceExecuteOnce
0x1400ef448 GetFileType
0x1400ef450 GetStdHandle
0x1400ef458 GetTimeZoneInformation
0x1400ef460 GetOEMCP
0x1400ef468 GetACP
0x1400ef470 IsValidCodePage
0x1400ef478 GetModuleHandleExW
0x1400ef480 IsProcessorFeaturePresent
0x1400ef488 InitializeCriticalSectionAndSpinCount
0x1400ef490 RtlUnwindEx
0x1400ef498 RtlLookupFunctionEntry
0x1400ef4a0 RaiseException
0x1400ef4a8 lstrcmpA
0x1400ef4b0 CloseHandle
0x1400ef4b8 GetLastError
0x1400ef4c0 CreateFileW
0x1400ef4c8 ReadFile
0x1400ef4d0 WriteFile
0x1400ef4d8 GetFileSize
0x1400ef4e0 MultiByteToWideChar
0x1400ef4e8 CreateFileA
0x1400ef4f0 RtlPcToFileHeader
0x1400ef4f8 GetCommandLineW
0x1400ef500 LoadLibraryExW
0x1400ef508 ExitThread
0x1400ef510 GetCPInfo
0x1400ef518 GetLocaleInfoEx
0x1400ef520 InitializeCriticalSectionEx
0x1400ef528 DecodePointer
0x1400ef530 EncodePointer
0x1400ef538 GetStringTypeW
0x1400ef540 SetEnvironmentVariableA
USER32.dll
0x1400ef5b8 wsprintfW
0x1400ef5c0 GetDC
0x1400ef5c8 GetWindow
0x1400ef5d0 GetWindowTextW
0x1400ef5d8 GetSystemMetrics
0x1400ef5e0 GetWindowThreadProcessId
0x1400ef5e8 GetTopWindow
0x1400ef5f0 wsprintfA
ADVAPI32.dll
0x1400ef000 GetUserNameW
SHLWAPI.dll
0x1400ef598 PathStripPathA
0x1400ef5a0 PathFindExtensionW
0x1400ef5a8 StrCmpIW
SHELL32.dll
0x1400ef570 SHGetKnownFolderPath
0x1400ef578 ShellExecuteW
0x1400ef580 SHGetFolderPathW
0x1400ef588 SHGetFolderPathA
ole32.dll
0x1400ef6a0 CoUninitialize
0x1400ef6a8 CoInitializeSecurity
0x1400ef6b0 CoInitializeEx
0x1400ef6b8 CoSetProxyBlanket
0x1400ef6c0 CoCreateInstance
OLEAUT32.dll
0x1400ef550 SysAllocString
0x1400ef558 VariantClear
0x1400ef560 SysFreeString
crypt.dll
0x1400ef600 BCryptOpenAlgorithmProvider
0x1400ef608 BCryptSetProperty
0x1400ef610 BCryptDecrypt
0x1400ef618 BCryptCloseAlgorithmProvider
0x1400ef620 BCryptGenerateSymmetricKey
CRYPT32.dll
0x1400ef010 CryptUnprotectData
0x1400ef018 CryptStringToBinaryA
GDI32.dll
0x1400ef028 CreateCompatibleDC
0x1400ef030 SelectObject
0x1400ef038 DeleteObject
0x1400ef040 CreateCompatibleBitmap
0x1400ef048 BitBlt
gdiplus.dll
0x1400ef630 GdipSaveImageToFile
0x1400ef638 GdipGetImageEncoders
0x1400ef640 GdipCloneImage
0x1400ef648 GdipDisposeImage
0x1400ef650 GdipGetImageEncodersSize
0x1400ef658 GdiplusStartup
0x1400ef660 GdipFree
0x1400ef668 GdipAlloc
0x1400ef670 GdipCreateBitmapFromHBITMAP
0x1400ef678 GdiplusShutdown
msi.dll
0x1400ef688 None
0x1400ef690 None
EAT(Export Address Table) is none