Windows Analysis Report
unpacked_svchost.exe

Overview

General Information

Sample name: unpacked_svchost.exe
Analysis ID: 1417150
MD5: 22631afc7d9706f566995833748de97f
SHA1: f371c5f78437db887f1717b0eaf594295b0f4969
SHA256: 79449670340d763f164bbda0a32e38f3d06a2a3b6cee41d92c47f448710e015a
Tags: exe, IcedID

Detection

IcedID
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected IcedID
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files

Classification

  • System is w10x64
  • unpacked_svchost.exe (PID: 1164 cmdline: "C:\Users\user\Desktop\unpacked_svchost.exe" MD5: 22631AFC7D9706F566995833748DE97F)
  • cleanup
Name: IcedID
Description: According to Proofpoint, IcedID (aka BokBot) is a malware originally classified as a banking malware and was first observed in 2017. It also acts as a loader for other malware, including ransomware. The well-known IcedID version consists of an initial loader which contacts a Loader C2 server, downloads the standard DLL Loader, which then delivers the standard IcedID Bot. IcedID is developed and operated by the actor named LUNAR SPIDER. As previously published, historically there has been just one version of IcedID that has remained constant since 2017.
  • In November 2022, Proofpoint researchers observed the first new variant of IcedID Proofpoint dubbed 'IcedID Lite' distributed as a follow-on payload in a TA542 Emotet campaign. It was dropped by the Emotet malware soon after the actor returned to the e-crime landscape after a nearly four-month break.
  • The IcedID Lite Loader observed in November 2022 contains a static URL to download a 'Bot Pack' file with a static name (botpack.dat) which results in the IcedID Lite DLL Loader, and then delivers the Forked version of IcedID Bot, leaving out the webinjects and backconnect functionality that would typically be used for banking fraud.
  • Starting in February 2023, Proofpoint observed the new Forked variant of IcedID. This variant was distributed by TA581 and one unattributed threat activity cluster which acted as initial access facilitators. The campaigns used a variety of email attachments such as Microsoft OneNote attachments and somewhat rare to see .URL attachments, which led to the Forked variant of IcedID.
Attribution:
  • GOLD CABIN
  • Lunar Spider
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid
No configs have been found
Source: unpacked_svchost.exe | Rule: JoeSecurity_IcedID_3 | Description: Yara detected IcedID | Author: Joe Security
    No Sigma rule has matched
    No Snort rule has matched

    AV Detection

    Source: unpacked_svchost.exe | Avira: detected
    Source: https://ilu21plane.xyz/ | Avira URL Cloud: Label: malware
    Source: https://nizaoplov.xyz/A_ | Avira URL Cloud: Label: malware
    Source: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000 | Avira URL Cloud: Label: malware
    Source: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000V)T | Avira URL Cloud: Label: malware
    Source: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000000004 | Avira URL Cloud: Label: malware
    Source: https://153ishak.best/A_ | Avira URL Cloud: Label: malware
    Source: https://nizaoplov.xyz/ | Avira URL Cloud: Label: malware
    Source: https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000004 | Avira URL Cloud: Label: malware
    Source: https://boldidiotruss.xyz/- | Avira URL Cloud: Label: malware
    Source: https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000 | Avira URL Cloud: Label: malware
    Source: https://boldidiotruss.xyz/ | Avira URL Cloud: Label: malware
    Source: https://boldidiotruss.xyz/1 | Avira URL Cloud: Label: malware
    Source: ilu21plane.xyz | Virustotal: Detection: 7%
    Source: nizaoplov.xyz | Virustotal: Detection: 10%
    Source: https://ilu21plane.xyz/ | Virustotal: Detection: 7%
    Source: boldidiotruss.xyz | Virustotal: Detection: 13%
    Source: 153ishak.best | Virustotal: Detection: 6%
    Source: https://boldidiotruss.xyz/ | Virustotal: Detection: 13%
    Source: https://nizaoplov.xyz/ | Virustotal: Detection: 10%
    Source: unpacked_svchost.exe | ReversingLabs: Detection: 71%
    Source: unpacked_svchost.exe | Virustotal: Detection: 76%
    Source: Yara match | File source: unpacked_svchost.exe, type: SAMPLE
    Source: unpacked_svchost.exe | Joe Sandbox ML: detected
    Source: unpacked_svchost.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

    Networking

    Source: DNS query: boldidiotruss.xyz
    Source: DNS query: nizaoplov.xyz
    Source: DNS query: ilu21plane.xyz
    Source: unknown | DNS traffic detected: query: nizaoplov.xyz, reply code: Name error (3)
    Source: unknown | DNS traffic detected: query: 153ishak.best, reply code: Name error (3)
    Source: unknown | DNS traffic detected: query: boldidiotruss.xyz, reply code: Name error (3)
    Source: unknown | DNS traffic detected: query: ilu21plane.xyz, reply code: Name error (3)
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | DNS traffic detected: queries for: boldidiotruss.xyz
    Source: unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://153ishak.best/A_
    Source: unpacked_svchost.exe, 00000000.00000002.3304286481.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://boldidiotruss.xyz/
    Source: unpacked_svchost.exe, 00000000.00000002.3304286481.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://boldidiotruss.xyz/-
    Source: unpacked_svchost.exe, 00000000.00000002.3304286481.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://boldidiotruss.xyz/1
    Source: unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp, unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001339000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000
    Source: unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000004
    Source: unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ilu21plane.xyz/
    Source: unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nizaoplov.xyz/
    Source: unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nizaoplov.xyz/A_
    Source: unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000
    Source: unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000000004
    Source: unpacked_svchost.exe, 00000000.00000003.2974577476.000000000133B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000V)T

    E-Banking Fraud

    Source: Yara match | File source: unpacked_svchost.exe, type: SAMPLE
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: webio.dll
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: winnsi.dll
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: rasadhlp.dll
    Source: unpacked_svchost.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@25/0
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | File created: C:\Users\user\AppData\Local\user
    Source: unpacked_svchost.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unpacked_svchost.exe | ReversingLabs: Detection: 71%
    Source: unpacked_svchost.exe | Virustotal: Detection: 76%

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Code function: 0_2_010010F6 wsprintfA, 0_2_010010F6
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Stalling execution: Execution stalls by calling Sleep (graph_0-193)
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | RDTSC instruction interceptor: First address: 1001131, second address: 1001151, instructions:
        0x00000000 rdtsc
        0x00000002 mov esi, eax
        0x00000004 mov dword ptr [esp+1Ch], edx
        0x00000008 xor eax, eax
        0x0000000a lea edi, dword ptr [esp+28h]
        0x0000000e inc eax
        0x0000000f xor ecx, ecx
        0x00000011 cpuid
        0x00000013 mov dword ptr [edi], eax
        0x00000015 mov eax, edi
        0x00000017 mov dword ptr [eax+04h], ebx
        0x0000001a mov dword ptr [eax+08h], ecx
        0x0000001d mov dword ptr [eax+0Ch], edx
        0x00000020 rdtsc
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | RDTSC instruction interceptor: First address: 1001151, second address: 1001131, instructions:
        0x00000000 rdtsc
        0x00000002 sub eax, esi
        0x00000004 sbb edx, dword ptr [esp+1Ch]
        0x00000008 test edx, edx
        0x0000000a jnbe 00007F61651D0F5Ah
        0x0000000c jc 00007F61651D0F19h
        0x0000000e cmp eax, 000000FAh
        0x00000013 jnc 00007F61651D0F18h
        0x00000015 inc byte ptr [esp+1Ah]
        0x00000019 jmp 00007F61651D0F4Fh
        0x0000001b sub ebp, 01h
        0x0000001e jne 00007F61651D0E95h
        0x00000020 rdtsc
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Code function: 0_2_01001224 rdtsc, 0_2_01001224
    Source: C:\Users\user\Desktop\unpacked_svchost.exe TID: 5320 | Thread sleep time: -690000s >= -30000s
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Last function: Thread delayed
    Source: unpacked_svchost.exe, 00000000.00000002.3304286481.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | API call chain: ExitProcess graph end node (graph_0-158)
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Code function: 0_2_01001224 rdtsc, 0_2_01001224
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Code function: 0_2_01001000 CreateFileA, GetFileSize, GetProcessHeap, HeapAlloc, ReadFile, GetProcessHeap, HeapFree, CloseHandle, 0_2_01001000
    Source: C:\Users\user\Desktop\unpacked_svchost.exe | Code function: 0_2_010014F9 SHGetFolderPathA, lstrcatA, lstrcatA, lstrlenA, GetUserNameA, CreateDirectoryA, lstrcatA, 0_2_010014F9

    Stealing of Sensitive Information

    Source: Yara matchFile source: unpacked_svchost.exe, type: SAMPLE

    Remote Access Functionality

    Source: Yara matchFile source: unpacked_svchost.exe, type: SAMPLE
    MITRE ATT&CK Matrix (techniques matched by the report keep the count shown in front of them; the other entries are the unmatched cells of the matrix):
    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
    Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
    Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
    Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
    Defense Evasion: 1 Masquerading; 1 Virtualization/Sandbox Evasion; 1 DLL Side-Loading; Binary Padding; Software Packing
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
    Discovery: 221 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 Account Discovery; 1 System Owner/User Discovery; 21 System Information Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
    Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
    Command and Control: 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Steganography; Protocol Impersonation; Fallback Channels
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
    Source | Detection | Scanner | Label
    unpacked_svchost.exe | 71% | ReversingLabs | Win32.Trojan.IcedID
    unpacked_svchost.exe | 76% | Virustotal |
    unpacked_svchost.exe | 100% | Avira | HEUR/AGEN.1317131
    unpacked_svchost.exe | 100% | Joe Sandbox ML |
    No Antivirus matches
    Source | Detection | Scanner | Label
    ilu21plane.xyz | 8% | Virustotal |
    nizaoplov.xyz | 11% | Virustotal |
    boldidiotruss.xyz | 14% | Virustotal |
    153ishak.best | 7% | Virustotal |
    Source | Detection | Scanner | Label
    https://ilu21plane.xyz/ | 100% | Avira URL Cloud | malware
    https://nizaoplov.xyz/A_ | 100% | Avira URL Cloud | malware
    https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000 | 100% | Avira URL Cloud | malware
    https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000V)T | 100% | Avira URL Cloud | malware
    https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000000004 | 100% | Avira URL Cloud | malware
    https://153ishak.best/A_ | 100% | Avira URL Cloud | malware
    https://ilu21plane.xyz/ | 8% | Virustotal |
    https://nizaoplov.xyz/ | 100% | Avira URL Cloud | malware
    https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000004 | 100% | Avira URL Cloud | malware
    https://boldidiotruss.xyz/- | 100% | Avira URL Cloud | malware
    https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000 | 100% | Avira URL Cloud | malware
    https://boldidiotruss.xyz/ | 100% | Avira URL Cloud | malware
    https://boldidiotruss.xyz/1 | 100% | Avira URL Cloud | malware
    https://boldidiotruss.xyz/ | 14% | Virustotal |
    https://nizaoplov.xyz/ | 11% | Virustotal |
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    nizaoplov.xyz | unknown | unknown | true | | unknown
    153ishak.best | unknown | unknown | false | | unknown
    boldidiotruss.xyz | unknown | unknown | true | | unknown
    ilu21plane.xyz | unknown | unknown | true | | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000 | unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://ilu21plane.xyz/ | unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp | false | 8% Virustotal; Avira URL Cloud: malware | unknown
    https://nizaoplov.xyz/A_ | unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000V)T | unpacked_svchost.exe, 00000000.00000003.2974577476.000000000133B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000000004 | unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://153ishak.best/A_ | unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://nizaoplov.xyz/ | unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp | false | 11% Virustotal; Avira URL Cloud: malware | unknown
    https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000004 | unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://boldidiotruss.xyz/- | unpacked_svchost.exe, 00000000.00000002.3304286481.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000 | unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp, unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001339000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://boldidiotruss.xyz/ | unpacked_svchost.exe, 00000000.00000002.3304286481.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | false | 14% Virustotal; Avira URL Cloud: malware | unknown
    https://boldidiotruss.xyz/1 | unpacked_svchost.exe, 00000000.00000002.3304286481.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    No contacted IP infos
    Joe Sandbox version: 40.0.0 Tourmaline
    Analysis ID: 1417150
    Start date and time: 2024-03-28 17:17:04 +01:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 4m 0s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed: 4
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: unpacked_svchost.exe
    Detection: MAL
    Classification: mal100.troj.evad.winEXE@1/0@25/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 5
    • Number of non-executed functions: 2
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    Time | Type | Description
    17:17:56 | API Interceptor | 25x Sleep call for process: unpacked_svchost.exe modified
    No context
    No created / dropped files found
    File type: PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit): 2.3731784141221604
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name: unpacked_svchost.exe
    File size: 17'197 bytes
    MD5: 22631afc7d9706f566995833748de97f
    SHA1: f371c5f78437db887f1717b0eaf594295b0f4969
    SHA256: 79449670340d763f164bbda0a32e38f3d06a2a3b6cee41d92c47f448710e015a
    SHA512: 56e119dd3a4f0b9523d4cba4647333fb31e38af2456168c9a14f313e656e662dfdd70d9fec1d897bebc8ba91ab15cc3017651cf68d044e0b74f4f05960b69b82
    SSDEEP: 96:MMqEESUUhDYXAybZACN3fICtECLi0/r3mvuHg3:MMqr7UhcXAybZBrWwjM3
    TLSH: CF721993AD24E8B0FB8B05B00A44212EE3F36926277014F349F744DEEAA2E95746D721
    File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................+.......+.......Rich....................PE..L...St.]............................=........ ....@
    Icon Hash: 00928e8e8686b000
    Entrypoint: 0x40163d
    Entrypoint Section: .text
    Digitally signed: false
    Imagebase: 0x400000
    Subsystem: windows gui
    Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
    Time Stamp: 0x5D9C7453 [Tue Oct 8 11:34:43 2019 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major: 5
    OS Version Minor: 1
    File Version Major: 5
    File Version Minor: 1
    Subsystem Version Major: 5
    Subsystem Version Minor: 1
    Import Hash: 0e18f33408be6e4cb217f0266066c51c
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x210c | 0x78 | .rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4000 | 0x8c | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x94 | .rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x932 | 0xa00 | 1ed92ae465afad5ebd29398040c5300b | False | 0.647265625 | data | 6.043762853215392 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata | 0x2000 | 0x468 | 0x600 | ed1fd9a0fd0d16380b51b3b9343b0b46 | False | 0.375 | data | 3.9346229806161377 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data | 0x3000 | 0x250 | 0x400 | 160844b9aefe6946dcd0d09dc93dc053 | False | 0.62109375 | data | 5.353421965490113 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .reloc | 0x4000 | 0x8c | 0x200 | 5bf3b03a3feb562e4a8af4efc9b4f384 | False | 0.298828125 | data | 2.1736473568030688 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    DLL | Import
    ADVAPI32.dll | GetUserNameA
    SHELL32.dll | SHGetFolderPathA
    KERNEL32.dll | lstrcpyA, ExitProcess, CreateDirectoryA, lstrcatA, Sleep, lstrlenA, ReadFile, HeapFree, WriteFile, CreateFileA, CloseHandle, HeapAlloc, GetFileSize, GetProcessHeap, GetModuleFileNameA, VirtualProtect, VirtualAlloc, HeapReAlloc
    WINHTTP.dll | WinHttpCloseHandle, WinHttpSetOption, WinHttpOpenRequest, WinHttpSendRequest, WinHttpQueryHeaders, WinHttpOpen, WinHttpReceiveResponse, WinHttpQueryDataAvailable, WinHttpConnect, WinHttpReadData
    USER32.dll | wsprintfA, wsprintfW
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Mar 28, 2024 17:17:56.582192898 CET | 53956 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:17:56.686479092 CET | 53 | 53956 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:18:01.706702948 CET | 51046 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:18:01.805475950 CET | 53 | 51046 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:18:06.815707922 CET | 55082 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:18:06.916187048 CET | 53 | 55082 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:18:11.929579973 CET | 56989 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:18:12.037082911 CET | 53 | 56989 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:18:17.973248959 CET | 59242 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:18:18.074172974 CET | 53 | 59242 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:18:23.081973076 CET | 58642 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:18:23.181541920 CET | 53 | 58642 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:18:28.195759058 CET | 63452 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:18:28.294584990 CET | 53 | 63452 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:18:33.299843073 CET | 64795 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:18:33.398788929 CET | 53 | 64795 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:18:38.409450054 CET | 58373 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:18:38.512949944 CET | 53 | 58373 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:18:43.518351078 CET | 51596 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:18:43.618526936 CET | 53 | 51596 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:18:48.627753019 CET | 65388 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:18:48.726372957 CET | 53 | 65388 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:18:53.737299919 CET | 63640 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:18:53.836519957 CET | 53 | 63640 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:18:58.847192049 CET | 62073 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:18:58.945770979 CET | 53 | 62073 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:19:03.956012011 CET | 58795 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:19:04.054058075 CET | 53 | 58795 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:19:09.065140009 CET | 54177 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:19:09.167217970 CET | 53 | 54177 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:19:14.175074100 CET | 61631 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:19:14.274790049 CET | 53 | 61631 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:19:19.283859968 CET | 56613 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:19:19.382514954 CET | 53 | 56613 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:19:24.393874884 CET | 61971 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:19:24.505264044 CET | 53 | 61971 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:19:29.518604994 CET | 55142 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:19:29.617474079 CET | 53 | 55142 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:19:35.688126087 CET | 53291 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:19:35.787507057 CET | 53 | 53291 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:19:40.818269968 CET | 54870 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:19:40.916814089 CET | 53 | 54870 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:19:45.924757004 CET | 56657 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:19:46.023818016 CET | 53 | 56657 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:19:51.034302950 CET | 53008 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:19:51.133475065 CET | 53 | 53008 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:19:56.143523932 CET | 64640 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:19:56.245662928 CET | 53 | 64640 | 1.1.1.1 | 192.168.2.5
    Mar 28, 2024 17:20:01.253637075 CET | 50565 | 53 | 192.168.2.5 | 1.1.1.1
    Mar 28, 2024 17:20:01.359031916 CET | 53 | 50565 | 1.1.1.1 | 192.168.2.5
    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
    Mar 28, 2024 17:17:56.582192898 CET | 192.168.2.5 | 1.1.1.1 | 0xfa14 | Standard query (0) | boldidiotruss.xyz | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:01.706702948 CET | 192.168.2.5 | 1.1.1.1 | 0x8f8b | Standard query (0) | nizaoplov.xyz | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:06.815707922 CET | 192.168.2.5 | 1.1.1.1 | 0x6127 | Standard query (0) | 153ishak.best | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:11.929579973 CET | 192.168.2.5 | 1.1.1.1 | 0x4094 | Standard query (0) | ilu21plane.xyz | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:17.973248959 CET | 192.168.2.5 | 1.1.1.1 | 0x485c | Standard query (0) | boldidiotruss.xyz | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:23.081973076 CET | 192.168.2.5 | 1.1.1.1 | 0x32d6 | Standard query (0) | nizaoplov.xyz | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:28.195759058 CET | 192.168.2.5 | 1.1.1.1 | 0x78be | Standard query (0) | 153ishak.best | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:33.299843073 CET | 192.168.2.5 | 1.1.1.1 | 0x2792 | Standard query (0) | ilu21plane.xyz | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:38.409450054 CET | 192.168.2.5 | 1.1.1.1 | 0xc73a | Standard query (0) | boldidiotruss.xyz | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:43.518351078 CET | 192.168.2.5 | 1.1.1.1 | 0x2844 | Standard query (0) | nizaoplov.xyz | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:48.627753019 CET | 192.168.2.5 | 1.1.1.1 | 0x4075 | Standard query (0) | 153ishak.best | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:53.737299919 CET | 192.168.2.5 | 1.1.1.1 | 0xb0a0 | Standard query (0) | ilu21plane.xyz | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:58.847192049 CET | 192.168.2.5 | 1.1.1.1 | 0xf12f | Standard query (0) | boldidiotruss.xyz | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:03.956012011 CET | 192.168.2.5 | 1.1.1.1 | 0x23a5 | Standard query (0) | nizaoplov.xyz | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:09.065140009 CET | 192.168.2.5 | 1.1.1.1 | 0x8a1e | Standard query (0) | 153ishak.best | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:14.175074100 CET | 192.168.2.5 | 1.1.1.1 | 0xadcd | Standard query (0) | ilu21plane.xyz | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:19.283859968 CET | 192.168.2.5 | 1.1.1.1 | 0xad97 | Standard query (0) | boldidiotruss.xyz | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:24.393874884 CET | 192.168.2.5 | 1.1.1.1 | 0xc1cf | Standard query (0) | nizaoplov.xyz | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:29.518604994 CET | 192.168.2.5 | 1.1.1.1 | 0xf444 | Standard query (0) | 153ishak.best | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:35.688126087 CET | 192.168.2.5 | 1.1.1.1 | 0x79a8 | Standard query (0) | ilu21plane.xyz | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:40.818269968 CET | 192.168.2.5 | 1.1.1.1 | 0x7244 | Standard query (0) | boldidiotruss.xyz | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:45.924757004 CET | 192.168.2.5 | 1.1.1.1 | 0x7a51 | Standard query (0) | nizaoplov.xyz | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:51.034302950 CET | 192.168.2.5 | 1.1.1.1 | 0xe04c | Standard query (0) | 153ishak.best | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:56.143523932 CET | 192.168.2.5 | 1.1.1.1 | 0x13bd | Standard query (0) | ilu21plane.xyz | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:20:01.253637075 CET | 192.168.2.5 | 1.1.1.1 | 0xb12a | Standard query (0) | boldidiotruss.xyz | A (IP address) | IN (0x0001) | false
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Mar 28, 2024 17:17:56.686479092 CET | 1.1.1.1 | 192.168.2.5 | 0xfa14 | Name error (3) | boldidiotruss.xyz | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:01.805475950 CET | 1.1.1.1 | 192.168.2.5 | 0x8f8b | Name error (3) | nizaoplov.xyz | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:06.916187048 CET | 1.1.1.1 | 192.168.2.5 | 0x6127 | Name error (3) | 153ishak.best | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:12.037082911 CET | 1.1.1.1 | 192.168.2.5 | 0x4094 | Name error (3) | ilu21plane.xyz | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:18.074172974 CET | 1.1.1.1 | 192.168.2.5 | 0x485c | Name error (3) | boldidiotruss.xyz | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:23.181541920 CET | 1.1.1.1 | 192.168.2.5 | 0x32d6 | Name error (3) | nizaoplov.xyz | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:28.294584990 CET | 1.1.1.1 | 192.168.2.5 | 0x78be | Name error (3) | 153ishak.best | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:33.398788929 CET | 1.1.1.1 | 192.168.2.5 | 0x2792 | Name error (3) | ilu21plane.xyz | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:38.512949944 CET | 1.1.1.1 | 192.168.2.5 | 0xc73a | Name error (3) | boldidiotruss.xyz | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:43.618526936 CET | 1.1.1.1 | 192.168.2.5 | 0x2844 | Name error (3) | nizaoplov.xyz | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:48.726372957 CET | 1.1.1.1 | 192.168.2.5 | 0x4075 | Name error (3) | 153ishak.best | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:53.836519957 CET | 1.1.1.1 | 192.168.2.5 | 0xb0a0 | Name error (3) | ilu21plane.xyz | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:18:58.945770979 CET | 1.1.1.1 | 192.168.2.5 | 0xf12f | Name error (3) | boldidiotruss.xyz | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:04.054058075 CET | 1.1.1.1 | 192.168.2.5 | 0x23a5 | Name error (3) | nizaoplov.xyz | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:09.167217970 CET | 1.1.1.1 | 192.168.2.5 | 0x8a1e | Name error (3) | 153ishak.best | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:14.274790049 CET | 1.1.1.1 | 192.168.2.5 | 0xadcd | Name error (3) | ilu21plane.xyz | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:19.382514954 CET | 1.1.1.1 | 192.168.2.5 | 0xad97 | Name error (3) | boldidiotruss.xyz | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:24.505264044 CET | 1.1.1.1 | 192.168.2.5 | 0xc1cf | Name error (3) | nizaoplov.xyz | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:29.617474079 CET | 1.1.1.1 | 192.168.2.5 | 0xf444 | Name error (3) | 153ishak.best | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:35.787507057 CET | 1.1.1.1 | 192.168.2.5 | 0x79a8 | Name error (3) | ilu21plane.xyz | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:40.916814089 CET | 1.1.1.1 | 192.168.2.5 | 0x7244 | Name error (3) | boldidiotruss.xyz | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:46.023818016 CET | 1.1.1.1 | 192.168.2.5 | 0x7a51 | Name error (3) | nizaoplov.xyz | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:51.133475065 CET | 1.1.1.1 | 192.168.2.5 | 0xe04c | Name error (3) | 153ishak.best | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:19:56.245662928 CET | 1.1.1.1 | 192.168.2.5 | 0x13bd | Name error (3) | ilu21plane.xyz | none | none | A (IP address) | IN (0x0001) | false
    Mar 28, 2024 17:20:01.359031916 CET | 1.1.1.1 | 192.168.2.5 | 0xb12a | Name error (3) | boldidiotruss.xyz | none | none | A (IP address) | IN (0x0001) | false

    Target ID: 0
    Start time: 17:17:55
    Start date: 28/03/2024
    Path: C:\Users\user\Desktop\unpacked_svchost.exe
    Wow64 process (32bit): true
    Commandline: "C:\Users\user\Desktop\unpacked_svchost.exe"
    Imagebase: 0x1000000
    File size: 17'197 bytes
    MD5 hash: 22631AFC7D9706F566995833748DE97F
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: low
    Has exited: false

      Execution Graph

      Execution Coverage: 41.3%
      Dynamic/Decrypted Code Coverage: 0%
      Signature Coverage: 46.3%
      Total number of Nodes: 67
      Total number of Limit Nodes: 4

      execution_graph (one node per line: node id, address, APIs called, incoming/outgoing edges)
      150 100163d
      153 10014f9 SHGetFolderPathA   150->153
      154 100152f lstrcatA lstrlenA GetUserNameA CreateDirectoryA lstrcatA   153->154
      174 100186e   154->174
      157 10015a2
      158 10015a8 ExitProcess   157->158
      178 1001000 CreateFileA   157->178
      161 10015c6
      197 100133e   161->197
      162 10015df
      187 1001224   162->187
      167 10015ee
      169 100133e 4 API calls   167->169
      171 1001601   169->171   171->158
      203 100109a CreateFileA   171->203
      173 1001618
      208 10013eb VirtualAlloc   173->208
      175 10018bc   174->175
      176 1001882   174->176   175->157   176->175
      177 10018a4 GetProcessHeap HeapAlloc   176->177   177->175
      179 1001024   178->179
      180 1001028 GetFileSize   178->180   179->161   179->162
      181 100103a GetProcessHeap HeapAlloc   180->181
      182 100108b CloseHandle   180->182   181->182
      183 1001052 ReadFile   181->183   182->179
      184 1001069   183->184   184->182
      185 1001077 GetProcessHeap HeapFree   184->185
      186 1001089   184->186   185->186   186->182
      214 10010f6   187->214
      189 1001241 wsprintfA wsprintfW
      190 10012dc wsprintfW   189->190
      217 100164b WinHttpOpen   190->217
      192 1001333   192->158   192->167
      193 10012a6 Sleep
      194 10012c0 wsprintfW   193->194
      195 100128b   193->195   194->190   195->192   195->193   195->194
      196 1001295 GetProcessHeap HeapFree   195->196   196->193
      198 1001353   197->198
      202 10013c4   197->202
      199 10013a5 GetProcessHeap HeapAlloc   198->199   198->202
      200 10013bc   199->200   199->202
      201 100186e 2 API calls   200->201   201->202   202->162   202->173
      204 10010c2 WriteFile   203->204
      205 10010be   203->205
      206 10010e6 CloseHandle   204->206
      207 10010d8   204->207   205->173   206->205   207->206
      209 10014f3   208->209
      210 100141b GetModuleFileNameA lstrcpyA   208->210   209->158
      212 10014a6 VirtualProtect   210->212   212->209
      216 1001131 wsprintfA   214->216   216->189
      218 1001801   217->218
      219 1001686 WinHttpConnect   217->219   218->195
      220 10017fa WinHttpCloseHandle   219->220
      221 10016aa WinHttpOpenRequest   219->221   220->218
      222 10017f3 WinHttpCloseHandle   221->222
      223 10016da   221->223   222->220
      224 10016f7 WinHttpSendRequest   223->224
      225 10016df WinHttpSetOption   223->225
      226 10017f0 WinHttpCloseHandle   224->226
      227 100170e WinHttpReceiveResponse   224->227   225->224   226->222   227->226
      228 100171e WinHttpQueryHeaders WinHttpQueryDataAvailable   227->228
      229 10017d8   228->229
      230 100175e   228->230   229->226   230->229
      231 1001775 GetProcessHeap HeapReAlloc   230->231
      232 1001787 GetProcessHeap HeapAlloc   230->232
      233 100179c WinHttpReadData   230->233
      234 10017bb WinHttpQueryDataAvailable   230->234   231->230   232->230   233->229   233->230   234->229   234->230

      Callgraph

      • Executed
      • Not Executed
      • Opacity -> Relevance
      • Disassembly available
      callgraph (one function per line with its outgoing call edges)
      0 Function_01001000
      1 Function_01001224
      2 Function_010010F6   1->2
      5 Function_0100164B   1->5
      3 Function_010014F9   3->0   3->1
      4 Function_0100109A   3->4
      6 Function_010013EB   3->6
      8 Function_0100186E   3->8
      9 Function_0100133E   3->9
      7 Function_0100163D   7->3
      10 Function_0100180F   8->10   9->8

      Control-flow Graph

      APIs
        • Part of subcall function 010010F6: wsprintfA.USER32 ref: 01001213
      • wsprintfA.USER32 ref: 0100125B
      • wsprintfW.USER32 ref: 01001284
      • GetProcessHeap.KERNEL32(00000000,?), ref: 01001299
      • HeapFree.KERNEL32(00000000), ref: 010012A0
      • Sleep.KERNELBASE(00001388), ref: 010012AB
      • wsprintfW.USER32 ref: 010012D7
      • wsprintfW.USER32 ref: 010012EE
        • Part of subcall function 0100164B: WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,01003050,?), ref: 01001672
        • Part of subcall function 0100164B: WinHttpConnect.WINHTTP(00000000,?,01003000,00000000,75A773E0), ref: 01001690
        • Part of subcall function 0100164B: WinHttpOpenRequest.WINHTTP(00000000,GET,00000008,00000000,00000000,00000000,?,?), ref: 010016CA
        • Part of subcall function 0100164B: WinHttpSetOption.WINHTTP(00000000,0000001F,?,?,?,?,?,?,?,00000004), ref: 010016F1
        • Part of subcall function 0100164B: WinHttpSendRequest.WINHTTP(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 01001700
        • Part of subcall function 0100164B: WinHttpReceiveResponse.WINHTTP(00000000,00000000), ref: 01001710
        • Part of subcall function 0100164B: WinHttpQueryHeaders.WINHTTP(00000000,20000013,00000000,?,?,?,?,?,00000000), ref: 01001738
        • Part of subcall function 0100164B: WinHttpQueryDataAvailable.WINHTTP(00000000,?,?,?,?,00000000), ref: 01001750
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3304194656.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
      • Associated: 00000000.00000002.3304179836.0000000001000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304207959.0000000001002000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304219365.0000000001003000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304230695.0000000001004000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1000000_unpacked_svchost.jbxd
      Similarity
      • API ID: Http$wsprintf$HeapOpenQueryRequest$AvailableConnectDataFreeHeadersOptionProcessReceiveResponseSendSleep
      • String ID: /photo.png?id=%0.2X%0.8X%0.8X%s$boldidiotruss.xyz
      • API String ID: 2449687179-3117748069
      • Opcode ID: 5341d9b7258a2c657583b65b34c7fb742247f385b986e256da08a0a1851c6e4e
      • Instruction ID: a78f5a43c48746d2a076e010366a6cbe19463159886be16f6773bb731528232d
      • Opcode Fuzzy Hash: 5341d9b7258a2c657583b65b34c7fb742247f385b986e256da08a0a1851c6e4e
      • Instruction Fuzzy Hash: 4F318E725043059FE723DB94DC89BABB7ECAB45311F04082AF6C8CA181E7B5D258CB96
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 01001519
      • lstrcatA.KERNEL32(?,010020A8), ref: 0100153C
      • lstrlenA.KERNEL32(?,00000100), ref: 01001549
      • GetUserNameA.ADVAPI32(00000000), ref: 01001558
      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 01001566
      • lstrcatA.KERNEL32(?,\photo.png), ref: 01001578
        • Part of subcall function 01001000: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,010015C1,?), ref: 01001017
        • Part of subcall function 0100133E: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,01001601,00000100,?), ref: 010013A8
        • Part of subcall function 0100133E: HeapAlloc.KERNEL32(00000000,?,?,?,?,01001601,00000100,?), ref: 010013AF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3304194656.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
      • Associated: 00000000.00000002.3304179836.0000000001000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304207959.0000000001002000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304219365.0000000001003000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304230695.0000000001004000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1000000_unpacked_svchost.jbxd
      Similarity
      • API ID: CreateHeaplstrcat$AllocDirectoryFileFolderNamePathProcessUserlstrlen
      • String ID: \photo.png$c:\Users\Public\
      • API String ID: 2646763722-1729186543
      • Opcode ID: ee0dae92fe41daef42a409118c09ac76a9d379c6628a404b2d5443b535c2ddd2
      • Instruction ID: 2d3c0f2debcb51ee486b59f44f2fd55b25025abfb01e043f1cba9d1d175e5066
      • Opcode Fuzzy Hash: ee0dae92fe41daef42a409118c09ac76a9d379c6628a404b2d5443b535c2ddd2
      • Instruction Fuzzy Hash: 6D315E72A0020EEBEF66DBA4DC44EDE77BDAF48315F0041A9E585E7180EA35DB49CB50
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,010015C1,?), ref: 01001017
      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,010015C1,?), ref: 0100102A
      • GetProcessHeap.KERNEL32(00000008,00000001,?,?,?,?,?,010015C1,?), ref: 0100103E
      • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,010015C1,?), ref: 01001045
      • ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,?,010015C1,?), ref: 0100105D
      • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,010015C1,?), ref: 0100107C
      • HeapFree.KERNEL32(00000000,?,?,?,?,?,010015C1,?), ref: 01001083
      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,010015C1,?), ref: 0100108C
      Memory Dump Source
      • Source File: 00000000.00000002.3304194656.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
      • Associated: 00000000.00000002.3304179836.0000000001000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304207959.0000000001002000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304219365.0000000001003000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304230695.0000000001004000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1000000_unpacked_svchost.jbxd
      Similarity
      • API ID: Heap$File$Process$AllocCloseCreateFreeHandleReadSize
      • String ID:
      • API String ID: 3250796435-0
      • Opcode ID: 5c8b1affee86901804fb7009c2020b8cbf478982516c2306ee520db0764a93e1
      • Instruction ID: a4ded7d60b430b3b39aaa9a1fbfe8dbcb1747134c3d76384411526b27d05ce36
      • Opcode Fuzzy Hash: 5c8b1affee86901804fb7009c2020b8cbf478982516c2306ee520db0764a93e1
      • Instruction Fuzzy Hash: 6C116A71604314AFF722DB649C8CB3B3AADEB48791F000269FA82D61C1CB75C804CB71
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,01003050,?), ref: 01001672
      • WinHttpConnect.WINHTTP(00000000,?,01003000,00000000,75A773E0), ref: 01001690
      • WinHttpOpenRequest.WINHTTP(00000000,GET,00000008,00000000,00000000,00000000,?,?), ref: 010016CA
      • WinHttpSetOption.WINHTTP(00000000,0000001F,?,?,?,?,?,?,?,00000004), ref: 010016F1
      • WinHttpSendRequest.WINHTTP(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 01001700
      • WinHttpReceiveResponse.WINHTTP(00000000,00000000), ref: 01001710
      • WinHttpQueryHeaders.WINHTTP(00000000,20000013,00000000,?,?,?,?,?,00000000), ref: 01001738
      • WinHttpQueryDataAvailable.WINHTTP(00000000,?,?,?,?,00000000), ref: 01001750
      • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,00000000), ref: 01001778
      • HeapReAlloc.KERNEL32(00000000,?,?,?,00000000), ref: 0100177F
      • GetProcessHeap.KERNEL32(00000008,?,?,?,?,00000000), ref: 01001789
      • HeapAlloc.KERNEL32(00000000,?,?,?,00000000), ref: 01001790
      • WinHttpReadData.WINHTTP(00000000,?,00000004,?,?,?,?,00000000), ref: 010017AA
      • WinHttpQueryDataAvailable.WINHTTP(00000000,00000000,?,?,?,00000000), ref: 010017CE
      • WinHttpCloseHandle.WINHTTP(00000000), ref: 010017F1
      • WinHttpCloseHandle.WINHTTP(?), ref: 010017F7
      • WinHttpCloseHandle.WINHTTP(?), ref: 010017FE
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3304194656.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
      • Associated: 00000000.00000002.3304179836.0000000001000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304207959.0000000001002000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304219365.0000000001003000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304230695.0000000001004000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1000000_unpacked_svchost.jbxd
      Similarity
      • API ID: Http$Heap$CloseDataHandleQuery$AllocAvailableOpenProcessRequest$ConnectHeadersOptionReadReceiveResponseSend
      • String ID: GET
      • API String ID: 3448144009-1805413626
      • Opcode ID: 7e160de59f76cf7ce81734cdfcb34be075d40c231de577cf998eb3f65abc68ce
      • Instruction ID: ab859a10779c564eebf9afbd39fe467392e1313ea84b57d28d8790e9b92beb63
      • Opcode Fuzzy Hash: 7e160de59f76cf7ce81734cdfcb34be075d40c231de577cf998eb3f65abc68ce
      • Instruction Fuzzy Hash: 3E514E71204306AFE726CF68DC48A3B7AFDFB48744F04466DB989D6241DB39D904CB61
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph (one basic block per line: block id, address range, APIs called, edges)
      76 100163d call 10014f9
      78 1001642-1001644 ExitProcess   76->78
      APIs
        • Part of subcall function 010014F9: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 01001519
        • Part of subcall function 010014F9: lstrcatA.KERNEL32(?,010020A8), ref: 0100153C
        • Part of subcall function 010014F9: lstrlenA.KERNEL32(?,00000100), ref: 01001549
        • Part of subcall function 010014F9: GetUserNameA.ADVAPI32(00000000), ref: 01001558
        • Part of subcall function 010014F9: CreateDirectoryA.KERNELBASE(?,00000000), ref: 01001566
        • Part of subcall function 010014F9: lstrcatA.KERNEL32(?,\photo.png), ref: 01001578
      • ExitProcess.KERNEL32 ref: 01001644
      Memory Dump Source
      • Source File: 00000000.00000002.3304194656.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
      • Associated: 00000000.00000002.3304179836.0000000001000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304207959.0000000001002000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304219365.0000000001003000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304230695.0000000001004000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1000000_unpacked_svchost.jbxd
      Similarity
      • API ID: lstrcat$CreateDirectoryExitFolderNamePathProcessUserlstrlen
      • String ID:
      • API String ID: 837314502-0
      • Opcode ID: 52e2584f99e0fe83f67bc954ca1736b0666c7c7983be61632434777036a3bda3
      • Instruction ID: 7d9715397bb67a99556cdedc6a2a694cfbe97b5ec4adef8cd1582aa9b8407d13
      • Opcode Fuzzy Hash: 52e2584f99e0fe83f67bc954ca1736b0666c7c7983be61632434777036a3bda3
      • Instruction Fuzzy Hash: D390023414420296F1526760944D74836155710706F018115B585541D68D6540018661
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph (one basic block per line: block id, address range, APIs called, edges)
      110 10010f6-100112d
      111 1001131-100115b   110->111
      112 10011a5   111->112
      113 100115d   111->113
      114 10011a9-10011ac   112->114
      115 1001166-100116a   113->115
      116 100115f-1001164   113->116   114->111
      117 10011ae-1001223 wsprintfA   114->117   115->114
      118 100116c-100116e   116->118   118->112
      119 1001170   118->119
      120 1001172-1001177   119->120
      121 1001179-100117d   119->121   120->121
      122 100117f-1001181   120->122   121->114   122->112
      123 1001183   122->123
      124 1001185-100118a   123->124
      125 100118c-1001190   123->125   124->125
      126 1001192-1001194   124->126   125->114   126->112
      127 1001196   126->127
      128 1001198-100119d   127->128
      129 100119f-10011a3   127->129   128->112   128->129   129->114
      APIs
      Strings
      • %0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.8X, xrefs: 0100120A
      Memory Dump Source
      • Source File: 00000000.00000002.3304194656.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
      • Associated: 00000000.00000002.3304179836.0000000001000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304207959.0000000001002000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304219365.0000000001003000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304230695.0000000001004000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1000000_unpacked_svchost.jbxd
      Similarity
      • API ID: wsprintf
      • String ID: %0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.8X
      • API String ID: 2111968516-2948424886
      • Opcode ID: 393b6e7a727989e2f85bd3572413cae13f58d9e9e1293abcd97fbc9744eca62d
      • Instruction ID: 502bf0e8ef48b532bb7d6b85d495ceac2d5a687f3afdf45bba7e8b881dbc9500
      • Opcode Fuzzy Hash: 393b6e7a727989e2f85bd3572413cae13f58d9e9e1293abcd97fbc9744eca62d
      • Instruction Fuzzy Hash: BC315D7150D3825EE36ACF2985002EBFFE6AF99714F18C9AEF5D992292C134C5488B17
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph (one basic block per line: block id, address range, APIs called, edges)
      79 10013eb-1001415 VirtualAlloc
      80 10014f3-10014f8   79->80
      81 100141b-1001421   79->81
      82 1001423-1001425   81->82
      83 1001435-10014a4 GetModuleFileNameA lstrcpyA   81->83
      84 1001427-1001430   82->84
      85 10014b3-10014c4   83->85
      86 10014a6   83->86   84->84
      87 1001432   84->87
      89 10014d3-10014f1 VirtualProtect   85->89
      90 10014c6   85->90
      88 10014a8-10014b1   86->88   87->83   88->85   88->88   89->80
      91 10014c8-10014d1   90->91   91->89   91->91
      APIs
      • VirtualAlloc.KERNEL32(00000000,-00000758,00003000,00000004,?,?,?,00000100,00000100,01001627), ref: 0100140B
      • GetModuleFileNameA.KERNEL32(00000000,00000010,00000104,?,?,?,?,00000100,00000100,01001627), ref: 01001479
      • lstrcpyA.KERNEL32(00000114,?,?,?,?,?,00000100,00000100,01001627), ref: 0100148C
      • VirtualProtect.KERNEL32(00000000,?,00000020,?,?,?,?,00000100,00000100,01001627), ref: 010014EB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3304194656.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
      • Associated: 00000000.00000002.3304179836.0000000001000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304207959.0000000001002000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304219365.0000000001003000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3304230695.0000000001004000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1000000_unpacked_svchost.jbxd
      Similarity
      • API ID: Virtual$AllocFileModuleNameProtectlstrcpy
      • String ID: /index.php
      • API String ID: 3006385884-1864550530
      • Opcode ID: cd27acdf9ce39f1eb94040d6bbcec9055c84cb09a02d6b9da757348408484b1d
      • Instruction ID: 3d116e8dbd6daac6657365eb377f04ed25b6f4cb9c728f952ed7319982c531cd
      • Opcode Fuzzy Hash: cd27acdf9ce39f1eb94040d6bbcec9055c84cb09a02d6b9da757348408484b1d
      • Instruction Fuzzy Hash: 3C312676601B819FE3278F2CC884BA6BFA4FB45700F04825DF6D98B356CA35E504CB60
      Uniqueness

      Uniqueness Score: -1.00%