Source: unpacked_svchost.exe | Avira: detected
Source: https://ilu21plane.xyz/ | Avira URL Cloud: Label: malware
Source: https://nizaoplov.xyz/A_ | Avira URL Cloud: Label: malware
Source: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000 | Avira URL Cloud: Label: malware
Source: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000V)T | Avira URL Cloud: Label: malware
Source: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000000004 | Avira URL Cloud: Label: malware
Source: https://153ishak.best/A_ | Avira URL Cloud: Label: malware
Source: https://nizaoplov.xyz/ | Avira URL Cloud: Label: malware
Source: https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000004 | Avira URL Cloud: Label: malware
Source: https://boldidiotruss.xyz/- | Avira URL Cloud: Label: malware
Source: https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000 | Avira URL Cloud: Label: malware
Source: https://boldidiotruss.xyz/ | Avira URL Cloud: Label: malware
Source: https://boldidiotruss.xyz/1 | Avira URL Cloud: Label: malware
Source: ilu21plane.xyz | Virustotal: Detection: 7%
Source: nizaoplov.xyz | Virustotal: Detection: 10%
Source: https://ilu21plane.xyz/ | Virustotal: Detection: 7%
Source: boldidiotruss.xyz | Virustotal: Detection: 13%
Source: 153ishak.best | Virustotal: Detection: 6%
Source: https://boldidiotruss.xyz/ | Virustotal: Detection: 13%
Source: https://nizaoplov.xyz/ | Virustotal: Detection: 10%
Source: unpacked_svchost.exe | ReversingLabs: Detection: 71%
Source: unpacked_svchost.exe | Virustotal: Detection: 76%
Source: Yara match | File source: unpacked_svchost.exe, type: SAMPLE
Source: unpacked_svchost.exe | Joe Sandbox ML: detected
Source: unpacked_svchost.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: | DNS query: boldidiotruss.xyz (7 queries in the trace)
Source: | DNS query: nizaoplov.xyz (6 queries in the trace)
Source: | DNS query: ilu21plane.xyz (6 queries in the trace)
Source: unknown | DNS traffic detected: query: nizaoplov.xyz reply code: Name error (3)
Source: unknown | DNS traffic detected: query: 153ishak.best reply code: Name error (3)
Source: unknown | DNS traffic detected: query: boldidiotruss.xyz reply code: Name error (3)
Source: unknown | DNS traffic detected: query: ilu21plane.xyz reply code: Name error (3)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (25 occurrences in the trace)
Source: unknown | DNS traffic detected: queries for: boldidiotruss.xyz
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://153ishak.best/A_
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://boldidiotruss.xyz/
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://boldidiotruss.xyz/-
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://boldidiotruss.xyz/1
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp, unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001339000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000004
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ilu21plane.xyz/
Source: unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nizaoplov.xyz/
Source: unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nizaoplov.xyz/A_
Source: unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000
Source: unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000000004
Source: unpacked_svchost.exe, 00000000.00000003.2974577476.000000000133B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000V)T
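The URL strings above, together with the Name error (NXDOMAIN) replies in the DNS section, give a concrete network shape to hunt for: a GET for /photo.png with a long hex id, sent to a short list of throwaway domains that no longer resolve, with the sample walking through the list as each one fails. The following C program is an added example written for this page, not code from the sample, from Joe Sandbox or from any vendor. The log line format and the sample log lines are constructed; the minimum hex-run length of 32 is an assumption (the ids on the page are 38 to 42 hex digits), as is the alert threshold of three dead domains.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Beacon shape taken from the strings in the report: "/photo.png?id=" followed
 * by a long run of hex digits (38 to 42 on the page). The minimum run length
 * is an ASSUMPTION of this example, chosen so ordinary "?id=42" image URLs
 * do not match. */
#define BEACON_PREFIX "/photo.png?id="
#define MIN_ID_HEX 32

/* Returns 1 when `path` has the beacon shape. Bytes after the hex run are
 * ignored because the memory strings on the page carry trailing junk ("V)T"). */
int is_beacon_path(const char *path)
{
    size_t plen = strlen(BEACON_PREFIX);
    size_t hex = 0;
    if (strncmp(path, BEACON_PREFIX, plen) != 0)
        return 0;
    for (const char *p = path + plen; *p && isxdigit((unsigned char)*p); p++)
        hex++;
    return hex >= MIN_ID_HEX;
}

/* Constructed log lines (not from the report). Format, an assumption of this
 * example: "<client> <DNS|HTTP> <host> <rcode or request path>". */
static const char *SAMPLE_LOG[] = {
    "10.0.0.5 DNS nizaoplov.xyz NXDOMAIN",
    "10.0.0.5 DNS 153ishak.best NXDOMAIN",
    "10.0.0.5 DNS boldidiotruss.xyz NXDOMAIN",
    "10.0.0.5 DNS ilu21plane.xyz NXDOMAIN",
    "10.0.0.5 DNS nizaoplov.xyz NXDOMAIN",
    "10.0.0.5 DNS www.example.com NOERROR",
    "10.0.0.5 HTTP boldidiotruss.xyz /photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000",
    "10.0.0.7 DNS cdn.example.com NOERROR",
    "10.0.0.7 HTTP cdn.example.com /photo.png?id=42",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

struct verdict {
    unsigned beacons;        /* HTTP requests with the beacon shape */
    unsigned nxdomain_hosts; /* distinct hosts that returned NXDOMAIN */
};

/* Scans `lines` for one client. Repeated NXDOMAIN for the same host counts
 * once, so the number reflects how many distinct dead domains were tried,
 * which is the fallback pattern the DNS section of the report shows. */
struct verdict scan_client(const char *client, const char **lines, size_t n)
{
    struct verdict v = {0, 0};
    char seen[64][256];
    for (size_t i = 0; i < n; i++) {
        char who[64], type[8], host[256], detail[512];
        if (sscanf(lines[i], "%63s %7s %255s %511s", who, type, host, detail) != 4)
            continue;
        if (strcmp(who, client) != 0)
            continue;
        if (strcmp(type, "HTTP") == 0) {
            if (is_beacon_path(detail))
                v.beacons++;
        } else if (strcmp(type, "DNS") == 0 && strcmp(detail, "NXDOMAIN") == 0) {
            int dup = 0;
            for (unsigned k = 0; k < v.nxdomain_hosts; k++)
                if (strcmp(seen[k], host) == 0) { dup = 1; break; }
            if (!dup && v.nxdomain_hosts < 64)
                strcpy(seen[v.nxdomain_hosts++], host);
        }
    }
    return v;
}

/* Alert rule (threshold is an assumption): any beacon-shaped request, or at
 * least `min_dead_domains` distinct NXDOMAIN hosts from one client. */
int suspicious(struct verdict v, unsigned min_dead_domains)
{
    return v.beacons > 0 || v.nxdomain_hosts >= min_dead_domains;
}

int main(void)
{
    const char *clients[] = {"10.0.0.5", "10.0.0.7"};
    for (size_t i = 0; i < 2; i++) {
        struct verdict v = scan_client(clients[i], SAMPLE_LOG, SAMPLE_LOG_LEN);
        printf("%s: beacons=%u dead_domains=%u -> %s\n", clients[i], v.beacons,
               v.nxdomain_hosts, suspicious(v, 3) ? "ALERT" : "ok");
    }
    return 0;
}
```

The path check is deliberately structural rather than a list of the four domains: the domains on this page already return Name error, so an indicator list built from them ages out immediately, while a beacon path of this shape to any freshly registered host is still worth a look. The NXDOMAIN count is the cheaper of the two signals and the noisier one, which is why it carries a threshold and the beacon shape does not.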
Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: ondemandconnroutehelper.dll (loaded 25 times in the trace)
Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe | Section loaded: rasadhlp.dll
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@25/0
Source: C:\Users\user\Desktop\unpacked_svchost.exe | File created: C:\Users\user\AppData\Local\user
Source: unpacked_svchost.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\unpacked_svchost.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\unpacked_svchost.exe | Code function: 0_2_010010F6 wsprintfA
Source: C:\Users\user\Desktop\unpacked_svchost.exe | Stalling execution: Execution stalls by calling Sleep (graph_0-193)
Source: C:\Users\user\Desktop\unpacked_svchost.exe | RDTSC instruction interceptor: First address: 1001131 second address: 1001151 instructions:
    0x00000000 rdtsc
    0x00000002 mov esi, eax
    0x00000004 mov dword ptr [esp+1Ch], edx
    0x00000008 xor eax, eax
    0x0000000a lea edi, dword ptr [esp+28h]
    0x0000000e inc eax
    0x0000000f xor ecx, ecx
    0x00000011 cpuid
    0x00000013 mov dword ptr [edi], eax
    0x00000015 mov eax, edi
    0x00000017 mov dword ptr [eax+04h], ebx
    0x0000001a mov dword ptr [eax+08h], ecx
    0x0000001d mov dword ptr [eax+0Ch], edx
    0x00000020 rdtsc
Source: C:\Users\user\Desktop\unpacked_svchost.exe | RDTSC instruction interceptor: First address: 1001151 second address: 1001131 instructions:
    0x00000000 rdtsc
    0x00000002 sub eax, esi
    0x00000004 sbb edx, dword ptr [esp+1Ch]
    0x00000008 test edx, edx
    0x0000000a jnbe 00007F61651D0F5Ah
    0x0000000c jc 00007F61651D0F19h
    0x0000000e cmp eax, 000000FAh
    0x00000013 jnc 00007F61651D0F18h
    0x00000015 inc byte ptr [esp+1Ah]
    0x00000019 jmp 00007F61651D0F4Fh
    0x0000001b sub ebp, 01h
    0x0000001e jne 00007F61651D0E95h
    0x00000020 rdtsc
Source: C:\Users\user\Desktop\unpacked_svchost.exe | Code function: 0_2_01001224 rdtsc
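The two interceptor traces above are one loop: read the time-stamp counter, run cpuid with eax=1 and ecx=0 (the result is stored at [esp+28h] but never matters), read the counter again, take the 64-bit difference (sub/sbb), and when the high dword is zero and the low dword is below 0xFA (250 cycles) increment the byte counter at [esp+1Ah]; ebp counts the remaining iterations. cpuid is a mandatory VM exit under Intel VT-x and is intercepted by every mainstream hypervisor on AMD SVM, so inside a sandbox or VM almost no iteration finishes under 250 cycles, while on bare metal many do. The following C program is an added example re-implementing that measurement with GCC/Clang builtins on Linux/x86; it is not the sample's code and not from Joe Sandbox. The decision rule (fewer than ten percent fast iterations means virtualized) is an assumption, since the page shows only the counter, not what is done with it.

```c
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86_TSC 1
#else
#define HAVE_X86_TSC 0
#endif

/* Cycle delta of one rdtsc -> cpuid(1,0) -> rdtsc sequence, the same
 * instruction triple the sandbox trace shows at 0x1001131..0x1001151.
 * On non-x86 builds there is no TSC, so the function reports the largest
 * possible delta and every iteration counts as "slow". */
uint64_t rdtsc_cpuid_delta(void)
{
#if HAVE_X86_TSC
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid_count(1, 0, a, b, c, d); /* leaf 1: a VM exit under hardware virtualization */
    uint64_t t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d; /* the sample stores these too but never reads them */
    return t1 - t0;
#else
    return UINT64_MAX;
#endif
}

/* Mirrors the loop in the trace: run the triple `total` times (ebp in the
 * sample) and count the iterations whose delta stayed below `threshold`
 * (0xFA = 250 in the sample; the byte at [esp+1Ah]). */
unsigned count_fast_iterations(unsigned total, uint64_t threshold)
{
    unsigned fast = 0;
    for (unsigned i = 0; i < total; i++) {
        if (rdtsc_cpuid_delta() < threshold)
            fast++;
    }
    return fast;
}

/* Decision rule: an ASSUMPTION of this example, the page only shows the counter.
 * Report "virtualized" when fewer than `min_fast_percent` of the iterations
 * completed under the threshold. */
int looks_virtualized(unsigned fast, unsigned total, unsigned min_fast_percent)
{
    if (total == 0)
        return 0;
    return (fast * 100ull) < (uint64_t)min_fast_percent * total;
}

int main(void)
{
    const unsigned iterations = 1000;
    unsigned fast = count_fast_iterations(iterations, 0xFA);
    printf("fast iterations: %u/%u -> %s\n", fast, iterations,
           looks_virtualized(fast, iterations, 10)
               ? "likely virtualized or instrumented"
               : "looks like bare metal");
    return 0;
}
```

Two caveats for anyone reusing the idea defensively. First, the ratio is what carries the signal, not a single delta: one iteration can be slow on bare metal because of an interrupt or frequency change, which is why the sample loops and counts. Second, the check has a rising false-positive rate for the attacker: hosts with Windows virtualization-based security enabled are themselves running under a hypervisor, so cpuid exits there too. Sandboxes answer the trick by trapping rdtsc (the report labels these traces "RDTSC instruction interceptor") and returning adjusted counter values; the cpuid between the two reads is the sample's attempt to make that adjustment harder to get right.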
Source: C:\Users\user\Desktop\unpacked_svchost.exe TID: 5320 | Thread sleep time: -690000s >= -30000s
Source: C:\Users\user\Desktop\unpacked_svchost.exe | Last function: Thread delayed
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\unpacked_svchost.exe | API call chain: ExitProcess graph end node (graph_0-158)
Source: C:\Users\user\Desktop\unpacked_svchost.exe | Code function: 0_2_01001000 CreateFileA, GetFileSize, GetProcessHeap, HeapAlloc, ReadFile, GetProcessHeap, HeapFree, CloseHandle
Source: C:\Users\user\Desktop\unpacked_svchost.exe | Code function: 0_2_010014F9 SHGetFolderPathA, lstrcatA, lstrcatA, lstrlenA, GetUserNameA, CreateDirectoryA, lstrcatA