Windows Analysis Report
conhost.exe

Overview

General Information

Sample Name: conhost.exe
Analysis ID: 753421
MD5: 8c9dca7a1d21e402c885d50af18737d1
SHA1: 39cdfb61bf1a94d064a5ac5648ab552ca20be539
SHA256: 7cb6264b793849e31f23a7eb4f18f59a71fd3e44760be9d6052bbcdc2dfdf15c

Detection

CryptOne, SystemBC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected CryptOne packer
Yara detected SystemBC
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Found evasive API chain (may stop execution after checking a module file name)
Creates job files (autostart)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to record screenshots
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Extensive use of GetProcAddress (often used to hide API calls)
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Found large amount of non-executed APIs

Classification

AV Detection

Source: conhost.exe ReversingLabs: Detection: 21%
Source: conhost.exe Joe Sandbox ML: detected
Source: 1.2.conhost.exe.2990000.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.conhost.exe.2b50174.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.conhost.exe.400000.0.unpack Malware Configuration Extractor: SystemBC {"HOST1": "207.148.1.174", "HOST2": "146.70.53.169", "PORT1": "443", "TOR": ""}

Compliance

Source: C:\Users\user\Desktop\conhost.exe Unpacked PE file: 1.2.conhost.exe.400000.0.unpack
Source: conhost.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Networking

Source: Malware configuration extractor URLs: 207.148.1.174
Source: Malware configuration extractor URLs: 146.70.53.169
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: TENET-1ZA
Source: Joe Sandbox View IP Address: 146.70.53.169
Source: unknown Network traffic detected: HTTP traffic on port 57084 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59265 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62435 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64616 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61580 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49451 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52633 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61109 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50452 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50440 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49463 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 63773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59253 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64628 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60266 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52645 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50464 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60242 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57096 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51319 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50439 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 63303 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61122 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61592 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60278 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62411 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52608 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62447 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51320 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 63761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59290 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62460 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64641 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61134 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60229 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 63797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 63315 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49426 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49438 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60230 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59289 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62459 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57047 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53946 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 63327 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61543 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59277 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60291 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 63785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60217 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59216 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51307 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60687 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52621 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56180 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61146 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53847
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53849
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53840
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53844
Source: unknown Network traffic detected: HTTP traffic on port 65521 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53537 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53841
Source: unknown Network traffic detected: HTTP traffic on port 62496 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57023 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53850
Source: unknown Network traffic detected: HTTP traffic on port 60675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61158 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 63700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53855
Source: unknown Network traffic detected: HTTP traffic on port 62868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53852
Source: unknown Network traffic detected: HTTP traffic on port 53910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 65533 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52200 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51207
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51208
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51205
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53868
Source: unknown Network traffic detected: HTTP traffic on port 57011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51206
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53867
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51209
Source: unknown Network traffic detected: HTTP traffic on port 58348 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53862
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51200
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53860
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51203
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53866
Source: unknown Network traffic detected: HTTP traffic on port 65508 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51204
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53865
Source: unknown Network traffic detected: HTTP traffic on port 54851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56192 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51201
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51202
Source: unknown Network traffic detected: HTTP traffic on port 59228 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62472 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49499 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53525 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62484 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51218
Source: unknown Network traffic detected: HTTP traffic on port 53922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51219
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51216
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51217
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51210
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53873
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51211
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53872
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53871
Source: unknown Network traffic detected: HTTP traffic on port 58336 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53870
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51214
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51215
Source: unknown Network traffic detected: HTTP traffic on port 50897 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53876
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51212
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53874
Source: unknown Network traffic detected: HTTP traffic on port 52212 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51213
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53880
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60663 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61555 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53808
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53805
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60651 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53800
Source: unknown Network traffic detected: HTTP traffic on port 49487 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55299 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61183 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58324 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53809
Source: unknown Network traffic detected: HTTP traffic on port 62893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53813
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53812
Source: unknown Network traffic detected: HTTP traffic on port 61976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53818
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53811
Source: unknown Network traffic detected: HTTP traffic on port 61567 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53810
Source: unknown Network traffic detected: HTTP traffic on port 53501 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64219 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50476 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53824
Source: unknown Network traffic detected: HTTP traffic on port 59649 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53823
Source: unknown Network traffic detected: HTTP traffic on port 51790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53827
Source: unknown Network traffic detected: HTTP traffic on port 55287 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53822
Source: unknown Network traffic detected: HTTP traffic on port 64207 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53821
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53820
Source: unknown Network traffic detected: HTTP traffic on port 58312 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64604 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61579 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53835
Source: unknown Network traffic detected: HTTP traffic on port 54430 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53833
Source: unknown Network traffic detected: HTTP traffic on port 53513 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53832
Source: unknown Network traffic detected: HTTP traffic on port 50488 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53830
Source: unknown Network traffic detected: HTTP traffic on port 59241 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61964 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49475 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60254 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63131
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63130
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51144
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51145
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51142
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51143
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51148
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51149
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51146
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51147
Source: unknown Network traffic detected: HTTP traffic on port 56623 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63129
Source: unknown Network traffic detected: HTTP traffic on port 65077 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59637 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51151
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51152
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51150
Source: unknown Network traffic detected: HTTP traffic on port 53598 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63122
Source: unknown Network traffic detected: HTTP traffic on port 60626 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63121
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63124
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63123
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63126
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63125
Source: unknown Network traffic detected: HTTP traffic on port 53116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63128
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63127
Source: unknown Network traffic detected: HTTP traffic on port 65089 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63140
Source: unknown Network traffic detected: HTTP traffic on port 64256 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63142
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63141
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51155
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51156
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51153
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51154
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51159
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51157
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51158
Source: unknown Network traffic detected: HTTP traffic on port 54442 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51162
Source: unknown Network traffic detected: HTTP traffic on port 57456 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51163
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51160
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51161
Source: unknown Network traffic detected: HTTP traffic on port 50812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63133
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63132
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63135
Source: unknown Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63134
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63137
Source: unknown Network traffic detected: HTTP traffic on port 64232 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63136
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63139
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63138
Source: unknown Network traffic detected: HTTP traffic on port 56635 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63151
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63150
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63153
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63152
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51166
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51164
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51165
Source: unknown Network traffic detected: HTTP traffic on port 60638 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51170
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51173
Source: unknown Network traffic detected: HTTP traffic on port 64268 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51174
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63144
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63143
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63146
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63145
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63148
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63147
Source: unknown Network traffic detected: HTTP traffic on port 59625 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63149
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63160
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63162
Source: unknown Network traffic detected: HTTP traffic on port 50824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63161
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63164
Source: unknown Network traffic detected: HTTP traffic on port 57444 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63163
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51177
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51178
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51175
Source: unknown Network traffic detected: HTTP traffic on port 53104 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51176
Source: unknown Network traffic detected: HTTP traffic on port 61195 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64220 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51179
Source: unknown Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51180
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51181
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51184
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51185
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51182
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51183
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63155
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63154
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63157
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63156
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63159
Source: unknown Network traffic detected: HTTP traffic on port 53562 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63158
Source: unknown Network traffic detected: HTTP traffic on port 54454 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51108
Source: unknown Network traffic detected: HTTP traffic on port 56576 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 207.148.1.174
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.53.169
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_00402A1E select,recv, 1_2_00402A1E
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_02909A10 GetClipboardData,GetClipboardData, 1_2_02909A10
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_02900A4C GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 1_2_02900A4C

System Summary

Source: 1.2.conhost.exe.2b50174.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 1.2.conhost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 1.2.conhost.exe.2b60000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 1.2.conhost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 00000001.00000002.326977694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects SystemBC Author: ditekSHen
Source: 00000001.00000002.327897370.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects SystemBC Author: ditekSHen
Source: conhost.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 1.2.conhost.exe.2b50174.2.raw.unpack, type: UNPACKEDPE Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: 1.2.conhost.exe.2b50174.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 1.2.conhost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: 1.2.conhost.exe.2b60000.3.raw.unpack, type: UNPACKEDPE Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: 1.2.conhost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 1.2.conhost.exe.2b60000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 1.2.conhost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: 1.2.conhost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 00000001.00000002.326977694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: 00000001.00000002.326977694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 00000001.00000002.327790803.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: 00000001.00000002.327897370.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: 00000001.00000002.327897370.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: Process Memory Space: conhost.exe PID: 3648, type: MEMORYSTR Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: C:\Users\user\Desktop\conhost.exe File created: C:\Windows\Tasks\wow64.job
Source: C:\Users\user\Desktop\conhost.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\conhost.exe Section loaded: gggg.dll
Source: conhost.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\conhost.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\conhost.exe C:\Users\user\Desktop\conhost.exe
Source: unknown Process created: C:\Users\user\Desktop\conhost.exe C:\Users\user\Desktop\conhost.exe start
Source: C:\Users\user\Desktop\conhost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: classification engine Classification label: mal100.troj.evad.winEXE@2/1@0/2
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_004023E6 CoInitialize,CoCreateInstance,CoUninitialize, 1_2_004023E6
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_028E7C40 GetDiskFreeSpaceA, 1_2_028E7C40
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_028FD764 GetLastError,FormatMessageA, 1_2_028FD764
Source: C:\Users\user\Desktop\conhost.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\conhost.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\wow64
Source: C:\Users\user\Desktop\conhost.exe Mutant created: \BaseNamedObjects\wow64
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_028F31C4 FindResourceA, 1_2_028F31C4
Source: Window Recorder Window detected: More than 3 window changes detected
Source: conhost.exe Static file information: File size 1298944 > 1048576

Data Obfuscation

Source: C:\Users\user\Desktop\conhost.exe Unpacked PE file: 1.2.conhost.exe.400000.0.unpack
Source: C:\Users\user\Desktop\conhost.exe Unpacked PE file: 1.2.conhost.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_00485928 push ecx; ret 1_2_00485B34
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_00485E84 push 00485EFFh; ret 1_2_00485EF7
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_00485BCC push 00485BF2h; ret 1_2_00485BEA
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_004856F0 push 0048571Ch; ret 1_2_00485714
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_004853F4 push 00485420h; ret 1_2_00485418
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_00485B94 push 00485BC0h; ret 1_2_00485BB8
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_02906280 push 00426D38h; ret 1_2_029062A4
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_0290C28C push 0042CD5Bh; ret 1_2_0290C2C7
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_028F0AA8 push 00411581h; ret 1_2_028F0AED
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_029062B8 push 00426D70h; ret 1_2_029062DC
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_029042A4 push 00424D5Ch; ret 1_2_029042C8
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_029052CC push 00425D96h; ret 1_2_02905302
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_029062F0 push 00426DA8h; ret 1_2_02906314
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_0290C2F0 push 0042CDC8h; ret 1_2_0290C334
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_028F02E0 push 00410D98h; ret 1_2_028F0304
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_029042E4 push 00424D9Ch; ret 1_2_02904308
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_02906210 push 00426CC8h; ret 1_2_02906234
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_0290C224 push 0042CCF3h; ret 1_2_0290C25F
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_02906248 push 00426D00h; ret 1_2_0290626C
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_028E5394 push 00405E4Ch; ret 1_2_028E53B8
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_029063A0 push 00426E58h; ret 1_2_029063C4
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_0290C3A0 push 0042CE58h; ret 1_2_0290C3C4
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_029063D8 push 00426E90h; ret 1_2_029063FC
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_02905314 push 00425DCCh; ret 1_2_02905338
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_028F0B00 push 004115B8h; ret 1_2_028F0B24
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_02903B24 push 004245DCh; ret 1_2_02903B48
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_02906328 push 00426DE0h; ret 1_2_0290634C
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_0291C354 push ecx; mov dword ptr [esp], ecx 1_2_0291C358
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_0290C348 push 0042CE1Fh; ret 1_2_0290C38B
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_0290534C push 00425E10h; ret 1_2_0290537C
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_02906360 push 00426E18h; ret 1_2_02906384
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_02905A14 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_02905A14
Source: C:\Users\user\Desktop\conhost.exe File created: C:\Windows\Tasks\wow64.job

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon.png
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_02921E2C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_02921E2C
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_02905A14 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_02905A14

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\conhost.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\conhost.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\conhost.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\conhost.exe TID: 5944 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\conhost.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_00402D95 rdtsc 1_2_00402D95
Source: C:\Users\user\Desktop\conhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\conhost.exe API coverage: 5.2 %
Source: C:\Users\user\Desktop\conhost.exe Thread delayed: delay time: 60000
Source: C:\Users\user\Desktop\conhost.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_02905A14 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_02905A14
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_00402D95 rdtsc 1_2_00402D95
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_00402E3C mov eax, dword ptr fs:[00000030h] 1_2_00402E3C
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_02B523B0 mov eax, dword ptr fs:[00000030h] 1_2_02B523B0
Source: C:\Users\user\Desktop\conhost.exe Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard
Source: C:\Users\user\Desktop\conhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\conhost.exe Code function: GetLocaleInfoA, 1_2_028E50F0
Source: C:\Users\user\Desktop\conhost.exe Code function: GetLocaleInfoA, 1_2_028EA848
Source: C:\Users\user\Desktop\conhost.exe Code function: GetLocaleInfoA, 1_2_028EBE5C
Source: C:\Users\user\Desktop\conhost.exe Code function: 1_2_004020A8 CoInitialize,CoCreateInstance,GetUserNameExW,GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,CoUninitialize, 1_2_004020A8

Stealing of Sensitive Information

Source: Yara match File source: 00000001.00000002.327790803.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.327382635.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 1.2.conhost.exe.2b50174.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.conhost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.conhost.exe.2b60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.conhost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.326977694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.327897370.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: conhost.exe PID: 3648, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000001.00000002.327790803.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.327382635.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 1.2.conhost.exe.2b50174.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.conhost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.conhost.exe.2b60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.conhost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.326977694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.327897370.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: conhost.exe PID: 3648, type: MEMORYSTR