File name: | svchost.exe |
Full analysis: | https://app.any.run/tasks/8e952a14-18c5-4ad1-8e75-751d668af9f2 |
Verdict: | Malicious activity |
Analysis date: | April 01, 2023, 02:14:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 0A935300AD790AD8D03666B1F14E73A4 |
SHA1: | 57BF66E15B0CBF325CE66D4C9D5592088A1A8E00 |
SHA256: | 9B96D15A412A80FB77E790070084CE815945398F9C9B103ECE0ED420850ACE12 |
SSDEEP: | 49152:HRS3ddTQVvnRdoXwG1a/MrkK9daCBCimRL6E84TB:xSk4XwG1lr0PR8iB |
.exe | | | InstallShield setup (36.8) |
---|---|---|
.exe | | | Win32 Executable MS Visual C++ (generic) (26.6) |
.exe | | | Win64 Executable (generic) (23.6) |
.dll | | | Win32 Dynamic Link Library (generic) (5.6) |
.exe | | | Win32 Executable (generic) (3.8) |
ProductName: | Imba |
---|---|
LegalCopyright: | Copyright (C) 2023, shmaer |
InternalName: | GodGuest |
FilesVersion: | 19.62.99 |
CharacterSet: | Unknown (01F2) |
LanguageCode: | Manipuri |
FileSubtype: | - |
ObjectFileType: | Unknown |
FileOS: | Unknown (0x20461) |
FileFlags: | (none) |
FileFlagsMask: | 0x121a |
ProductVersionNumber: | 26.0.0.0 |
FileVersionNumber: | 2.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5 |
EntryPoint: | 0x60d0 |
UninitializedDataSize: | - |
InitializedDataSize: | 498688 |
CodeSize: | 1829888 |
LinkerVersion: | 9 |
PEType: | PE32 |
ImageFileCharacteristics: | Executable, 32-bit |
TimeStamp: | 2022:04:05 12:42:44+00:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 05-Apr-2022 12:42:44 |
Detected languages: |
|
Debug artifacts: |
|
FilesVersion: | 19.62.99 |
InternalName: | GodGuest |
LegalCopyright: | Copyright (C) 2023, shmaer |
ProductName: | Imba |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000F0 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 4 |
Time date stamp: | 05-Apr-2022 12:42:44 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x001BEA02 | 0x001BEC00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.99081 |
.data | 0x001C0000 | 0x0006F69C | 0x00003000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.22191 |
.rsrc | 0x00230000 | 0x001CE0C8 | 0x00007200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.66912 |
.reloc | 0x003FF000 | 0x00003118 | 0x00003200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 2.85703 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.34304 | 460 | UNKNOWN | UNKNOWN | RT_VERSION |
2 | 4.92758 | 2216 | UNKNOWN | Spanish - Mexico | RT_ICON |
3 | 4.72558 | 1736 | UNKNOWN | Spanish - Mexico | RT_ICON |
4 | 4.21503 | 1384 | UNKNOWN | Spanish - Mexico | RT_ICON |
5 | 3.685 | 9640 | UNKNOWN | Spanish - Mexico | RT_ICON |
6 | 3.73421 | 4264 | UNKNOWN | Spanish - Mexico | RT_ICON |
7 | 3.81583 | 2440 | UNKNOWN | Spanish - Mexico | RT_ICON |
8 | 3.88407 | 1128 | UNKNOWN | Spanish - Mexico | RT_ICON |
22 | 3.13936 | 412 | UNKNOWN | UNKNOWN | RT_STRING |
23 | 3.22078 | 620 | UNKNOWN | UNKNOWN | RT_STRING |
ADVAPI32.dll |
GDI32.dll |
KERNEL32.dll |
USER32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1464 | "C:\Users\admin\AppData\Local\Temp\svchost.exe" | C:\Users\admin\AppData\Local\Temp\svchost.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
1948 | C:\Users\admin\AppData\Roaming\NTSystem\ntlhost.exe | C:\Users\admin\AppData\Roaming\NTSystem\ntlhost.exe | svchost.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
1464 | svchost.exe | C:\Users\admin\AppData\Roaming\NTSystem\ntlhost.exe | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1948 | ntlhost.exe | GET | 200 | 45.159.189.105:80 | http://45.159.189.105/bot/regex | NL | text | 633 b | malicious |
1948 | ntlhost.exe | GET | 200 | 45.159.189.105:80 | http://45.159.189.105/bot/online?key=0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e&guid=USER-PC\admin | NL | text | 2 b | malicious |
1948 | ntlhost.exe | GET | 200 | 45.159.189.105:80 | http://45.159.189.105/bot/regex | NL | text | 633 b | malicious |
1948 | ntlhost.exe | GET | 200 | 45.159.189.105:80 | http://45.159.189.105/bot/online?key=0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e&guid=USER-PC\admin | NL | text | 2 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1948 | ntlhost.exe | 45.159.189.105:80 | — | HOSTING-SOLUTIONS | NL | malicious |
PID | Process | Class | Message |
---|---|---|---|
1948 | ntlhost.exe | A Network Trojan was detected | ET MALWARE Laplas Clipper - Regex CnC Request |
1948 | ntlhost.exe | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
1948 | ntlhost.exe | A Network Trojan was detected | ET MALWARE Laplas Clipper - SetOnline CnC Checkin |
1948 | ntlhost.exe | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
1948 | ntlhost.exe | A Network Trojan was detected | ET MALWARE Laplas Clipper - Regex CnC Request |
1948 | ntlhost.exe | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
1948 | ntlhost.exe | A Network Trojan was detected | ET MALWARE Laplas Clipper - SetOnline CnC Checkin |
1948 | ntlhost.exe | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |