02658bc9801f98dfdf167accf57f6a36

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2008-Sep-16 08:40:04
Detected languages Chinese - PRC; English - United States
CompanyName Microsoft Corporation
FileDescription Generic Host Process for Win32 Services
FileVersion 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
InternalName svchost.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename svchost.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 5.1.2600.2180

Plugin Output

Info Matching compiler(s): Microsoft Visual C++; Microsoft Visual C++ v6.0
Info The PE contains common functions which appear in legitimate applications. Possibly launches other programs:
  • CreateProcessA
Has Internet access capabilities:
  • InternetOpenA
  • InternetConnectA
  • InternetQueryOptionA
  • InternetSetOptionA
  • InternetCloseHandle
  • InternetWriteFile
  • InternetReadFile
Malicious VirusTotal score: 54/67 (Scanned on 2018-02-02 16:57:30)
MicroWorld-eScan: Gen:Variant.Zusy.Elzob.7387
nProtect: Trojan-Downloader/W32.Agent.8704.GW
CMC: Trojan-Downloader.Win32.Agent!O
CAT-QuickHeal: Trojan.Connapts.A4
ALYac: Gen:Variant.Zusy.Elzob.7387
Zillya: Downloader.Agent.Win32.168675
AegisLab: Troj.Downloader.W32.Agent!c
Paloalto: generic.ml
TheHacker: Trojan/Agent.pmk
BitDefender: Gen:Variant.Zusy.Elzob.7387
K7GW: Trojan ( 00100e511 )
K7AntiVirus: Trojan ( 00100e511 )
Arcabit: Trojan.Zusy.Elzob.D1CDB
TrendMicro: TROJ_GEN.R002C0DIJ17
Cyren: W32/Trojan.ERJY-2603
Symantec: Trojan.Gen
TrendMicro-HouseCall: TROJ_GEN.R002C0DIJ17
Avast: Win32:Trojan-gen
ClamAV: Win.Trojan.Agent-638097
Kaspersky: Trojan-Downloader.Win32.Agent.gzdp
Cybereason: malicious.1b8fb7
NANO-Antivirus: Trojan.Win32.Agent.cqkvci
Tencent: Suspicious.Heuristic.Gen.b.0
Ad-Aware: Gen:Variant.Zusy.Elzob.7387
Emsisoft: Gen:Variant.Zusy.Elzob.7387 (B)
Comodo: UnclassifiedMalware
F-Secure: Gen:Variant.Zusy.Elzob.7387
DrWeb: Trojan.DownLoad3.21202
VIPRE: Trojan.Win32.Generic!BT
McAfee-GW-Edition: Artemis!Trojan
Sophos: Mal/Generic-S
Ikarus: Trojan.Win32.Agent
Jiangmin: TrojanDownloader.Agent.fhxy
Webroot: W32.Trojan.Gen
Avira: TR/Downloader.Gen
Antiy-AVL: Trojan[Downloader]/Win32.Agent
Endgame: malicious (high confidence)
ZoneAlarm: Trojan-Downloader.Win32.Agent.gzdp
Microsoft: Trojan:Win32/Connapts
AhnLab-V3: Trojan/Win32.Connapts.C256363
McAfee: Artemis!02658BC9801F
AVware: Trojan.Win32.Generic!BT
MAX: malware (ai score=100)
VBA32: TrojanDownloader.Agent
Cylance: Unsafe
ESET-NOD32: Win32/Agent.PMK
Rising: Downloader.Agent!8.B23 (TFE:5:CVRXB1Iz1gL)
Yandex: Trojan.DL.Agent!KhetxqhGsFU
eGambit: Unsafe.AI_Score_88%
GData: Gen:Variant.Zusy.Elzob.7387
AVG: Win32:Trojan-gen
Panda: Generic Suspicious
CrowdStrike: malicious_confidence_100% (D)
Qihoo-360: HEUR/QVM07.1.Malware.Gen

Hashes

MD5 02658bc9801f98dfdf167accf57f6a36
SHA1 dd3570f117f2996792e4d3bf20a6a0aba6409bcc
SHA256 8a35842d3f5963f715def0bbd0a53d7ffaae2d2ca79f56a5ac8bede64749d279
SHA3 29d1fde3d3bb6cbd69780dc3438223bc71fb9a2fd7fedff99383c046b66e64b4
SSDeep 192:Uzy5B0/hiXS65w6gOBnP4oynKWCl8CbW1:Uzyp7w6tB4gWCl8CbW1
Imports Hash 47791490aa2f22e4aca4cb598e98c271

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2008-Sep-16 08:40:04
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0xe00
SizeOfInitializedData 0x1000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x1c3f (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x2000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x5000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics (EMPTY)
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 da35a1ba421bc66cd4108edab8fbc88e
SHA1 37e7c121790fb38eb487622051b1ccabe36c762d
SHA256 aa0c0ac309bc70a7c43f9ea7b4414ce9ba3e43edfdf9d05d1141187d43866b60
SHA3 0358108aa581564ee0d8e17651b50a57aa60ba5a0915491eee323b8bf39d20d4
VirtualSize 0xd92
VirtualAddress 0x1000
SizeOfRawData 0xe00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.86977

.rdata

MD5 2581bbce27ba78ffb88acc11312f93a0
SHA1 d3539a8bdd8261cfc45941945da4e00e56662b42
SHA256 0abfc8f7797e5d0d282e34d4621d353768f2c07f7b171110e7bdaa3618ac9ae2
SHA3 4876126bd703766f808c709fadcbc4907be998feacb00264fd23e86df7a33f75
VirtualSize 0x564
VirtualAddress 0x2000
SizeOfRawData 0x600
PointerToRawData 0x1200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.51553

.data

MD5 952528624f78c9e89b4fa583ad16463f
SHA1 4d27b7ae940ddb044788448e555f7757056a51e0
SHA256 0a0f3363ece15dbc78e54f13c0d2548594212ceab4887aefdd6ddc3e50aedf96
SHA3 bccd93db98f2a0b860bd4730014981bfa5443e3e1479a70f23ffecbff5ba96f0
VirtualSize 0x244
VirtualAddress 0x3000
SizeOfRawData 0x400
PointerToRawData 0x1800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.58443

.rsrc

MD5 da76d7360ff3d7f8cf8f63b7aeb7d707
SHA1 39250a4474496e141a49f9c247b7346ae6a35919
SHA256 8a921007c58533d1697b94df71de6763ce73a7e424d7b31d775e2f9b2520ccb2
SHA3 994c5eb8defc86a3c2504699765b4f075667873ab7973b533f63b922aef62f52
VirtualSize 0x410
VirtualAddress 0x4000
SizeOfRawData 0x600
PointerToRawData 0x1c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.083

Imports

KERNEL32.dll
  • Sleep
  • WriteFile
  • CloseHandle
  • GetWindowsDirectoryA
  • ReadFile
  • PeekNamedPipe
  • CreateProcessA
  • CreatePipe
WININET.dll
  • InternetOpenA
  • InternetConnectA
  • HttpOpenRequestA
  • InternetQueryOptionA
  • InternetSetOptionA
  • InternetCloseHandle
  • HttpSendRequestA
  • HttpSendRequestExA
  • InternetWriteFile
  • HttpEndRequestA
  • InternetReadFile
MSVCRT.dll
  • _controlfp
  • _except_handler3
  • __set_app_type
  • __p__fmode
  • __p__commode
  • _adjust_fdiv
  • __setusermatherr
  • _initterm
  • __getmainargs
  • __CxxFrameHandler
  • strstr
  • strlen
  • memcpy
  • ??3@YAXPAX@Z
  • fread
  • strcmp
  • sprintf
  • strrchr
  • ftell
  • fseek
  • fclose
  • fopen
  • ??2@YAPAXI@Z
  • fwrite
  • atoi
  • strcpy
  • sscanf
  • strcat
  • memset
  • _exit
  • _XcptFilter
  • exit
  • __p___initenv
  • _strnicmp

Delayed Imports

1

Type RT_VERSION
Language Chinese - PRC
Codepage Latin 1 / Western European
Size 0x3b8
Entropy 3.56139
MD5 8d773a1d9f8c36de72f0ea1d86094bb1
SHA1 adc37cd331beedd2be6dc7860cb445c23607d2c9
SHA256 f9767742b8894f9cad6eb7c7f6f3ea5c3aab22f722e584de22123544d005fdc6
SHA3 13865c2c010f6ebed1e1ee045364ff3b2a982d1d8bce58a83f776b8fbf067516

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 5.1.2600.2180
ProductVersion 5.1.2600.2180
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName Microsoft Corporation
FileDescription Generic Host Process for Win32 Services
FileVersion (#2) 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
InternalName svchost.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename svchost.exe
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 5.1.2600.2180
Resource LangID Chinese - PRC

TLS Callbacks

Load Configuration

RICH Header

Errors