Manalyze report for 02658bc9801f98dfdf167accf57f6a36

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2008-Sep-16 08:40:04
Detected languages	Chinese - PRC English - United States
CompanyName	Microsoft Corporation
FileDescription	Generic Host Process for Win32 Services
FileVersion	`5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)`
InternalName	svchost.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	svchost.exe
ProductName	Microsoft® Windows® Operating System
ProductVersion	`5.1.2600.2180`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++` `Microsoft Visual C++ v6.0`
Info	The PE contains common functions which appear in legitimate applications.	`Possibly launches other programs: CreateProcessA` `Has Internet access capabilities: InternetOpenA InternetConnectA InternetQueryOptionA InternetSetOptionA InternetCloseHandle InternetWriteFile InternetReadFile`
Malicious	VirusTotal score: 54/67 (Scanned on 2018-02-02 16:57:30)	`MicroWorld-eScan: Gen:Variant.Zusy.Elzob.7387` `nProtect: Trojan-Downloader/W32.Agent.8704.GW` `CMC: Trojan-Downloader.Win32.Agent!O` `CAT-QuickHeal: Trojan.Connapts.A4` `ALYac: Gen:Variant.Zusy.Elzob.7387` `Zillya: Downloader.Agent.Win32.168675` `AegisLab: Troj.Downloader.W32.Agent!c` `Paloalto: generic.ml` `TheHacker: Trojan/Agent.pmk` `BitDefender: Gen:Variant.Zusy.Elzob.7387` `K7GW: Trojan ( 00100e511 )` `K7AntiVirus: Trojan ( 00100e511 )` `Arcabit: Trojan.Zusy.Elzob.D1CDB` `TrendMicro: TROJ_GEN.R002C0DIJ17` `Cyren: W32/Trojan.ERJY-2603` `Symantec: Trojan.Gen` `TrendMicro-HouseCall: TROJ_GEN.R002C0DIJ17` `Avast: Win32:Trojan-gen` `ClamAV: Win.Trojan.Agent-638097` `Kaspersky: Trojan-Downloader.Win32.Agent.gzdp` `Cybereason: malicious.1b8fb7` `NANO-Antivirus: Trojan.Win32.Agent.cqkvci` `Tencent: Suspicious.Heuristic.Gen.b.0` `Ad-Aware: Gen:Variant.Zusy.Elzob.7387` `Emsisoft: Gen:Variant.Zusy.Elzob.7387 (B)` `Comodo: UnclassifiedMalware` `F-Secure: Gen:Variant.Zusy.Elzob.7387` `DrWeb: Trojan.DownLoad3.21202` `VIPRE: Trojan.Win32.Generic!BT` `McAfee-GW-Edition: Artemis!Trojan` `Sophos: Mal/Generic-S` `Ikarus: Trojan.Win32.Agent` `Jiangmin: TrojanDownloader.Agent.fhxy` `Webroot: W32.Trojan.Gen` `Avira: TR/Downloader.Gen` `Antiy-AVL: Trojan[Downloader]/Win32.Agent` `Endgame: malicious (high confidence)` `ZoneAlarm: Trojan-Downloader.Win32.Agent.gzdp` `Microsoft: Trojan:Win32/Connapts` `AhnLab-V3: Trojan/Win32.Connapts.C256363` `McAfee: Artemis!02658BC9801F` `AVware: Trojan.Win32.Generic!BT` `MAX: malware (ai score=100)` `VBA32: TrojanDownloader.Agent` `Cylance: Unsafe` `ESET-NOD32: Win32/Agent.PMK` `Rising: Downloader.Agent!8.B23 (TFE:5:CVRXB1Iz1gL)` `Yandex: Trojan.DL.Agent!KhetxqhGsFU` `eGambit: Unsafe.AI_Score_88%` `GData: Gen:Variant.Zusy.Elzob.7387` `AVG: Win32:Trojan-gen` `Panda: Generic Suspicious` `CrowdStrike: malicious_confidence_100% (D)` `Qihoo-360: HEUR/QVM07.1.Malware.Gen`

Hashes

MD5	`02658bc9801f98dfdf167accf57f6a36`
SHA1	`dd3570f117f2996792e4d3bf20a6a0aba6409bcc`
SHA256	`8a35842d3f5963f715def0bbd0a53d7ffaae2d2ca79f56a5ac8bede64749d279`
SHA3	`10cbd607309b87d5f31ee0d7d6d7c7e6593afbaec3d869b7b231045a7fc51799`
SSDeep	`192:Uzy5B0/hiXS65w6gOBnP4oynKWCl8CbW1:Uzyp7w6tB4gWCl8CbW1`
Imports Hash	`47791490aa2f22e4aca4cb598e98c271`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2008-Sep-16 08:40:04
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0xe00`
SizeOfInitializedData	`0x1000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00001C3F (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x2000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x5000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`da35a1ba421bc66cd4108edab8fbc88e`
SHA1	`37e7c121790fb38eb487622051b1ccabe36c762d`
SHA256	`aa0c0ac309bc70a7c43f9ea7b4414ce9ba3e43edfdf9d05d1141187d43866b60`
SHA3	`bb771fe2164ab628309027c7b60150d0e85d98718007aa764aca22017a6a2cfc`
VirtualSize	`0xd92`
VirtualAddress	`0x1000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.86977`

.rdata

MD5	`2581bbce27ba78ffb88acc11312f93a0`
SHA1	`d3539a8bdd8261cfc45941945da4e00e56662b42`
SHA256	`0abfc8f7797e5d0d282e34d4621d353768f2c07f7b171110e7bdaa3618ac9ae2`
SHA3	`b1838d81aae20d8bf1652413a6d611783584228f6e17166b38c5dfef273c5b9c`
VirtualSize	`0x564`
VirtualAddress	`0x2000`
SizeOfRawData	`0x600`
PointerToRawData	`0x1200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.51553`

.data

MD5	`952528624f78c9e89b4fa583ad16463f`
SHA1	`4d27b7ae940ddb044788448e555f7757056a51e0`
SHA256	`0a0f3363ece15dbc78e54f13c0d2548594212ceab4887aefdd6ddc3e50aedf96`
SHA3	`8bacf1bd7cd9808c8295678224d96f33b2c35f25d639027d946f03247dde9b04`
VirtualSize	`0x244`
VirtualAddress	`0x3000`
SizeOfRawData	`0x400`
PointerToRawData	`0x1800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.58443`

.rsrc

MD5	`da76d7360ff3d7f8cf8f63b7aeb7d707`
SHA1	`39250a4474496e141a49f9c247b7346ae6a35919`
SHA256	`8a921007c58533d1697b94df71de6763ce73a7e424d7b31d775e2f9b2520ccb2`
SHA3	`9007098e65f4e216510606a3413815dedcc7eb10a848356ef164492f7e3cf918`
VirtualSize	`0x410`
VirtualAddress	`0x4000`
SizeOfRawData	`0x600`
PointerToRawData	`0x1c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.083`

Imports

KERNEL32.dll	`Sleep` `WriteFile` `CloseHandle` `GetWindowsDirectoryA` `ReadFile` `PeekNamedPipe` `CreateProcessA` `CreatePipe`
WININET.dll	`InternetOpenA` `InternetConnectA` `HttpOpenRequestA` `InternetQueryOptionA` `InternetSetOptionA` `InternetCloseHandle` `HttpSendRequestA` `HttpSendRequestExA` `InternetWriteFile` `HttpEndRequestA` `InternetReadFile`
MSVCRT.dll	`_controlfp` `_except_handler3` `__set_app_type` `__p__fmode` `__p__commode` `_adjust_fdiv` `__setusermatherr` `_initterm` `__getmainargs` `__CxxFrameHandler` `strstr` `strlen` `memcpy` `??3@YAXPAX@Z` `fread` `strcmp` `sprintf` `strrchr` `ftell` `fseek` `fclose` `fopen` `??2@YAPAXI@Z` `fwrite` `atoi` `strcpy` `sscanf` `strcat` `memset` `_exit` `_XcptFilter` `exit` `__p___initenv` `_strnicmp`

Delayed Imports

1

Type	`RT_VERSION`
Language	Chinese - PRC
Codepage	Latin 1 / Western European
Size	`0x3b8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.56139`
MD5	`8d773a1d9f8c36de72f0ea1d86094bb1`
SHA1	`adc37cd331beedd2be6dc7860cb445c23607d2c9`
SHA256	`f9767742b8894f9cad6eb7c7f6f3ea5c3aab22f722e584de22123544d005fdc6`
SHA3	`eb493c7f59a1d799a3106ed1cc3482664151e307cd6c098c055efbbd7c37e1c5`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	5.1.2600.2180
ProductVersion	5.1.2600.2180
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	Generic Host Process for Win32 Services
FileVersion (#2)	5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
InternalName	svchost.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	svchost.exe
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	5.1.2600.2180

Resource LangID	Chinese - PRC

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xdc567155`
Unmarked objects	`0`
12 (7291)	`1`
14 (7299)	`3`
C objects (8047)	`11`
Linker (8047)	`2`
Imports (2179)	`2`
Total imports	`55`
19 (8034)	`3`
C++ objects (VS98 build 8168)	`3`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

02658bc9801f98dfdf167accf57f6a36

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

Imports

Delayed Imports

1

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors