Edit tour
Windows
Analysis Report
whost.exe
Overview
General Information
| Sample Name: | whost.exe |
| Analysis ID: | 798066 |
| MD5: | c0eb3eac96511077dafc0afa64c6388c |
| SHA1: | 33e81f25493eda3bbf0b7cdcddd523547fa6c31e |
| SHA256: | eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a |
| Infos: |  |
 | |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Program does not show much activity (idle)
Yara detected NetSupport remote tool
Classification
- System is w10x64native
whost.exe (PID: 7744 cmdline: C:\Users\u ser\Deskto p\whost.ex e MD5: C0EB3EAC96511077DAFC0AFA64C6388C)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 14% | Virustotal | Browse | ||
| 17% | ReversingLabs | Win32.Trojan.NetSup |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
⊘No contacted IP infos
| Joe Sandbox Version: | 36.0.0 Rainbow Opal |
| Analysis ID: | 798066 |
| Start date and time: | 2023-02-03 18:17:04 +01:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 5m 1s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301 |
| Number of analysed new started processes analysed: | 4 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample file name: | whost.exe |
| Detection: | MAL |
| Classification: | mal48.winEXE@1/0@0/0 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): dllhost.exe, ba ckgroundTaskHost.exe - Excluded domains from analysis
(whitelisted): wdcpalt.micros oft.com, client.wns.windows.co m, login.live.com, tile-servic e.weather.microsoft.com, wdcp. microsoft.com - Execution Graph export aborted
for target whost.exe, PID 774 4 because there are no execute d function
⊘No simulations
⊘No context
⊘No context
⊘No context
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 5.257879279950983 |
| TrID: |
|
| File name: | whost.exe |
| File size: | 120232 |
| MD5: | c0eb3eac96511077dafc0afa64c6388c |
| SHA1: | 33e81f25493eda3bbf0b7cdcddd523547fa6c31e |
| SHA256: | eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a |
| SHA512: | 2632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc |
| SSDEEP: | 768:YGpVZl6FhWr80/9P3r2pe/sIQKFKcMkjr2pe/9n/FKFKcMkW:YO0hG1Pbee/6IrTee/7Ira |
| TLSH: | 3AC3B30F429DE173EA42E97DC4819B050DA4BEC5B5B458FB405EF63E3E3138E2B6416A |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.g.W.g.W.g.^...U.g.8...T.g.W.f.R.g.8...V.g.8...V.g.8...V.g.RichW.g.........PE..L......c.....................r...... ...... |
 | |
| Icon Hash: | 050d124130a1c151 |
| Entrypoint: | 0x401020 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x631A0A10 [Thu Sep 8 15:28:16 2022 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | a9d50692e95b79723f3e76fcf70d023e |
| Signature Valid: | true |
| Signature Issuer: | CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE |
| Signature Validation Error: | The operation completed successfully |
| Error Number: | 0 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | B4B9567796080BF425A67176A1167937 |
| Thumbprint SHA-1: | 120710637F1F0AF0646B4D694DCDAB66DF563E4F |
| Thumbprint SHA-256: | 90BF5505DD3326758B00EF28F9E12548E344470CE4C987130039B26AB2A85137 |
| Serial: | 1F6C98CAAD2AE7C18ABBCAAD |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| sub esp, 44h |
| push esi |
| call dword ptr [00402000h] |
| mov esi, eax |
| cmp word ptr [esi], 0022h |
| jne 00007F638089471Dh |
| movzx eax, word ptr [esi+02h] |
| add esi, 02h |
| test ax, ax |
| je 00007F63808946B4h |
| cmp ax, 0022h |
| je 00007F63808946B4h |
| movzx eax, word ptr [esi+02h] |
| add esi, 02h |
| test ax, ax |
| jne 00007F6380894690h |
| cmp word ptr [esi], 0022h |
| jne 00007F63808946A5h |
| add esi, 02h |
| movzx eax, word ptr [esi] |
| test ax, ax |
| je 00007F63808946B4h |
| cmp ax, 0020h |
| jnbe 00007F63808946AEh |
| movzx eax, word ptr [esi+02h] |
| add esi, 02h |
| test ax, ax |
| jne 00007F6380894690h |
| lea eax, dword ptr [ebp-44h] |
| push eax |
| mov dword ptr [ebp-18h], 00000000h |
| call dword ptr [0040200Ch] |
| test byte ptr [ebp-18h], 00000001h |
| movzx eax, word ptr [ebp-14h] |
| jne 00007F63808946A7h |
| mov eax, 0000000Ah |
| push eax |
| push esi |
| push 00000000h |
| push 00000000h |
| call dword ptr [00402008h] |
| push eax |
| call 00007F63808945FDh |
| push eax |
| call dword ptr [00402004h] |
| nop |
| cmp word ptr [esi], 0020h |
| jbe 00007F6380894648h |
| add esi, 02h |
| jmp 00007F6380894697h |
| int3 |
| jmp dword ptr [00402014h] |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x203c | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3000 | 0x16c08 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x17800 | 0x5da8 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0x14 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2020 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xc2 | 0x200 | False | 0.318359375 | data | 2.779985066068698 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2000 | 0x15e | 0x200 | False | 0.466796875 | data | 3.5226937659007778 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x3000 | 0x16c08 | 0x16e00 | False | 0.10605575478142076 | data | 4.132524574049277 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x1a000 | 0x6c | 0x200 | False | 0.060546875 | data | 0.22167620545804623 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0x32c8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | ||
| RT_ICON | 0x3b70 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | ||
| RT_ICON | 0x40d8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | ||
| RT_ICON | 0x14900 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | ||
| RT_ICON | 0x16ea8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | ||
| RT_ICON | 0x17f50 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | ||
| RT_ICON | 0x188d8 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | ||
| RT_ICON | 0x18f90 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | ||
| RT_STRING | 0x193f8 | 0x62 | data | ||
| RT_GROUP_ICON | 0x1945c | 0x76 | data | ||
| RT_VERSION | 0x194d4 | 0x3ac | data | ||
| RT_MANIFEST | 0x19880 | 0x385 | XML 1.0 document, ASCII text, with CRLF line terminators |
| DLL | Import |
|---|---|
| PCICL32.dll | _NSMClient32@8 |
| KERNEL32.dll | GetCommandLineW, ExitProcess, GetModuleHandleW, GetStartupInfoW |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node
Report size exceeds maximum size, please checkout the PCAP download to see all network behavior
Click to jump to process
Click to jump to process
| Target ID: | 1 |
| Start time: | 18:18:58 |
| Start date: | 03/02/2023 |
| Path: | C:\Users\user\Desktop\whost.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x930000 |
| File size: | 120232 bytes |
| MD5 hash: | C0EB3EAC96511077DAFC0AFA64C6388C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
