conhost.exe

First submission 2024-02-10 06:02:03

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Mime type: application/x-dosexec
File size: 456.29 KB (467240 bytes)
Compile time: 2016-12-11 22:50:41 (this is the build timestamp of the prebuilt NSIS stub that makensis ships, not the date the payload was packaged; a 2016 stub carrying a file first seen in 2024 is normal for an NSIS installer)
MD5: 5d591e339ce6468026b1653b11bea227
SHA1: 1e43d89ddd60cb62a72665ee5c6e914c43d513dc
SHA256: b5adda867292bc4f34284d626bb67d44ed341c2a6a5cf7f356f643c25af9b400
Import Hash: e2a592076b17ef8bfb48b7e03965a3fc
Sections (5): .text, .rdata, .data, .ndata, .rsrc
Directories (3): import, resource, security

File features checked

Is DLL / Packers / Anti Debug / Anti VM / Signed / XOR

The per-feature flag values are not reproduced on this sheet. Two of them are substantiated by later sections: Anti Debug (two heuristically flagged imports, see "Anti debug functions") and Signed (one Authenticode block in the security directory, see "File signature"). The file type line already settles "Packers": this is an NSIS self-extracting installer, so the real content is the compressed archive appended after the PE image, not the PE sections themselves.

URLs, FQDN and IP indicators 1

URL                                      Host (FQDN/IP)   Date Added
hXXp://23.94.206.104/6090/conhost.exe    23.94.206.104    2024-02-10 06:02:03

PE Sections 5 (1 flagged suspicious)

Name    VAddress  VSize    RawSize  SHA1                                      MD5
.text   0x1000    0x608d   25088    d588fdcb1f1811e6558ba5f1396583f2632e26e5  cb7d22acb65c3a2c3c99f2945502e753
.rdata  0x8000    0x13a4   5120     f46e25906115494a3e5a8eee74d42b5efd1c5524  2fd23f25ba6d052f3a4f032544496f73
.data   0xa000    0x202f8  1536     760ce1648880a0c26330ceca2c097ce58dd586df  f1cb8dba3161e1fa8a7a13abce8fe504
.ndata  0x2b000   0x58000  0        da39a3ee5e6b4b0d3255bfef95601890afd80709  d41d8cd98f00b204e9800998ecf8427e
.rsrc   0x83000   0x2b20   11264    e58606518fd9dada60037fd10a397cb1c682de29  cf14f010e23f36bb4a2d8cd61e5b86ed

The .ndata hashes are the SHA1 and MD5 of zero bytes, which is consistent with its raw size of 0: the section occupies no bytes on disk but reserves 0x58000 bytes in memory. A zero-raw-size .ndata section is standard in NSIS installers (the stub uses it as working memory at run time), so on its own it is a tooling fingerprint rather than evidence of packing. The .data section likewise has a virtual size (0x202f8) far larger than its 1536 on-disk bytes; that is uninitialised data, not hidden code. The section raw sizes add up to 43008 bytes, so nearly all of the 467240-byte file lies outside the PE image: the appended NSIS archive plus the signature block described under "File signature".
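The layout arithmetic above, worked through in code. This is an added example, not output of the analyzer that produced this sheet; it takes the section table, file size and security-directory entry exactly as printed here (constructed input), assumes a 0x1000-byte header (the raw file offsets are not on the sheet), and derives what the sheet leaves implicit: which sections deserve a second look and why, whether the signature is the last thing in the file, and how large the appended NSIS archive is.

```python
import hashlib

# Constructed input: the values printed on this sheet.
FILE_SIZE = 467240
HEADER_SIZE = 0x1000  # assumed: headers end where the first section starts
SECURITY_DIR = (462128, 5112)  # (file offset, size); the sheet labels the offset "Virtual Address"

SECTIONS = [
    # (name, virtual address, virtual size, raw size on disk, sha1, md5)
    (".text",  0x1000,  0x608d,  25088, "d588fdcb1f1811e6558ba5f1396583f2632e26e5", "cb7d22acb65c3a2c3c99f2945502e753"),
    (".rdata", 0x8000,  0x13a4,  5120,  "f46e25906115494a3e5a8eee74d42b5efd1c5524", "2fd23f25ba6d052f3a4f032544496f73"),
    (".data",  0xa000,  0x202f8, 1536,  "760ce1648880a0c26330ceca2c097ce58dd586df", "f1cb8dba3161e1fa8a7a13abce8fe504"),
    (".ndata", 0x2b000, 0x58000, 0,     "da39a3ee5e6b4b0d3255bfef95601890afd80709", "d41d8cd98f00b204e9800998ecf8427e"),
    (".rsrc",  0x83000, 0x2b20,  11264, "e58606518fd9dada60037fd10a397cb1c682de29", "cf14f010e23f36bb4a2d8cd61e5b86ed"),
]

# Hashes of zero bytes: a section reporting these has no bytes on disk.
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()
EMPTY_MD5 = hashlib.md5(b"").hexdigest()


def flag_sections(sections, ratio=8):
    """Return {section name: [reasons]} for sections whose on-disk and
    in-memory sizes disagree in a way worth a second look."""
    flags = {}
    for name, _va, vsize, raw, sha1, md5 in sections:
        reasons = []
        if raw == 0 and vsize > 0:
            reasons.append("no bytes on disk, %#x bytes reserved in memory" % vsize)
        if sha1 == EMPTY_SHA1 or md5 == EMPTY_MD5:
            reasons.append("hash is that of empty input")
        if raw > 0 and vsize > ratio * raw:
            reasons.append("virtual size %d x raw size" % (vsize // raw))
        if reasons:
            flags[name] = reasons
    return flags


def signature_at_eof(file_size, security_dir):
    """True when the Authenticode blob is the final bytes of the file, which is
    where signtool places it; anything after it would not be covered by the hash."""
    offset, size = security_dir
    return offset + size == file_size


def mapped_size(sections, header_size=HEADER_SIZE):
    """Bytes of the file occupied by PE headers plus section raw data."""
    return header_size + sum(raw for _n, _va, _vs, raw, _s, _m in sections)


def overlay_size(file_size, sections, security_dir, header_size=HEADER_SIZE):
    """Bytes between the end of the PE image and the signature: for an NSIS
    installer this is the compressed archive the stub unpacks at run time."""
    end = file_size - security_dir[1] if signature_at_eof(file_size, security_dir) else file_size
    return end - mapped_size(sections, header_size)


def report():
    lines = ["%s: %s" % (name, "; ".join(why)) for name, why in flag_sections(SECTIONS).items()]
    lines.append("signature at end of file: %s" % signature_at_eof(FILE_SIZE, SECURITY_DIR))
    lines.append("overlay (NSIS archive) size: %d bytes" % overlay_size(FILE_SIZE, SECTIONS, SECURITY_DIR))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

With the sheet's numbers the overlay comes out to 415024 bytes, roughly nine tenths of the file, which is the part a static scan of the PE sections never sees; extracting it (7-Zip opens NSIS archives) is the next step in triage.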

PE Resources 6

Name           Language      Sublanguage         Offset   Size
RT_BITMAP      LANG_ENGLISH  SUBLANG_ENGLISH_US  0x832b0  872
RT_ICON        LANG_ENGLISH  SUBLANG_ENGLISH_US  0x83618  6534
RT_DIALOG      LANG_ENGLISH  SUBLANG_ENGLISH_US  0x85510  96
RT_GROUP_ICON  LANG_ENGLISH  SUBLANG_ENGLISH_US  0x85570  20
RT_VERSION     LANG_ENGLISH  SUBLANG_ENGLISH_US  0x85588  596
RT_MANIFEST    LANG_ENGLISH  SUBLANG_ENGLISH_US  0x857e0  830

Version info (6 fields)

LegalCopyright: visuelle tugthuskandidats
CompanyName: afbrkningens cloister dizz
Translation: 0x0409 0x04e4
FileDescription: clavis
LegalTrademarks: tonotactic
ProductName: sjippetove nonuplicate

The Translation value decodes to language 0x0409 (English, US) and code page 0x04e4 (1252). The remaining fields are word salad rather than a vendor's metadata, so none of them can be used to attribute the file; they are useful only as strings to search for other samples built with the same version-info block.

Anti debug functions 2

FindWindowExW
GetLastError

Both are generic Win32 imports flagged by name only. GetLastError is present in almost every Windows executable, and FindWindowExW is a normal UI call for an installer stub; neither is evidence of debugger detection without seeing how it is used.

File signature

MD5                               SHA1                                      Block size  Offset
12adc05d6a2a210af1f07fae251d0ae5  a34fd79fc76b42b840fad7c6d53074263e0b4358  5112        462128

The "Virtual Address" the analyzer reported is really a file offset: the security directory is the one PE data directory whose address field is a raw offset rather than an RVA. 462128 + 5112 = 467240, the exact file size, so the Authenticode block is the last 5112 bytes of the file. The hashes above are of the signature block, not of the file. Presence of the block says nothing about validity; check the chain and the signed hash against the file (for example with signtool verify /pa /v or Get-AuthenticodeSignature) before treating "Signed" as a trust signal.

Strings analysis - Libraries found

%s%s.dll
ADVAPI32.dll
SHELL32.dll
COMCTL32.dll
ole32.dll
USER32.dll
GDI32.dll
KERNEL32.dll

%s%s.dll is a printf-style format string, i.e. a DLL name assembled at run time from two parts, so the static import list does not necessarily show every library this file loads.

Strings analysis - Possible URLs found 1

http://nsis.sf.net/NSIS_Error

This is the help URL from the NSIS stub's standard "installer integrity check has failed" message; it confirms the file type and is not a network indicator.

Related samples 7

No import function names are listed under this heading; the entries below are other files the analyzer groups with this one, presumably by the shared import hash e2a592076b17ef8bfb48b7e03965a3fc, which for NSIS installers identifies the stub build rather than the payload.

Name  Latest seen  MD5
loki.exe 2023-06-19 13:24:03 78c56c6fd7ed0ff5c69ec132d61e27b3
DaHost.exe 2023-06-21 10:47:02 0b359f7313105869be34d6abe847c38b
ip_network.exe 2023-06-27 09:00:08 5e6ffe8f38644e73dbf42cfc39300028
Rgss.exe 2023-06-28 16:54:03 899eacd4bbe1ad8d2503a9aba92c685a
Rgss.exe 2023-06-29 10:32:03 7f6e2a0959481ac955ffa5c591a1e25e
wlanext.exe 2023-12-11 17:39:04 0b96e8a9f710917f8ebbeba13040e308
conhost.exe 2024-02-09 19:44:02 9fdff46eaca66307a8d668263bbd9174
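How an import hash such as the one under "File details" is computed, and why it groups the files above, as an added example that is not part of this sheet or of the analyzer. It follows the pefile get_imphash() convention (DLL names lower-cased with .dll/.ocx/.sys dropped, function names lower-cased, ordinal imports written as ordN, joined by commas, MD5 of the result); pefile's extra table that maps ordinals of a few well-known DLLs back to names is left out. The import table below is constructed: the DLL names are the ones this sheet lists, the function names and the sample set are assumed, so the values computed here are illustrative and will not equal e2a592076b17ef8bfb48b7e03965a3fc.

```python
import hashlib


def imphash_string(imports):
    """Normalised 'dll.function' list that the import hash is taken over.
    imports: list of (dll name, [function names or integer ordinals]) in
    import-table order."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        for func in funcs:
            name = "ord%d" % func if isinstance(func, int) else func.lower()
            parts.append("%s.%s" % (lib, name))
    return ",".join(parts)


def imphash(imports):
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def group_by_imphash(samples):
    """samples: list of (filename, imports). Returns {imphash: [filenames]},
    the pivot an analyst uses to find other builds from the same toolchain."""
    groups = {}
    for filename, imports in samples:
        groups.setdefault(imphash(imports), []).append(filename)
    return groups


# Constructed: an NSIS-stub-like import table reusing the DLL names on this
# sheet; the function names are assumed.
STUB_IMPORTS = [
    ("KERNEL32.dll", ["GetLastError", "GetModuleHandleA", "LoadLibraryA"]),
    ("USER32.dll", ["FindWindowExW", "MessageBoxA"]),
    ("SHELL32.dll", [12]),
    ("ADVAPI32.dll", ["RegOpenKeyExA"]),
]

# Constructed: two installers with the same stub (same imphash regardless of
# payload) and one unrelated build whose import order differs.
SAMPLES = [
    ("conhost.exe", STUB_IMPORTS),
    ("wlanext.exe", STUB_IMPORTS),
    ("other.exe", [("USER32.dll", ["MessageBoxA"]), ("KERNEL32.dll", ["GetLastError"])]),
]


if __name__ == "__main__":
    for h, names in group_by_imphash(SAMPLES).items():
        print(h, names)
```

Because the hash covers the order of the entries as well as their names, it fingerprints the linker output, in this case the prebuilt NSIS stub. That is what makes the imphash pivot useful for finding sibling installers and useless for saying anything about what they drop; the payload lives in the overlay, which the hash never touches.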