conhost.exe

First submission 2024-02-09 19:44:02

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Mime type: application/x-dosexec
File size: 459.24 KB (470264 bytes)
Compile time: 2016-12-11 22:50:41
MD5: 9fdff46eaca66307a8d668263bbd9174
SHA1: c520f01e369303d5be361b4c7e413a8395878f02
SHA256: fa99b97ae8564e4a6a87d79855b665a462a80a9eeabe5b2d2ccc03a5bea52d10
Import Hash : e2a592076b17ef8bfb48b7e03965a3fc
Sections 5 .text .rdata .data .ndata .rsrc
Directories 3 import resource security

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

URLs, FQDN and IP indicators 1

URL                                    Host (FQDN/IP)  Date Added
hXXp://23.94.206.104/9080/conhost.exe  23.94.206.104   2024-02-09 19:44:02

PE Sections 1 suspicious

Name    VAddress  VSize    Size   SHA1                                      MD5                               Suspicious
.text   0x1000    0x608d   25088  d588fdcb1f1811e6558ba5f1396583f2632e26e5  cb7d22acb65c3a2c3c99f2945502e753
.rdata  0x8000    0x13a4   5120   f46e25906115494a3e5a8eee74d42b5efd1c5524  2fd23f25ba6d052f3a4f032544496f73
.data   0xa000    0x202f8  1536   760ce1648880a0c26330ceca2c097ce58dd586df  f1cb8dba3161e1fa8a7a13abce8fe504
.ndata  0x2b000   0x58000  0      da39a3ee5e6b4b0d3255bfef95601890afd80709  d41d8cd98f00b204e9800998ecf8427e
.rsrc   0x83000   0x2b28   11264  41e370fb53673e42ec9b95be776159134ac70916  702a987adf0b0f607a833ab6dafc400b

PE Resources 6

Name           Language      Sublanguage         Offset   Size  Data
RT_BITMAP      LANG_ENGLISH  SUBLANG_ENGLISH_US  0x832b0  872
RT_ICON        LANG_ENGLISH  SUBLANG_ENGLISH_US  0x83618  6539
RT_DIALOG      LANG_ENGLISH  SUBLANG_ENGLISH_US  0x85518  96
RT_GROUP_ICON  LANG_ENGLISH  SUBLANG_ENGLISH_US  0x85578  20
RT_VERSION     LANG_ENGLISH  SUBLANG_ENGLISH_US  0x85590  596
RT_MANIFEST    LANG_ENGLISH  SUBLANG_ENGLISH_US  0x857e8  830

Metadata 6

LegalCopyright: visuelle tugthuskandidats
CompanyName: afbrkningens cloister dizz
Translation: 0x0409 0x04e4
FileDescription: clavis
LegalTrademarks: tonotactic
ProductName: sjippetove nonuplicate

Anti debug functions 2

FindWindowExW
GetLastError

File signature

MD5                               SHA1                                      Block size  Virtual Address
408e76a31cdd1bb0748bcf60fa623ea7  95bcceb789324dbad7ac94d42b5394c9003e1da4  5224        465040

Strings analysis - Files found

Library
%s%s.dll
ADVAPI32.dll
SHELL32.dll
COMCTL32.dll
ole32.dll
USER32.dll
GDI32.dll
KERNEL32.dll

Strings analysis - Possible URLs found 1

http://nsis.sf.net/NSIS_Error

Import functions

Name            Latest seen          MD5
loki.exe        2023-06-19 13:24:03  78c56c6fd7ed0ff5c69ec132d61e27b3
DaHost.exe      2023-06-21 10:47:02  0b359f7313105869be34d6abe847c38b
ip_network.exe  2023-06-27 09:00:08  5e6ffe8f38644e73dbf42cfc39300028
Rgss.exe        2023-06-28 16:54:03  899eacd4bbe1ad8d2503a9aba92c685a
Rgss.exe        2023-06-29 10:32:03  7f6e2a0959481ac955ffa5c591a1e25e
wlanext.exe     2023-12-11 17:39:04  0b96e8a9f710917f8ebbeba13040e308
conhost.exe     2024-02-10 06:02:03  5d591e339ce6468026b1653b11bea227