4.6
中危
66 个模型检测该样本为恶意!
重新分析
更多

571a708504cf085b54eaed702a6c95b3189426dc20c78e42a3f1e1096d6bf044

02d37ed4bc3422b573fce8265a434d1b.exe

分析耗时

20s

最近分析

文件大小

562.0KB
静态报毒 动态报毒 100% 1NY3U3QKVEI AI SCORE=81 AIDETECTVM ARTEMIS CLASSIC CONFIDENCE CRKZMZ CYBERGATE ELDORADO FILEREPMALWARE GENASA HIGH CONFIDENCE LGNR LLAC LQUL MALICIOUS PE MALWARE1 PASSWORDSTEALER PICSYS R + W32 R856 REBHIP SCORE SPATET SPYNET SPYRAT STATIC AI SUSGEN TSPY UNSAFE ~ULR@1QGDFH 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba TrojanSpy:Win32/Rebhip.9125442f 20190527 0.3.0.5
Baidu Win32.Trojan.Agent.co 20190318 1.0.0.2
Avast Win32:Malware-gen 20201123 20.10.5736.0
Tencent Trojan.Win32.Downloader.aat 20201123 1.0.0.1
Kingsoft 20201123 2017.9.26.565
McAfee Artemis!02D37ED4BC34 20201120 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
The executable uses a known packer (1 个事件)
packer UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
One or more processes crashed (2 个事件)
Time & API Arguments Status Return Repeated
1620119621.324653
__exception__
stacktrace: 
02d37ed4bc3422b573fce8265a434d1b+0xb142 @ 0x40b142
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1638148
registers.edi: 0
registers.eax: 1
registers.ebp: 1638160
registers.edx: 5898612
registers.ebx: 0
registers.esi: 0
registers.ecx: 4215218
exception.instruction_r: 0f 3f 07 0b 36 8b 04 24 64 89 05 00 00 00 00 83
exception.symbol: 02d37ed4bc3422b573fce8265a434d1b+0x518a
exception.address: 0x40518a
exception.module: 02d37ed4bc3422b573fce8265a434d1b.exe
exception.exception_code: 0xc000001d
exception.offset: 20874
success 0 0
1620119621.324653
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1638156
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1638280
registers.edx: 5920344
registers.ebx: 1013774098
registers.esi: 0
registers.ecx: 10
exception.instruction_r: ed b8 01 00 00 00 eb 13 8b 44 24 0c c7 80 b8 00
exception.symbol: 02d37ed4bc3422b573fce8265a434d1b+0x5144
exception.instruction: in eax, dx
exception.module: 02d37ed4bc3422b573fce8265a434d1b.exe
exception.exception_code: 0xc0000096
exception.offset: 20804
exception.address: 0x405144
success 0 0
行为判定
动态指标
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.820983721617658 section {'size_of_data': '0x00088200', 'virtual_address': '0x0002f000', 'entropy': 7.820983721617658, 'name': 'UPX1', 'virtual_size': '0x00089000'} description A section with a high entropy has been found
entropy 0.9705882352941176 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 个事件)
process vboxservice.exe
The executable is compressed using UPX (2 个事件)
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Creates known SpyNet files, registry changes and/or mutexes. (2 个事件)
mutex _x_X_PASSWORDLIST_X_x_
mutex _x_X_BLOCKMOUSE_X_x_
Detects VMWare through the in instruction feature (1 个事件)
Time & API Arguments Status Return Repeated
1620119621.324653
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1638156
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1638280
registers.edx: 5920344
registers.ebx: 1013774098
registers.esi: 0
registers.ecx: 10
exception.instruction_r: ed b8 01 00 00 00 eb 13 8b 44 24 0c c7 80 b8 00
exception.symbol: 02d37ed4bc3422b573fce8265a434d1b+0x5144
exception.instruction: in eax, dx
exception.module: 02d37ed4bc3422b573fce8265a434d1b.exe
exception.exception_code: 0xc0000096
exception.offset: 20804
exception.address: 0x405144
success 0 0
File has been identified by 66 AntiVirus engines on VirusTotal as malicious (50 out of 66 个事件)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Generic.Rebhip.3356BA74
FireEye Generic.mg.02d37ed4bc3422b5
CAT-QuickHeal Worm.Rebhip.A8
ALYac Generic.Rebhip.3356BA74
Cylance Unsafe
Zillya Trojan.Llac.Win32.65920
Sangfor Malware
K7AntiVirus Trojan ( 00193f571 )
Alibaba TrojanSpy:Win32/Rebhip.9125442f
K7GW Trojan ( 00193f571 )
Cybereason malicious.4bc342
Arcabit Generic.Rebhip.3356BA74
Invincea Mal/Generic-R + W32/Rebhip-AR
Baidu Win32.Trojan.Agent.co
Cyren W32/Rebhip.B.gen!Eldorado
Symantec W32.Spyrat
TotalDefense Win32/Spyrat!generic
APEX Malicious
Avast Win32:Malware-gen
ClamAV Win.Trojan.Agent-36200
Kaspersky Trojan.Win32.Llac.lgnr
BitDefender Generic.Rebhip.3356BA74
NANO-Antivirus Trojan.Win32.Llac.crkzmz
Paloalto generic.ml
ViRobot Trojan.Win32.Llac.297472[UPX]
Tencent Trojan.Win32.Downloader.aat
Ad-Aware Generic.Rebhip.3356BA74
Sophos W32/Rebhip-AR
Comodo TrojWare.Win32.MalPack.~ULR@1qgdfh
F-Secure Backdoor:W32/Spyrat.A
DrWeb BackDoor.Cybergate.1
VIPRE Worm.Win32.Rebhip.A (v)
TrendMicro TSPY_SPATET.SMT
McAfee-GW-Edition BehavesLike.Win32.Picsys.hc
MaxSecure Trojan.Malware.300983.susgen
Emsisoft Generic.Rebhip.3356BA74 (B)
SentinelOne Static AI - Malicious PE
Jiangmin Trojan/Llac.kzj
Avira TR/Spy.Gen
Antiy-AVL Trojan/Win32.Llac.bdm
Microsoft TrojanSpy:Win32/Rebhip
AegisLab Trojan.Win32.Llac.lqUL
ZoneAlarm Trojan.Win32.Llac.lgnr
GData Generic.Rebhip.3356BA74
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Llac.R856
Acronis suspicious
McAfee Artemis!02D37ED4BC34
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1992-06-20 06:22:17

Imports

Library KERNEL32.DLL:
0x4bbec4 LoadLibraryA
0x4bbec8 GetProcAddress
0x4bbecc VirtualProtect
0x4bbed0 VirtualAlloc
0x4bbed4 VirtualFree
0x4bbed8 ExitProcess
Library advapi32.dll:
0x4bbee0 LsaClose
Library crypt32.dll:
0x4bbee8 CryptUnprotectData
Library ole32.dll:
0x4bbef0 CoTaskMemFree
Library oleaut32.dll:
0x4bbef8 SysFreeString
Library pstorec.dll:
Library rasapi32.dll:
0x4bbf08 RasEnumEntriesA
Library shell32.dll:
Library user32.dll:
0x4bbf18 ToAscii

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.