8.6
极危
52 个模型检测该样本为恶意!
重新分析
更多

3454d1b1285c305c1c5daecdf0a452e9cad2d726cbbc144d14f8972b3e0e761a

0913bdbc98c0ccbb923ac6865733d299.exe

分析耗时

83s

最近分析

文件大小

594.0KB
静态报毒 动态报毒 AGENSLA AGENTTESLA AI SCORE=83 ATTRIBUTE AUTO BTTC1E CLOUD CONFIDENCE ELDORADO EMGD FAREIT GDSDA GENERICKD GENKRYPTIK HIGH CONFIDENCE HIGHCONFIDENCE IGENT KRYPTIK LM0@AWG6A8K MALICIOUS PE MALWARE@#8V2WS0N5IJ0Q MALWAREX MSILIN SIGGEN2 TROJANPWS TSCOPE UNSAFE VSNW0AF20 ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Backdoor:MSIL/AgentTesla.f46dd967 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Tencent Win32.Trojan.Inject.Auto 20200620 1.0.0.1
Kingsoft 20200620 2013.8.14.323
McAfee Fareit-FUR!0913BDBC98C0 20200620 6.0.6.653
Avast Win32:MalwareX-gen [Trj] 20200619 18.4.3895.0
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
静态指标
Queries for the computername (2 个事件)
Time & API Arguments Status Return Repeated
1619167994.984
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619167997.952
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (50 out of 74 个事件)
Time & API Arguments Status Return Repeated
1619167938.936875
IsDebuggerPresent
failed 0 0
1619167942.295875
IsDebuggerPresent
failed 0 0
1619167942.811875
IsDebuggerPresent
failed 0 0
1619167943.326875
IsDebuggerPresent
failed 0 0
1619167943.811875
IsDebuggerPresent
failed 0 0
1619167944.326875
IsDebuggerPresent
failed 0 0
1619167944.811875
IsDebuggerPresent
failed 0 0
1619167945.342875
IsDebuggerPresent
failed 0 0
1619167945.811875
IsDebuggerPresent
failed 0 0
1619167946.342875
IsDebuggerPresent
failed 0 0
1619167946.811875
IsDebuggerPresent
failed 0 0
1619167947.342875
IsDebuggerPresent
failed 0 0
1619167947.811875
IsDebuggerPresent
failed 0 0
1619167948.342875
IsDebuggerPresent
failed 0 0
1619167948.811875
IsDebuggerPresent
failed 0 0
1619167949.342875
IsDebuggerPresent
failed 0 0
1619167949.811875
IsDebuggerPresent
failed 0 0
1619167950.342875
IsDebuggerPresent
failed 0 0
1619167950.811875
IsDebuggerPresent
failed 0 0
1619167951.342875
IsDebuggerPresent
failed 0 0
1619167951.811875
IsDebuggerPresent
failed 0 0
1619167952.342875
IsDebuggerPresent
failed 0 0
1619167952.811875
IsDebuggerPresent
failed 0 0
1619167953.342875
IsDebuggerPresent
failed 0 0
1619167953.811875
IsDebuggerPresent
failed 0 0
1619167954.342875
IsDebuggerPresent
failed 0 0
1619167954.811875
IsDebuggerPresent
failed 0 0
1619167955.342875
IsDebuggerPresent
failed 0 0
1619167955.811875
IsDebuggerPresent
failed 0 0
1619167956.342875
IsDebuggerPresent
failed 0 0
1619167956.811875
IsDebuggerPresent
failed 0 0
1619167957.342875
IsDebuggerPresent
failed 0 0
1619167957.811875
IsDebuggerPresent
failed 0 0
1619167958.342875
IsDebuggerPresent
failed 0 0
1619167958.811875
IsDebuggerPresent
failed 0 0
1619167959.342875
IsDebuggerPresent
failed 0 0
1619167959.811875
IsDebuggerPresent
failed 0 0
1619167960.342875
IsDebuggerPresent
failed 0 0
1619167960.811875
IsDebuggerPresent
failed 0 0
1619167961.342875
IsDebuggerPresent
failed 0 0
1619167961.811875
IsDebuggerPresent
failed 0 0
1619167962.342875
IsDebuggerPresent
failed 0 0
1619167962.811875
IsDebuggerPresent
failed 0 0
1619167963.342875
IsDebuggerPresent
failed 0 0
1619167963.811875
IsDebuggerPresent
failed 0 0
1619167964.342875
IsDebuggerPresent
failed 0 0
1619167964.811875
IsDebuggerPresent
failed 0 0
1619167965.342875
IsDebuggerPresent
failed 0 0
1619167965.811875
IsDebuggerPresent
failed 0 0
1619167966.342875
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619167940.514875
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619168000.515
__exception__
stacktrace: 
0x471ec9d
0x471df37
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 5959064
registers.edi: 5959096
registers.eax: 0
registers.ebp: 5959112
registers.edx: 158
registers.ebx: 0
registers.esi: 41339364
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 d8 b8 ef f3 dd 64 eb 86 8b
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x471f0f1
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 115 个事件)
Time & API Arguments Status Return Repeated
1619167937.904875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 393216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00460000
success 0 0
1619167937.904875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00480000
success 0 0
1619167938.733875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619167938.951875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0061a000
success 0 0
1619167938.951875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619167938.951875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00612000
success 0 0
1619167939.592875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00622000
success 0 0
1619167939.842875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00623000
success 0 0
1619167939.889875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0065b000
success 0 0
1619167939.889875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00657000
success 0 0
1619167939.983875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0062c000
success 0 0
1619167940.248875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f60000
success 0 0
1619167940.498875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f61000
success 0 0
1619167940.514875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00624000
success 0 0
1619167940.545875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f62000
success 0 0
1619167940.545875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f63000
success 0 0
1619167940.592875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f64000
success 0 0
1619167941.154875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f65000
success 0 0
1619167941.248875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f66000
success 0 0
1619167941.264875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0062a000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00355000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00355000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x002c0000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x002c0000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x002c0000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x002c2000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0034a000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0034a000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0034a000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0034a000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0034a000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0034a000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0034a000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0034a000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0034a000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0034a000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0034a000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0034a000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0034a000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0034a000
success 0 0
1619167941.264875
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0034a000
success 0 0
1619167941.733875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00625000
success 0 0
1619167941.795875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f68000
success 0 0
1619167941.811875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f69000
success 0 0
1619167941.951875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0064a000
success 0 0
1619167941.998875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00642000
success 0 0
1619167942.076875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00655000
success 0 0
1619167942.608875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00626000
success 0 0
1619167942.733875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0063a000
success 0 0
1619167942.733875
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00637000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.620260711698961 section {'size_of_data': '0x00093e00', 'virtual_address': '0x00002000', 'entropy': 7.620260711698961, 'name': '.text', 'virtual_size': '0x00093c24'} description A section with a high entropy has been found
entropy 0.9966301600673968 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619167941.904875
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619167990.765
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (2 个事件)
Time & API Arguments Status Return Repeated
1619167994.374
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 472
process_handle: 0x0000021c
failed 0 0
1619167994.374
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 472
process_handle: 0x0000021c
failed 3221225738 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619167977.592875
NtAllocateVirtualMemory
process_identifier: 580
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002c4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619167977.592875
WriteProcessMemory
process_identifier: 580
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#ü×^à \>z €@ À@…ðyK€   H.textDZ \ `.rsrc€^@@.reloc  b@B
process_handle: 0x000002c4
base_address: 0x00400000
success 1 0
1619167977.608875
WriteProcessMemory
process_identifier: 580
buffer: €0€HX€¤¤4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoà000004b0,FileDescription 0FileVersion0.0.0.0h#InternalNameZvlRCfBlhVnAoTnakkHmhLjOcsnrUK.exe(LegalCopyright p#OriginalFilenameZvlRCfBlhVnAoTnakkHmhLjOcsnrUK.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x000002c4
base_address: 0x00448000
success 1 0
1619167977.608875
WriteProcessMemory
process_identifier: 580
buffer: p @:
process_handle: 0x000002c4
base_address: 0x0044a000
success 1 0
1619167977.608875
WriteProcessMemory
process_identifier: 580
buffer: @
process_handle: 0x000002c4
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619167977.592875
WriteProcessMemory
process_identifier: 580
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#ü×^à \>z €@ À@…ðyK€   H.textDZ \ `.rsrc€^@@.reloc  b@B
process_handle: 0x000002c4
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 472 called NtSetContextThread to modify thread in remote process 580
Time & API Arguments Status Return Repeated
1619167977.608875
NtSetContextThread
thread_handle: 0x000002c0
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4487742
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 580
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 472 resumed a thread in remote process 580
Time & API Arguments Status Return Repeated
1619167977.967875
NtResumeThread
thread_handle: 0x000002c0
suspend_count: 1
process_identifier: 580
success 0 0
Executed a process and injected code into it, probably while unpacking (19 个事件)
Time & API Arguments Status Return Repeated
1619167938.936875
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 472
success 0 0
1619167939.061875
NtResumeThread
thread_handle: 0x00000160
suspend_count: 1
process_identifier: 472
success 0 0
1619167942.233875
NtResumeThread
thread_handle: 0x0000022c
suspend_count: 1
process_identifier: 472
success 0 0
1619167942.264875
NtResumeThread
thread_handle: 0x00000240
suspend_count: 1
process_identifier: 472
success 0 0
1619167977.592875
CreateProcessInternalW
thread_identifier: 2948
thread_handle: 0x000002c0
process_identifier: 580
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\0913bdbc98c0ccbb923ac6865733d299.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\0913bdbc98c0ccbb923ac6865733d299.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000002c4
inherit_handles: 0
success 1 0
1619167977.592875
NtGetContextThread
thread_handle: 0x000002c0
success 0 0
1619167977.592875
NtAllocateVirtualMemory
process_identifier: 580
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002c4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619167977.592875
WriteProcessMemory
process_identifier: 580
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#ü×^à \>z €@ À@…ðyK€   H.textDZ \ `.rsrc€^@@.reloc  b@B
process_handle: 0x000002c4
base_address: 0x00400000
success 1 0
1619167977.592875
WriteProcessMemory
process_identifier: 580
buffer:
process_handle: 0x000002c4
base_address: 0x00402000
success 1 0
1619167977.608875
WriteProcessMemory
process_identifier: 580
buffer: €0€HX€¤¤4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoà000004b0,FileDescription 0FileVersion0.0.0.0h#InternalNameZvlRCfBlhVnAoTnakkHmhLjOcsnrUK.exe(LegalCopyright p#OriginalFilenameZvlRCfBlhVnAoTnakkHmhLjOcsnrUK.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x000002c4
base_address: 0x00448000
success 1 0
1619167977.608875
WriteProcessMemory
process_identifier: 580
buffer: p @:
process_handle: 0x000002c4
base_address: 0x0044a000
success 1 0
1619167977.608875
WriteProcessMemory
process_identifier: 580
buffer: @
process_handle: 0x000002c4
base_address: 0x7efde008
success 1 0
1619167977.608875
NtSetContextThread
thread_handle: 0x000002c0
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4487742
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 580
success 0 0
1619167977.967875
NtResumeThread
thread_handle: 0x000002c0
suspend_count: 1
process_identifier: 580
success 0 0
1619167978.343
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 580
success 0 0
1619167978.405
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 580
success 0 0
1619167997.624
NtResumeThread
thread_handle: 0x000002d4
suspend_count: 1
process_identifier: 580
success 0 0
1619167997.765
NtResumeThread
thread_handle: 0x00000308
suspend_count: 1
process_identifier: 580
success 0 0
1619168001.015
NtResumeThread
thread_handle: 0x00000370
suspend_count: 1
process_identifier: 580
success 0 0
File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 个事件)
MicroWorld-eScan Trojan.GenericKD.34003624
FireEye Generic.mg.0913bdbc98c0ccbb
CAT-QuickHeal Trojanpws.Msil
ALYac Trojan.GenericKD.34003624
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2044512
K7AntiVirus Trojan ( 005687531 )
Alibaba Backdoor:MSIL/AgentTesla.f46dd967
K7GW Trojan ( 005687531 )
Cybereason malicious.f26244
Arcabit Trojan.Generic.D206DAA8
TrendMicro TROJ_FRS.VSNW0AF20
F-Prot W32/MSIL_Agent.BJV.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.34003624
Tencent Win32.Trojan.Inject.Auto
Ad-Aware Trojan.GenericKD.34003624
Sophos Troj/MSILIn-SI
Comodo Malware@#8v2ws0n5ij0q
DrWeb Trojan.PWS.Siggen2.50283
VIPRE Trojan.Win32.Generic!BT
Invincea heuristic
McAfee-GW-Edition BehavesLike.Win32.Generic.hc
Emsisoft Trojan.GenericKD.34003624 (B)
SentinelOne DFI - Malicious PE
Cyren W32/MSIL_Agent.BJV.gen!Eldorado
Webroot W32.Trojan.Gen
MAX malware (ai score=83)
Microsoft Backdoor:MSIL/AgentTesla.SBR!MSR
Endgame malicious (high confidence)
AegisLab Trojan.Win32.Malicious.4!c
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKD.34003624
AhnLab-V3 Malware/Win32.RL_Generic.C4123537
McAfee Fareit-FUR!0913BDBC98C0
VBA32 TScope.Trojan.MSIL
Malwarebytes Spyware.AgentTesla
Panda Trj/GdSda.A
ESET-NOD32 a variant of MSIL/Kryptik.WGW
TrendMicro-HouseCall TROJ_FRS.VSNW0AF20
Rising Backdoor.AgentTesla!8.103C4 (CLOUD)
Yandex Trojan.Igent.bTTC1e.102
Ikarus Trojan.Inject
Fortinet MSIL/GenKryptik.EMGD!tr
BitDefenderTheta Gen:NN.ZemsilF.34128.Lm0@aWG6A8k
AVG Win32:MalwareX-gen [Trj]
Avast Win32:MalwareX-gen [Trj]
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-06-11 00:56:17

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62319 239.255.255.250 3702
192.168.56.101 62321 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.