SmartHawk

3.8

中危

55 个模型检测该样本为恶意！

重新分析

下载样本

e3946cc34862a6a0ddbb0ce84c97d30df5b695b102a41a2e7042941b5788d0e8

1247eb94b70aeafac0e3124dae363f8b.exe

分析耗时

71s

最近分析

文件大小

536.5KB

静态报毒动态报毒 AGENTTESLA AI SCORE=86 CONFIDENCE DVFZ FAREIT GDSDA GENERICKD HCUBL HEAPOVERRIDE HIGH CONFIDENCE HOSVEF HU0@AQL72ZJ KRYPTIK MALICIOUS PE MALWARE@#1ROOU1X86WPCY PWSX R339940 REMCOS SCORE SIGGEN2 SUSGEN THFAOBO UNSAFE WACATAC YMACCO ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Backdoor:Win32/Ymacco.af802ef1	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:PWSX-gen [Trj]	20200808	18.4.3895.0
Tencent	Msil.Backdoor.Remcos.Dvfz	20200808	1.0.0.1
Kingsoft		20200808	2013.8.14.323
McAfee	Fareit-FUP!1247EB94B70A	20200807	6.0.6.653
CrowdStrike	win/malicious_confidence_60% (D)	20190702	1.0

Queries for the computername (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119662.698139 GetComputerNameA	computer_name: OSKAR-PC	success	1	0
1620119662.698139 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (50 out of 89 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119616.823139 IsDebuggerPresent		failed	0	0
1620119616.823139 IsDebuggerPresent		failed	0	0
1620119628.901139 IsDebuggerPresent		failed	0	0
1620119629.401139 IsDebuggerPresent		failed	0	0
1620119629.932139 IsDebuggerPresent		failed	0	0
1620119630.401139 IsDebuggerPresent		failed	0	0
1620119630.932139 IsDebuggerPresent		failed	0	0
1620119631.401139 IsDebuggerPresent		failed	0	0
1620119631.932139 IsDebuggerPresent		failed	0	0
1620119632.401139 IsDebuggerPresent		failed	0	0
1620119632.932139 IsDebuggerPresent		failed	0	0
1620119633.401139 IsDebuggerPresent		failed	0	0
1620119633.932139 IsDebuggerPresent		failed	0	0
1620119634.401139 IsDebuggerPresent		failed	0	0
1620119634.932139 IsDebuggerPresent		failed	0	0
1620119635.401139 IsDebuggerPresent		failed	0	0
1620119635.932139 IsDebuggerPresent		failed	0	0
1620119636.401139 IsDebuggerPresent		failed	0	0
1620119636.932139 IsDebuggerPresent		failed	0	0
1620119637.401139 IsDebuggerPresent		failed	0	0
1620119637.932139 IsDebuggerPresent		failed	0	0
1620119638.401139 IsDebuggerPresent		failed	0	0
1620119638.932139 IsDebuggerPresent		failed	0	0
1620119639.401139 IsDebuggerPresent		failed	0	0
1620119639.932139 IsDebuggerPresent		failed	0	0
1620119640.401139 IsDebuggerPresent		failed	0	0
1620119640.932139 IsDebuggerPresent		failed	0	0
1620119641.401139 IsDebuggerPresent		failed	0	0
1620119641.932139 IsDebuggerPresent		failed	0	0
1620119642.401139 IsDebuggerPresent		failed	0	0
1620119642.932139 IsDebuggerPresent		failed	0	0
1620119643.401139 IsDebuggerPresent		failed	0	0
1620119643.932139 IsDebuggerPresent		failed	0	0
1620119644.401139 IsDebuggerPresent		failed	0	0
1620119644.932139 IsDebuggerPresent		failed	0	0
1620119645.557139 IsDebuggerPresent		failed	0	0
1620119645.948139 IsDebuggerPresent		failed	0	0
1620119646.573139 IsDebuggerPresent		failed	0	0
1620119646.948139 IsDebuggerPresent		failed	0	0
1620119647.573139 IsDebuggerPresent		failed	0	0
1620119647.948139 IsDebuggerPresent		failed	0	0
1620119648.573139 IsDebuggerPresent		failed	0	0
1620119648.963139 IsDebuggerPresent		failed	0	0
1620119649.573139 IsDebuggerPresent		failed	0	0
1620119649.963139 IsDebuggerPresent		failed	0	0
1620119650.604139 IsDebuggerPresent		failed	0	0
1620119650.963139 IsDebuggerPresent		failed	0	0
1620119651.667139 IsDebuggerPresent		failed	0	0
1620119651.963139 IsDebuggerPresent		failed	0	0
1620119652.667139 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119616.917139 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 个事件)

section	X\x1d\x13\x1c\x0eW\|P
section

Allocates read-write-execute memory (usually to unpack itself) (50 out of 88 个事件)

Time & API	Arguments	Status
1620119616.135139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00390000	success
1620119616.135139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003a0000	success
1620119616.463139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00920000	success
1620119616.463139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00960000	success
1620119616.635139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1620119616.823139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x009a0000	success
1620119616.823139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009b0000	success
1620119616.838139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0044a000	success
1620119616.838139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success
1620119616.838139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00442000	success
1620119617.276139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00662000	success
1620119617.542139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00685000	success
1620119617.542139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0068b000	success
1620119617.542139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00687000	success
1620119617.651139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00663000	success
1620119617.682139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0066c000	success
1620119617.698139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00664000	success
1620119617.745139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ca0000	success
1620119617.963139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ca1000	success
1620119618.042139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00665000	success
1620119618.042139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 454656 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01322000	success
1620119627.604139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ca2000	success
1620119627.620139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ca3000	success
1620119627.620139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ca4000	success
1620119627.776139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ca5000	success
1620119627.776139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ca6000	success
1620119628.167139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00666000	success
1620119628.385139 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ca7000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01392000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01392000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01320000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01320000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01320000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01320000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01320000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01392000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01392000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01392000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01392000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01392000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01392000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01392000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01392000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01392000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01392000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01392000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01392000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01392000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01392000	success
1620119628.385139 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01392000	success

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.999632421198508

section

{'size_of_data': '0x0006f000', 'virtual_address': '0x00002000', 'entropy': 7.999632421198508, 'name': 'X\\x1d\\x13\\x1c\\x0eW|P', 'virtual_size': '0x0006ee34'}

description

A section with a high entropy has been found

entropy

0.8291316526610645

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119618.026139 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)

MicroWorld-eScan	Trojan.GenericKD.33998929
FireEye	Generic.mg.1247eb94b70aeafa
CAT-QuickHeal	Trojan.Wacatac
ALYac	Trojan.Agent.Wacatac
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.2300027
Sangfor	Malware
K7AntiVirus	Trojan ( 00568e211 )
Alibaba	Backdoor:Win32/Ymacco.af802ef1
K7GW	Trojan ( 00568e211 )
Cybereason	malicious.d8935f
Invincea	heuristic
BitDefenderTheta	Gen:NN.ZemsilF.34152.Hu0@aqL72zj
Symantec	Trojan Horse
ESET-NOD32	a variant of MSIL/Kryptik.WFL
TrendMicro-HouseCall	Trojan.MSIL.WACATAC.THFAOBO
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Backdoor.MSIL.Remcos.gen
BitDefender	Trojan.GenericKD.33998929
NANO-Antivirus	Trojan.Win32.Remcos.hosvef
Paloalto	generic.ml
AegisLab	Trojan.MSIL.Remcos.m!c
Tencent	Msil.Backdoor.Remcos.Dvfz
Endgame	malicious (high confidence)
Emsisoft	Trojan.GenericKD.33998929 (B)
Comodo	Malware@#1roou1x86wpcy
F-Secure	Trojan.TR/Dropper.MSIL.hcubl
DrWeb	Trojan.PWS.Siggen2.50289
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Trojan.MSIL.WACATAC.THFAOBO
Fortinet	MSIL/Kryptik.WFL!tr
Sophos	Troj/MSIL-OXH
APEX	Malicious
MaxSecure	Trojan.Malware.300983.susgen
Avira	TR/Dropper.MSIL.hcubl
MAX	malware (ai score=86)
Antiy-AVL	Trojan[Backdoor]/MSIL.Remcos
Microsoft	Trojan:MSIL/AgentTesla.E!MTB
Arcabit	Trojan.Generic.D206C851
AhnLab-V3	Trojan/Win32.Kryptik.R339940
ZoneAlarm	HEUR:Backdoor.MSIL.Remcos.gen
GData	Trojan.GenericKD.33998929
Cynet	Malicious (score: 100)
McAfee	Fareit-FUP!1247EB94B70A
VBA32	CIL.HeapOverride.Heur
Malwarebytes	Spyware.AgentTesla
Ikarus	Trojan.MSIL.Inject
SentinelOne	DFI - Malicious PE
eGambit	Unsafe.AI_Score_99%
Ad-Aware	Trojan.GenericKD.33998929

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-06-09 21:16:18

Imports

Library mscoree.dll:

• 0x48e000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51966	239.255.255.250	1900
192.168.56.101	57757	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	65005	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.