Score: 5.6
Risk level: High
SHA256: 653ff3fc01f3ffb56745213bd8189f0f37f0237da57411c67429583eedcaa261
File name: 13d15a4418acbb20a6690b4ac7ab1de2.exe (the name is the sample's MD5; the McAfee Artemis! and FireEye Generic.mg detections below embed its first 12 and 16 hex digits)
Analysis duration: 102s
Last analysis:
File size: 445.5KB
Detection tags (static and dynamic detections): 100%, ARTEMIS, ATTRIBUTE, BMGJSZFQILI, BU0@AKLOJXI, CONFIDENCE, DOMTHM, DZAF, FILEREPMETAGEN, HIGH, HIGH CONFIDENCE, HIGHCONFIDENCE, MALICIOUS, MALICIOUS PE, SCORE, UNSAFE, WACATAC, YZY0ON1FPRXBF5NM, ZEMSILF (tokens extracted from the engine detection names listed below)
鹰眼引擎 (Hawkeye engine): not detected; no results from this engine are available.
Static verdict
Antivirus engines
Engine       Result                            Scan date   Engine version
McAfee       Artemis!13D15A4418AC              2020-06-17  6.0.6.653
Avast        (none)                            2020-06-17  18.4.3895.0
Alibaba      (none)                            2019-05-27  0.3.0.5
Tencent      Win32.Trojan.Generic.Dzaf         2020-06-17  1.0.0.1
Baidu        (none)                            2019-03-18  1.0.0.2
Kingsoft     (none)                            2020-06-17  2013.8.14.323
CrowdStrike  win/malicious_confidence_80% (D)  2019-07-02  1.0
Artemis! (McAfee cloud reputation) and the CrowdStrike confidence score are heuristic verdicts, not family attributions; Tencent's name is a generic trojan class. Note the engine dates span 2019 to 2020, so the rows are not a single point-in-time scan.
Static indicators
Queries for the computername (2 events)
Time               API               Arguments                Status   Return  Repeated
1620119625.375205  GetComputerNameW  computer_name: OSKAR-PC  success  1       0
1620119625.375205  GetComputerNameW  computer_name: OSKAR-PC  success  1       0
OSKAR-PC is the analysis VM's hostname (it also appears in the profile path C:\Users\Administrator.Oskar-PC used by the persistence artefacts below).
Checks if process is being debugged by a debugger (1 event)
Time               API                Arguments  Status  Return  Repeated
1620119621.141205  IsDebuggerPresent  (none)     failed  0       0
The monitor marks a BOOL API that returns FALSE as "failed", so this row means IsDebuggerPresent returned 0 (no debugger seen), not that the call errored.
The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)
section .enigma1
section .enigma2
"Unknown" here means absent from the signature's whitelist of standard section names; .enigma1 and .enigma2 are the section names written by The Enigma Protector, so the packer is in fact identifiable from the names alone.
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (26 events)
All 26 calls target the caller's own process (process_handle 0xffffffff; 0xffffffffffffffff for the final 64-bit record) and request protection 64 (PAGE_EXECUTE_READWRITE). stack_dep_bypass and stack_pivoted are 0 in every record, and every record ends "success 0 0" (status, return, repeated). Only the remaining fields vary:
Time               API                      PID   Size (region_size / length)  Allocation type     heap_dep_bypass  Base address
1620119620.110205  NtAllocateVirtualMemory  2224  786432                       8192 (MEM_RESERVE)  0                0x020c0000
1620119620.110205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x02140000
1620119620.875205  NtProtectVirtualMemory   2224  4096                         n/a                 0                0x73f31000
1620119621.157205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x0207a000
1620119621.157205  NtProtectVirtualMemory   2224  8192                         n/a                 0                0x73f32000
1620119621.157205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x02072000
1620119621.657205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x02082000
1620119621.782205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x02083000
1620119621.782205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x020cb000
1620119621.782205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x020c7000
1620119621.797205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x0208c000
1620119622.219205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x02084000
1620119622.219205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x02085000
1620119622.266205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x02086000
1620119622.282205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x04680000
1620119622.360205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x0209a000
1620119622.360205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x02097000
1620119622.360205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x020aa000
1620119622.391205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x0207b000
1620119622.516205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x020a2000
1620119622.578205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x020c5000
1620119623.032205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x04950000
1620119623.047205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x02096000
1620119623.157205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x02087000
1620119623.266205  NtAllocateVirtualMemory  2224  4096                         4096 (MEM_COMMIT)   1                0x0208a000
1620138819.47725   NtAllocateVirtualMemory  1424  65536                        4096 (MEM_COMMIT)   0                0x0000000004060000
Reading the sequence: PID 2224 first reserves a 768 KB RWX region at 0x020c0000 and then commits single RWX pages one at a time over about three seconds, some inside that reservation and most between 0x02072000 and 0x020cb000, with heap_dep_bypass set on every commit (the monitor's marker for a call whose return address lies in heap memory, i.e. the committing code is itself already running from dynamically allocated memory). That is the pattern of a protector stub unpacking in place. The two NtProtectVirtualMemory calls make 12 KB at 0x73f31000-0x73f33fff writable and executable; that range lies far above the sample's own allocations, where 32-bit system DLLs are normally mapped, so it is consistent with patching an already-loaded module, but the report does not record which module occupied it. The final record belongs to a different process (PID 1424), carries a 64-bit pseudo-handle and is timestamped about 5.3 hours after the others, so it is not part of PID 2224's sequence.
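The call records in this report (the RWX allocation list above and the IsDebuggerPresent record under the static indicators) are easy to mine once parsed. The Python below is an added example written for this page, not code from the sandbox or from the sample's analysis: it parses records in the exact layout printed here (a timestamp line, the API name, "key: value" argument lines, then "status return repeated") and applies three triage rules: RWX MEM_COMMIT calls a process makes on itself (pseudo-handle 0xffffffff, or its 64-bit form), NtProtectVirtualMemory turning an existing region RWX, and debugger checks. The three sample records are copied from this report; the reading of heap_dep_bypass as "call issued from heap-resident code" is my assumption about the monitor's flag.

```python
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT = 0x1000
SELF_HANDLES = {0xffffffff, 0xffffffffffffffff}   # GetCurrentProcess() pseudo-handle, 32/64-bit

TIMESTAMP_RE = re.compile(r"^\d+\.\d+$")
STATUS_RE = re.compile(r"^(success|failed)\s+(\S+)\s+(\d+)$")
ARG_RE = re.compile(r"^([a-z_]+):\s*(.*)$")

# Three records copied from this report in its own layout (timestamp line,
# API name, "key: value" lines, then "status return repeated").
SAMPLE_LOG = """\
1620119621.141205
IsDebuggerPresent
failed 0 0
1620119620.110205
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02140000
success 0 0
1620119620.875205
NtProtectVirtualMemory
process_identifier: 2224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
"""


def _to_int(value):
    """'64 (PAGE_EXECUTE_READWRITE)' -> 64, '0xffffffff' -> 4294967295; other text stays a string."""
    try:
        return int(value.split(" ")[0], 0)
    except ValueError:
        return value


def parse_events(text):
    """Parse the report's flattened call listing into dicts: time, api, args, status, ret, repeated."""
    events, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if cur is None:                                  # expecting a timestamp
            if TIMESTAMP_RE.match(line):
                cur = {"time": float(line), "api": None, "args": {}}
        elif cur["api"] is None:                         # the line after the timestamp
            cur["api"] = line
        elif (m := STATUS_RE.match(line)):               # "success 0 0" closes the record
            cur.update(status=m.group(1), ret=_to_int(m.group(2)), repeated=int(m.group(3)))
            events.append(cur)
            cur = None
        elif (m := ARG_RE.match(line)):
            cur["args"][m.group(1)] = _to_int(m.group(2))
    return events


def assess(events):
    """Three triage rules over the parsed records."""
    f = {
        "rwx_commits": defaultdict(int),        # pid -> RWX MEM_COMMIT calls on its own process
        "rwx_committed_bytes": defaultdict(int),
        "rwx_reprotects": [],                   # (pid, base, length) turned RWX after the fact
        "debugger_checks": [],                  # (api, return value)
        "heap_origin_calls": 0,                 # records the monitor flagged heap_dep_bypass=1 (assumed meaning)
    }
    for ev in events:
        a, pid = ev["args"], ev["args"].get("process_identifier")
        own = a.get("process_handle") in SELF_HANDLES
        rwx = a.get("protection") == PAGE_EXECUTE_READWRITE
        if ev["api"] == "NtAllocateVirtualMemory" and own and rwx and a.get("allocation_type", 0) & MEM_COMMIT:
            f["rwx_commits"][pid] += 1
            f["rwx_committed_bytes"][pid] += a.get("region_size", 0)
        elif ev["api"] == "NtProtectVirtualMemory" and own and rwx:
            f["rwx_reprotects"].append((pid, a["base_address"], a["length"]))
        elif ev["api"] in ("IsDebuggerPresent", "CheckRemoteDebuggerPresent"):
            f["debugger_checks"].append((ev["api"], ev["ret"]))
        if a.get("heap_dep_bypass") == 1:
            f["heap_origin_calls"] += 1
    return f


if __name__ == "__main__":
    for key, value in assess(parse_events(SAMPLE_LOG)).items():
        print(f"{key}: {dict(value) if isinstance(value, defaultdict) else value}")
```

Feeding the whole 26-record listing through parse_events gives 25 commits for PID 2224 and the two 0x73f3xxxx re-protections; header lines such as "Time & API Arguments Status Return Repeated" are ignored because a record only opens on a timestamp line.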
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mozilla Firefox.lnk
Creates a shortcut to an executable file (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mozilla Firefox.lnk
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.0935042293732185 section .enigma1 (virtual_address 0x0000a000, virtual_size 0x00002000, size_of_data 0x00028000): A section with a high entropy has been found. Note that the section's raw data (0x28000 = 163,840 bytes) is twenty times its virtual size (0x2000), a layout typical of a protector stub carrying a compressed payload rather than of ordinary code or data.
entropy 0.35995500562429694: Overall entropy of this PE file is high. This second figure is not a Shannon entropy: the signature reports, under the same "entropy" key, the fraction of all section bytes that lie in high-entropy sections and fires once that fraction exceeds 0.2. Here it is the 0x28000 bytes of .enigma1 divided by roughly 455 KB of total section data, i.e. about 36%.
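Both packer signatures in this report (the .enigma1/.enigma2 section names under the static indicators and the two entropy figures above) can be reproduced in a few lines. The Python below is an added example written for this page, not code from the sandbox or from the sample's analysis: it computes Shannon entropy per section, the fraction of section bytes held in high-entropy sections that the report labels "overall entropy", and a section-name check against known packers. The 6.8 bits/byte and 0.2 thresholds follow the Cuckoo Sandbox packer_entropy signature as I recall it, and the section bytes are constructed (seeded random data standing in for the 0x28000-byte .enigma1 payload), so treat both as assumptions. Requires Python 3.9+ for random.Random.randbytes.

```python
import math
import random
from collections import Counter

# Thresholds as used by the Cuckoo Sandbox "packer_entropy" signature, to the
# best of my recollection (assumption): a section counts as high-entropy above
# 6.8 bits/byte, and the file-level hit fires when more than 20% of all section
# bytes sit in such sections. The figure the report prints as "overall entropy"
# is that fraction, not a Shannon value.
SECTION_ENTROPY_THRESHOLD = 6.8
HIGH_ENTROPY_RATIO_THRESHOLD = 0.2

# Section names written by known packers/protectors. ".enigma1"/".enigma2" are
# The Enigma Protector's; the remaining entries are illustrative extras.
PACKER_SECTION_NAMES = {
    ".enigma1": "Enigma Protector",
    ".enigma2": "Enigma Protector",
    "UPX0": "UPX",
    "UPX1": "UPX",
    ".aspack": "ASPack",
    ".themida": "Themida",
    ".vmp0": "VMProtect",
    ".vmp1": "VMProtect",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_heuristics(sections):
    """sections: list of (name, raw_bytes) in file order.

    Returns what the report's signatures derive from section data: the
    high-entropy sections, the fraction of section bytes they hold (the
    "overall entropy" figure) and any section names belonging to a known packer.
    """
    total_bytes = sum(len(raw) for _, raw in sections)
    high_entropy, high_bytes = [], 0
    for name, raw in sections:
        entropy = shannon_entropy(raw)
        if entropy > SECTION_ENTROPY_THRESHOLD:
            high_entropy.append((name, round(entropy, 4), len(raw)))
            high_bytes += len(raw)
    ratio = high_bytes / total_bytes if total_bytes else 0.0
    return {
        "high_entropy_sections": high_entropy,
        "high_entropy_ratio": ratio,
        "overall_alert": ratio > HIGH_ENTROPY_RATIO_THRESHOLD,
        "packer_names": {name: PACKER_SECTION_NAMES[name]
                         for name, _ in sections if name in PACKER_SECTION_NAMES},
    }


# Constructed stand-in for the sample (not its real bytes): the report's
# .enigma1 section holds 0x28000 raw bytes at entropy 7.09, so seeded random
# bytes of that size model the compressed payload; low-entropy filler models
# the code and data sections.
_rng = random.Random(2021)
SAMPLE_SECTIONS = [
    (".text", bytes(range(32)) * 0x1000),      # 0x20000 bytes, exactly 5.0 bits/byte
    (".data", b"\x00" * 0x8000),               # 0x8000 zero bytes, 0.0 bits/byte
    (".enigma1", _rng.randbytes(0x28000)),     # 0x28000 random bytes, close to 8.0 bits/byte
    (".enigma2", b"\x00" * 0x2000),            # 0x2000 zero bytes
]

if __name__ == "__main__":
    result = packer_heuristics(SAMPLE_SECTIONS)
    for name, entropy, size in result["high_entropy_sections"]:
        print(f"{name}: entropy {entropy}, {size} bytes")
    print(f"high-entropy byte ratio: {result['high_entropy_ratio']:.4f} "
          f"(alert: {result['overall_alert']}), packer sections: {result['packer_names']}")
```

With the constructed sections the ratio is 0x28000 / 0x52000, about 0.49; substituting the real file's section sizes (0x28000 out of roughly 455 KB) reproduces the 0.36 the report prints. To run this against a real PE, read each section's raw bytes (for example with pefile's SectionName and get_data()) and pass them as the (name, bytes) list.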
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
The packet summary further down records no TCP connection at all, so this host appears only in the signature hit; confirm it against the raw capture before treating it as the sample's infrastructure.
Installs itself for autorun at Windows startup (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mozilla Firefox.lnk
The report does not record the shortcut's target, only that a .lnk named after Firefox was dropped into the per-user Startup folder; resolve the target before assuming it points back at the sample.
File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)
Most of the names below are generic or machine-learning verdicts (Artemis!, ML.Attribute, !ml, malicious.high.ml.score, AI_Score); the more specific ones agree on a trojan/injector class, and none attributes a family.
FireEye Generic.mg.13d15a4418acbb20
McAfee Artemis!13D15A4418AC
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Invincea heuristic
BitDefenderTheta Gen:NN.ZemsilF.34128.Bu0@aKLOjxi
Symantec ML.Attribute.HighConfidence
APEX Malicious
NANO-Antivirus Trojan.Win32.Inject.domthm
AegisLab Trojan.Win32.Generic.4!c
Tencent Win32.Trojan.Generic.Dzaf
McAfee-GW-Edition BehavesLike.Win32.Injector.gh
Trapmine malicious.high.ml.score
Microsoft Trojan:Win32/Wacatac.C!ml
Endgame malicious (high confidence)
Cynet Malicious (score: 100)
Panda Trj/CI.A
Rising Trojan.Win32.Generic.1820358F (C64:YzY0On1FpRXbF5nM)
Yandex Trojan.Agent!bmGjszFqilI
SentinelOne DFI - Malicious PE
eGambit Unsafe.AI_Score_100%
Fortinet W32/Generic!tr
Webroot W32.Adware.Gen
AVG FileRepMetagen [Malware]
CrowdStrike win/malicious_confidence_80% (D)
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)
dead_host 172.217.27.142:443
Visual analysis
Binary image: none generated for this sample.
Runtime screenshots: none captured while the sample ran.

PE compile time: 2015-02-01 03:13:01

Imports

The import set at 0x441178-0x44122c (GetKeyboardType, SysAllocStringLen, RaiseException, RtlUnwind, LoadStringA, CharNextA) is the runtime import pattern typical of Delphi-built binaries. The cluster from 0x441258 onwards is the security-relevant one: ReadProcessMemory, WriteProcessMemory, VirtualAllocEx, VirtualProtectEx, GetThreadContext, SetThreadContext and WaitForSingleObject together suffice to write into and redirect another (or a suspended child) process, and LdrLoadDll with RtlInitAnsiString from ntdll.dll loads libraries without going through LoadLibrary. The same DLL appears several times because the file carries several import descriptors per library; the two empty ntdll.dll entries list no resolved names.

Library kernel32.dll:
0x441178 VirtualFree
0x44117c VirtualAlloc
0x441180 LocalFree
0x441184 LocalAlloc
0x441188 GetTickCount
0x441190 GetVersion
0x441194 GetCurrentThreadId
0x4411a0 VirtualQuery
0x4411a4 WideCharToMultiByte
0x4411a8 MultiByteToWideChar
0x4411ac lstrlenA
0x4411b0 lstrcpynA
0x4411b4 LoadLibraryExA
0x4411b8 GetThreadLocale
0x4411bc GetStartupInfoA
0x4411c0 GetProcAddress
0x4411c4 GetModuleHandleA
0x4411c8 GetModuleFileNameA
0x4411cc GetLocaleInfoA
0x4411d0 GetCommandLineA
0x4411d4 FreeLibrary
0x4411d8 FindFirstFileA
0x4411dc FindClose
0x4411e0 ExitProcess
0x4411e4 ExitThread
0x4411e8 WriteFile
0x4411f0 RtlUnwind
0x4411f4 RaiseException
0x4411f8 GetStdHandle
Library user32.dll:
0x441200 GetKeyboardType
0x441204 LoadStringA
0x441208 MessageBoxA
0x44120c CharNextA
Library advapi32.dll:
0x441214 RegQueryValueExA
0x441218 RegOpenKeyExA
0x44121c RegCloseKey
Library oleaut32.dll:
0x441224 SysFreeString
0x441228 SysReAllocStringLen
0x44122c SysAllocStringLen
Library kernel32.dll:
0x441234 TlsSetValue
0x441238 TlsGetValue
0x44123c TlsFree
0x441240 TlsAlloc
0x441244 LocalFree
0x441248 LocalAlloc
Library advapi32.dll:
0x441250 RegOpenKeyA
Library kernel32.dll:
0x441258 WriteProcessMemory
0x44125c WriteFile
0x441260 WideCharToMultiByte
0x441264 WaitForSingleObject
0x441268 VirtualQuery
0x44126c VirtualProtectEx
0x441270 VirtualProtect
0x441274 VirtualFree
0x441278 VirtualAllocEx
0x44127c VirtualAlloc
0x441284 SizeofResource
0x441288 SetThreadContext
0x44128c SetLastError
0x441290 SetFileTime
0x441294 SetFilePointer
0x441298 SetFileAttributesW
0x44129c SetFileAttributesA
0x4412a0 SetEvent
0x4412a4 SetEndOfFile
0x4412b0 ResetEvent
0x4412b4 RemoveDirectoryW
0x4412b8 RemoveDirectoryA
0x4412bc ReadProcessMemory
0x4412c0 ReadFile
0x4412c4 QueryDosDeviceW
0x4412cc MultiByteToWideChar
0x4412d0 LockResource
0x4412d4 LoadResource
0x4412d8 LoadLibraryW
0x4412dc LoadLibraryA
0x4412e4 IsBadWritePtr
0x4412e8 IsBadStringPtrW
0x4412ec IsBadReadPtr
0x4412fc GetVersionExA
0x441300 GetVersion
0x441304 GetThreadLocale
0x441308 GetThreadContext
0x44130c GetTempPathW
0x441310 GetTempPathA
0x441314 GetTempFileNameW
0x441318 GetTempFileNameA
0x44131c GetSystemDirectoryW
0x441320 GetSystemDirectoryA
0x441324 GetStringTypeExW
0x441328 GetStringTypeExA
0x44132c GetStdHandle
0x441330 GetProcAddress
0x441334 GetModuleHandleA
0x441338 GetModuleFileNameW
0x44133c GetModuleFileNameA
0x441344 GetLocaleInfoW
0x441348 GetLocaleInfoA
0x44134c GetLocalTime
0x441350 GetLastError
0x441354 GetFullPathNameW
0x441358 GetFullPathNameA
0x44135c GetFileSize
0x441360 GetFileAttributesW
0x441364 GetFileAttributesA
0x441368 GetDiskFreeSpaceA
0x44136c GetDateFormatA
0x441370 GetCurrentThreadId
0x441374 GetCurrentProcessId
0x441378 GetCurrentProcess
0x441384 GetCPInfo
0x441388 GetACP
0x44138c FreeResource
0x441390 FreeLibrary
0x441394 FormatMessageA
0x44139c FindResourceW
0x4413a0 FindNextFileW
0x4413a4 FindNextFileA
0x4413a8 FindFirstFileW
0x4413ac FindFirstFileA
0x4413b0 FindClose
0x4413bc ExitProcess
0x4413c0 EnumCalendarInfoA
0x4413c8 DeleteFileW
0x4413cc DeleteFileA
0x4413d4 CreateFileW
0x4413d8 CreateFileA
0x4413dc CreateEventA
0x4413e0 CreateDirectoryW
0x4413e4 CreateDirectoryA
0x4413e8 CompareStringW
0x4413ec CompareStringA
0x4413f0 CloseHandle
Library user32.dll:
0x4413f8 MessageBoxA
0x4413fc LoadStringA
0x441400 GetSystemMetrics
0x441404 CharUpperBuffW
0x441408 CharUpperW
0x44140c CharLowerBuffW
0x441410 CharLowerW
0x441414 CharNextA
0x441418 CharLowerA
0x44141c CharUpperA
0x441420 CharToOemA
Library kernel32.dll:
0x441428 Sleep
Library ole32.dll:
0x441434 CoUninitialize
0x441438 CoInitialize
Library oleaut32.dll:
0x441440 GetErrorInfo
0x441444 SysFreeString
Library oleaut32.dll:
0x44144c SafeArrayPtrOfIndex
0x441450 SafeArrayGetUBound
0x441454 SafeArrayGetLBound
0x441458 SafeArrayCreate
0x44145c VariantChangeType
0x441460 VariantCopy
0x441464 VariantClear
0x441468 VariantInit
Library ntdll.dll:
Library SHFolder.dll:
0x441484 SHGetFolderPathW
0x441488 SHGetFolderPathA
Library ntdll.dll:
Library shlwapi.dll:
0x441498 PathMatchSpecW
Library ntdll.dll:
0x4414a8 RtlInitAnsiString
0x4414b0 LdrLoadDll

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source port  Destination                      Destination port
192.168.56.101  51378        114.114.114.114                  53
192.168.56.101  51808        114.114.114.114                  53
192.168.56.101  53657        114.114.114.114                  53
192.168.56.101  55368        114.114.114.114                  53
192.168.56.101  57874        114.114.114.114                  53
192.168.56.101  62318        114.114.114.114                  53
192.168.56.101  137          192.168.56.255                   137
192.168.56.101  138          192.168.56.255                   138
192.168.56.101  123          20.189.79.72 (time.windows.com)  123
192.168.56.101  51963        224.0.0.252                      5355
192.168.56.101  56804        224.0.0.252                      5355
192.168.56.101  57756        224.0.0.252                      5355
192.168.56.101  58367        224.0.0.252                      5355
192.168.56.101  62191        224.0.0.252                      5355
192.168.56.101  63429        224.0.0.252                      5355
192.168.56.101  65004        224.0.0.252                      5355
192.168.56.101  1900         239.255.255.250                  1900
192.168.56.101  55369        239.255.255.250                  3702
192.168.56.101  57875        239.255.255.250                  3702
192.168.56.101  58707        239.255.255.250                  3702

Every flow above is ordinary Windows background traffic from the analysis VM (192.168.56.101): DNS to the configured resolver 114.114.114.114, NetBIOS name and datagram service broadcasts (137/138), NTP to time.windows.com, LLMNR to 224.0.0.252:5355, SSDP to 239.255.255.250:1900 and WS-Discovery to 239.255.255.250:3702. The queried DNS names are not recorded, so none of it can be tied to the sample, and the two 172.217.x.x hosts flagged in the signatures above have no matching TCP flow in this capture.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.