Risk score: 5.0 (medium risk)

SHA-256: a8e3663104dfdf6c4af8ea7d71ecb8a7a6810947e3acf8a382f21e47fc20c25a
File name: 1ace4a0d623355da2f5f302af70bffc2.exe
Analysis duration: 58s
Last analysis:
File size: 155.0KB
Static detection: positive. Dynamic detection: positive. Detection rate: 100%.
Detection-name tokens extracted from the engine results below: A VARIANT OF GENERIK, AI SCORE=87, ATTRIBUTE, CLIPBANKER, CONFIDENCE, DG2KMWXKLNS, GDSDA, GENERICRXLJ, HIGH CONFIDENCE, HIGHCONFIDENCE, HNZTDJ, JQ0@AEAOEFP, MALICIOUS PE, MALWARE@#UAIGR3TQMDE2, MRBEULU, MSILPERSEUS, PKWU, R002C0WGD20, REDCAP, SCORE, SFBRGUHCAVS, STREALER, SUSGEN, TROJANBANKER, TSCOPE, UNSAFE, WLSNK, YMACCO, ZEMSILF
鹰眼 (Eagle Eye) engine: no detection result available for this sample.
Static verdict

Antivirus engines
Engine       Result                                  Scan date  Engine version
McAfee       GenericRXLJ-FS!1ACE4A0D6233             20201029   6.0.6.653
Alibaba      TrojanBanker:Win32/ClipBanker.9a1787ee  20190527   0.3.0.5
Baidu        (no detection)                          20190318   1.0.0.2
Avast        Win32:Malware-gen                       20201029   18.4.3895.0
Kingsoft     (no detection)                          20201029   2013.8.14.323
CrowdStrike  win/malicious_confidence_100% (W)       20190702   1.0
Static indicators

Checks whether the process is being debugged (2 events)
Time              API                Status  Return  Repeated
1620134563.79202  IsDebuggerPresent  failed  0       0
1620134563.80702  IsDebuggerPresent  failed  0       0
The "failed" status only mirrors the zero return value: IsDebuggerPresent returned 0, meaning no debugger was attached. The call is also issued routinely by runtime and library code, so two calls are weak evidence of deliberate anti-debugging on their own.

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Of the three values named by the signature, only MachineGuid was read. It is a stable per-installation identifier and the usual choice for a victim ID.

This executable has a PDB path (1 event)
pdb_path KMService.pdb
The project was built under the name KMService, which is also the Run-key value name the sample registers (see the dynamic indicators). The on-disk name 1ace4a0d623355da2f5f302af70bffc2.exe is the sample's MD5 (McAfee's and FireEye's detection names embed the same prefix), not a name chosen by the author.

Checks the amount of memory in the system, which can be used to detect virtual machines with little memory (1 event)
Time              API                   Status   Return  Repeated
1620134563.94802  GlobalMemoryStatusEx  success  1       0
A single successful call. The .NET runtime also queries this when it initializes its garbage collector, so on its own it is not conclusive as VM detection.

The executable contains an unknown PE section name indicative of a packer (could be a false positive) (1 event)
section .sdata
.sdata is a section name that managed-assembly toolchains (ilasm, for example) emit for initialized static field data, so for a .NET assembly (see Imports below: mscoree.dll!_CorExeMain is the only native import) this is most likely the false positive the signature itself allows for.
One or more processes crashed (1 event)
Time              API            Status   Return  Repeated
1620134598.02602  __exception__  success  0       0
Stack trace (frames use the sandbox's nearest-export heuristic, "export+offset next-export-offset module+rva @ address"; bare addresses are unresolved frames, here JIT-compiled managed code):
RtlLogStackBackTrace+0x890 RtlTraceDatabaseCreate-0xa0 ntdll+0xc7a40 @ 0x77c17a40
RtlGetUserInfoHeap+0x66 RtlCompactHeap-0x31a ntdll+0xed316 @ 0x77c3d316
GlobalSize+0x58 GlobalUnlock-0x118 kernel32+0x4e458 @ 0x77a7e458
OleCreateFromData+0x1f5 CoGetInstanceFromIStorage-0x535b ole32+0x1667d5 @ 0x7feffdb67d5
OleCreateFromData+0x4cc CoGetInstanceFromIStorage-0x5084 ole32+0x166aac @ 0x7feffdb6aac
DllRegisterServerInternal-0x1da9 clr+0x1f37 @ 0x7fef1961f37
system+0x711edb @ 0x7feefca1edb
0x7ff003cd119
0x7ff003ca761
0x7ff003ca605
0x7ff003ca544
0x7ff003c646b
0x7ff003c63d9
0x7ff003c4327
0x7ff0016b33d
0x7ff00169a20
StrongNameSignatureVerification+0x1b357 GetMetaDataPublicInterfaceFromInternal-0x31429 clr+0xdcae7 @ 0x7fef1a3cae7
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77949bd1
SetWindowTextW+0x277 SetWindowLongPtrW-0x3f5 user32+0x172cb @ 0x779472cb
IsDialogMessageW+0x169 SetTimer-0x107 user32+0x16829 @ 0x77946829
KiUserCallbackDispatcher+0x1f KiUserExceptionDispatcher-0x25 ntdll+0x51225 @ 0x77ba1225
SetClipboardViewer+0xa CheckMenuItem-0x972 user32+0x1f78a @ 0x7794f78a
DllRegisterServerInternal-0x2519 clr+0x17c7 @ 0x7fef19617c7
0x7ff003c638b
0x7ff003c390a
0x7ff00187fb4
0x7ff00187c01
0x7ff003c37d9
0x7ff003c2d5e
mscorlib+0x37181c @ 0x7fef08b181c
mscorlib+0x37172b @ 0x7fef08b172b
mscorlib+0xa9928d @ 0x7fef0fd928d
CoUninitializeEE+0x3d374 CreateAssemblyNameObject-0x2d7dc clr+0x410b4 @ 0x7fef19a10b4
CoUninitializeEE+0x3d489 CreateAssemblyNameObject-0x2d6c7 clr+0x411c9 @ 0x7fef19a11c9
CoUninitializeEE+0x3d505 CreateAssemblyNameObject-0x2d64b clr+0x41245 @ 0x7fef19a1245
CoUninitializeEE+0x44a50 CreateAssemblyNameObject-0x26100 clr+0x48790 @ 0x7fef19a8790
CopyPDBs+0x2017c ClrCreateManagedInstance-0xc568 clr+0x12e810 @ 0x7fef1a8e810
StrongNameSignatureVerification+0x15906 GetMetaDataPublicInterfaceFromInternal-0x36e7a clr+0xd7096 @ 0x7fef1a37096
StrongNameSignatureVerification+0x1589b GetMetaDataPublicInterfaceFromInternal-0x36ee5 clr+0xd702b @ 0x7fef1a3702b
StrongNameSignatureVerification+0x15808 GetMetaDataPublicInterfaceFromInternal-0x36f78 clr+0xd6f98 @ 0x7fef1a36f98
StrongNameSignatureVerification+0x1595f GetMetaDataPublicInterfaceFromInternal-0x36e21 clr+0xd70ef @ 0x7fef1a370ef
CopyPDBs+0x1ffcc ClrCreateManagedInstance-0xc718 clr+0x12e660 @ 0x7fef1a8e660
StrongNameErrorInfo+0x18986 _CorDllMain-0x191ba clr+0x2247c6 @ 0x7fef1b847c6
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x77a4652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x77b7c521

Registers: rax=527557112 rcx=3407872 rdx=-16 rsp=527563936 r11=514; rbx, rbp, rsi, rdi, r8, r9, r10, r12, r13, r14, r15 = 0
exception.instruction_r: 80 7a 0f 05 75 0b 0f b6 42 0e 48 c1 e0 04 48 2b
exception.symbol: RtlLogStackBackTrace+0x890 RtlTraceDatabaseCreate-0xa0 ntdll+0xc7a40
exception.instruction: cmp byte ptr [rdx + 0xf], 5
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 817728
exception.address: 0x77c17a40

Reading the crash: 0xC0000005 is an access violation. The faulting instruction reads [rdx+0xf] with rdx = -16 (0xfffffffffffffff0), which is consistent with the ntdll heap routine reached from kernel32!GlobalSize being handed a NULL block pointer and stepping back over the 16-byte heap-entry header. The call chain shows how it got there: a window-procedure callback (KiUserCallbackDispatcher, with the user32 frame nearest SetClipboardViewer) enters managed code, which calls ole32!OleCreateFromData, which calls GlobalSize on a clipboard data handle. That is what a clipboard-viewer notification handler looks like, and it fits the ClipBanker naming used by the engines below. The crash came about 36 s after the first recorded allocation (1620134598 vs. 1620134561), inside the 58 s run. Timestamps throughout are Unix epoch seconds (1620134563 = 2021-05-04 13:22:43 UTC).
Behavior verdict

Dynamic indicators

Allocates read-write-execute memory (usually to unpack itself) (50 of 269 events shown)
All 50 events come from process 376 acting on itself (process_handle 0xffffffffffffffff) with protection 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass 0, stack_pivoted 0, status success, return 0, repeated 0. heap_dep_bypass is 1 on every MEM_COMMIT and 0 on every MEM_RESERVE and NtProtectVirtualMemory. Size is region_size for NtAllocateVirtualMemory and length for NtProtectVirtualMemory.

#   Time              API                      Size     Allocation type                     Base address
1   1620134561.82302  NtAllocateVirtualMemory  1245184  8192 (MEM_RESERVE)                  0x00000000008a0000
2   1620134561.83902  NtAllocateVirtualMemory  8192     4096 (MEM_COMMIT)                   0x0000000000950000
3   1620134562.54202  NtAllocateVirtualMemory  917504   8192 (MEM_RESERVE)                  0x00000000021a0000
4   1620134562.54202  NtAllocateVirtualMemory  8192     4096 (MEM_COMMIT)                   0x0000000002200000
5   1620134562.85402  NtProtectVirtualMemory   4096     -                                   0x000007fef1961000
6   1620134562.85402  NtProtectVirtualMemory   4096     -                                   0x000007fef1961000
7   1620134562.99502  NtProtectVirtualMemory   4096     -                                   0x000007fef1fe0000
8   1620134563.77602  NtAllocateVirtualMemory  1507328  8192 (MEM_RESERVE)                  0x0000000002320000
9   1620134563.79202  NtAllocateVirtualMemory  8192     4096 (MEM_COMMIT)                   0x0000000002410000
10  1620134563.87002  NtProtectVirtualMemory   4096     -                                   0x000007fef1962000
11  1620134563.87002  NtProtectVirtualMemory   4096     -                                   0x000007fef1962000
12  1620134563.87002  NtProtectVirtualMemory   4096     -                                   0x000007fef1962000
13  1620134563.87002  NtProtectVirtualMemory   4096     -                                   0x000007fef1962000
14  1620134563.87002  NtProtectVirtualMemory   4096     -                                   0x000007fef1962000
15  1620134563.87002  NtProtectVirtualMemory   4096     -                                   0x000007fef1963000
16  1620134563.87002  NtProtectVirtualMemory   4096     -                                   0x000007fef1963000
17  1620134563.87002  NtProtectVirtualMemory   4096     -                                   0x000007fef1963000
18  1620134563.88602  NtProtectVirtualMemory   4096     -                                   0x000007fef1963000
19  1620134563.88602  NtProtectVirtualMemory   4096     -                                   0x000007fef1963000
20  1620134563.88602  NtProtectVirtualMemory   4096     -                                   0x000007fef1963000
21  1620134563.88602  NtProtectVirtualMemory   4096     -                                   0x000007fef1963000
22  1620134563.88602  NtProtectVirtualMemory   4096     -                                   0x000007fef1961000
23  1620134563.88602  NtProtectVirtualMemory   4096     -                                   0x000007fef1962000
24  1620134563.90102  NtProtectVirtualMemory   4096     -                                   0x000007fef1962000
25  1620134563.90102  NtProtectVirtualMemory   4096     -                                   0x000007fef1962000
26  1620134563.90102  NtProtectVirtualMemory   4096     -                                   0x000007fef1962000
27  1620134563.91702  NtProtectVirtualMemory   4096     -                                   0x000007fef1962000
28  1620134564.46402  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007ff00032000
29  1620134564.51102  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007ff00022000
30  1620134564.71402  NtAllocateVirtualMemory  655360   1056768 (MEM_RESERVE|MEM_TOP_DOWN)  0x000007fffff00000
31  1620134564.71402  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007fffff00000
32  1620134564.71402  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007fffff00000
33  1620134564.72902  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007fffff10000
34  1620134564.72902  NtAllocateVirtualMemory  65536    1056768 (MEM_RESERVE|MEM_TOP_DOWN)  0x000007ffffef0000
35  1620134564.72902  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007ffffef0000
36  1620134564.74502  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007ff0002a000
37  1620134564.80702  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007ff00033000
38  1620134564.82302  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007ff000dc000
39  1620134564.83902  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007ff00106000
40  1620134564.83902  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007ff000e0000
41  1620134565.21402  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007ff00034000
42  1620134565.26102  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007ff0003c000
43  1620134565.57302  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007ff00035000
44  1620134565.62002  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007ff00150000
45  1620134567.49502  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007ff0002b000
46  1620134572.04202  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007ff00036000
47  1620134574.07302  NtAllocateVirtualMemory  45056    4096 (MEM_COMMIT)                   0x000007ff00151000
48  1620134576.33902  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007ff00037000
49  1620134576.52602  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007ff0015c000
50  1620134576.65102  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)                   0x000007ff0003a000

Reading the listing: the crash stack trace in the static indicators places clr+0x1f37 at 0x7fef1961f37, so clr.dll is loaded at 0x7fef1960000, and the pages at 0x7fef1961000-0x7fef1963000 and 0x7fef1fe0000 that the 21 NtProtectVirtualMemory calls set RWX belong to the runtime's own image, not to the sample. The 4 KiB commits at 0x7ff000xxxxx lie in the same 0x7ff00... region as the unresolved (managed) frames of the crash trace, i.e. JIT-compiled code, and the top-down reservations at 0x7fffff00000 and 0x7ffffef0000 with their immediate commits are the same runtime allocator at work. For a managed executable this RWX footprint is the normal JIT cost. What would indicate unpacking is a commit outside the runtime's reservations followed by a PE header written there or a thread started there; the 50 of 269 events shown do not include any such event.
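Two things a practitioner wants from the listing above and from the crash stack trace in the static indicators are module attribution for the addresses and a view of which commits belong to which reservation. The following Python example was added for this page (it is not code from the sandbox, the sample, or any project it names): it recovers module load addresses from resolved stack frames (virtual address minus RVA) and then replays RWX events in time order to pair commits with reservations and count re-protections of the same page. The event dict shape (api / time / arguments) follows Cuckoo's report.json and the 16 MiB maximum image span are assumptions; the frames and events embedded as sample input are copied from this report.

```python
"""Triage helper for sandbox API traces: derive module bases from a Cuckoo-style stack
trace, then attribute every RWX memory event to a region lifecycle."""
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
MAX_IMAGE_SPAN = 16 * 1024 * 1024  # assumption: no loaded image is larger than 16 MiB

# Resolved-frame syntax used in the report: "<export>+0x<off> <next export>-0x<off> <module>+0x<rva> @ 0x<va>"
FRAME_RE = re.compile(r"(?P<module>[A-Za-z0-9_.]+)\+0x(?P<rva>[0-9a-f]+) @ 0x(?P<va>[0-9a-f]+)$")


def module_bases(frames):
    """Recover each module's load address as va - rva. Unresolved frames (bare addresses,
    typically JIT-compiled managed code) carry no module and are skipped."""
    bases = {}
    for line in frames:
        m = FRAME_RE.search(line.strip())
        if m:
            bases.setdefault(m["module"], int(m["va"], 16) - int(m["rva"], 16))
    return bases


def module_for(addr, bases):
    """Name of the module whose image most plausibly contains addr, else None."""
    below = [(base, name) for name, base in bases.items() if base <= addr]
    if not below:
        return None
    base, name = max(below)
    return name if addr - base < MAX_IMAGE_SPAN else None


def triage_rwx(calls, bases):
    """Walk RWX events in time order. Returns the reservations seen, each commit with the
    reservation covering it (None = reserved outside the visible trace), per-page
    NtProtectVirtualMemory counts, and a list of human-readable findings."""
    reservations, commits, reprotects, findings = [], [], defaultdict(int), []
    for c in sorted(calls, key=lambda c: c["time"]):
        a = c["arguments"]
        if a.get("protection") != PAGE_EXECUTE_READWRITE:
            continue
        base = int(a["base_address"], 16)
        if c["api"] == "NtAllocateVirtualMemory":
            size = a["region_size"]
            if a["allocation_type"] & MEM_RESERVE:
                reservations.append((base, base + size))
            if a["allocation_type"] & MEM_COMMIT:
                parent = next((lo for lo, hi in reservations if lo <= base < hi), None)
                commits.append((base, size, parent))
        elif c["api"] == "NtProtectVirtualMemory":
            reprotects[base] += 1
    for base, size, parent in commits:
        if parent is None:
            findings.append(f"RWX commit of {size:#x} bytes @ {base:#x}: reservation not in "
                            f"visible trace (module: {module_for(base, bases)})")
    for page, n in reprotects.items():
        findings.append(f"page {page:#x} set RWX {n}x (module: {module_for(page, bases)})")
    return {"reservations": reservations, "commits": commits,
            "reprotects": dict(reprotects), "findings": findings}


# Constructed sample input, copied from the report above (frames from the crash trace,
# events from the RWX listing). The dict layout mirrors Cuckoo's report.json (assumption).
FRAMES = [
    "RtlLogStackBackTrace+0x890 RtlTraceDatabaseCreate-0xa0 ntdll+0xc7a40 @ 0x77c17a40",
    "GlobalSize+0x58 GlobalUnlock-0x118 kernel32+0x4e458 @ 0x77a7e458",
    "DllRegisterServerInternal-0x1da9 clr+0x1f37 @ 0x7fef1961f37",
    "0x7ff003cd119",
    "mscorlib+0x37181c @ 0x7fef08b181c",
]


def ev(api, t, **args):
    return {"api": api, "time": t, "arguments": args}


CALLS = [
    ev("NtAllocateVirtualMemory", 1620134561.82302, region_size=1245184, protection=0x40,
       allocation_type=MEM_RESERVE, base_address="0x00000000008a0000"),
    ev("NtAllocateVirtualMemory", 1620134561.83902, region_size=8192, protection=0x40,
       allocation_type=MEM_COMMIT, base_address="0x0000000000950000"),
    ev("NtProtectVirtualMemory", 1620134562.85402, length=4096, protection=0x40,
       base_address="0x000007fef1961000"),
    ev("NtProtectVirtualMemory", 1620134562.85402, length=4096, protection=0x40,
       base_address="0x000007fef1961000"),
    ev("NtAllocateVirtualMemory", 1620134564.46402, region_size=4096, protection=0x40,
       allocation_type=MEM_COMMIT, base_address="0x000007ff00032000"),
    ev("NtAllocateVirtualMemory", 1620134564.71402, region_size=655360, protection=0x40,
       allocation_type=MEM_RESERVE | 0x100000, base_address="0x000007fffff00000"),  # |MEM_TOP_DOWN
    ev("NtAllocateVirtualMemory", 1620134564.71402, region_size=4096, protection=0x40,
       allocation_type=MEM_COMMIT, base_address="0x000007fffff00000"),
]

if __name__ == "__main__":
    for line in triage_rwx(CALLS, module_bases(FRAMES))["findings"]:
        print(line)
```

On the report's own data this attributes the re-protected page 0x7fef1961000 to clr and leaves the 0x7ff00032000 commit unattributed (its reservation is among the 219 events the page does not show), which is exactly the split a reviewer needs before calling any of it "unpacking". Feed it the full call list from a report.json to get the complete picture.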
Looks up the locally unique identifier (LUID) of a privilege that can be abused (5 events)
Time              API                    system_name  privilege_name            Status   Return  Repeated
1620134577.04202  LookupPrivilegeValueW  (empty)      SeDebugPrivilege          success  1       0
1620134588.71402  LookupPrivilegeValueW  (empty)      SeRestorePrivilege        success  1       0
1620134588.76102  LookupPrivilegeValueW  (empty)      SeTakeOwnershipPrivilege  success  1       0
1620134594.69802  LookupPrivilegeValueW  (empty)      SeRestorePrivilege        success  1       0
1620134594.77602  LookupPrivilegeValueW  (empty)      SeTakeOwnershipPrivilege  success  1       0
LookupPrivilegeValueW only resolves a privilege name to a LUID (an empty system_name means the local machine); actually enabling the privilege takes a following AdjustTokenPrivileges call, which this report does not list. SeDebugPrivilege is the one to watch, since it is what cross-process access to protected processes needs. SeRestorePrivilege and SeTakeOwnershipPrivilege are typically looked up together by code that wants to write registry keys or files it does not own, and the pair appears twice here.
Network communication

Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
The address is in Google's 172.217.0.0/16 range. The Hosts, TCP and HTTP sections below record no connection to it, so whatever triggered this signature is not visible in the captured flows; treat it as unconfirmed rather than as command and control.

Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KMService
reg_value "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\1ace4a0d623355da2f5f302af70bffc2.exe"
The value name KMService matches the PDB name from the static indicators. The data is the sample's own launch path in the user's Temp directory, so the sample did not copy itself anywhere (consistent with "no dropped files" below) and persistence lasts only as long as that Temp file does. Writing under HKLM also means the sample ran with administrative rights in the sandbox.
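The Run-key write above is the kind of event a registry-monitoring detection should catch, and the report gives every field such a rule needs: the key, the value name, the value data and the writing process. The Python example below was added for this page (it is not code from the sandbox or from the sample) and scores autorun writes with four checks: image in a scratch directory, unquoted path with spaces, value name not matching the image name, and the image registering itself. The records it runs on are constructed to look like Sysmon Event ID 13 (RegistryEvent, SetValue) fields; the first reproduces this report's write, the Contoso and Acme Tools entries are made-up contrast cases, and the list of scratch directories is an assumption to adjust per environment.

```python
"""Detection logic for autorun (Run / RunOnce) registry writes, exercised on constructed
records shaped like Sysmon Event ID 13 (RegistryEvent, value set)."""
import ntpath
import re

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$", re.I)
# Assumption: software that legitimately registers an autorun installs to Program Files,
# Windows or a per-user application directory, not to scratch locations like these.
SCRATCH_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\downloads\\", "\\users\\public\\")
EXE_RE = re.compile(r"(.+?\.(?:exe|dll|scr|com|bat|cmd|vbs|js|ps1))(?:\s|$)", re.I)


def image_path(value_data):
    """Pull the program path out of Run-value data: a quoted path, or a bare path up to the
    first extension-terminated token so trailing arguments are not taken as part of it."""
    data = value_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = EXE_RE.match(data)
    return m.group(1) if m else data


def assess_run_value(event):
    """Return the reasons this registry write deserves a look; an empty list means unremarkable."""
    reasons = []
    target = event["TargetObject"]
    if event.get("EventType") != "SetValue" or not RUN_KEY_RE.search(ntpath.dirname(target)):
        return reasons
    value_name = ntpath.basename(target)
    data = event.get("Details", "")
    path = image_path(data)
    if any(d in path.lower() for d in SCRATCH_DIRS):
        reasons.append(f"autorun image sits in a scratch directory: {path}")
    if " " in path and not data.strip().startswith('"'):
        reasons.append("unquoted image path containing spaces")
    stem = ntpath.splitext(ntpath.basename(path))[0]
    if stem.lower() != value_name.lower():
        reasons.append(f"value name {value_name!r} does not match image name {stem!r}")
    if ntpath.normcase(event.get("Image", "")) == ntpath.normcase(path):
        reasons.append("the autorun image registered itself (writing process == image)")
    return reasons


def triage(events):
    """Map TargetObject -> reasons for every event that raised at least one."""
    hits = {}
    for e in events:
        reasons = assess_run_value(e)
        if reasons:
            hits[e["TargetObject"]] = reasons
    return hits


SAMPLE_PATH = r"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\1ace4a0d623355da2f5f302af70bffc2.exe"
# Constructed events: the first reproduces the Run-key write from this report; the Contoso
# and Acme Tools entries are made-up benign or borderline cases for contrast.
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": SAMPLE_PATH,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KMService",
     "Details": f'"{SAMPLE_PATH}"'},
    {"EventType": "SetValue", "Image": r"C:\Program Files\Contoso\Setup.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ContosoAgent",
     "Details": r'"C:\Program Files\Contoso\ContosoAgent.exe" --tray'},
    {"EventType": "SetValue", "Image": r"C:\Program Files\Contoso\ContosoAgent.exe",
     "TargetObject": r"HKCU\Software\Contoso\Settings\LastRun", "Details": "2021-05-04"},
    {"EventType": "SetValue", "Image": r"C:\Program Files\Acme Tools\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Program Files\Acme Tools\updater.exe /silent"},
]

if __name__ == "__main__":
    for target, reasons in triage(SAMPLE_EVENTS).items():
        print(target)
        for r in reasons:
            print("   -", r)
```

The report's write trips three of the four checks (scratch directory, name mismatch, self-registration), the Contoso installer trips none, and the Acme updater trips only the unquoted-path check, which is the kind of low-severity hit you would route to a hygiene queue rather than an incident.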
Attempts to detect Cuckoo Sandbox through the presence of a file (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\VirtualBox Dropped Files\2021-04-11T13_11_43.130072200Z\agent.pyw
agent.pyw is the Cuckoo guest agent, and the "VirtualBox Dropped Files" folder it sits in is itself a VirtualBox drag-and-drop artifact. The report does not show which API performed the check or what the sample did with the answer; the file did exist in this VM, and the sample still went on to install persistence and run until it crashed, so the check, if that is what it was, did not stop it.

File has been identified by 50 antivirus engines on VirusTotal as malicious (50 events)
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.MSILPerseus.194717
McAfee GenericRXLJ-FS!1ACE4A0D6233
Cylance Unsafe
Sangfor Malware
Alibaba TrojanBanker:Win32/ClipBanker.9a1787ee
Cybereason malicious.44b554
Arcabit Trojan.MSILPerseus.D2F89D
Invincea Mal/Generic-S
Cyren W32/Trojan.PKWU-8526
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:Malware-gen
Kaspersky HEUR:Trojan-Banker.MSIL.ClipBanker.gen
BitDefender Gen:Variant.MSILPerseus.194717
NANO-Antivirus Trojan.Win32.MSILPerseus.hnztdj
Paloalto generic.ml
Ad-Aware Gen:Variant.MSILPerseus.194717
Emsisoft Gen:Variant.MSILPerseus.194717 (B)
Comodo Malware@#uaigr3tqmde2
F-Secure Trojan.TR/Redcap.wlsnk
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R002C0WGD20
McAfee-GW-Edition GenericRXLJ-FS!1ACE4A0D6233
FireEye Generic.mg.1ace4a0d623355da
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.Injector
eGambit Unsafe.AI_Score_100%
Avira TR/Redcap.wlsnk
MAX malware (ai score=87)
Microsoft Trojan:Win32/Ymacco.AA8D
AegisLab Trojan.MSIL.ClipBanker.7!c
ZoneAlarm HEUR:Trojan-Banker.MSIL.ClipBanker.gen
GData Gen:Variant.MSILPerseus.194717
Cynet Malicious (score: 85)
BitDefenderTheta Gen:NN.ZemsilF.34590.jq0@aeaOEfp
ALYac Gen:Variant.MSILPerseus.194717
VBA32 TScope.Trojan.MSIL
ESET-NOD32 a variant of Generik.MRBEULU
TrendMicro-HouseCall TROJ_GEN.R002C0WGD20
Rising Malware.Strealer!8.1EF (TFE:C:dG2kMWxKlnS)
Yandex Trojan.Agent!SfBRguhCaVs
SentinelOne DFI - Malicious PE
MaxSecure Trojan.Malware.73489558.susgen
Fortinet W32/ClipBanker!tr
Webroot W32.Trojan.MSIL.ClipBanker
AVG Win32:Malware-gen
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_100% (W)
Qihoo-360 Generic/Trojan.f6f
Recurring family names in the list: ClipBanker (Alibaba, Kaspersky, ZoneAlarm, AegisLab, Fortinet, Webroot), MSILPerseus (MicroWorld-eScan, BitDefender, Arcabit, NANO-Antivirus, Ad-Aware, Emsisoft, GData, ALYac), Redcap (F-Secure, Avira) and Ymacco (Microsoft). The MSIL tags (also Ikarus Trojan.MSIL.Injector, VBA32 TScope.Trojan.MSIL) agree with the import table below: this is a .NET assembly.
Visual analysis

Binary image: none; no binary visualization was generated for this sample.
Runtime screenshots: none; no screenshots were captured while the sample ran.

PE Compile Time

2020-07-05 19:18:12

Imports

Library mscoree.dll:
0x402000 _CorExeMain
A single native import, mscoree.dll!_CorExeMain, is the hallmark of a managed (.NET) executable: the entry point hands control to the CLR and the program itself is IL in the metadata. Static triage should therefore continue with a .NET decompiler rather than the native import table (the MSIL tags in the engine names above say the same).

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source port  Destination                     Destination port
192.168.56.101  50002        114.114.114.114                 53
192.168.56.101  53237        114.114.114.114                 53
192.168.56.101  57756        114.114.114.114                 53
192.168.56.101  58367        114.114.114.114                 53
192.168.56.101  62318        114.114.114.114                 53
192.168.56.101  137          192.168.56.255                  137
192.168.56.101  138          192.168.56.255                  138
192.168.56.101  123          20.189.79.72 time.windows.com   123
192.168.56.101  49235        224.0.0.252                     5355
192.168.56.101  50534        224.0.0.252                     5355
192.168.56.101  51963        224.0.0.252                     5355
192.168.56.101  53657        224.0.0.252                     5355
192.168.56.101  56804        224.0.0.252                     5355
192.168.56.101  57874        224.0.0.252                     5355
192.168.56.101  62191        224.0.0.252                     5355
192.168.56.101  63429        224.0.0.252                     5355
192.168.56.101  1900         239.255.255.250                 1900
192.168.56.101  50003        239.255.255.250                 3702
192.168.56.101  50005        239.255.255.250                 3702
192.168.56.101  51966        239.255.255.250                 1900

Every UDP flow here is sandbox or OS background traffic: DNS to 114.114.114.114 (the guest's configured resolver; the queried names are not listed, so the lookups cannot be tied to the sample), NetBIOS name and datagram broadcasts (137/138), NTP to time.windows.com, LLMNR multicast (224.0.0.252:5355), SSDP (239.255.255.250:1900) and WS-Discovery (239.255.255.250:3702). No flow to 172.217.24.14 appears, so the "no DNS query" indicator above has no corroborating packet in this capture.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

No dropped files.
No dropped buffers.