2.2
Medium risk

e9e09d0e33795a1f4ef502bccd1b769f191affab7ff29e1a986a447832f8f5db

1e6b711db4b3a4a89cc6c10967479c90.exe

Analysis time

17s

Last analyzed

File size

587.0KB
Static detection, Dynamic detection, AIDETECT, CONFIDENCE, MALWARE2, ROZENA, STATIC AI, SUSPICIOUS PE, XFRTYCDL1R0
Hawkeye engine
Not detected: no Hawkeye engine detection result yet
Static verdict
Anti-virus engines
Engine       Result                            Scan date  Engine version
McAfee       -                                 20210312   6.0.6.653
Alibaba      -                                 20190527   0.3.0.5
CrowdStrike  win/malicious_confidence_60% (W)  20210203   1.0
Baidu        -                                 20190318   1.0.0.2
Avast        -                                 20210312   21.1.5827.0
Kingsoft     -                                 20210312   2017.9.26.565
Tencent      -                                 20210312   1.0.0.1
Static indicators
Command line console output was observed (50 out of 52 events)
Time               API            Arguments                                                                                              Status   Return  Repeated
1620119613.409762  WriteConsoleA  buffer: Plink: command-line connection utility; console_handle: 0x00000007                             success  1       0
1620119613.409762  WriteConsoleA  buffer: Release 0.73; console_handle: 0x00000007                                                       success  1       0
1620119613.409762  WriteConsoleA  buffer: Usage: plink [options] [user@]host [command]; console_handle: 0x00000007                       success  1       0
1620119613.409762  WriteConsoleA  buffer: ("host" can also be a PuTTY saved session name); console_handle: 0x00000007                    success  1       0
1620119613.409762  WriteConsoleA  buffer: Options:; console_handle: 0x00000007                                                           success  1       0
1620119613.409762  WriteConsoleA  buffer: -V print version information and exit; console_handle: 0x00000007                              success  1       0
1620119613.409762  WriteConsoleA  buffer: -pgpfp print PGP key fingerprints and exit; console_handle: 0x00000007                         success  1       0
1620119613.409762  WriteConsoleA  buffer: -v show verbose messages; console_handle: 0x00000007                                           success  1       0
1620119613.409762  WriteConsoleA  buffer: -load sessname Load settings from saved session; console_handle: 0x00000007                    success  1       0
1620119613.409762  WriteConsoleA  buffer: -ssh -telnet -rlogin -raw -serial; console_handle: 0x00000007                                  success  1       0
1620119613.424762  WriteConsoleA  buffer: force use of a particular protocol; console_handle: 0x00000007                                 success  1       0
1620119613.424762  WriteConsoleA  buffer: -P port connect to specified port; console_handle: 0x00000007                                  success  1       0
1620119613.424762  WriteConsoleA  buffer: -l user connect with specified username; console_handle: 0x00000007                            success  1       0
1620119613.424762  WriteConsoleA  buffer: -batch disable all interactive prompts; console_handle: 0x00000007                             success  1       0
1620119613.424762  WriteConsoleA  buffer: -proxycmd command; console_handle: 0x00000007                                                  success  1       0
1620119613.424762  WriteConsoleA  buffer: use 'command' as local proxy; console_handle: 0x00000007                                       success  1       0
1620119613.424762  WriteConsoleA  buffer: -sercfg configuration-string (e.g. 19200,8,n,1,X); console_handle: 0x00000007                  success  1       0
1620119613.424762  WriteConsoleA  buffer: Specify the serial configuration (serial only); console_handle: 0x00000007                     success  1       0
1620119613.424762  WriteConsoleA  buffer: The following options only apply to SSH connections:; console_handle: 0x00000007              success  1       0
1620119613.424762  WriteConsoleA  buffer: -pw passw login with specified password; console_handle: 0x00000007                            success  1       0
1620119613.424762  WriteConsoleA  buffer: -D [listen-IP:]listen-port; console_handle: 0x00000007                                         success  1       0
1620119613.424762  WriteConsoleA  buffer: Dynamic SOCKS-based port forwarding; console_handle: 0x00000007                                success  1       0
1620119613.424762  WriteConsoleA  buffer: -L [listen-IP:]listen-port:host:port; console_handle: 0x00000007                               success  1       0
1620119613.424762  WriteConsoleA  buffer: Forward local port to remote address; console_handle: 0x00000007                               success  1       0
1620119613.424762  WriteConsoleA  buffer: -R [listen-IP:]listen-port:host:port; console_handle: 0x00000007                               success  1       0
1620119613.424762  WriteConsoleA  buffer: Forward remote port to local address; console_handle: 0x00000007                               success  1       0
1620119613.424762  WriteConsoleA  buffer: -X -x enable / disable X11 forwarding; console_handle: 0x00000007                              success  1       0
1620119613.424762  WriteConsoleA  buffer: -A -a enable / disable agent forwarding; console_handle: 0x00000007                            success  1       0
1620119613.424762  WriteConsoleA  buffer: -t -T enable / disable pty allocation; console_handle: 0x00000007                              success  1       0
1620119613.424762  WriteConsoleA  buffer: -1 -2 force use of particular protocol version; console_handle: 0x00000007                     success  1       0
1620119613.424762  WriteConsoleA  buffer: -4 -6 force use of IPv4 or IPv6; console_handle: 0x00000007                                   success  1       0
1620119613.424762  WriteConsoleA  buffer: -C enable compression; console_handle: 0x00000007                                              success  1       0
1620119613.424762  WriteConsoleA  buffer: -i key private key file for user authentication; console_handle: 0x00000007                   success  1       0
1620119613.424762  WriteConsoleA  buffer: -noagent disable use of Pageant; console_handle: 0x00000007                                    success  1       0
1620119613.424762  WriteConsoleA  buffer: -agent enable use of Pageant; console_handle: 0x00000007                                       success  1       0
1620119613.424762  WriteConsoleA  buffer: -noshare disable use of connection sharing; console_handle: 0x00000007                         success  1       0
1620119613.424762  WriteConsoleA  buffer: -share enable use of connection sharing; console_handle: 0x00000007                            success  1       0
1620119613.424762  WriteConsoleA  buffer: -hostkey aa:bb:cc:...; console_handle: 0x00000007                                              success  1       0
1620119613.424762  WriteConsoleA  buffer: manually specify a host key (may be repeated); console_handle: 0x00000007                      success  1       0
1620119613.424762  WriteConsoleA  buffer: -sanitise-stderr, -sanitise-stdout, -no-sanitise-stderr, -no-sanitise-stdout; console_handle: 0x00000007  success  1       0
1620119613.424762  WriteConsoleA  buffer: do/don't strip control chars from standard output/error; console_handle: 0x00000007           success  1       0
1620119613.424762  WriteConsoleA  buffer: -no-antispoof omit anti-spoofing prompt after authentication; console_handle: 0x00000007      success  1       0
1620119613.440762  WriteConsoleA  buffer: -m file read remote command(s) from file; console_handle: 0x00000007                           success  1       0
1620119613.440762  WriteConsoleA  buffer: -s remote command is an SSH subsystem (SSH-2 only); console_handle: 0x00000007                success  1       0
1620119613.440762  WriteConsoleA  buffer: -N don't start a shell/command (SSH-2 only); console_handle: 0x00000007                        success  1       0
1620119613.440762  WriteConsoleA  buffer: -nc host:port; console_handle: 0x00000007                                                      success  1       0
1620119613.440762  WriteConsoleA  buffer: open tunnel in place of session (SSH-2 only); console_handle: 0x00000007                       success  1       0
1620119613.440762  WriteConsoleA  buffer: -sshlog file; console_handle: 0x00000007                                                       success  1       0
1620119613.456762  WriteConsoleA  buffer: -sshrawlog file; console_handle: 0x00000007                                                    success  1       0
1620119613.456762  WriteConsoleA  buffer: log protocol details to a file; console_handle: 0x00000007                                     success  1       0
This executable is signed
The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)
section .00cfg
section .gfids
Behavioral verdict
Dynamic indicators
File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)
Engine       Detection
Bkav         W32.AIDetect.malware2
CrowdStrike  win/malicious_confidence_60% (W)
Yandex       Trojan.Rozena!XFrTycDL1R0
SentinelOne  Static AI - Suspicious PE
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while this sample ran


PE Compile Time

2019-09-22 17:28:30

Imports

Library ADVAPI32.dll:
0x487e68 CopySid
0x487e6c EqualSid
0x487e70 GetLengthSid
0x487e74 GetUserNameA
0x487e7c RegCloseKey
0x487e80 RegCreateKeyA
0x487e84 RegOpenKeyA
0x487e88 RegQueryValueExA
0x487e8c RegSetValueExA
Library USER32.dll:
0x487e9c FindWindowA
0x487ea0 GetCapture
0x487ea4 GetClipboardOwner
0x487ea8 GetCursorPos
0x487eac GetForegroundWindow
0x487eb0 GetQueueStatus
0x487eb8 PeekMessageA
0x487ebc SendMessageA
Library KERNEL32.dll:
0x487ec4 ClearCommBreak
0x487ec8 CloseHandle
0x487ecc CompareStringW
0x487ed0 ConnectNamedPipe
0x487ed4 CreateEventA
0x487ed8 CreateFileA
0x487edc CreateFileMappingA
0x487ee0 CreateFileW
0x487ee4 CreateMutexA
0x487ee8 CreateNamedPipeA
0x487eec CreatePipe
0x487ef0 CreateProcessA
0x487ef4 CreateThread
0x487ef8 DecodePointer
0x487f00 DeleteFileA
0x487f08 EnumSystemLocalesW
0x487f0c ExitProcess
0x487f10 FindClose
0x487f14 FindFirstFileA
0x487f18 FindFirstFileExA
0x487f1c FindNextFileA
0x487f20 FlushFileBuffers
0x487f24 FormatMessageA
0x487f2c FreeLibrary
0x487f30 GetACP
0x487f34 GetCPInfo
0x487f38 GetCommState
0x487f3c GetCommandLineA
0x487f40 GetCommandLineW
0x487f44 GetConsoleCP
0x487f48 GetConsoleMode
0x487f4c GetCurrentProcess
0x487f50 GetCurrentProcessId
0x487f54 GetCurrentThread
0x487f58 GetCurrentThreadId
0x487f5c GetDateFormatW
0x487f6c GetFileType
0x487f70 GetLastError
0x487f74 GetLocalTime
0x487f78 GetLocaleInfoW
0x487f7c GetModuleFileNameA
0x487f80 GetModuleFileNameW
0x487f84 GetModuleHandleExW
0x487f88 GetModuleHandleW
0x487f8c GetOEMCP
0x487f90 GetOverlappedResult
0x487f94 GetProcAddress
0x487f98 GetProcessHeap
0x487f9c GetProcessTimes
0x487fa0 GetStartupInfoW
0x487fa4 GetStdHandle
0x487fa8 GetStringTypeW
0x487fac GetSystemDirectoryA
0x487fb4 GetThreadTimes
0x487fb8 GetTickCount
0x487fbc GetTimeFormatW
0x487fc4 GetUserDefaultLCID
0x487fcc GlobalMemoryStatus
0x487fd0 HeapAlloc
0x487fd4 HeapFree
0x487fd8 HeapReAlloc
0x487fdc HeapSize
0x487fe4 InitializeSListHead
0x487fe8 IsDebuggerPresent
0x487ff0 IsValidCodePage
0x487ff4 IsValidLocale
0x487ff8 LCMapStringW
0x488000 LoadLibraryA
0x488004 LoadLibraryExA
0x488008 LoadLibraryExW
0x48800c LocalAlloc
0x488014 LocalFree
0x488018 MapViewOfFile
0x48801c MultiByteToWideChar
0x488020 OpenProcess
0x488024 OutputDebugStringW
0x48802c RaiseException
0x488030 ReadConsoleW
0x488034 ReadFile
0x488038 ReleaseMutex
0x48803c RtlUnwind
0x488040 SetCommBreak
0x488044 SetCommState
0x488048 SetCommTimeouts
0x48804c SetConsoleMode
0x488050 SetEndOfFile
0x488058 SetEvent
0x48805c SetFilePointerEx
0x488064 SetLastError
0x488068 SetStdHandle
0x488070 TerminateProcess
0x488074 TlsAlloc
0x488078 TlsFree
0x48807c TlsGetValue
0x488080 TlsSetValue
0x488088 UnmapViewOfFile
0x48808c WaitForSingleObject
0x488094 WaitNamedPipeA
0x488098 WideCharToMultiByte
0x48809c WriteConsoleW
0x4880a0 WriteFile

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source port  Destination                      Destination port
192.168.56.101  49235        114.114.114.114                  53
192.168.56.101  50534        114.114.114.114                  53
192.168.56.101  56539        114.114.114.114                  53
192.168.56.101  58367        114.114.114.114                  53
192.168.56.101  65004        114.114.114.114                  53
192.168.56.101  137          192.168.56.255                   137
192.168.56.101  123          20.189.79.72 (time.windows.com)  123
192.168.56.101  55368        224.0.0.252                      5355
192.168.56.101  56804        224.0.0.252                      5355
192.168.56.101  60123        224.0.0.252                      5355
192.168.56.101  62191        224.0.0.252                      5355
192.168.56.101  1900         239.255.255.250                  1900
192.168.56.101  56540        239.255.255.250                  3702
192.168.56.101  56807        239.255.255.250                  1900
192.168.56.101  58368        239.255.255.250                  3702
192.168.56.101  58707        239.255.255.250                  3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files

No dropped files.

Dropped buffers

No dropped buffers.