5.6
High risk

6c128029b6b3128fc0a632325716e76882929a50cdb2bb1809d3bb9c3400c1da

2140fa5d7b9799daadcf5d4b78d1e368.exe

Analysis time

48s

Last analyzed

File size

277.7KB
Static detection Dynamic detection 100% AI SCORE=88 CONFIDENCE CRYPTINJECT DISFA DOWNLOADER33 GDSDA GENERICKD HIGH CONFIDENCE HNUM KRYPTIK MALICIOUS PE MODERATE MULTIPACKED NYMK R017C0GD220 RQ2@AIQX25FG SCORE SUSGEN TSCOPE UNSAFE XTGMOJ5PIRC ZEMSILF
HawkEye engine
Not detected: no HawkEye engine results available
Static verdict
Antivirus engines
Engine Result Scan date Engine version
McAfee RDN/Generic.grp 20200429 6.0.6.653
Alibaba Trojan:MSIL/CryptInject.8c419b0e 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20200428 18.4.3895.0
Kingsoft 20200429 2013.8.14.323
Tencent Msil.Trojan.Disfa.Hnum 20200429 1.0.0.1
Static indicators
Checks if process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1619268801.678352
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
This executable is signed
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619268801.912352
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .sdata
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1619268833.912352
__exception__
stacktrace:
0x7ff00184c5d
0x7ff00184b6b
0x7ff00184a3a
0x7ff001849d9
0x7ff00183cf5
0x7ff00180203
IEE+0xda16 GetUserStore-0xa7e mscorwks+0x2c1612 @ 0x7fef1cb1612
CreateAssemblyNameObject+0x5cbb CompareAssemblyIdentity-0x6ff9 mscorwks+0x1eee13 @ 0x7fef1bdee13
CreateAssemblyNameObject+0x5b6e CompareAssemblyIdentity-0x7146 mscorwks+0x1eecc6 @ 0x7fef1bdecc6
StrongNameTokenFromPublicKey+0x80537 CreateAssemblyNameObject-0x1b6f1 mscorwks+0x1cda67 @ 0x7fef1bbda67
StrongNameTokenFromPublicKey+0x743ad CreateAssemblyNameObject-0x2787b mscorwks+0x1c18dd @ 0x7fef1bb18dd
PreBindAssembly+0x24978 LoadStringRC-0x7a568 mscorwks+0x646b38 @ 0x7fef2036b38
PreBindAssembly+0x10032 LoadStringRC-0x8eeae mscorwks+0x6321f2 @ 0x7fef20221f2
StrongNameTokenFromPublicKey+0x7a42a CreateAssemblyNameObject-0x217fe mscorwks+0x1c795a @ 0x7fef1bb795a
IEE+0xd8fb GetUserStore-0xb99 mscorwks+0x2c14f7 @ 0x7fef1cb14f7
0x7ff001801a5
IEE+0xda16 GetUserStore-0xa7e mscorwks+0x2c1612 @ 0x7fef1cb1612
CreateAssemblyNameObject+0x5cbb CompareAssemblyIdentity-0x6ff9 mscorwks+0x1eee13 @ 0x7fef1bdee13
CreateAssemblyNameObject+0x5b6e CompareAssemblyIdentity-0x7146 mscorwks+0x1eecc6 @ 0x7fef1bdecc6
StrongNameTokenFromPublicKey+0x80537 CreateAssemblyNameObject-0x1b6f1 mscorwks+0x1cda67 @ 0x7fef1bbda67
StrongNameTokenFromPublicKey+0x743ad CreateAssemblyNameObject-0x2787b mscorwks+0x1c18dd @ 0x7fef1bb18dd
PreBindAssembly+0x24978 LoadStringRC-0x7a568 mscorwks+0x646b38 @ 0x7fef2036b38
CompareAssemblyIdentity+0xebe3 StrongNameFreeBuffer-0x6421 mscorwks+0x2049ef @ 0x7fef1bf49ef
CreateAssemblyNameObject+0x7e97 CompareAssemblyIdentity-0x4e1d mscorwks+0x1f0fef @ 0x7fef1be0fef
CreateAssemblyNameObject+0x297f CompareAssemblyIdentity-0xa335 mscorwks+0x1ebad7 @ 0x7fef1bdbad7
CreateAssemblyNameObject+0x2494 CompareAssemblyIdentity-0xa820 mscorwks+0x1eb5ec @ 0x7fef1bdb5ec
CreateAssemblyNameObject+0x9d7f CompareAssemblyIdentity-0x2f35 mscorwks+0x1f2ed7 @ 0x7fef1be2ed7
StrongNameErrorInfo-0x20114 mscorwks+0xd71f4 @ 0x7fef1ac71f4
GetAssemblyIdentityFromFile+0x19405 LegacyNGenFreeZapper-0x17cab mscorwks+0x787c85 @ 0x7fef2177c85
StrongNameErrorInfo-0x10ded mscorwks+0xe651b @ 0x7fef1ad651b
_CorExeMain+0xac GetCLRFunction-0x72b8 mscorwks+0x103e60 @ 0x7fef1af3e60
_CorExeMain+0x49 CreateConfigStream-0x307 mscoreei+0x3309 @ 0x7fef4133309
_CorExeMain+0x69 ND_RU1-0x1707 mscoree+0x5b21 @ 0x7fef41c5b21
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x77a4652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x77b7c521

registers.r14: 0
registers.r9: 0
registers.rcx: 301771
registers.rsi: 0
registers.r10: 8791798267424
registers.rbx: 0
registers.rdi: 0
registers.r11: 40767240
registers.r8: 0
registers.rdx: 40750736
registers.rbp: 0
registers.r15: 0
registers.r12: 0
registers.rsp: 2685488
registers.rax: 40767240
registers.r13: 0
exception.instruction_r: 80 3b 00 48 8b 03 48 c7 44 24 28 00 00 00 00 4c
exception.instruction: cmp byte ptr [rbx], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7ff00184c5d
success 0 0
Behavioral verdict
Dynamic indicators
Performs some HTTP requests (3 events)
request GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
request GET http://t2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEHGgtzaV3bGvwjsrmhjuVMs%3D
request GET http://tl.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSFBjxN%2BWY73bfUnSOp7HDKJ%2Fbx0wQUV4abVLi%2BpimK5PbC4hMYiYXN3LcCECAIpN%2FOILCUXgEDH8pUz9w%3D
Allocates read-write-execute memory (usually to unpack itself) (42 events)
Time & API Arguments Status Return Repeated
1619268800.224352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 2555904
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x0000000000790000
success 0 0
1619268800.224352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000000980000
success 0 0
1619268801.271352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a31000
success 0 0
1619268801.568352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1cae000
success 0 0
1619268801.584352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1cae000
success 0 0
1619268801.693352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1caf000
success 0 0
1619268801.693352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1caf000
success 0 0
1619268801.693352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1caf000
success 0 0
1619268801.693352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1caf000
success 0 0
1619268801.693352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1caf000
success 0 0
1619268801.693352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1caf000
success 0 0
1619268801.693352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1caf000
success 0 0
1619268801.693352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1caf000
success 0 0
1619268801.693352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1cb0000
success 0 0
1619268801.693352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1cb0000
success 0 0
1619268801.693352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1cb0000
success 0 0
1619268801.693352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1cb0000
success 0 0
1619268801.693352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1cb0000
success 0 0
1619268801.693352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1cb1000
success 0 0
1619268801.693352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1cb1000
success 0 0
1619268801.709352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1cb1000
success 0 0
1619268801.709352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1cb1000
success 0 0
1619268801.709352
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1cae000
success 0 0
1619268802.099352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00032000
success 0 0
1619268830.990352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x000007fffff00000
success 0 0
1619268830.990352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007fffff00000
success 0 0
1619268831.006352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007fffff00000
success 0 0
1619268831.006352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x000007ffffef0000
success 0 0
1619268831.006352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ffffef0000
success 0 0
1619268831.006352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000ea000
success 0 0
1619268831.021352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00022000
success 0 0
1619268831.396352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00033000
success 0 0
1619268831.396352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000fa000
success 0 0
1619268831.412352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00122000
success 0 0
1619268831.412352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000fd000
success 0 0
1619268831.443352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0003c000
success 0 0
1619268831.709352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000e2000
success 0 0
1619268832.740352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000e3000
success 0 0
1619268832.834352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00034000
success 0 0
1619268832.896352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00180000
success 0 0
1619268832.912352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00035000
success 0 0
1619268833.334352
NtAllocateVirtualMemory
process_identifier: 472
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00181000
success 0 0
Foreign language identified in PE resource (1 event)
name RT_VERSION language LANG_KOREAN offset 0x000457d4 filetype data sublanguage SUBLANG_KOREAN size 0x00000240
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619268805.349352
GetAdaptersAddresses
flags: 15
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (1 event)
entropy 7.97659424142205 section {'size_of_data': '0x00009c00', 'virtual_address': '0x0001e000', 'entropy': 7.97659424142205, 'name': '.sdata', 'virtual_size': '0x00009a40'} description A section with a high entropy has been found
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Attempts to create or modify system certificates (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)
MicroWorld-eScan Trojan.GenericKD.32464340
McAfee RDN/Generic.grp
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 004af9b61 )
Alibaba Trojan:MSIL/CryptInject.8c419b0e
K7GW Trojan ( 004af9b61 )
CrowdStrike win/malicious_confidence_100% (W)
TrendMicro TROJ_GEN.R017C0GD220
Cyren W32/Trojan.NYMK-2150
ESET-NOD32 a variant of MSIL/Kryptik.TKN
APEX Malicious
Paloalto generic.ml
GData Trojan.GenericKD.32464340
Kaspersky HEUR:Trojan.MSIL.Disfa.gen
BitDefender Trojan.GenericKD.32464340
AegisLab Trojan.MSIL.Disfa.4!c
Avast Win32:Trojan-gen
Ad-Aware Trojan.GenericKD.32464340
Sophos Mal/Generic-S
F-Secure Trojan.TR/Dropper.Gen
DrWeb Trojan.DownLoader33.25730
Zillya Trojan.MultiPacked.Win32.264
Invincea heuristic
McAfee-GW-Edition RDN/Generic.grp
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.2140fa5d7b9799da
Emsisoft Trojan.GenericKD.32464340 (B)
Ikarus Trojan.MSIL.Injector
MaxSecure Trojan.Malware.73686406.susgen
Avira TR/Dropper.Gen
Antiy-AVL Trojan/MSIL.Disfa
Endgame malicious (high confidence)
Arcabit Trojan.Generic.D1EF5DD4
ViRobot Trojan.Win32.Z.Agent.284409
ZoneAlarm HEUR:Trojan.MSIL.Disfa.gen
Microsoft Trojan:MSIL/CryptInject!MSR
AhnLab-V3 PUP/Win32.RL_Generic.C3500565
Acronis suspicious
BitDefenderTheta Gen:NN.ZemsilF.34108.rq2@aiqx25fG
ALYac Trojan.GenericKD.32464340
MAX malware (ai score=88)
VBA32 TScope.Trojan.MSIL
TrendMicro-HouseCall TROJ_GEN.R017C0GD220
Tencent Msil.Trojan.Disfa.Hnum
Yandex Trojan.Kryptik!xTgmoJ5pIRc
SentinelOne DFI - Malicious PE
eGambit Unsafe.AI_Score_88%
Fortinet MSIL/Disfa.TKN!tr
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran


PE Compile Time

2019-02-22 21:02:26

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49177 124.225.105.97 www.download.windowsupdate.com 80
192.168.56.101 49181 23.51.123.27 tl.symcd.com 80
192.168.56.101 49180 23.65.11.27 t2.symcb.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53380 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 54178 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57236 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://tl.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSFBjxN%2BWY73bfUnSOp7HDKJ%2Fbx0wQUV4abVLi%2BpimK5PbC4hMYiYXN3LcCECAIpN%2FOILCUXgEDH8pUz9w%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSFBjxN%2BWY73bfUnSOp7HDKJ%2Fbx0wQUV4abVLi%2BpimK5PbC4hMYiYXN3LcCECAIpN%2FOILCUXgEDH8pUz9w%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: tl.symcd.com

http://t2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEHGgtzaV3bGvwjsrmhjuVMs%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEHGgtzaV3bGvwjsrmhjuVMs%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: t2.symcb.com

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.