8.8
极危
57 个模型检测该样本为恶意!
重新分析
更多

2bff2eb9a8f7c497688208e9031adfc146bad406453325a3eeeb052f840e163f

237cef094a2dee443dabf8969f23fb19.exe

分析耗时

83s

最近分析

文件大小

806.0KB
静态报毒 动态报毒 AGENTTESLA AI SCORE=83 ATTRIBUTE AWVW CLOUD CONFIDENCE ELDORADO ERFB FAREIT FYTSFT9M+ GDSDA GENKRYPTIK HGIASOQA HIGH CONFIDENCE HIGHCONFIDENCE HPSE HTQNVX KCLOUD KRYPTIK MALWARE@#2CCT6A09JIH80 MALWAREX MSILPERSEUS NOON PACKED2 R349403 REMCOS SAVE SCORE STATIC AI SUSGEN SUSPICIOUS PE TSCOPE UNSAFE YAKBEEXMSIL YM0@A45IRGD YPDHQ ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba TrojanSpy:MSIL/AgentTesla.c220c769 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_90% (W) 20210203 1.0
Avast Win32:MalwareX-gen [Trj] 20210318 21.1.5827.0
Tencent Msil.Trojan-spy.Noon.Hpse 20210319 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft Win32.Troj.Undef.(kcloud) 20210319 2017.9.26.565
McAfee Fareit-FYE!237CEF094A2D 20210318 6.0.6.653
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619292009.9795
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (4 个事件)
Time & API Arguments Status Return Repeated
1619269228.290671
IsDebuggerPresent
failed 0 0
1619269228.290671
IsDebuggerPresent
failed 0 0
1619291997.6355
IsDebuggerPresent
failed 0 0
1619291997.6355
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619269228.322671
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 112 个事件)
Time & API Arguments Status Return Repeated
1619269227.337671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 1310720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x007e0000
success 0 0
1619269227.337671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008e0000
success 0 0
1619269227.744671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00620000
success 0 0
1619269227.744671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00670000
success 0 0
1619269227.931671
NtProtectVirtualMemory
process_identifier: 2296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619269228.290671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x007e0000
success 0 0
1619269228.290671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a0000
success 0 0
1619269228.290671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0063a000
success 0 0
1619269228.306671
NtProtectVirtualMemory
process_identifier: 2296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619269228.306671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00632000
success 0 0
1619269228.603671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00642000
success 0 0
1619269228.775671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00665000
success 0 0
1619269228.775671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0066b000
success 0 0
1619269228.775671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00667000
success 0 0
1619269228.884671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00643000
success 0 0
1619269228.994671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00644000
success 0 0
1619269229.009671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00645000
success 0 0
1619269229.025671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0064c000
success 0 0
1619269229.447671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00646000
success 0 0
1619269229.462671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00648000
success 0 0
1619269229.556671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00880000
success 0 0
1619269229.822671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0065a000
success 0 0
1619269229.822671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00657000
success 0 0
1619269229.931671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00649000
success 0 0
1619269229.947671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00890000
success 0 0
1619269230.165671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00656000
success 0 0
1619269230.228671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00881000
success 0 0
1619269230.228671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00891000
success 0 0
1619269230.290671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00892000
success 0 0
1619269230.337671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x7ef40000
success 0 0
1619269230.337671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef40000
success 0 0
1619269230.337671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef40000
success 0 0
1619269230.337671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef48000
success 0 0
1619269230.337671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x7ef30000
success 0 0
1619269230.337671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef30000
success 0 0
1619269230.384671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00882000
success 0 0
1619269230.587671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00893000
success 0 0
1619269230.603671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00883000
success 0 0
1619269282.072671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00884000
success 0 0
1619269282.134671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0064d000
success 0 0
1619269282.134671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00885000
success 0 0
1619269282.150671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00886000
success 0 0
1619269282.150671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00894000
success 0 0
1619269282.181671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00887000
success 0 0
1619269282.353671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00671000
success 0 0
1619269282.494671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0088b000
success 0 0
1619269282.525671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00895000
success 0 0
1619269282.525671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00896000
success 0 0
1619269282.525671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00897000
success 0 0
1619269282.525671
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00898000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.8087579512510255 section {'size_of_data': '0x000c8600', 'virtual_address': '0x00002000', 'entropy': 7.8087579512510255, 'name': '.text', 'virtual_size': '0x000c8418'} description A section with a high entropy has been found
entropy 0.9950341402855369 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619292009.4795
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619269282.869671
NtAllocateVirtualMemory
process_identifier: 1160
region_size: 360448
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000224
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619269282.869671
WriteProcessMemory
process_identifier: 1160
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELäO1_à  Î= @@ €@…t=W@P`  H.textÔ  `.rsrcP@ @@.reloc `&@B
process_handle: 0x00000224
base_address: 0x00400000
success 1 0
1619269282.869671
WriteProcessMemory
process_identifier: 1160
buffer:  €P€8€€h€ @ÄdCêÄ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°$StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0x,InternalNameAhbzCbFtjcKtqbLIIAJWrGrEdWFudlresjKSMhA.exe(LegalCopyright €,OriginalFilenameAhbzCbFtjcKtqbLIIAJWrGrEdWFudlresjKSMhA.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00000224
base_address: 0x00454000
success 1 0
1619269282.869671
WriteProcessMemory
process_identifier: 1160
buffer: 0 Ð=
process_handle: 0x00000224
base_address: 0x00456000
success 1 0
1619269282.869671
WriteProcessMemory
process_identifier: 1160
buffer: @
process_handle: 0x00000224
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619269282.869671
WriteProcessMemory
process_identifier: 1160
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELäO1_à  Î= @@ €@…t=W@P`  H.textÔ  `.rsrcP@ @@.reloc `&@B
process_handle: 0x00000224
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2296 called NtSetContextThread to modify thread in remote process 1160
Time & API Arguments Status Return Repeated
1619269282.869671
NtSetContextThread
thread_handle: 0x00000220
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4537806
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1160
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2296 resumed a thread in remote process 1160
Time & API Arguments Status Return Repeated
1619269283.150671
NtResumeThread
thread_handle: 0x00000220
suspend_count: 1
process_identifier: 1160
success 0 0
Generates some ICMP traffic
Executed a process and injected code into it, probably while unpacking (17 个事件)
Time & API Arguments Status Return Repeated
1619269228.290671
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2296
success 0 0
1619269228.306671
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 2296
success 0 0
1619269228.337671
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 2296
success 0 0
1619269282.853671
CreateProcessInternalW
thread_identifier: 2796
thread_handle: 0x00000220
process_identifier: 1160
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\237cef094a2dee443dabf8969f23fb19.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\237cef094a2dee443dabf8969f23fb19.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x00000224
inherit_handles: 0
success 1 0
1619269282.869671
NtGetContextThread
thread_handle: 0x00000220
success 0 0
1619269282.869671
NtAllocateVirtualMemory
process_identifier: 1160
region_size: 360448
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000224
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619269282.869671
WriteProcessMemory
process_identifier: 1160
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELäO1_à  Î= @@ €@…t=W@P`  H.textÔ  `.rsrcP@ @@.reloc `&@B
process_handle: 0x00000224
base_address: 0x00400000
success 1 0
1619269282.869671
WriteProcessMemory
process_identifier: 1160
buffer:
process_handle: 0x00000224
base_address: 0x00402000
success 1 0
1619269282.869671
WriteProcessMemory
process_identifier: 1160
buffer:  €P€8€€h€ @ÄdCêÄ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°$StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0x,InternalNameAhbzCbFtjcKtqbLIIAJWrGrEdWFudlresjKSMhA.exe(LegalCopyright €,OriginalFilenameAhbzCbFtjcKtqbLIIAJWrGrEdWFudlresjKSMhA.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00000224
base_address: 0x00454000
success 1 0
1619269282.869671
WriteProcessMemory
process_identifier: 1160
buffer: 0 Ð=
process_handle: 0x00000224
base_address: 0x00456000
success 1 0
1619269282.869671
WriteProcessMemory
process_identifier: 1160
buffer: @
process_handle: 0x00000224
base_address: 0x7efde008
success 1 0
1619269282.869671
NtSetContextThread
thread_handle: 0x00000220
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4537806
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1160
success 0 0
1619269283.150671
NtResumeThread
thread_handle: 0x00000220
suspend_count: 1
process_identifier: 1160
success 0 0
1619269283.150671
NtResumeThread
thread_handle: 0x00000240
suspend_count: 1
process_identifier: 2296
success 0 0
1619291997.6355
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1160
success 0 0
1619291997.6355
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 1160
success 0 0
1619291997.8075
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 1160
success 0 0
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)
Elastic malicious (high confidence)
DrWeb Trojan.Packed2.42555
Cynet Malicious (score: 100)
FireEye Generic.mg.237cef094a2dee44
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
ALYac Gen:Variant.MSILPerseus.231886
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2423581
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0056d5d31 )
Alibaba TrojanSpy:MSIL/AgentTesla.c220c769
K7GW Trojan ( 0056d5d31 )
CrowdStrike win/malicious_confidence_90% (W)
BitDefenderTheta Gen:NN.ZemsilF.34628.Ym0@a45IRGd
Cyren W32/MSIL_Kryptik.BLS.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Kryptik.XMD
APEX Malicious
Avast Win32:MalwareX-gen [Trj]
Kaspersky HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender Gen:Variant.MSILPerseus.231886
NANO-Antivirus Trojan.Win32.Noon.htqnvx
Paloalto generic.ml
ViRobot Trojan.Win32.Z.Kryptik.825344.S
MicroWorld-eScan Gen:Variant.MSILPerseus.231886
Tencent Msil.Trojan-spy.Noon.Hpse
Ad-Aware Gen:Variant.MSILPerseus.231886
Emsisoft Gen:Variant.MSILPerseus.231886 (B)
Comodo Malware@#2cct6a09jih80
VIPRE Trojan.Win32.Generic!BT
TrendMicro Backdoor.MSIL.REMCOS.SM
McAfee-GW-Edition Fareit-FYE!237CEF094A2D
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Jiangmin TrojanSpy.MSIL.awvw
Avira TR/Kryptik.ypdhq
MAX malware (ai score=83)
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Kryptik.oa
Microsoft Trojan:MSIL/AgentTesla.AR!MTB
AegisLab Trojan.MSIL.Noon.l!c
ZoneAlarm HEUR:Trojan-Spy.MSIL.Noon.gen
GData Gen:Variant.MSILPerseus.231886
AhnLab-V3 Trojan/Win32.Kryptik.R349403
McAfee Fareit-FYE!237CEF094A2D
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.MalPack.PNG.Generic
TrendMicro-HouseCall Backdoor.MSIL.REMCOS.SM
Rising Spyware.Noon!8.E7C9 (CLOUD)
Yandex Trojan.Kryptik!FyTsfT9M+/U
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-27 11:32:47

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.