7.2
高危
56 个模型检测该样本为恶意!
重新分析
更多

18271c11925b94e6310672889885575ab4786e36a4c404e478accf3cb24172be

249014fafb4ebd48fabc0b693b9c6843.exe

分析耗时

78s

最近分析

文件大小

523.5KB
静态报毒 动态报毒 100% AGEN AI SCORE=87 ATTRIBUTE CLASSIC CONFIDENCE DOWNEKS ELDORADO GDSDA GENERICRXIR GM0@AELCBFG HIGH CONFIDENCE HIGHCONFIDENCE HQVG MALICIOUS PE MALWARE@#2SKY56SG0QE53 MINTLUKS MSILFC PASSWORDSTEALERA QUASAR R03AC0DF520 S7085615 SCORE SUBTI TOOL UNSAFE ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee GenericRXIR-VO!249014FAFB4E 20200614 6.0.6.653
Alibaba Backdoor:MSIL/Quasar.c26a5450 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast MSIL:Rat-B [Trj] 20200614 18.4.3895.0
Tencent Msil.Backdoor.Quasar.Hqvg 20200614 1.0.0.1
Kingsoft 20200614 2013.8.14.323
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Checks if process is being debugged by a debugger (8 个事件)
Time & API Arguments Status Return Repeated
1620136631.513374
IsDebuggerPresent
failed 0 0
1620136631.513374
IsDebuggerPresent
failed 0 0
1620136649.404876
IsDebuggerPresent
failed 0 0
1620136649.419876
IsDebuggerPresent
failed 0 0
1620136666.388751
IsDebuggerPresent
failed 0 0
1620136666.404751
IsDebuggerPresent
failed 0 0
1620136682.216124
IsDebuggerPresent
failed 0 0
1620136682.216124
IsDebuggerPresent
failed 0 0
Command line console output was observed (11 个事件)
Time & API Arguments Status Return Repeated
1620136637.373124
WriteConsoleW
buffer: DONT CLOSE THIS WINDOW!
console_handle: 0x00000007
success 1 0
1620136649.888124
WriteConsoleW
buffer: The batch file cannot be found.
console_handle: 0x0000000b
success 1 0
1620136635.748499
WriteConsoleW
buffer: Active code page: 65001
console_handle: 0x00000013
success 1 0
1620136654.419751
WriteConsoleW
buffer: DONT CLOSE THIS WINDOW!
console_handle: 0x00000007
success 1 0
1620136666.716751
WriteConsoleW
buffer: The batch file cannot be found.
console_handle: 0x0000000b
success 1 0
1620136653.451249
WriteConsoleW
buffer: Active code page: 65001
console_handle: 0x00000013
success 1 0
1620136670.715999
WriteConsoleW
buffer: DONT CLOSE THIS WINDOW!
console_handle: 0x00000007
success 1 0
1620136682.512999
WriteConsoleW
buffer: The batch file cannot be found.
console_handle: 0x0000000b
success 1 0
1620136669.685249
WriteConsoleW
buffer: Active code page: 65001
console_handle: 0x00000013
success 1 0
1620136686.044249
WriteConsoleW
buffer: DONT CLOSE THIS WINDOW!
console_handle: 0x00000007
success 1 0
1620136685.294751
WriteConsoleW
buffer: Active code page: 65001
console_handle: 0x00000013
success 1 0
This executable has a PDB path (1 个事件)
pdb_path C:\Users\sanip\OneDrive\Desktop\QuasarRAT-master\bin\Debug\Client.all.pdb
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620136631.560374
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (50 out of 120 个事件)
Time & API Arguments Status Return Repeated
1620136630.638374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 917504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x002c0000
success 0 0
1620136630.638374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00360000
success 0 0
1620136631.060374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00ca0000
success 0 0
1620136631.060374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00e50000
success 0 0
1620136631.263374
NtProtectVirtualMemory
process_identifier: 2988
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1620136631.513374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 393216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00530000
success 0 0
1620136631.513374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00550000
success 0 0
1620136631.513374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0032a000
success 0 0
1620136631.513374
NtProtectVirtualMemory
process_identifier: 2988
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1620136631.513374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00322000
success 0 0
1620136632.060374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00332000
success 0 0
1620136632.373374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00355000
success 0 0
1620136632.373374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0035b000
success 0 0
1620136632.373374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00357000
success 0 0
1620136632.513374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00333000
success 0 0
1620136632.513374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00334000
success 0 0
1620136632.513374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00335000
success 0 0
1620136632.544374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0033c000
success 0 0
1620136632.982374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00336000
success 0 0
1620136632.998374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00338000
success 0 0
1620136633.107374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00600000
success 0 0
1620136633.279374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00551000
success 0 0
1620136633.294374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00552000
success 0 0
1620136633.732374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00339000
success 0 0
1620136633.826374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00346000
success 0 0
1620136633.904374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00620000
success 0 0
1620136633.904374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0034a000
success 0 0
1620136633.904374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00347000
success 0 0
1620136633.919374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00601000
success 0 0
1620136634.044374
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00e51000
success 0 0
1620136649.060876
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00350000
success 0 0
1620136649.060876
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00380000
success 0 0
1620136649.169876
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00a30000
success 0 0
1620136649.169876
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ac0000
success 0 0
1620136649.185876
NtProtectVirtualMemory
process_identifier: 1888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73801000
success 0 0
1620136649.404876
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00b00000
success 0 0
1620136649.404876
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b80000
success 0 0
1620136649.419876
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003fa000
success 0 0
1620136649.419876
NtProtectVirtualMemory
process_identifier: 1888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73802000
success 0 0
1620136649.419876
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f2000
success 0 0
1620136649.638876
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00402000
success 0 0
1620136649.716876
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a5000
success 0 0
1620136649.716876
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ab000
success 0 0
1620136649.716876
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a7000
success 0 0
1620136649.779876
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00403000
success 0 0
1620136649.779876
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00404000
success 0 0
1620136649.779876
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00405000
success 0 0
1620136649.810876
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0040c000
success 0 0
1620136649.935876
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00406000
success 0 0
1620136649.935876
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00408000
success 0 0
Creates executable files on the filesystem (4 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\0Ww6kZOevjNC.bat
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\wgKuCCKz9Rtb.bat
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\YdXRuVXKJnMQ.bat
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\jp6ACs3r7nYm.bat
Drops a binary and executes it (4 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\YdXRuVXKJnMQ.bat
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\wgKuCCKz9Rtb.bat
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\0Ww6kZOevjNC.bat
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\jp6ACs3r7nYm.bat
A process created a hidden window (4 个事件)
Time & API Arguments Status Return Repeated
1620136634.779374
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\YdXRuVXKJnMQ.bat
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\YdXRuVXKJnMQ.bat
show_type: 0
success 1 0
1620136651.873876
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\wgKuCCKz9Rtb.bat
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\wgKuCCKz9Rtb.bat
show_type: 0
success 1 0
1620136668.419751
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\0Ww6kZOevjNC.bat
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\0Ww6kZOevjNC.bat
show_type: 0
success 1 0
1620136683.951124
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\jp6ACs3r7nYm.bat
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\jp6ACs3r7nYm.bat
show_type: 0
success 1 0
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline ping -n 10 localhost
cmdline chcp 65001
网络通信
Communicates with host for which no DNS query was performed (3 个事件)
host 172.217.24.14
host 203.208.40.34
host 203.208.41.65
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\wgKuCCKz9Rtb.bat
Resumed a suspended thread in a remote process potentially indicative of process injection (6 个事件)
Process injection Process 2760 resumed a thread in remote process 1888
Process injection Process 2656 resumed a thread in remote process 2188
Process injection Process 3140 resumed a thread in remote process 3412
Time & API Arguments Status Return Repeated
1620136649.607124
NtResumeThread
thread_handle: 0x00000080
suspend_count: 0
process_identifier: 1888
success 0 0
1620136666.623751
NtResumeThread
thread_handle: 0x00000080
suspend_count: 0
process_identifier: 2188
success 0 0
1620136682.434999
NtResumeThread
thread_handle: 0x00000080
suspend_count: 0
process_identifier: 3412
success 0 0
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)
MicroWorld-eScan Generic.MSIL.PasswordStealerA.4EC6515B
FireEye Generic.mg.249014fafb4ebd48
CAT-QuickHeal Backdoor.MsilFC.S7085615
McAfee GenericRXIR-VO!249014FAFB4E
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 00562f821 )
Alibaba Backdoor:MSIL/Quasar.c26a5450
K7GW Spyware ( 004bf6371 )
Cybereason malicious.afb4eb
Arcabit Generic.MSIL.PasswordStealerA.4EC6515B
BitDefenderTheta Gen:NN.ZemsilF.34128.Gm0@aelCBfg
F-Prot W32/MSIL_Mintluks.A.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast MSIL:Rat-B [Trj]
ClamAV Win.Tool.Quasar-6791498-0
Kaspersky HEUR:Backdoor.MSIL.Quasar.gen
BitDefender Generic.MSIL.PasswordStealerA.4EC6515B
Paloalto generic.ml
ViRobot Trojan.Win32.Z.Quasar.536064.F
Tencent Msil.Backdoor.Quasar.Hqvg
Ad-Aware Generic.MSIL.PasswordStealerA.4EC6515B
Sophos Troj/Subti-A
Comodo Malware@#2sky56sg0qe53
F-Secure Heuristic.HEUR/AGEN.1127308
DrWeb BackDoor.Quasar.76
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R03AC0DF520
McAfee-GW-Edition GenericRXIR-VO!249014FAFB4E
Emsisoft Generic.MSIL.PasswordStealerA.4EC6515B (B)
SentinelOne DFI - Malicious PE
Cyren W32/MSIL_Mintluks.A.gen!Eldorado
Webroot W32.Trojan.Quasar
Avira HEUR/AGEN.1127308
MAX malware (ai score=87)
Antiy-AVL Trojan[Backdoor]/MSIL.Quasar
Microsoft Trojan:MSIL/Quasar.PA!MTB
Endgame malicious (high confidence)
ZoneAlarm HEUR:Backdoor.MSIL.Quasar.gen
GData Generic.MSIL.PasswordStealerA.4EC6515B
Cynet Malicious (score: 85)
AhnLab-V3 Trojan/Win32.Downeks.C2783124
VBA32 Trojan.MSIL.gen.c.6
ALYac Generic.MSIL.PasswordStealerA.4EC6515B
Malwarebytes Backdoor.Quasar
ESET-NOD32 a variant of MSIL/Spy.Agent.AES
TrendMicro-HouseCall TROJ_GEN.R03AC0DF520
Rising Backdoor.Quasar!1.B1DD (CLASSIC)
Ikarus Trojan.MSIL.Agent
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)
dead_host 203.208.41.65:80
dead_host 192.168.56.101:49179
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-03-25 22:38:24

Imports

Library mscoree.dll:
0x483f04 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50003 239.255.255.250 3702
192.168.56.101 51966 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.