3.2
中危
56 个模型检测该样本为恶意!
重新分析
更多

3527457b184139953c43be59287281eb8f797e9cc8f3e9d637362276fe4f83a2

2524d1a6ee8061056d643d8a603a6791.exe

分析耗时

21s

最近分析

文件大小

677.4KB
静态报毒 动态报毒 9O0FRINDKXQ3HEDPCI AGEN AI SCORE=87 AIDETECTVM BSCOPE CONFIDENCE ELDORADO GAMEHACK GDSDA GENERIC@ML HDCK HIGH CONFIDENCE HLEHQO HOOI INVALIDSIG KCLOUD KRYPTIK MALWARE2 MALWARE@#3GUZA3Q7VT9R5 MDCWX NOON OAQEQ R066C0DIK20 R335321 RDMK SCORE SISS SKEEYAH STATIC AI SUSGEN SUSPICIOUS PE UNSAFE ZUSY 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba TrojanSpy:Win32/Inject.513c3b73 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20201228 21.1.5827.0
Tencent Win32.Trojan-spy.Noon.Hooi 20201228 1.0.0.1
Kingsoft Win32.Troj.Noon.ay.(kcloud) 20201228 2017.9.26.565
McAfee RDN/Generic.grp 20201228 6.0.6.653
CrowdStrike win/malicious_confidence_70% (W) 20190702 1.0
静态指标
Checks if process is being debugged by a debugger (1 个事件)
Time & API Arguments Status Return Repeated
1619269225.491474
IsDebuggerPresent
failed 0 0
This executable is signed
This executable has a PDB path (1 个事件)
pdb_path C:\Codes\Version9\TYPER\Release\TYPER.pdb
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (3 个事件)
Time & API Arguments Status Return Repeated
1619269227.648474
NtProtectVirtualMemory
process_identifier: 648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 602112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01fe0000
success 0 0
1619269227.663474
NtProtectVirtualMemory
process_identifier: 648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 602112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01fe0000
success 0 0
1619269227.773474
NtAllocateVirtualMemory
process_identifier: 648
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03800000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.953650269658537 section {'size_of_data': '0x00099e00', 'virtual_address': '0x0000e000', 'entropy': 7.953650269658537, 'name': '.rsrc', 'virtual_size': '0x00099d58'} description A section with a high entropy has been found
entropy 0.9172876304023845 description Overall entropy of this PE file is high
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Zusy.302797
FireEye Generic.mg.2524d1a6ee806105
ALYac Gen:Variant.Zusy.302797
Cylance Unsafe
K7AntiVirus Trojan ( 005661071 )
Alibaba TrojanSpy:Win32/Inject.513c3b73
K7GW Trojan ( 005661071 )
Cybereason malicious.6ee806
Arcabit Trojan.Zusy.D49ECD
Cyren W32/Kryptik.BMH.gen!Eldorado
Symantec Trojan.Gen.MBT
Avast Win32:Trojan-gen
Kaspersky HEUR:Trojan-Spy.Win32.Noon.vho
BitDefender Gen:Variant.Zusy.302797
NANO-Antivirus Trojan.Win32.Kryptik.hlehqo
Paloalto generic.ml
Tencent Win32.Trojan-spy.Noon.Hooi
Ad-Aware Gen:Variant.Zusy.302797
Sophos Mal/Generic-S
Comodo Malware@#3guza3q7vt9r5
F-Secure Heuristic.HEUR/AGEN.1135342
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R066C0DIK20
McAfee-GW-Edition RDN/Generic.grp
Emsisoft Gen:Variant.Zusy.302797 (B)
Ikarus Trojan.Inject
Jiangmin TrojanSpy.Noon.pcx
Webroot W32.Trojan.Gen
Avira HEUR/AGEN.1135342
eGambit PE.Heur.InvalidSig
MAX malware (ai score=87)
Antiy-AVL Trojan[Spy]/Win32.Noon
Kingsoft Win32.Troj.Noon.ay.(kcloud)
Microsoft Trojan:Win32/Inject.LO!MTB
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm HEUR:Trojan-Spy.Win32.Noon.vho
GData Gen:Variant.Zusy.302797
Cynet Malicious (score: 85)
AhnLab-V3 Unwanted/Win32.GameHack.R335321
McAfee RDN/Generic.grp
VBA32 BScope.Trojan.Skeeyah
Malwarebytes Trojan.MalPack.Siss
Zoner Trojan.Win32.89647
ESET-NOD32 a variant of Win32/Kryptik.HDCK
TrendMicro-HouseCall TROJ_GEN.R066C0DIK20
Rising Trojan.Generic@ML.92 (RDMK:9O0FrINDkXQ3hedPCi/O3A)
Yandex Trojan.Kryptik!mdCwx/oAQeQ
SentinelOne Static AI - Suspicious PE
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-05-04 16:16:23

Imports

Library KERNEL32.dll:
0x40801c GetConsoleCP
0x408020 FlushFileBuffers
0x408024 GetStringTypeW
0x408028 LCMapStringEx
0x40802c GetConsoleMode
0x408030 HeapReAlloc
0x408034 HeapSize
0x408038 RtlUnwind
0x40803c LoadLibraryW
0x408040 OutputDebugStringW
0x408044 GetCPInfo
0x408048 GetOEMCP
0x40804c GetACP
0x408050 IsValidCodePage
0x408054 SetStdHandle
0x408058 SetFilePointerEx
0x40805c WriteConsoleW
0x408060 CloseHandle
0x408064 VirtualProtect
0x408068 GetLastError
0x40806c HeapFree
0x408070 HeapAlloc
0x408074 GetCommandLineA
0x408078 IsDebuggerPresent
0x408080 EncodePointer
0x408084 DecodePointer
0x408088 RaiseException
0x40808c GetProcessHeap
0x408094 ExitProcess
0x408098 GetModuleHandleExW
0x40809c GetProcAddress
0x4080a0 MultiByteToWideChar
0x4080a4 GetStdHandle
0x4080a8 WriteFile
0x4080ac GetModuleFileNameW
0x4080b0 SetLastError
0x4080b8 GetCurrentThreadId
0x4080bc GetFileType
0x4080c8 InitOnceExecuteOnce
0x4080cc GetStartupInfoW
0x4080d0 GetModuleFileNameA
0x4080dc GetTickCount64
0x4080e8 WideCharToMultiByte
0x4080f4 FlsAlloc
0x4080f8 FlsGetValue
0x4080fc FlsSetValue
0x408100 FlsFree
0x408104 GetCurrentProcess
0x408108 TerminateProcess
0x40810c GetModuleHandleW
0x408118 Sleep
0x40811c LoadLibraryExW
0x408120 CreateFileW
Library USER32.dll:
0x408128 DestroyWindow
0x40812c DefWindowProcW
0x408130 PostQuitMessage
0x408134 EndPaint
0x408138 BeginPaint
0x40813c SendMessageW
0x408140 DestroyCaret
0x408144 HideCaret
0x408148 ShowCaret
0x40814c CreateCaret
0x408150 InvalidateRect
0x408154 SetCaretPos
0x408158 GetFocus
0x40815c ReleaseDC
0x408160 GetDC
0x408164 DispatchMessageW
0x408168 TranslateMessage
0x40816c GetMessageW
0x408170 UpdateWindow
0x408174 ShowWindow
0x408178 CreateWindowExW
0x40817c MessageBoxW
0x408180 RegisterClassW
0x408184 LoadCursorW
0x408188 LoadIconW
Library GDI32.dll:
0x408000 DeleteObject
0x408004 GetTextMetricsW
0x408008 CreateFontW
0x40800c SelectObject
0x408010 GetStockObject
0x408014 TextOutW

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51809 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.