Score: 8.2
Risk level: High

Hash: bf917cc47a3577a28454b035977120f80f9c9834d443e389433917dc406f39e0

File name: 2e520186a3c7076d5bc15205eac3b30b.exe

Analysis duration: 82s

Last analysis

File size: 428.5KB
鹰眼 engine
Not detected: no 鹰眼 engine results are available for this sample
Static verdict
Antivirus engines
Engine  Result  Scan date  Engine version
McAfee Fareit-FUW!2E520186A3C7 20200821 6.0.6.653
Alibaba TrojanSpy:MSIL/AgentTesla.aa927f55 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20200821 18.4.3895.0
Kingsoft 20200821 2013.8.14.323
Tencent Win32.Trojan.Inject.Auto 20200821 1.0.0.1
Static indicators
Checks if process is being debugged by a debugger (50 out of 76 events)
Time                 API                 Arguments   Status   Return   Repeated
1619363181.316125    IsDebuggerPresent   -           failed   0        0
1619363182.925125    IsDebuggerPresent   -           failed   0        0
1619363183.394125    IsDebuggerPresent   -           failed   0        0
1619363183.972125    IsDebuggerPresent   -           failed   0        0
1619363184.394125    IsDebuggerPresent   -           failed   0        0
1619363184.972125    IsDebuggerPresent   -           failed   0        0
1619363185.394125    IsDebuggerPresent   -           failed   0        0
1619363185.972125    IsDebuggerPresent   -           failed   0        0
1619363186.394125    IsDebuggerPresent   -           failed   0        0
1619363186.972125    IsDebuggerPresent   -           failed   0        0
1619363187.394125    IsDebuggerPresent   -           failed   0        0
1619363187.972125    IsDebuggerPresent   -           failed   0        0
1619363188.394125    IsDebuggerPresent   -           failed   0        0
1619363188.972125    IsDebuggerPresent   -           failed   0        0
1619363189.394125    IsDebuggerPresent   -           failed   0        0
1619363189.972125    IsDebuggerPresent   -           failed   0        0
1619363190.394125    IsDebuggerPresent   -           failed   0        0
1619363190.972125    IsDebuggerPresent   -           failed   0        0
1619363191.394125    IsDebuggerPresent   -           failed   0        0
1619363191.972125    IsDebuggerPresent   -           failed   0        0
1619363192.394125    IsDebuggerPresent   -           failed   0        0
1619363192.972125    IsDebuggerPresent   -           failed   0        0
1619363193.394125    IsDebuggerPresent   -           failed   0        0
1619363193.972125    IsDebuggerPresent   -           failed   0        0
1619363194.394125    IsDebuggerPresent   -           failed   0        0
1619363194.972125    IsDebuggerPresent   -           failed   0        0
1619363195.394125    IsDebuggerPresent   -           failed   0        0
1619363195.972125    IsDebuggerPresent   -           failed   0        0
1619363196.394125    IsDebuggerPresent   -           failed   0        0
1619363196.972125    IsDebuggerPresent   -           failed   0        0
1619363197.394125    IsDebuggerPresent   -           failed   0        0
1619363197.972125    IsDebuggerPresent   -           failed   0        0
1619363198.394125    IsDebuggerPresent   -           failed   0        0
1619363198.972125    IsDebuggerPresent   -           failed   0        0
1619363199.394125    IsDebuggerPresent   -           failed   0        0
1619363199.972125    IsDebuggerPresent   -           failed   0        0
1619363200.394125    IsDebuggerPresent   -           failed   0        0
1619363200.972125    IsDebuggerPresent   -           failed   0        0
1619363201.394125    IsDebuggerPresent   -           failed   0        0
1619363201.972125    IsDebuggerPresent   -           failed   0        0
1619363202.394125    IsDebuggerPresent   -           failed   0        0
1619363202.972125    IsDebuggerPresent   -           failed   0        0
1619363203.394125    IsDebuggerPresent   -           failed   0        0
1619363203.972125    IsDebuggerPresent   -           failed   0        0
1619363204.394125    IsDebuggerPresent   -           failed   0        0
1619363204.972125    IsDebuggerPresent   -           failed   0        0
1619363205.394125    IsDebuggerPresent   -           failed   0        0
1619363205.972125    IsDebuggerPresent   -           failed   0        0
1619363206.394125    IsDebuggerPresent   -           failed   0        0
1619363206.972125    IsDebuggerPresent   -           failed   0        0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time                 API                   Arguments   Status    Return   Repeated
1619363218.504125    GlobalMemoryStatusEx  -           success   1        0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 68 events)
Time & API Arguments Status Return Repeated
1619363180.550125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00b70000
success 0 0
1619363180.550125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d20000
success 0 0
1619363181.254125
NtProtectVirtualMemory
process_identifier: 2468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c51000
success 0 0
1619363181.316125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002aa000
success 0 0
1619363181.316125
NtProtectVirtualMemory
process_identifier: 2468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c52000
success 0 0
1619363181.316125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a2000
success 0 0
1619363181.660125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002f2000
success 0 0
1619363181.769125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002f3000
success 0 0
1619363181.785125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0032b000
success 0 0
1619363181.785125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00327000
success 0 0
1619363181.863125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002fc000
success 0 0
1619363182.004125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00790000
success 0 0
1619363182.238125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002f4000
success 0 0
1619363182.316125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002fa000
success 0 0
1619363182.425125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0031a000
success 0 0
1619363182.504125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00312000
success 0 0
1619363182.566125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00325000
success 0 0
1619363182.769125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00791000
success 0 0
1619363183.066125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00792000
success 0 0
1619363183.144125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0030a000
success 0 0
1619363183.144125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00307000
success 0 0
1619363183.300125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002f5000
success 0 0
1619363218.207125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002ab000
success 0 0
1619363218.519125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00793000
success 0 0
1619363218.519125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002f6000
success 0 0
1619363218.535125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 2162688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x055c0000
success 0 0
1619363218.535125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05790000
success 0 0
1619363218.535125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05791000
success 0 0
1619363218.566125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05792000
success 0 0
1619363218.582125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05793000
success 0 0
1619363218.582125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05794000
success 0 0
1619363218.597125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05795000
success 0 0
1619363218.597125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05796000
success 0 0
1619363218.629125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00306000
success 0 0
1619363218.629125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00794000
success 0 0
1619363218.644125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05798000
success 0 0
1619363218.644125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0579c000
success 0 0
1619363218.644125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x057ad000
success 0 0
1619363218.644125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x057ae000
success 0 0
1619363218.644125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x057af000
success 0 0
1619363218.722125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00795000
success 0 0
1619363219.050125
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002f7000
success 0 0
1619363219.582375
NtAllocateVirtualMemory
process_identifier: 3036
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00690000
success 0 0
1619363219.582375
NtAllocateVirtualMemory
process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f0000
success 0 0
1619363219.613375
NtProtectVirtualMemory
process_identifier: 3036
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c51000
success 0 0
1619363219.613375
NtAllocateVirtualMemory
process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002ba000
success 0 0
1619363219.613375
NtProtectVirtualMemory
process_identifier: 3036
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c52000
success 0 0
1619363219.613375
NtAllocateVirtualMemory
process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002b2000
success 0 0
1619363219.629375
NtAllocateVirtualMemory
process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002c2000
success 0 0
1619363219.629375
NtAllocateVirtualMemory
process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002c3000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy: 7.910131330206744; section: {'size_of_data': '0x0006a800', 'virtual_address': '0x00002000', 'entropy': 7.910131330206744, 'name': '.text', 'virtual_size': '0x0006a744'}; description: A section with a high entropy has been found
entropy: 0.9953271028037384; description: Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
Time                 API                    Arguments                                              Status    Return   Repeated
1619363182.363125    LookupPrivilegeValueW  system_name: (empty), privilege_name: SeDebugPrivilege  success   1        0
1619363220.019375    LookupPrivilegeValueW  system_name: (empty), privilege_name: SeDebugPrivilege  success   1        0
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619363219.254125
NtAllocateVirtualMemory
process_identifier: 3036
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000284
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619363219.254125
WriteProcessMemory
process_identifier: 3036
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÃ^à ª^É à@  @… ÉOàØ  H.textd© ª `.rsrcØà¬@@.reloc °@B
process_handle: 0x00000284
base_address: 0x00400000
success 1 0
1619363219.254125
WriteProcessMemory
process_identifier: 3036
buffer: €0€HXà||4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ÜStringFileInfo¸000004b0,FileDescription 0FileVersion0.0.0.0TInternalNamepvDSXHhuhGpXbdmZphkj.exe(LegalCopyright \OriginalFilenamepvDSXHhuhGpXbdmZphkj.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x00000284
base_address: 0x0044e000
success 1 0
1619363219.254125
WriteProcessMemory
process_identifier: 3036
buffer: À `9
process_handle: 0x00000284
base_address: 0x00450000
success 1 0
1619363219.254125
WriteProcessMemory
process_identifier: 3036
buffer: @
process_handle: 0x00000284
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619363219.254125
WriteProcessMemory
process_identifier: 3036
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÃ^à ª^É à@  @… ÉOàØ  H.textd© ª `.rsrcØà¬@@.reloc °@B
process_handle: 0x00000284
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 2468 called NtSetContextThread to modify thread in remote process 3036
Time & API Arguments Status Return Repeated
1619363219.254125
NtSetContextThread
thread_handle: 0x00000280
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4507998
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3036
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 2468 resumed a thread in remote process 3036
Time & API Arguments Status Return Repeated
1619363219.410125
NtResumeThread
thread_handle: 0x00000280
suspend_count: 1
process_identifier: 3036
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)
dead_host 172.217.24.14:443
Executed a process and injected code into it, probably while unpacking (16 events)
Time & API Arguments Status Return Repeated
1619363181.316125
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2468
success 0 0
1619363181.379125
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 2468
success 0 0
1619363182.754125
NtResumeThread
thread_handle: 0x0000021c
suspend_count: 1
process_identifier: 2468
success 0 0
1619363182.785125
NtResumeThread
thread_handle: 0x00000234
suspend_count: 1
process_identifier: 2468
success 0 0
1619363219.254125
CreateProcessInternalW
thread_identifier: 2732
thread_handle: 0x00000280
process_identifier: 3036
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\2e520186a3c7076d5bc15205eac3b30b.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\2e520186a3c7076d5bc15205eac3b30b.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000284
inherit_handles: 0
success 1 0
1619363219.254125
NtGetContextThread
thread_handle: 0x00000280
success 0 0
1619363219.254125
NtAllocateVirtualMemory
process_identifier: 3036
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000284
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619363219.254125
WriteProcessMemory
process_identifier: 3036
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÃ^à ª^É à@  @… ÉOàØ  H.textd© ª `.rsrcØà¬@@.reloc °@B
process_handle: 0x00000284
base_address: 0x00400000
success 1 0
1619363219.254125
WriteProcessMemory
process_identifier: 3036
buffer:
process_handle: 0x00000284
base_address: 0x00402000
success 1 0
1619363219.254125
WriteProcessMemory
process_identifier: 3036
buffer: €0€HXà||4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ÜStringFileInfo¸000004b0,FileDescription 0FileVersion0.0.0.0TInternalNamepvDSXHhuhGpXbdmZphkj.exe(LegalCopyright \OriginalFilenamepvDSXHhuhGpXbdmZphkj.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x00000284
base_address: 0x0044e000
success 1 0
1619363219.254125
WriteProcessMemory
process_identifier: 3036
buffer: À `9
process_handle: 0x00000284
base_address: 0x00450000
success 1 0
1619363219.254125
WriteProcessMemory
process_identifier: 3036
buffer: @
process_handle: 0x00000284
base_address: 0x7efde008
success 1 0
1619363219.254125
NtSetContextThread
thread_handle: 0x00000280
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4507998
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3036
success 0 0
1619363219.410125
NtResumeThread
thread_handle: 0x00000280
suspend_count: 1
process_identifier: 3036
success 0 0
1619363219.613375
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 3036
success 0 0
1619363219.629375
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 3036
success 0 0
File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34010108
FireEye Generic.mg.2e520186a3c7076d
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee Fareit-FUW!2E520186A3C7
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2062569
Sangfor Malware
K7AntiVirus Trojan ( 005689471 )
Alibaba TrojanSpy:MSIL/AgentTesla.aa927f55
K7GW Trojan ( 005689471 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Generic.D206F3FC
Invincea heuristic
Cyren W32/MSIL_Kryptik.AWS.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
ClamAV Win.Packed.Agenttesla-8108304-0
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.34010108
ViRobot Trojan.Win32.Z.Highconfidence.438784
Avast Win32:Trojan-gen
Rising Trojan.GenKryptik!8.AA55 (CLOUD)
Ad-Aware Trojan.GenericKD.34010108
Comodo Malware@#3bpnbx570214u
DrWeb Trojan.PWS.Siggen2.50472
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_FRS.0NA103FD20
Sophos Mal/Generic-S
Ikarus Trojan-Spy.LokiBot
Avira TR/AD.AgentTesla.ysgqp
Microsoft Trojan:Win32/Bluteal!rfn
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKD.34010108
Cynet Malicious (score: 85)
BitDefenderTheta Gen:NN.ZemsilF.34186.Am0@ai7G3Yn
ALYac Trojan.GenericKD.34010108
MAX malware (ai score=81)
VBA32 CIL.HeapOverride.Heur
Malwarebytes Spyware.AgentTesla
ESET-NOD32 a variant of MSIL/Kryptik.WIR
TrendMicro-HouseCall TROJ_FRS.0NA103FD20
Tencent Win32.Trojan.Inject.Auto
Yandex Trojan.AvsArher.bSIdr7
SentinelOne DFI - Malicious PE
Fortinet MSIL/GenKryptik.EMIF!tr
AVG Win32:Trojan-gen
Panda Trj/CI.A
Qihoo-360 Generic/Trojan.PSW.374
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while this sample ran

PE Compile Time

2053-03-28 15:27:57

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source port   Destination       Destination port
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56807 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.