Score: 9.0 (Critical)

SHA-256: 945ececcb2fd0b7d3a4fd86464737752ba8c1cf215159868595bd9d167a337a2

File name: 3095c5f904ca04b34f31174d88332d76.exe

Analysis duration: 113s

Last analysis:

File size: 417.0KB
Static detections / dynamic detections (engine tags): AGENSLA AGENTTESLA AI SCORE=86 AM0@A0MWIS ATTRIBUTE AVSARHER BTJEKX CLOUD CONFIDENCE CRYPTERX ELDORADO FAREIT GDSDA GENERICKD GENKRYPTIK HIGH CONFIDENCE HIGHCONFIDENCE HPBIUS KRYPTIK LIGR MALICIOUS PE MALWARE@#1ZQZ9G4ZNJ2VL MASSLOGGER NEGASTEAL QVM03 R345839 SMAUJ SUSGEN THGBDBO TROJANPSW TROJANPWS TSCOPE UNSAFE ZEMSILF
鹰眼引擎 (Hawkeye engine)
Not detected: no Hawkeye engine result is available for this sample.
Static verdict
Antivirus engines
Engine       Result                                Scan date  Engine version
McAfee       Fareit-FXH!3095C5F904CA               20200818   6.0.6.653
Alibaba      TrojanPSW:MSIL/AgentTesla.6a843e98    20190527   0.3.0.5
Baidu        (no detection)                        20190318   1.0.0.2
Avast        Win32:CrypterX-gen [Trj]              20200818   18.4.3895.0
Kingsoft     (no detection)                        20200818   2013.8.14.323
Tencent      Msil.Trojan.Kryptik.Ligr              20200818   1.0.0.1
CrowdStrike  win/malicious_confidence_70% (W)      20190702   1.0
Static indicators
Checks if process is being debugged by a debugger (2 events)
Time               API                Arguments  Status  Return  Repeated
1619366298.60775   IsDebuggerPresent             failed  0       0
1619366345.732625  IsDebuggerPresent             failed  0       0
(The "failed" status only mirrors the FALSE return value: IsDebuggerPresent reported no debugger in either process. The two timestamps fall in the lifetimes of the original process and of the injected child respectively, so the check runs in both.)
Behavioural verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 of 74 events shown)
(process_handle 0xffffffff is the current-process pseudo-handle, so every allocation in this list is the sample allocating inside its own address space; the single RWX allocation into the remote child, pid 1124 via handle 0x000001f0, is listed separately under the code-injection indicators.)
Time & API Arguments Status Return Repeated
1619366297.70075
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00580000
success 0 0
1619366297.70075
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c0000
success 0 0
1619366298.45075
NtProtectVirtualMemory
process_identifier: 1940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c51000
success 0 0
1619366298.60775
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0058a000
success 0 0
1619366298.60775
NtProtectVirtualMemory
process_identifier: 1940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c52000
success 0 0
1619366298.60775
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00582000
success 0 0
1619366298.90375
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00592000
success 0 0
1619366298.95075
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00593000
success 0 0
1619366298.98275
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005cb000
success 0 0
1619366298.98275
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c7000
success 0 0
1619366299.02875
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0059c000
success 0 0
1619366299.13875
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00700000
success 0 0
1619366299.20075
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00fb0000
success 0 0
1619366299.20075
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01020000
success 0 0
1619366299.20075
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01021000
success 0 0
1619366299.23275
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01022000
success 0 0
1619366299.24775
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00594000
success 0 0
1619366299.24775
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a6000
success 0 0
1619366299.27875
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00701000
success 0 0
1619366299.27875
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01023000
success 0 0
1619366299.45075
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ba000
success 0 0
1619366299.45075
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01024000
success 0 0
1619366299.51375
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005aa000
success 0 0
1619366299.51375
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a7000
success 0 0
1619366299.52875
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00702000
success 0 0
1619366299.88875
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00595000
success 0 0
1619366300.04475
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b2000
success 0 0
1619366304.20075
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c5000
success 0 0
1619366305.85775
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00596000
success 0 0
1619366344.34175
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00703000
success 0 0
1619366344.45075
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005bc000
success 0 0
1619366344.57575
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00597000
success 0 0
1619366344.57575
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01025000
success 0 0
1619366344.57575
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01026000
success 0 0
1619366344.57575
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0102a000
success 0 0
1619366344.59175
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0103b000
success 0 0
1619366344.59175
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0103c000
success 0 0
1619366344.60775
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0103d000
success 0 0
1619366344.62275
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00704000
success 0 0
1619366344.62275
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0103e000
success 0 0
1619366344.62275
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0103f000
success 0 0
1619366344.62275
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00705000
success 0 0
1619366344.95075
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00598000
success 0 0
1619366345.02875
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00706000
success 0 0
1619366345.18575
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0059a000
success 0 0
1619366345.57575
NtAllocateVirtualMemory
process_identifier: 1940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0058b000
success 0 0
1619366345.700625
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 1900544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x006f0000
success 0 0
1619366345.700625
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00880000
success 0 0
1619366345.732625
NtProtectVirtualMemory
process_identifier: 1124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c51000
success 0 0
1619366345.732625
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ba000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
section .text: entropy 7.5558 (virtual_address 0x00002000, virtual_size 0x000678e0, size_of_data 0x00067a00): a section with a high entropy has been found
overall: 0.9952 of the PE's section data lies in high-entropy sections (0x67a00 of 0x68200 bytes): overall entropy of this PE file is high
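The two packer signals above (a per-section entropy and a whole-file ratio) can be reproduced without any PE library. The following is an added example, not code from the sandbox or from the sample: it parses the COFF section table by hand, computes Shannon entropy per section, and derives the share of section bytes that sit in high-entropy sections. The thresholds (6.8 bits per byte for a section, 0.2 for the file-level ratio) are assumed values chosen to mirror the report; `build_pe`, `deterministic_noise` and `sample_pe` exist only to produce a constructed test input offline.

```python
"""Per-section Shannon entropy and the "share of high-entropy section data"
ratio behind the packer indicator. Added example; thresholds are assumed."""
import hashlib
import math
import struct
from collections import Counter

HIGH_ENTROPY_SECTION = 6.8   # assumed: bits/byte above which a section counts as packed
HIGH_ENTROPY_RATIO = 0.2     # assumed: share of section data that triggers the file verdict


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(pe: bytes):
    """Walk the COFF section table by hand and yield (name, virtual_address, raw_data)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_header_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_header_size        # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        hdr = pe[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", hdr, 8)
        yield name, vaddr, pe[raw_ptr: raw_ptr + raw_size]


def packer_verdict(pe: bytes) -> dict:
    """Reproduce both report lines: flag each high-entropy section, then compute
    the fraction of all section bytes that live in such sections."""
    sections, total, packed_bytes = [], 0, 0
    for name, vaddr, data in pe_sections(pe):
        ent = shannon_entropy(data)
        sections.append({"name": name, "virtual_address": vaddr, "size_of_data": len(data),
                         "entropy": ent, "high_entropy": ent > HIGH_ENTROPY_SECTION})
        total += len(data)
        if ent > HIGH_ENTROPY_SECTION:
            packed_bytes += len(data)
    ratio = packed_bytes / total if total else 0.0
    return {"sections": sections, "ratio": ratio, "packed": ratio > HIGH_ENTROPY_RATIO}


def build_pe(sections) -> bytes:
    """Assemble a minimal PE32 container (DOS header, COFF header, zeroed optional
    header, section table, raw data) around (name, bytes) pairs. Constructed test input."""
    opt_size = 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)           # PE32 magic
    raw_ptr = 64 + 4 + 20 + opt_size + 40 * len(sections)
    table, blob, vaddr = b"", b"", 0x1000
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), vaddr, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blob += data
        raw_ptr += len(data)
        vaddr += (len(data) + 0xFFF) & ~0xFFF
    return dos + b"PE\0\0" + coff + opt + table + blob


def deterministic_noise(n: int, seed: bytes = b"packed-payload") -> bytes:
    """Stand-in for encrypted data: a SHA-256 chain, so the example needs no RNG."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def sample_pe() -> bytes:
    """Constructed layout resembling the report: a large high-entropy .text, tiny .rsrc/.reloc."""
    return build_pe([(".text", deterministic_noise(64 * 1024)),
                     (".rsrc", b"\0" * 2048),
                     (".reloc", b"\x00\x10" * 256)])


if __name__ == "__main__":
    verdict = packer_verdict(sample_pe())
    for s in verdict["sections"]:
        print(f"{s['name']:<8} entropy={s['entropy']:.4f} high={s['high_entropy']}")
    print(f"ratio={verdict['ratio']:.4f} packed={verdict['packed']}")
```

Run against a real file, `packer_verdict(open(path, "rb").read())` gives the same two numbers the indicator reports; note that a ratio near 1.0 with a single dominant high-entropy `.text`, as here, is the typical shape of a crypter-wrapped .NET assembly rather than of a conventional section-based packer, which usually leaves a small low-entropy stub section alongside the packed one.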
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time               API                    Arguments                                            Status   Return  Repeated
1619366357.622625  LookupPrivilegeValueW  system_name: (empty), privilege_name: SeDebugPrivilege  success  1       0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619366345.24775
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001f0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619366345.24775
WriteProcessMemory
process_identifier: 1124
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELMç_à Ji €@ À@…¸hS€ð   H.textI J `.rsrcð€L@@.reloc  P@B
process_handle: 0x000001f0
base_address: 0x00400000
success 1 0
1619366345.27875
WriteProcessMemory
process_identifier: 1124
buffer: €0€HX€””4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0`InternalNameWKOqLFWgDqwthcGIbjbKnHpLSA.exe(LegalCopyright hOriginalFilenameWKOqLFWgDqwthcGIbjbKnHpLSA.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x000001f0
base_address: 0x00448000
success 1 0
1619366345.27875
WriteProcessMemory
process_identifier: 1124
buffer: ` 9
process_handle: 0x000001f0
base_address: 0x0044a000
success 1 0
1619366345.27875
WriteProcessMemory
process_identifier: 1124
buffer: @ (a 4-byte write; the report renderer drops the three 0x00 bytes and keeps 0x40 ("@"), i.e. the little-endian DWORD 0x00400000)
process_handle: 0x000001f0
base_address: 0x7efde008 (PEB->ImageBaseAddress: the child's PEB is at 0x7efde000, the value carried in ebx by the NtSetContextThread call below; the injector is pointing the PEB at the freshly written image)
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619366345.24775
WriteProcessMemory
process_identifier: 1124
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELMç_à Ji €@ À@…¸hS€ð   H.textI J `.rsrcð€L@@.reloc  P@B
process_handle: 0x000001f0
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection: process 1940 called NtSetContextThread to modify a thread in remote process 1124
Time & API Arguments Status Return Repeated
1619366345.27875
NtSetContextThread
thread_handle: 0x000001ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4483342 (0x0044690e: on 32-bit Windows the initial thread of a suspended process holds its entry point in eax, so this redirects execution into the image written at 0x00400000)
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168 (0x7efde000: the PEB address of the new process)
registers.esi: 0
registers.ecx: 0
process_identifier: 1124
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection: process 1940 resumed a thread in remote process 1124
Time & API Arguments Status Return Repeated
1619366345.56075
NtResumeThread
thread_handle: 0x000001ec
suspend_count: 1
process_identifier: 1124
success 0 0
Executed a process and injected code into it, probably while unpacking (15 events)
Time & API Arguments Status Return Repeated
1619366298.60775
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 1940
success 0 0
1619366298.65375
NtResumeThread
thread_handle: 0x00000160
suspend_count: 1
process_identifier: 1940
success 0 0
1619366345.24775
CreateProcessInternalW
thread_identifier: 2648
thread_handle: 0x000001ec
process_identifier: 1124
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3095c5f904ca04b34f31174d88332d76.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3095c5f904ca04b34f31174d88332d76.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000001f0
inherit_handles: 0
success 1 0
1619366345.24775
NtGetContextThread
thread_handle: 0x000001ec
success 0 0
1619366345.24775
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001f0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619366345.24775
WriteProcessMemory
process_identifier: 1124
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELMç_à Ji €@ À@…¸hS€ð   H.textI J `.rsrcð€L@@.reloc  P@B
process_handle: 0x000001f0
base_address: 0x00400000
success 1 0
1619366345.26375
WriteProcessMemory
process_identifier: 1124
buffer:
process_handle: 0x000001f0
base_address: 0x00402000
success 1 0
1619366345.27875
WriteProcessMemory
process_identifier: 1124
buffer: €0€HX€””4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0`InternalNameWKOqLFWgDqwthcGIbjbKnHpLSA.exe(LegalCopyright hOriginalFilenameWKOqLFWgDqwthcGIbjbKnHpLSA.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x000001f0
base_address: 0x00448000
success 1 0
1619366345.27875
WriteProcessMemory
process_identifier: 1124
buffer: ` 9
process_handle: 0x000001f0
base_address: 0x0044a000
success 1 0
1619366345.27875
WriteProcessMemory
process_identifier: 1124
buffer: @ (4-byte write of the little-endian DWORD 0x00400000; non-printable bytes dropped by the renderer)
process_handle: 0x000001f0
base_address: 0x7efde008 (PEB->ImageBaseAddress of the child, whose PEB is at 0x7efde000)
success 1 0
1619366345.27875
NtSetContextThread
thread_handle: 0x000001ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4483342 (0x0044690e, the new entry point inside the image at 0x00400000)
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168 (0x7efde000, the child's PEB)
registers.esi: 0
registers.ecx: 0
process_identifier: 1124
success 0 0
1619366345.56075
NtResumeThread
thread_handle: 0x000001ec
suspend_count: 1
process_identifier: 1124
success 0 0
1619366345.57575
NtResumeThread
thread_handle: 0x0000020c
suspend_count: 1
process_identifier: 1940
success 0 0
1619366345.732625
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 1124
success 0 0
1619366345.732625
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 1124
success 0 0
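The fifteen events above are the complete process-hollowing (RunPE) sequence: the sample launches a second copy of itself with CREATE_SUSPENDED, allocates RWX memory at the child's preferred image base, writes a new PE image there, patches the PEB's ImageBaseAddress, sets the initial thread's eax to the new entry point and resumes it. The following correlation logic is an added example, not code from the sandbox: it consumes Cuckoo-style events (caller pid, API name, argument dict keyed like the lines above; this layout is an assumption) and emits a finding only when the whole chain is present against one suspended child. The sample events are constructed from the values shown for pids 1940 and 1124, plus a benign process start that must not fire.

```python
"""Correlate sandbox API events into a process-hollowing (RunPE) finding.
Added example; the Event layout is assumed, sample values come from the report."""
from dataclasses import dataclass, field
from typing import Optional

CREATE_SUSPENDED = 0x00000004      # dwCreationFlags bit; "creation_flags: 4" in the report
PAGE_EXECUTE_READWRITE = 0x40      # "protection: 64" in the report
PEB_IMAGE_BASE_OFFSET = 0x8        # PEB->ImageBaseAddress on 32-bit Windows


@dataclass
class Event:
    time: float
    caller_pid: int      # process that issued the call
    api: str
    args: dict           # "process_identifier" in args is the *target* process


@dataclass
class Finding:
    injector: int
    target: int
    image_base: Optional[int] = None
    entry_point: Optional[int] = None
    peb_patched: bool = False
    steps: list = field(default_factory=list)


@dataclass
class _Pending:                     # per suspended child, until it is resumed
    finding: Finding
    ebx: Optional[int] = None
    write_addrs: list = field(default_factory=list)


def find_process_hollowing(events) -> list:
    """Return one Finding per suspended child that received a PE image and a new
    thread context before being resumed; anything else is left alone."""
    pending, findings = {}, []
    for ev in sorted(events, key=lambda e: e.time):     # stable sort keeps report order
        a = ev.args
        if ev.api == "CreateProcessInternalW" and a.get("creation_flags", 0) & CREATE_SUSPENDED:
            child = a["process_identifier"]
            pending[child] = _Pending(Finding(ev.caller_pid, child,
                                              steps=["CreateProcess(CREATE_SUSPENDED)"]))
            continue
        st = pending.get(a.get("process_identifier"))
        if st is None or st.finding.injector != ev.caller_pid:
            continue                                     # not aimed at a suspended child of ours
        f = st.finding
        if ev.api == "NtAllocateVirtualMemory" and a.get("protection") == PAGE_EXECUTE_READWRITE:
            f.steps.append("remote RWX allocation at 0x%08x" % a["base_address"])
        elif ev.api == "WriteProcessMemory":
            st.write_addrs.append(a["base_address"])
            if a.get("buffer", b"")[:2] == b"MZ":         # a whole PE image, not just shellcode
                f.image_base = a["base_address"]
                f.steps.append("PE image written at 0x%08x" % f.image_base)
        elif ev.api == "NtSetContextThread":
            # On x86 the first thread of a suspended process holds its entry point
            # in eax and the PEB in ebx, so RunPE patches eax and leaves eip at 0.
            f.entry_point = a.get("registers.eip", 0) or a.get("registers.eax")
            st.ebx = a.get("registers.ebx")
            f.steps.append("thread context replaced")
        elif ev.api == "NtResumeThread":
            if st.ebx is not None:                       # was PEB->ImageBaseAddress rewritten?
                f.peb_patched = (st.ebx + PEB_IMAGE_BASE_OFFSET) in st.write_addrs
            if f.image_base is not None and f.entry_point is not None:
                f.steps.append("suspended thread resumed")
                findings.append(f)
            del pending[f.target]
    return findings


def sample_events() -> list:
    """Constructed from the report's values (1940 -> 1124) plus a benign child start."""
    t = 1619366345.24775
    return [
        Event(t, 1940, "CreateProcessInternalW", {"process_identifier": 1124, "creation_flags": 4}),
        Event(t, 1940, "NtAllocateVirtualMemory",
              {"process_identifier": 1124, "region_size": 311296, "protection": 64,
               "allocation_type": 0x3000, "base_address": 0x00400000}),
        Event(t, 1940, "WriteProcessMemory",               # truncated DOS header
              {"process_identifier": 1124, "base_address": 0x00400000, "buffer": b"MZ\x90\x00\x03\x00"}),
        Event(t + 0.016, 1940, "WriteProcessMemory",
              {"process_identifier": 1124, "base_address": 0x00402000, "buffer": b"\0" * 16}),
        Event(t + 0.031, 1940, "WriteProcessMemory",       # new ImageBase 0x00400000, little-endian
              {"process_identifier": 1124, "base_address": 0x7EFDE008, "buffer": b"\x00\x00\x40\x00"}),
        Event(t + 0.031, 1940, "NtSetContextThread",
              {"process_identifier": 1124, "thread_handle": 0x1EC, "registers.eip": 0,
               "registers.eax": 4483342, "registers.ebx": 2130567168}),
        Event(t + 0.313, 1940, "NtResumeThread",
              {"process_identifier": 1124, "thread_handle": 0x1EC, "suspend_count": 1}),
        Event(t + 1.0, 2000, "CreateProcessInternalW",      # benign: not suspended, nothing written
              {"process_identifier": 2001, "creation_flags": 0}),
        Event(t + 1.1, 2000, "NtResumeThread",
              {"process_identifier": 2001, "thread_handle": 0x88, "suspend_count": 1}),
    ]


if __name__ == "__main__":
    for f in find_process_hollowing(sample_events()):
        print(f"pid {f.injector} hollowed pid {f.target}: image 0x{f.image_base:08x}, "
              f"entry 0x{f.entry_point:08x}, PEB patched={f.peb_patched}")
        print("  " + " -> ".join(f.steps))
```

Requiring the MZ write, the context change and the resume together, rather than alerting on CREATE_SUSPENDED alone, is what keeps this quiet on debuggers, installers and job-object launchers that also start children suspended; the PEB patch is reported as an extra attribute because 64-bit or DLL-injection variants will not show it at `ebx + 8`.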
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 of 54 events shown)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34224076
FireEye Generic.mg.3095c5f904ca04b3
CAT-QuickHeal Trojanpws.Msil
McAfee Fareit-FXH!3095C5F904CA
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2312426
Sangfor Malware
K7AntiVirus Trojan ( 0056b1e61 )
Alibaba TrojanPSW:MSIL/AgentTesla.6a843e98
K7GW Trojan ( 0056b1b71 )
Cybereason malicious.ef7354
TrendMicro TrojanSpy.MSIL.NEGASTEAL.THGBDBO
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
GData Trojan.GenericKD.34224076
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.34224076
NANO-Antivirus Trojan.Win32.Agensla.hpbius
AegisLab Trojan.MSIL.Agensla.i!c
Avast Win32:CrypterX-gen [Trj]
Rising Trojan.GenKryptik!8.AA55 (CLOUD)
Ad-Aware Trojan.GenericKD.34224076
Comodo Malware@#1zqz9g4znj2vl
DrWeb Trojan.PWS.Stealer.28935
VIPRE Trojan.Win32.Generic!BT
Invincea heuristic
Sophos Mal/Generic-S
SentinelOne DFI - Malicious PE
Cyren W32/MSIL_Troj.XW.gen!Eldorado
Webroot W32.Trojan.Gen
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Arcabit Trojan.Generic.D20A37CC
ViRobot Trojan.Win32.Z.Genkryptik.427008.A
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
Microsoft Trojan:MSIL/AgentTesla.AR!MTB
AhnLab-V3 Trojan/Win32.Fareit.R345839
BitDefenderTheta Gen:NN.ZemsilF.34152.Am0@a0MWIS
ALYac Trojan.GenericKD.34224076
MAX malware (ai score=86)
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.Crypt.MSIL.Generic
ESET-NOD32 a variant of MSIL/Kryptik.XAF
TrendMicro-HouseCall TrojanSpy.MSIL.NEGASTEAL.SMAUJ
Tencent Msil.Trojan.Kryptik.Ligr
Yandex Trojan.AvsArher.bTJEKx
Ikarus Trojan-Spy.MassLogger
Fortinet MSIL/Agent.BMW!tr
MaxSecure Trojan.Malware.74499699.susgen
Connects to IP addresses that are no longer responding to requests (legitimate services will usually remain up and running) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.78:443
Visual analysis
Binary image
No binary image: no binary visualisation was generated for this sample.
Run screenshots
No screenshots: no screenshots were captured while the sample ran.


PE Compile Time

2020-07-23 22:12:12

Imports

Library mscoree.dll:
0x402000 _CorExeMain
(The CLR bootstrap stub is the only native import, which identifies the file as a .NET/MSIL assembly and matches the MSIL-family detection names above.)

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source port  Destination                      Destination port
192.168.56.101  49235        114.114.114.114                  53
192.168.56.101  55368        114.114.114.114                  53
192.168.56.101  58367        114.114.114.114                  53
192.168.56.101  60123        114.114.114.114                  53
192.168.56.101  60215        114.114.114.114                  53
192.168.56.101  62912        114.114.114.114                  53
192.168.56.101  137          192.168.56.255                   137
192.168.56.101  138          192.168.56.255                   138
192.168.56.101  123          20.189.79.72 (time.windows.com)  123
192.168.56.101  50002        224.0.0.252                      5355
192.168.56.101  50534        224.0.0.252                      5355
192.168.56.101  51963        224.0.0.252                      5355
192.168.56.101  53210        224.0.0.252                      5355
192.168.56.101  53657        224.0.0.252                      5355
192.168.56.101  56539        224.0.0.252                      5355
192.168.56.101  56804        224.0.0.252                      5355
192.168.56.101  57756        224.0.0.252                      5355
192.168.56.101  57874        224.0.0.252                      5355
192.168.56.101  60384        224.0.0.252                      5355
192.168.56.101  61680        224.0.0.252                      5355
(Ports 137/138 (NetBIOS), 5355 (LLMNR) and 123 (NTP) are ordinary Windows background traffic from the analysis VM rather than activity attributable to the sample.)

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.