4.0
中危
49 个模型检测该样本为恶意!
重新分析
更多

2db7f75de0144ddcefea785a8d717f96107a0511568b3f27b49c1445164e828f

36b646875a393758bce6b40ac084b8fd.exe

分析耗时

73s

最近分析

文件大小

549.0KB
静态报毒 动态报毒 AGENSLA AGENTTESLA AI SCORE=80 CONFIDENCE ELDORADO ENTQ FAREIT FKVPU FORMBOOK GENERICKD GENKRYPTIK HNBRDT IGENERIC INJECTNET KRYPTIK LLHM MALICIOUS MALWARE@#2CO9BZV1M28AE PASSWORDSTEALER QQPASS QQROB R06BC0DG820 R343383 RATX SCORE TROJANPSW UNSAFE 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Fareit-FWR!36B646875A39 20200801 6.0.6.653
Alibaba TrojanPSW:MSIL/Formbook.78cc3aa4 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win64:RATX-gen [Trj] 20200801 18.4.3895.0
Kingsoft 20200801 2013.8.14.323
Tencent Msil.Trojan-qqpass.Qqrob.Llhm 20200801 1.0.0.1
CrowdStrike win/malicious_confidence_60% (W) 20190702 1.0
静态指标
Queries for the computername (2 个事件)
Time & API Arguments Status Return Repeated
1619345086.180988
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619345089.227988
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 个事件)
Time & API Arguments Status Return Repeated
1619345034.055988
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619345034.274988
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619345090.727988
__exception__
stacktrace: 
0x7ff00192468
0x7ff00191c9d
0x7ff00190a2d
IEE+0xda16 GetUserStore-0xa7e mscorwks+0x2c1612 @ 0x7fef1c61612
CreateAssemblyNameObject+0x5cbb CompareAssemblyIdentity-0x6ff9 mscorwks+0x1eee13 @ 0x7fef1b8ee13
PreBindAssembly+0x79a91 LoadStringRC-0x2544f mscorwks+0x69bc51 @ 0x7fef203bc51
GetCLRFunction+0x988a CreateApplicationContext-0xd636 mscorwks+0x1149a2 @ 0x7fef1ab49a2
CorLaunchApplication+0x19d71 TranslateSecurityAttributes-0xd04f mscorwks+0x70e6f1 @ 0x7fef20ae6f1
mscorlib+0x36b1c8 @ 0x7fef0d6b1c8
mscorlib+0x36ae86 @ 0x7fef0d6ae86
0x7ff00184ed2
0x7ff00184da0
IEE+0xda16 GetUserStore-0xa7e mscorwks+0x2c1612 @ 0x7fef1c61612
CreateAssemblyNameObject+0x5cbb CompareAssemblyIdentity-0x6ff9 mscorwks+0x1eee13 @ 0x7fef1b8ee13
PreBindAssembly+0x79a91 LoadStringRC-0x2544f mscorwks+0x69bc51 @ 0x7fef203bc51
GetCLRFunction+0x988a CreateApplicationContext-0xd636 mscorwks+0x1149a2 @ 0x7fef1ab49a2
CorLaunchApplication+0x19d71 TranslateSecurityAttributes-0xd04f mscorwks+0x70e6f1 @ 0x7fef20ae6f1
mscorlib+0x36b1c8 @ 0x7fef0d6b1c8
mscorlib+0x36ae86 @ 0x7fef0d6ae86
mscorlib+0x9d1df1 @ 0x7fef13d1df1
0x7ff00181b24
0x7ff00160a8c
IEE+0xda16 GetUserStore-0xa7e mscorwks+0x2c1612 @ 0x7fef1c61612
CreateAssemblyNameObject+0x5cbb CompareAssemblyIdentity-0x6ff9 mscorwks+0x1eee13 @ 0x7fef1b8ee13
PreBindAssembly+0x79a91 LoadStringRC-0x2544f mscorwks+0x69bc51 @ 0x7fef203bc51
GetCLRFunction+0x988a CreateApplicationContext-0xd636 mscorwks+0x1149a2 @ 0x7fef1ab49a2
CorLaunchApplication+0x19d71 TranslateSecurityAttributes-0xd04f mscorwks+0x70e6f1 @ 0x7fef20ae6f1
mscorlib+0x36b387 @ 0x7fef0d6b387
mscorlib+0x36ae86 @ 0x7fef0d6ae86
mscorlib+0x9d1df1 @ 0x7fef13d1df1
0x7ff001603fd
0x7ff001601c5
0x7ff00160161
IEE+0xda16 GetUserStore-0xa7e mscorwks+0x2c1612 @ 0x7fef1c61612
CreateAssemblyNameObject+0x5cbb CompareAssemblyIdentity-0x6ff9 mscorwks+0x1eee13 @ 0x7fef1b8ee13
PreBindAssembly+0x79a91 LoadStringRC-0x2544f mscorwks+0x69bc51 @ 0x7fef203bc51
GetCLRFunction+0xccaf CreateApplicationContext-0xa211 mscorwks+0x117dc7 @ 0x7fef1ab7dc7
StrongNameErrorInfo-0x31f0 mscorwks+0xf4118 @ 0x7fef1a94118
GetAssemblyIdentityFromFile+0x195bd LegacyNGenFreeZapper-0x17af3 mscorwks+0x787e3d @ 0x7fef2127e3d
StrongNameErrorInfo-0x10ded mscorwks+0xe651b @ 0x7fef1a8651b
_CorExeMain+0xac GetCLRFunction-0x72b8 mscorwks+0x103e60 @ 0x7fef1aa3e60
_CorExeMain+0x49 CreateConfigStream-0x307 mscoreei+0x3309 @ 0x7fef4133309
_CorExeMain+0x69 ND_RU1-0x1707 mscoree+0x5b21 @ 0x7fef41c5b21
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x77a4652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x77b7c521

registers.r14: 0
registers.r9: 0
registers.rcx: 0
registers.rsi: 0
registers.r10: 8791502441720
registers.rbx: 0
registers.rdi: 0
registers.r11: 0
registers.r8: 0
registers.rdx: 8791502611800
registers.rbp: 0
registers.r15: 0
registers.r12: 0
registers.rsp: 4587152
registers.rax: 0
registers.r13: 0
exception.instruction_r: 49 8b 03 49 8b cb ff 50 40 48 89 45 20 b8 6f ef
exception.instruction: mov rax, qword ptr [r11]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7ff00192468
success 0 0
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (50 out of 116 个事件)
Time & API Arguments Status Return Repeated
1619345032.586988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x0000000000bd0000
success 0 0
1619345032.586988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000000d30000
success 0 0
1619345033.743988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef19e1000
success 0 0
1619345033.946988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c5e000
success 0 0
1619345033.961988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c5e000
success 0 0
1619345034.071988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c5f000
success 0 0
1619345034.071988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c5f000
success 0 0
1619345034.071988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c5f000
success 0 0
1619345034.071988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c5f000
success 0 0
1619345034.071988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c5f000
success 0 0
1619345034.071988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c5f000
success 0 0
1619345034.071988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c5f000
success 0 0
1619345034.071988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c5f000
success 0 0
1619345034.071988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c60000
success 0 0
1619345034.071988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c60000
success 0 0
1619345034.071988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c60000
success 0 0
1619345034.071988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c60000
success 0 0
1619345034.071988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c60000
success 0 0
1619345034.071988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c61000
success 0 0
1619345034.071988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c61000
success 0 0
1619345034.071988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c61000
success 0 0
1619345034.071988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c61000
success 0 0
1619345034.071988
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c5e000
success 0 0
1619345034.477988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00022000
success 0 0
1619345034.555988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x000007fffff10000
success 0 0
1619345034.555988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007fffff10000
success 0 0
1619345034.555988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007fffff10000
success 0 0
1619345034.555988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x000007fffff00000
success 0 0
1619345034.555988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007fffff00000
success 0 0
1619345034.571988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000da000
success 0 0
1619345034.586988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00012000
success 0 0
1619345034.774988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00023000
success 0 0
1619345034.805988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000ea000
success 0 0
1619345034.805988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00112000
success 0 0
1619345034.805988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000ed000
success 0 0
1619345035.430988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00024000
success 0 0
1619345035.430988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00026000
success 0 0
1619345035.493988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00027000
success 0 0
1619345035.493988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0002c000
success 0 0
1619345035.680988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00160000
success 0 0
1619345035.868988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000d2000
success 0 0
1619345036.430988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000db000
success 0 0
1619345036.461988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00028000
success 0 0
1619345036.836988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000d3000
success 0 0
1619345036.914988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00161000
success 0 0
1619345069.946988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00029000
success 0 0
1619345069.977988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00162000
success 0 0
1619345070.055988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00163000
success 0 0
1619345070.289988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0016b000
success 0 0
1619345070.305988
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00013000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.489737571005762 section {'size_of_data': '0x00088c00', 'virtual_address': '0x00002000', 'entropy': 7.489737571005762, 'name': '.text', 'virtual_size': '0x00088bbc'} description A section with a high entropy has been found
entropy 0.9972652689152234 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619345084.868988
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 个事件)
MicroWorld-eScan Trojan.GenericKD.43452226
FireEye Trojan.GenericKD.43452226
CAT-QuickHeal Trojan.IGENERIC
McAfee Fareit-FWR!36B646875A39
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2185319
Sangfor Malware
K7AntiVirus Trojan ( 0056a3691 )
Alibaba TrojanPSW:MSIL/Formbook.78cc3aa4
K7GW Trojan ( 0056a3691 )
Arcabit Trojan.Generic.D2970742
TrendMicro TROJ_GEN.R06BC0DG820
Cyren W64/Agent.BVW.gen!Eldorado
Symantec Trojan.Gen.MBT
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.43452226
NANO-Antivirus Trojan.Win64.Agensla.hnbrdt
AegisLab Trojan.MSIL.Agensla.i!c
Avast Win64:RATX-gen [Trj]
Ad-Aware Trojan.GenericKD.43452226
Emsisoft Trojan.GenericKD.43452226 (B)
Comodo Malware@#2co9bzv1m28ae
F-Secure Trojan.TR/AD.AgentTesla.fkvpu
DrWeb Trojan.InjectNET.14
VIPRE Trojan.Win32.Generic!BT
Sophos Mal/Generic-S
F-Prot W64/Agent.BVW.gen!Eldorado
Avira TR/AD.AgentTesla.fkvpu
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Microsoft Trojan:MSIL/Formbook.VN!MTB
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKD.43452226
AhnLab-V3 Trojan/Win32.Kryptik.R343383
ALYac Trojan.GenericKD.43452226
MAX malware (ai score=80)
VBA32 TrojanPSW.MSIL.Agensla
Malwarebytes Spyware.PasswordStealer
ESET-NOD32 a variant of MSIL/Kryptik.WTF
TrendMicro-HouseCall TROJ_GEN.R06BC0DG820
Tencent Msil.Trojan-qqpass.Qqrob.Llhm
Ikarus Trojan-Spy.Win64.Agent
eGambit Unsafe.AI_Score_95%
Fortinet MSIL/GenKryptik.ENTQ!tr
AVG Win64:RATX-gen [Trj]
Panda Trj/CI.A
CrowdStrike win/malicious_confidence_60% (W)
Qihoo-360 Generic/Trojan.PSW.374
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-07-07 12:39:54

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58370 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.