8.8
Critical

d0d8ca50b3046b2c5a6a992a4a4308e449e897446dcfefef9d0c4640538f9965

3984fc6f08dc5b53f6b564e6c2fdbf16.exe

Analysis duration

73s

Last analysis

File size

1.0MB
Static detection | Dynamic detection | Tags: ACCG AI SCORE=80 ANGMY ATRAPS ATTRIBUTE BADCERT CLASSIC CRYPTINJECT DANGEROUSSIG GENCIRC GENERICKD GENERICRXLV HIGH CONFIDENCE HIGHCONFIDENCE HSWVNI MALCERT MALWARE@#1R08HU4DJKP4H UNSAFE
Eagle Eye engine
Not detected: no Eagle Eye engine detection results are available.
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
McAfee | GenericRXLV-VX!3984FC6F08DC | 20201023 | 6.0.6.653
Alibaba | Trojan:Win32/DangerousSig.e7377b66 | 20190527 | 0.3.0.5
CrowdStrike | | 20190702 | 1.0
Baidu | | 20190318 | 1.0.0.2
Avast | Win32:DangerousSig [Trj] | 20201023 | 18.4.3895.0
Tencent | Malware.Win32.Gencirc.11af4b9a | 20201023 | 1.0.0.1
Kingsoft | | 20201023 | 2013.8.14.323
Static indicators
Command line console output was observed (50 out of 141 events)
Time & API | Arguments | Status | Return | Repeated
1619345038.38885 WriteConsoleA | buffer: F, console_handle: 0x00000007 | success | 1 | 0
1619345038.38885 WriteConsoleA | buffer: i, console_handle: 0x00000007 | success | 1 | 0
1619345038.38885 WriteConsoleA | buffer: l, console_handle: 0x00000007 | success | 1 | 0
1619345038.38885 WriteConsoleA | buffer: e, console_handle: 0x00000007 | success | 1 | 0
1619345038.38885 WriteConsoleA | buffer: n, console_handle: 0x00000007 | success | 1 | 0
1619345038.38885 WriteConsoleA | buffer: a, console_handle: 0x00000007 | success | 1 | 0
1619345038.38885 WriteConsoleA | buffer: m, console_handle: 0x00000007 | success | 1 | 0
1619345038.38885 WriteConsoleA | buffer: e, console_handle: 0x00000007 | success | 1 | 0
1619345038.38885 WriteConsoleA | buffer: s, console_handle: 0x00000007 | success | 1 | 0
1619345038.38885 WriteConsoleA | buffer: u, console_handle: 0x00000007 | success | 1 | 0
1619345038.40385 WriteConsoleA | buffer: c, console_handle: 0x00000007 | success | 1 | 0
1619345038.40385 WriteConsoleA | buffer: c, console_handle: 0x00000007 | success | 1 | 0
1619345038.40385 WriteConsoleA | buffer: e, console_handle: 0x00000007 | success | 1 | 0
1619345038.41985 WriteConsoleA | buffer: s, console_handle: 0x00000007 | success | 1 | 0
1619345038.41985 WriteConsoleA | buffer: s, console_handle: 0x00000007 | success | 1 | 0
1619345038.41985 WriteConsoleA | buffer: C, console_handle: 0x00000007 | success | 1 | 0
1619345038.41985 WriteConsoleA | buffer: U, console_handle: 0x00000007 | success | 1 | 0
1619345038.41985 WriteConsoleA | buffer: s, console_handle: 0x00000007 | success | 1 | 0
1619345038.41985 WriteConsoleA | buffer: e, console_handle: 0x00000007 | success | 1 | 0
1619345038.41985 WriteConsoleA | buffer: r, console_handle: 0x00000007 | success | 1 | 0
1619345038.41985 WriteConsoleA | buffer: s, console_handle: 0x00000007 | success | 1 | 0
1619345038.43585 WriteConsoleA | buffer: A, console_handle: 0x00000007 | success | 1 | 0
1619345038.43585 WriteConsoleA | buffer: d, console_handle: 0x00000007 | success | 1 | 0
1619345038.43585 WriteConsoleA | buffer: m, console_handle: 0x00000007 | success | 1 | 0
1619345038.43585 WriteConsoleA | buffer: i, console_handle: 0x00000007 | success | 1 | 0
1619345038.43585 WriteConsoleA | buffer: n, console_handle: 0x00000007 | success | 1 | 0
1619345038.43585 WriteConsoleA | buffer: i, console_handle: 0x00000007 | success | 1 | 0
1619345038.43585 WriteConsoleA | buffer: s, console_handle: 0x00000007 | success | 1 | 0
1619345038.45085 WriteConsoleA | buffer: t, console_handle: 0x00000007 | success | 1 | 0
1619345038.45085 WriteConsoleA | buffer: r, console_handle: 0x00000007 | success | 1 | 0
1619345038.45085 WriteConsoleA | buffer: a, console_handle: 0x00000007 | success | 1 | 0
1619345038.45085 WriteConsoleA | buffer: t, console_handle: 0x00000007 | success | 1 | 0
1619345038.45085 WriteConsoleA | buffer: o, console_handle: 0x00000007 | success | 1 | 0
1619345038.45085 WriteConsoleA | buffer: r, console_handle: 0x00000007 | success | 1 | 0
1619345038.45085 WriteConsoleA | buffer: O, console_handle: 0x00000007 | success | 1 | 0
1619345038.45085 WriteConsoleA | buffer: s, console_handle: 0x00000007 | success | 1 | 0
1619345038.46685 WriteConsoleA | buffer: k, console_handle: 0x00000007 | success | 1 | 0
1619345038.46685 WriteConsoleA | buffer: a, console_handle: 0x00000007 | success | 1 | 0
1619345038.46685 WriteConsoleA | buffer: r, console_handle: 0x00000007 | success | 1 | 0
1619345038.46685 WriteConsoleA | buffer: P, console_handle: 0x00000007 | success | 1 | 0
1619345038.46685 WriteConsoleA | buffer: C, console_handle: 0x00000007 | success | 1 | 0
1619345038.48285 WriteConsoleA | buffer: A, console_handle: 0x00000007 | success | 1 | 0
1619345038.48285 WriteConsoleA | buffer: p, console_handle: 0x00000007 | success | 1 | 0
1619345038.48285 WriteConsoleA | buffer: p, console_handle: 0x00000007 | success | 1 | 0
1619345038.48285 WriteConsoleA | buffer: D, console_handle: 0x00000007 | success | 1 | 0
1619345038.48285 WriteConsoleA | buffer: a, console_handle: 0x00000007 | success | 1 | 0
1619345038.48285 WriteConsoleA | buffer: t, console_handle: 0x00000007 | success | 1 | 0
1619345038.48285 WriteConsoleA | buffer: a, console_handle: 0x00000007 | success | 1 | 0
1619345038.48285 WriteConsoleA | buffer: L, console_handle: 0x00000007 | success | 1 | 0
1619345038.48285 WriteConsoleA | buffer: o, console_handle: 0x00000007 | success | 1 | 0
This executable is signed
Behavioural verdict
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (2 events)
Time & API Arguments Status Return Repeated
1619345045.77885
NtAllocateVirtualMemory
process_identifier: 2824
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619345051.88885
NtAllocateVirtualMemory
process_identifier: 0
region_size: 65537
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225480 0
Manipulates memory of a non-child process indicative of process injection (3 events)
Process injection Process 324 manipulating memory of non-child process 0
Time & API Arguments Status Return Repeated
1619345051.88885
NtUnmapViewOfSection
process_identifier: 0
region_size: 0
process_handle: 0x00000000
base_address: 0x00400000
failed 3221225480 0
1619345051.88885
NtAllocateVirtualMemory
process_identifier: 0
region_size: 65537
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225480 0
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619345045.77885
WriteProcessMemory
process_identifier: 2824
buffer: MZÿÿ¸@ິ Í!¸LÍ!This program cannot be run in DOS mode. $ÂN ²†/dá†/dá†/dáéYÏá‘/dáéYúáˆ/dáéYÎáÒ/dáW÷áƒ/dá†/eáÍ/dáéYËá‡/dáéYùá‡/dáRich†/dáPELu iWà  l@z€@Bá@d<à´ðìPؙ@ D€.textpl `.rdata0€$p@@.data0°”@À.rsrcà¢@@.relocœ ð ¤@B+ž$X MY+}J¹Y8USER32.dllKERNEL32.dllNTDLL.DLL
process_handle: 0x000003c0
base_address: 0x00400000
success 1 0
1619345047.77885
WriteProcessMemory
process_identifier: 2824
buffer: Næ@»±¿D`Ë@`Ë@„@t@        ! 5A CPR S WY l m pr €  ‚ ƒ„ ‘)ž ¡¤ § ·Î×  ÿÿÿÿ€ ÿÿÿÿÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZxµ@¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þþÿÿÿC<@8@4@0@,@(@$@@@ @@ô@ì@à@܏@؏@ԏ@Џ@̏@ȏ@ď@À@¼@¸@´@°@¨@œ@”@Œ@̏@„@|@t@h@`@T@H@D@@@4@ @@  @@üŽ@ôŽ@ìŽ@äŽ@܎@̎@¼Ž@¬Ž@˜Ž@„Ž@tŽ@`Ž@XŽ@PŽ@HŽ@@Ž@8Ž@0Ž@(Ž@ Ž@Ž@Ž@Ž@Ž@ð@܍@Ѝ@č@8Ž@¸@¬@œ@ˆ@x@d@P@H@@@,@@ðŒ@œº@œº@œº@œº@œº@½@’@ –@ ˜@ º@¼@Èm@Èm@Èm@Èm@Èm@Èm@Èm@Èm@Èm@Èm@..½@$Ê@$Ê@$Ê@$Ê@$Ê@$Ê@$Ê@$Ê@$Ê@½@(Ê@(Ê@(Ê@(Ê@(Ê@(Ê@(Ê@½@’@”@ “”@þÿÿÿ.
process_handle: 0x000003c0
base_address: 0x0040b000
success 1 0
1619345047.77885
WriteProcessMemory
process_identifier: 2824
buffer: €0€ HXàZä<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel> </requestedPrivileges> </security> </trustInfo> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
process_handle: 0x000003c0
base_address: 0x0040e000
success 1 0
1619345047.77885
WriteProcessMemory
process_identifier: 2824
buffer: Ì0000&060Û0æ0÷01)161B1N1T1f1n1y1À1Å1Ï1 22222–2œ2¢2¨2®2µ2¼2Ã2Ê2Ñ2Ø2ß2ç2ï2÷23 333!3*353A3F3V3[3a3g3}3„3‹3‘3«3º3Ç3Ó3ã3ê3ù34464H4V4k4u4›4Î4Ý4æ4 595{5596A6V6a6I7á7ÿ7%8…8”8¯8ý;í<8>{>§>È> ¸¨0É2Í2Ñ2Õ2Ù2Ý2á2å2ò23ä3î3û394@4M4S44¬4Ï4â45.5‚5\6d6|6—6î6B7H7U7[7d7k778 88(8-8?8I8N8j8t8Š8•8¯8º8Â8Ò8Ø8é8"9,9R9Y9s9z9¥9G:Z:l:³:Ë:Õ:ð:ø:þ: ;@;M;b;“;°;ü;*<”=£=Û=å=&>1>;>L>W>0\0(00060;0A0­0³0Ï0÷0C1O1i11•1¿12 2 2g2q2œ2´2Ò2ö2&383f3‰33£3¨3É3Î3ï3ö34444#4)424>4D4L4R4^4d4q4{44‹4­4Â4è4(5.5X5^5d5z5’5¸526U6_6—6Ÿ6è6î67 7777$7+71797@7E7M7V7b7g7l7r7v7|77‡7Œ7›7±7·7¿7Ä7Ì7Ñ7Ù7Þ7å7ô7ù7ÿ78(8.8F8j8v8†8©8¶8Â8Ê8Ò8Þ8999:9C9O9†99›9Ô9Ý9é9::):<:]:f::š:Ÿ:­:ˆ;«;¶;Ù;(<o<v<€<’<©<·<½<à<ç<===#=6=Z=š=î=>7>Z>ó>0?G?@”·0È0111'101:1n1y1ƒ1œ1¦1¹1Ý12I2\2Ì2é223¡3À354A4T4f44‰4‘4¨4Á4Ý4æ4ì4õ4ú4 505Y5j5~5Ê56a6µ6x7¦7888I8‚8²9¹9: :&:Õ;ó;P=Å=Ñ=Ü>¨?­?¿?Ý?ñ?÷?P¸_0–0œ0¡0¯0´0¹0¾0Î0ý01 1R1W1‘1–11¢1©1®1¼12&2,2´2Ã2Ò2ß2å2 333‰3Ž3—3¦3É3Î3Ó3ê3C4f4q4w4‡4Œ44¥4«4µ4»4Å4Ë4Õ4Þ4é4î4÷45 5G5a5{5}7„7Š78°8¶8Å8B9H9R9À9Æ9Ò9 :!:¢:$;ƒ;&<F<6=_=¸=&?`x0Ð011X1w12F2n2è2323h3r3ç304É4™5666Ï6º:Ì:Þ:ð:;(;:;L;^;p;‚;”;¦;¸;Ê;Ü;î;<T<a<z<˜<Ô<ü<†=>”>¬>??•?¯?¸?ê?p¨:0l0„0‹0“0˜0œ0 0É0ï0 1111 1$1(1,101z1€1„1ˆ1Œ1ò1ý122$2(2,2M2w2©2°2´2¸2¼2À2Ä2È2Ì233 3$3(3˜3ž3»3ø344C4u44=5J5i566î67797Œ7´7Í7é78C8N8|8Š8Î9Ô9Ù9ß9ð9Æ;€H111 1$10141l1p1œ:¤:¬:´:¼:Ä:Ì:Ô:Ü:ä:ì:ô:ü:; ;;;$;,;4;<;D;D::È:ä:è:;(;4;P;\;x;˜;¤;À;à;< <<<@<\<`<€< <À<à<= =@=`=°002”2 9 :¤:¨:¬:°:´:¸:¼:À:Ä:È:Ì:Ð:Ô:Ø:Ü:à:ä:è:ì:ð:ô:ø:ü:;;; ;;;;; ;$;(;,;0;4;8;<;@;D;H;X;\;`;d;h;l;p;t;x;|;€;„;ˆ;Œ;;”;˜;œ; ;¤;¨;¬;°;´;¸;¼;À;Ä;È;Ì;Ð;Ô;Ø;Ü;à;ä;è;ì;ð;ô;ø;ü;<`<p<€<< <Ä<Ð<Ô<Ø<Ü<à<ä<è<ì<ð<ô<ø<ü<===== =$=(=,=0=4=8=<=H=L=P=T=X=\=`=d=h=l=p= =
process_handle: 0x000003c0
base_address: 0x0040f000
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619345045.77885
WriteProcessMemory
process_identifier: 2824
buffer: MZÿÿ¸@ິ Í!¸LÍ!This program cannot be run in DOS mode. $ÂN ²†/dá†/dá†/dáéYÏá‘/dáéYúáˆ/dáéYÎáÒ/dáW÷áƒ/dá†/eáÍ/dáéYËá‡/dáéYùá‡/dáRich†/dáPELu iWà  l@z€@Bá@d<à´ðìPؙ@ D€.textpl `.rdata0€$p@@.data0°”@À.rsrcà¢@@.relocœ ð ¤@B+ž$X MY+}J¹Y8USER32.dllKERNEL32.dllNTDLL.DLL
process_handle: 0x000003c0
base_address: 0x00400000
success 1 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619345040.62285
RegSetValueExA
key_handle: 0x000003a4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619345040.62285
RegSetValueExA
key_handle: 0x000003a4
value: ÍúŽÉ9×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619345040.62285
RegSetValueExA
key_handle: 0x000003a4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619345040.62285
RegSetValueExW
key_handle: 0x000003a4
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619345040.62285
RegSetValueExA
key_handle: 0x000003c0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619345040.62285
RegSetValueExA
key_handle: 0x000003c0
value: ÍúŽÉ9×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619345040.62285
RegSetValueExA
key_handle: 0x000003c0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619345040.65385
RegSetValueExW
key_handle: 0x000003a0
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Network activity contains more than one unique useragent (2 events)
process 3984fc6f08dc5b53f6b564e6c2fdbf16.exe useragent
process 3984fc6f08dc5b53f6b564e6c2fdbf16.exe useragent Internal
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)
Process injection Process 324 called NtSetContextThread to modify thread in remote process 0
Process injection Process 324 called NtSetContextThread to modify thread in remote process 2824
Time & API Arguments Status Return Repeated
1619345049.87285
NtSetContextThread
thread_handle: 0x00000000
registers.eip: 2010382788
registers.esp: 2686960
registers.edi: 0
registers.eax: 4199034
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 0
failed 3221225480 0
1619345051.88885
NtSetContextThread
thread_handle: 0x000003a4
registers.eip: 2010382788
registers.esp: 2686960
registers.edi: 0
registers.eax: 4199034
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2824
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 324 resumed a thread in remote process 2824
Time & API Arguments Status Return Repeated
1619345056.15385
NtResumeThread
thread_handle: 0x000003a4
suspend_count: 1
process_identifier: 2824
success 0 0
Executed a process and injected code into it, probably while unpacking (16 events)
Time & API Arguments Status Return Repeated
1619345043.73285
CreateProcessInternalW
thread_identifier: 1704
thread_handle: 0x000003a4
process_identifier: 2824
current_directory:
filepath:
track: 1
command_line: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3984fc6f08dc5b53f6b564e6c2fdbf16.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000003c0
inherit_handles: 0
success 1 0
1619345045.77885
NtUnmapViewOfSection
process_identifier: 2824
region_size: 4096
process_handle: 0x000003c0
base_address: 0x00400000
success 0 0
1619345045.77885
NtAllocateVirtualMemory
process_identifier: 2824
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619345045.77885
WriteProcessMemory
process_identifier: 2824
buffer: MZÿÿ¸@ິ Í!¸LÍ!This program cannot be run in DOS mode. $ÂN ²†/dá†/dá†/dáéYÏá‘/dáéYúáˆ/dáéYÎáÒ/dáW÷áƒ/dá†/eáÍ/dáéYËá‡/dáéYùá‡/dáRich†/dáPELu iWà  l@z€@Bá@d<à´ðìPؙ@ D€.textpl `.rdata0€$p@@.data0°”@À.rsrcà¢@@.relocœ ð ¤@B+ž$X MY+}J¹Y8USER32.dllKERNEL32.dllNTDLL.DLL
process_handle: 0x000003c0
base_address: 0x00400000
success 1 0
1619345047.77885
WriteProcessMemory
process_identifier: 2824
buffer:
process_handle: 0x000003c0
base_address: 0x00401000
success 1 0
1619345047.77885
WriteProcessMemory
process_identifier: 2824
buffer:
process_handle: 0x000003c0
base_address: 0x00408000
success 1 0
1619345047.77885
WriteProcessMemory
process_identifier: 2824
buffer: Næ@»±¿D`Ë@`Ë@„@t@        ! 5A CPR S WY l m pr €  ‚ ƒ„ ‘)ž ¡¤ § ·Î×  ÿÿÿÿ€ ÿÿÿÿÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZxµ@¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þþÿÿÿC<@8@4@0@,@(@$@@@ @@ô@ì@à@܏@؏@ԏ@Џ@̏@ȏ@ď@À@¼@¸@´@°@¨@œ@”@Œ@̏@„@|@t@h@`@T@H@D@@@4@ @@  @@üŽ@ôŽ@ìŽ@äŽ@܎@̎@¼Ž@¬Ž@˜Ž@„Ž@tŽ@`Ž@XŽ@PŽ@HŽ@@Ž@8Ž@0Ž@(Ž@ Ž@Ž@Ž@Ž@Ž@ð@܍@Ѝ@č@8Ž@¸@¬@œ@ˆ@x@d@P@H@@@,@@ðŒ@œº@œº@œº@œº@œº@½@’@ –@ ˜@ º@¼@Èm@Èm@Èm@Èm@Èm@Èm@Èm@Èm@Èm@Èm@..½@$Ê@$Ê@$Ê@$Ê@$Ê@$Ê@$Ê@$Ê@$Ê@½@(Ê@(Ê@(Ê@(Ê@(Ê@(Ê@(Ê@½@’@”@ “”@þÿÿÿ.
process_handle: 0x000003c0
base_address: 0x0040b000
success 1 0
1619345047.77885
WriteProcessMemory
process_identifier: 2824
buffer: €0€ HXàZä<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel> </requestedPrivileges> </security> </trustInfo> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
process_handle: 0x000003c0
base_address: 0x0040e000
success 1 0
1619345047.77885
WriteProcessMemory
process_identifier: 2824
buffer: Ì0000&060Û0æ0÷01)161B1N1T1f1n1y1À1Å1Ï1 22222–2œ2¢2¨2®2µ2¼2Ã2Ê2Ñ2Ø2ß2ç2ï2÷23 333!3*353A3F3V3[3a3g3}3„3‹3‘3«3º3Ç3Ó3ã3ê3ù34464H4V4k4u4›4Î4Ý4æ4 595{5596A6V6a6I7á7ÿ7%8…8”8¯8ý;í<8>{>§>È> ¸¨0É2Í2Ñ2Õ2Ù2Ý2á2å2ò23ä3î3û394@4M4S44¬4Ï4â45.5‚5\6d6|6—6î6B7H7U7[7d7k778 88(8-8?8I8N8j8t8Š8•8¯8º8Â8Ò8Ø8é8"9,9R9Y9s9z9¥9G:Z:l:³:Ë:Õ:ð:ø:þ: ;@;M;b;“;°;ü;*<”=£=Û=å=&>1>;>L>W>0\0(00060;0A0­0³0Ï0÷0C1O1i11•1¿12 2 2g2q2œ2´2Ò2ö2&383f3‰33£3¨3É3Î3ï3ö34444#4)424>4D4L4R4^4d4q4{44‹4­4Â4è4(5.5X5^5d5z5’5¸526U6_6—6Ÿ6è6î67 7777$7+71797@7E7M7V7b7g7l7r7v7|77‡7Œ7›7±7·7¿7Ä7Ì7Ñ7Ù7Þ7å7ô7ù7ÿ78(8.8F8j8v8†8©8¶8Â8Ê8Ò8Þ8999:9C9O9†99›9Ô9Ý9é9::):<:]:f::š:Ÿ:­:ˆ;«;¶;Ù;(<o<v<€<’<©<·<½<à<ç<===#=6=Z=š=î=>7>Z>ó>0?G?@”·0È0111'101:1n1y1ƒ1œ1¦1¹1Ý12I2\2Ì2é223¡3À354A4T4f44‰4‘4¨4Á4Ý4æ4ì4õ4ú4 505Y5j5~5Ê56a6µ6x7¦7888I8‚8²9¹9: :&:Õ;ó;P=Å=Ñ=Ü>¨?­?¿?Ý?ñ?÷?P¸_0–0œ0¡0¯0´0¹0¾0Î0ý01 1R1W1‘1–11¢1©1®1¼12&2,2´2Ã2Ò2ß2å2 333‰3Ž3—3¦3É3Î3Ó3ê3C4f4q4w4‡4Œ44¥4«4µ4»4Å4Ë4Õ4Þ4é4î4÷45 5G5a5{5}7„7Š78°8¶8Å8B9H9R9À9Æ9Ò9 :!:¢:$;ƒ;&<F<6=_=¸=&?`x0Ð011X1w12F2n2è2323h3r3ç304É4™5666Ï6º:Ì:Þ:ð:;(;:;L;^;p;‚;”;¦;¸;Ê;Ü;î;<T<a<z<˜<Ô<ü<†=>”>¬>??•?¯?¸?ê?p¨:0l0„0‹0“0˜0œ0 0É0ï0 1111 1$1(1,101z1€1„1ˆ1Œ1ò1ý122$2(2,2M2w2©2°2´2¸2¼2À2Ä2È2Ì233 3$3(3˜3ž3»3ø344C4u44=5J5i566î67797Œ7´7Í7é78C8N8|8Š8Î9Ô9Ù9ß9ð9Æ;€H111 1$10141l1p1œ:¤:¬:´:¼:Ä:Ì:Ô:Ü:ä:ì:ô:ü:; ;;;$;,;4;<;D;D::È:ä:è:;(;4;P;\;x;˜;¤;À;à;< <<<@<\<`<€< <À<à<= =@=`=°002”2 9 :¤:¨:¬:°:´:¸:¼:À:Ä:È:Ì:Ð:Ô:Ø:Ü:à:ä:è:ì:ð:ô:ø:ü:;;; ;;;;; ;$;(;,;0;4;8;<;@;D;H;X;\;`;d;h;l;p;t;x;|;€;„;ˆ;Œ;;”;˜;œ; ;¤;¨;¬;°;´;¸;¼;À;Ä;È;Ì;Ð;Ô;Ø;Ü;à;ä;è;ì;ð;ô;ø;ü;<`<p<€<< <Ä<Ð<Ô<Ø<Ü<à<ä<è<ì<ð<ô<ø<ü<===== =$=(=,=0=4=8=<=H=L=P=T=X=\=`=d=h=l=p= =
process_handle: 0x000003c0
base_address: 0x0040f000
success 1 0
1619345049.77885
NtGetContextThread
thread_handle: 0x000003a4
success 0 0
1619345049.87285
NtSetContextThread
thread_handle: 0x00000000
registers.eip: 2010382788
registers.esp: 2686960
registers.edi: 0
registers.eax: 4199034
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 0
failed 3221225480 0
1619345051.88885
WriteProcessMemory
process_identifier: 0
buffer:
process_handle: 0x00000000
base_address: 0x00400000
failed 0 0
1619345051.88885
NtUnmapViewOfSection
process_identifier: 0
region_size: 0
process_handle: 0x00000000
base_address: 0x00400000
failed 3221225480 0
1619345051.88885
NtAllocateVirtualMemory
process_identifier: 0
region_size: 65537
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225480 0
1619345051.88885
NtSetContextThread
thread_handle: 0x000003a4
registers.eip: 2010382788
registers.esp: 2686960
registers.edi: 0
registers.eax: 4199034
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2824
success 0 0
1619345056.15385
NtResumeThread
thread_handle: 0x000003a4
suspend_count: 1
process_identifier: 2824
success 0 0
File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43703591
FireEye Generic.mg.3984fc6f08dc5b53
McAfee GenericRXLV-VX!3984FC6F08DC
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 0056a4101 )
Alibaba Trojan:Win32/DangerousSig.e7377b66
K7GW Trojan ( 0056d1081 )
Arcabit Trojan.Generic.D29ADD27
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:DangerousSig [Trj]
Kaspersky Trojan.Win32.Inject.angmy
BitDefender Trojan.GenericKD.43703591
NANO-Antivirus Trojan.Win32.Inject.hswvni
Paloalto generic.ml
AegisLab Trojan.Win32.Inject.4!c
Tencent Malware.Win32.Gencirc.11af4b9a
Ad-Aware Trojan.GenericKD.43703591
Comodo Malware@#1r08hu4djkp4h
DrWeb BackDoor.Spy.3756
VIPRE Trojan.Win32.Generic!BT
Invincea Mal/BadCert-Gen
McAfee-GW-Edition GenericRXLV-VX!3984FC6F08DC
Sophos Mal/BadCert-Gen
Avira TR/ATRAPS.Gen
MAX malware (ai score=80)
Microsoft Trojan:Win32/CryptInject!ml
ZoneAlarm Trojan.Win32.Inject.angmy
GData Trojan.GenericKD.43703591
VBA32 Backdoor.Spy
ALYac Trojan.GenericKD.43703591
ESET-NOD32 a variant of Win32/Agent.ACCG.gen
Rising Trojan.MalCert!1.C7FD (CLASSIC)
Ikarus Trojan.Dropper
Fortinet W32/Agent.ACCG!tr
AVG Win32:DangerousSig [Trj]
Cybereason malicious.060aa9
Panda Trj/CI.A
Qihoo-360 Generic/Trojan.8dd
Visual analysis
Binary image
No binary image: no binary visualisation image was generated for this sample.
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran.

PE Compile Time

2020-08-21 17:56:42

Imports

Library ADVAPI32.DLL:
0x4fd2b8 RegCreateKeyExA
0x4fd2bc RegSetValueExA
Library KERNEL32.dll:
0x4fd2c4 CloseHandle
0x4fd2c8 CreateDirectoryA
0x4fd2cc CreateSemaphoreW
0x4fd2d8 ExitProcess
0x4fd2dc FindClose
0x4fd2e0 FindFirstFileA
0x4fd2e4 FindNextFileA
0x4fd2e8 FindResourceA
0x4fd2ec FormatMessageA
0x4fd2f0 FreeLibrary
0x4fd2f4 GetCPInfo
0x4fd2f8 GetCommandLineA
0x4fd2fc GetCurrentProcess
0x4fd300 GetCurrentThreadId
0x4fd304 GetFileSize
0x4fd308 GetLastError
0x4fd30c GetModuleFileNameA
0x4fd310 GetModuleHandleA
0x4fd314 GetProcAddress
0x4fd318 GetSystemDirectoryA
0x4fd324 InterlockedExchange
0x4fd330 LoadLibraryA
0x4fd334 LoadLibraryW
0x4fd338 LoadResource
0x4fd33c LocalFree
0x4fd340 LockResource
0x4fd344 MultiByteToWideChar
0x4fd348 OpenProcess
0x4fd34c Process32First
0x4fd350 Process32Next
0x4fd354 ReleaseSemaphore
0x4fd358 SetLastError
0x4fd360 SizeofResource
0x4fd364 Sleep
0x4fd368 TlsAlloc
0x4fd36c TlsFree
0x4fd370 TlsGetValue
0x4fd374 TlsSetValue
0x4fd378 VirtualProtect
0x4fd37c VirtualQuery
0x4fd380 WaitForSingleObject
0x4fd384 WideCharToMultiByte
0x4fd388 lstrcatA
0x4fd38c lstrcmpA
0x4fd390 lstrcpyA
0x4fd394 lstrlenA
Library msvcrt.dll:
0x4fd39c _fdopen
0x4fd3a0 _fstat
0x4fd3a4 _lseek
0x4fd3a8 _read
0x4fd3ac _strdup
0x4fd3b0 _stricoll
0x4fd3b4 _write
Library msvcrt.dll:
0x4fd3bc __getmainargs
0x4fd3c0 __mb_cur_max
0x4fd3c4 __p__environ
0x4fd3c8 __p__fmode
0x4fd3cc __set_app_type
0x4fd3d0 _cexit
0x4fd3d4 _errno
0x4fd3d8 _filbuf
0x4fd3dc _flsbuf
0x4fd3e0 _fpreset
0x4fd3e4 _fullpath
0x4fd3e8 _iob
0x4fd3ec _isctype
0x4fd3f0 _onexit
0x4fd3f4 _pctype
0x4fd3f8 _setmode
0x4fd3fc _wfopen
0x4fd400 abort
0x4fd404 atexit
0x4fd408 atoi
0x4fd40c btowc
0x4fd410 calloc
0x4fd414 fclose
0x4fd418 fflush
0x4fd41c fopen
0x4fd420 fputc
0x4fd424 fputs
0x4fd428 fread
0x4fd42c free
0x4fd430 fseek
0x4fd434 ftell
0x4fd438 fwrite
0x4fd43c getenv
0x4fd440 getwc
0x4fd444 iswctype
0x4fd448 localeconv
0x4fd44c malloc
0x4fd450 mbrtowc
0x4fd454 mbstowcs
0x4fd458 memchr
0x4fd45c memcmp
0x4fd460 memcpy
0x4fd464 memmove
0x4fd468 memset
0x4fd46c putwc
0x4fd470 realloc
0x4fd474 setlocale
0x4fd478 setvbuf
0x4fd47c signal
0x4fd480 sprintf
0x4fd484 strchr
0x4fd488 strcmp
0x4fd48c strcoll
0x4fd490 strerror
0x4fd494 strftime
0x4fd498 strlen
0x4fd49c strncmp
0x4fd4a0 strstr
0x4fd4a4 strtod
0x4fd4a8 strtoul
0x4fd4ac strxfrm
0x4fd4b0 tolower
0x4fd4b4 towlower
0x4fd4b8 towupper
0x4fd4bc ungetc
0x4fd4c0 ungetwc
0x4fd4c4 vfprintf
0x4fd4c8 wcscoll
0x4fd4cc wcsftime
0x4fd4d0 wcslen
0x4fd4d4 wcstombs
0x4fd4d8 wcsxfrm
0x4fd4dc wctob
Library WININET.DLL:
0x4fd4e8 InternetCloseHandle
0x4fd4ec InternetOpenA
0x4fd4f0 InternetOpenUrlA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51379 239.255.255.250 3702
192.168.56.101 51381 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62192 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.