2.8
中危
52 个模型检测该样本为恶意!
重新分析
更多

23cba12e54801ae7ac42c0ac1265e00b1fdf475ea316af361b647d1f7d35ad19

404307d1837f73b3d6d6f32a496c3789.exe

分析耗时

74s

最近分析

文件大小

815.0KB
静态报毒 动态报毒 100% AGENSLA AI SCORE=87 AIDETECTVM ATTRIBUTE BAUE BTFI4Z CLASSIC CLDS CONFIDENCE DLQZ FAREIT GENCIRC GENERICRXKL HACKTOOL HIGH CONFIDENCE HIGHCONFIDENCE HJXZHJ IGENT JMKM MALICIOUS PE MALWARE1 MALWARE@#3DH3Z7O6DG9L6 OCCAMY R066C0PIK20 R336699 S + TROJ SCORE STATIC AI SYMMI TROJANPSW WACATAC YM3@AWI5@AAI ZEVBAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba TrojanPSW:MSIL/Agensla.035947e2 20190527 0.3.0.5
Avast Win32:Trojan-gen 20201228 21.1.5827.0
Baidu 20190318 1.0.0.2
McAfee GenericRXKL-QO!404307D1837F 20201228 6.0.6.653
Tencent Malware.Win32.Gencirc.11650640 20201228 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1620726217.628081
__exception__
stacktrace: 
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

registers.esp: 1636116
registers.edi: 6190744
registers.eax: 1636116
registers.ebp: 1636196
registers.edx: 0
registers.ebx: 6190744
registers.esi: 6190744
registers.ecx: 2
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
行为判定
动态指标
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)
Time & API Arguments Status Return Repeated
1620726216.644081
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x003d0000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.314215050244024 section {'size_of_data': '0x0007c000', 'virtual_address': '0x00001000', 'entropy': 7.314215050244024, 'name': '.text', 'virtual_size': '0x0007b8fc'} description A section with a high entropy has been found
entropy 0.9465648854961832 description Overall entropy of this PE file is high
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 个事件)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Symmi.58752
FireEye Generic.mg.404307d1837f73b3
ALYac Gen:Variant.Symmi.58752
Malwarebytes Trojan.Injector
Zillya Trojan.Injector.Win32.803427
K7AntiVirus Trojan ( 00506a131 )
Alibaba TrojanPSW:MSIL/Agensla.035947e2
K7GW Trojan ( 00506a131 )
Cybereason malicious.1837f7
Arcabit Trojan.Symmi.DE580
BitDefenderTheta Gen:NN.ZevbaF.34700.Ym3@aWi5@Aai
Cyren W32/Trojan.JMKM-2978
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.DLQZ
APEX Malicious
Avast Win32:Trojan-gen
Kaspersky Trojan-PSW.MSIL.Agensla.qhg
BitDefender Gen:Variant.Symmi.58752
NANO-Antivirus Trojan.Win32.Mlw.hjxzhj
Rising HackTool.VBInject!1.6481 (CLASSIC)
Ad-Aware Gen:Variant.Symmi.58752
Emsisoft Gen:Variant.Symmi.58752 (B)
Comodo Malware@#3dh3z7o6dg9l6
F-Secure Trojan.TR/Dropper.Gen
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R066C0PIK20
McAfee-GW-Edition GenericRXKL-QO!404307D1837F
Sophos Mal/Generic-S + Troj/Inject-FWI
Paloalto generic.ml
Jiangmin Trojan.PSW.MSIL.baue
Webroot W32.Malware.Gen
Avira TR/Dropper.Gen
MAX malware (ai score=87)
Antiy-AVL Trojan/Win32.Wacatac
Microsoft Trojan:Win32/Occamy.C23
ZoneAlarm Trojan-PSW.MSIL.Agensla.qhg
GData Gen:Variant.Symmi.58752
Cynet Malicious (score: 85)
AhnLab-V3 Trojan/Win32.Fareit.R336699
McAfee GenericRXKL-QO!404307D1837F
VBA32 Malware-Cryptor.VB.gen.1
TrendMicro-HouseCall TROJ_GEN.R066C0PIK20
Tencent Malware.Win32.Gencirc.11650640
Yandex Trojan.Igent.bTFI4Z.9
SentinelOne Static AI - Malicious PE
Fortinet W32/Injector.CLDS!tr
AVG Win32:Trojan-gen
Panda Trj/CI.A
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-05-04 14:44:55

Imports

Library MSVBVM60.DLL:
0x401000 __vbaStrI2
0x401004 _CIcos
0x401008 _adj_fptan
0x40100c __vbaStrI4
0x401010 __vbaVarMove
0x401014 __vbaAryMove
0x401018 __vbaFreeVar
0x40101c __vbaLenBstr
0x401020 __vbaStrVarMove
0x401024 __vbaLateIdCall
0x401028 __vbaEnd
0x40102c __vbaFreeVarList
0x401030 _adj_fdiv_m64
0x401034 __vbaFreeObjList
0x401038
0x40103c _adj_fprem1
0x401040 __vbaRecAnsiToUni
0x401044 __vbaVarCmpNe
0x401048 __vbaStrCat
0x40104c __vbaLsetFixstr
0x401050 __vbaSetSystemError
0x401054 __vbaNameFile
0x40105c __vbaLenVar
0x401060 _adj_fdiv_m32
0x401064
0x401068
0x40106c __vbaAryDestruct
0x401070 __vbaVarPow
0x401074 __vbaVarForInit
0x401078 __vbaExitProc
0x40107c
0x401080 __vbaOnError
0x401084 __vbaObjSet
0x401088 _adj_fdiv_m16i
0x40108c __vbaObjSetAddref
0x401090 _adj_fdivr_m16i
0x401094
0x401098
0x40109c __vbaBoolVar
0x4010a0
0x4010a4 __vbaBoolVarNull
0x4010a8 _CIsin
0x4010ac
0x4010b0
0x4010b4
0x4010b8 __vbaChkstk
0x4010bc __vbaFileClose
0x4010c0 EVENT_SINK_AddRef
0x4010c8 __vbaGet3
0x4010cc __vbaStrCmp
0x4010d0 __vbaAryConstruct2
0x4010d4 __vbaVarTstEq
0x4010d8 __vbaObjVar
0x4010dc __vbaI2I4
0x4010e0 DllFunctionCall
0x4010e4 __vbaVarLateMemSt
0x4010e8 __vbaRedimPreserve
0x4010ec __vbaLbound
0x4010f0 _adj_fpatan
0x4010f4 __vbaLateIdCallLd
0x4010f8 __vbaRedim
0x4010fc __vbaRecUniToAnsi
0x401100 EVENT_SINK_Release
0x401104 __vbaNew
0x401108 __vbaUI1I2
0x40110c _CIsqrt
0x401110
0x401114 __vbaVarAnd
0x401118 __vbaLateIdCallSt
0x401120 __vbaVarMul
0x401124 __vbaExceptHandler
0x401128
0x40112c __vbaStrToUnicode
0x401130
0x401134
0x401138 _adj_fprem
0x40113c _adj_fdivr_m64
0x401140 __vbaI2Str
0x401144
0x401148
0x40114c
0x401150 __vbaFPException
0x401154
0x401158 __vbaUbound
0x40115c __vbaStrVarVal
0x401160 __vbaVarCat
0x401164 __vbaI2Var
0x401168
0x40116c
0x401170 _CIlog
0x401174 __vbaErrorOverflow
0x401178 __vbaFileOpen
0x40117c __vbaR8Str
0x401180 __vbaVar2Vec
0x401184 __vbaInStr
0x401188 __vbaNew2
0x40118c _adj_fdiv_m32i
0x401190 _adj_fdivr_m32i
0x401194 __vbaVarSetObj
0x401198 __vbaStrCopy
0x40119c
0x4011a0 __vbaI4Str
0x4011a4 __vbaVarNot
0x4011a8 __vbaFreeStrList
0x4011ac
0x4011b0 _adj_fdivr_m32
0x4011b4 _adj_fdiv_r
0x4011b8
0x4011bc
0x4011c0 __vbaVarTstNe
0x4011c4 __vbaVarSetVar
0x4011c8 __vbaI4Var
0x4011cc __vbaVarCmpEq
0x4011d0 __vbaLateMemCall
0x4011d4 __vbaAryLock
0x4011d8 __vbaVarAdd
0x4011dc __vbaStrToAnsi
0x4011e0 __vbaVarDup
0x4011e4 __vbaFpI4
0x4011e8
0x4011ec __vbaVarCopy
0x4011f0 __vbaLateMemCallLd
0x4011f4
0x4011f8 _CIatan
0x4011fc __vbaCastObj
0x401200 __vbaStrMove
0x401204 _allmul
0x401208 __vbaLateIdSt
0x40120c _CItan
0x401210 __vbaAryUnlock
0x401214 __vbaVarForNext
0x401218 _CIexp
0x40121c __vbaFreeStr
0x401220 __vbaFreeObj
0x401224

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62192 239.255.255.250 3702
192.168.56.101 65005 239.255.255.250 3702
192.168.56.101 65007 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.