4.8
Medium risk

3d0f043627dea5de72eae3fd54dd228dcc4320e8802200dbf21bcbe1cce0bf4a

49df3279ba75201fd07b6f3b72eda8c4.exe

Analysis duration

87s

Last analyzed

File size

308.2KB
Static detections / Dynamic detections (detection-name tags): AGEN AI SCORE=84 AIDETECTVM BSCOPE CLASSIC CONFIDENCE CRIDEX CRYPTERX DOPPLEPAYMER DRIDEX DRIXED ELDORADO ENCPK FALSESIGN GDSDA HEIW HGHDYS HIGH CONFIDENCE HLUX INVALIDSIG KRYPTIK MALICIOUS PE MALWARE2 MALWARE@#396QR1PTSV0V2 MINT PGDR QAKBOT R + MAL R331466 REGOTET SCORE SMTHA STATIC AI SUSGEN UNSAFE ZENPAK
Eagle Eye engine
Not detected. No Eagle Eye engine detection results available.
Static verdict
Antivirus engines
Engine Result Scan date Engine version
CrowdStrike win/malicious_confidence_80% (W) 20190702 1.0
Alibaba Backdoor:Win32/Dridex.3a42c8ae 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:CrypterX-gen [Trj] 20201228 21.1.5827.0
Kingsoft 20201228 2017.9.26.565
McAfee Drixed-FJD!49DF3279BA75 20201228 6.0.6.653
Tencent Win32.Trojan.Falsesign.Pgdr 20201228 1.0.0.1
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (4 events)
Time & API Arguments Status Return Repeated
1619467796.608626
NtAllocateVirtualMemory
process_identifier: 1056
region_size: 217088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00720000
success 0 0
1619467796.608626
NtAllocateVirtualMemory
process_identifier: 1056
region_size: 212992
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00760000
success 0 0
1619467796.608626
NtProtectVirtualMemory
process_identifier: 1056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 212992
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619467796.780626
NtAllocateVirtualMemory
process_identifier: 1056
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02130000
success 0 0
Foreign language identified in PE resource (24 events)
name PNG language LANG_CHINESE offset 0x00047a6c filetype PNG image data, 76 x 50, 8-bit/color RGBA, non-interlaced sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000c77
name PNG language LANG_CHINESE offset 0x00047a6c filetype PNG image data, 76 x 50, 8-bit/color RGBA, non-interlaced sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000c77
name PNG language LANG_CHINESE offset 0x00047a6c filetype PNG image data, 76 x 50, 8-bit/color RGBA, non-interlaced sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000c77
name PNG language LANG_CHINESE offset 0x00047a6c filetype PNG image data, 76 x 50, 8-bit/color RGBA, non-interlaced sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000c77
name PNG language LANG_CHINESE offset 0x00047a6c filetype PNG image data, 76 x 50, 8-bit/color RGBA, non-interlaced sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000c77
name PNG language LANG_CHINESE offset 0x00047a6c filetype PNG image data, 76 x 50, 8-bit/color RGBA, non-interlaced sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000c77
name PNG language LANG_CHINESE offset 0x00047a6c filetype PNG image data, 76 x 50, 8-bit/color RGBA, non-interlaced sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000c77
name PNG language LANG_CHINESE offset 0x00047a6c filetype PNG image data, 76 x 50, 8-bit/color RGBA, non-interlaced sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000c77
name PNG language LANG_CHINESE offset 0x00047a6c filetype PNG image data, 76 x 50, 8-bit/color RGBA, non-interlaced sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000c77
name PNG language LANG_CHINESE offset 0x00047a6c filetype PNG image data, 76 x 50, 8-bit/color RGBA, non-interlaced sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000c77
name PNG language LANG_CHINESE offset 0x00047a6c filetype PNG image data, 76 x 50, 8-bit/color RGBA, non-interlaced sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000c77
name PNG language LANG_CHINESE offset 0x00047a6c filetype PNG image data, 76 x 50, 8-bit/color RGBA, non-interlaced sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000c77
name PNG language LANG_CHINESE offset 0x00047a6c filetype PNG image data, 76 x 50, 8-bit/color RGBA, non-interlaced sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000c77
name PNG language LANG_CHINESE offset 0x00047a6c filetype PNG image data, 76 x 50, 8-bit/color RGBA, non-interlaced sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000c77
name RT_ICON language LANG_CHINESE offset 0x0004bd34 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0004bd34 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0004bd34 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_DIALOG language LANG_CHINESE offset 0x0004c3fc filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000004c
name RT_DIALOG language LANG_CHINESE offset 0x0004c3fc filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000004c
name RT_DIALOG language LANG_CHINESE offset 0x0004c3fc filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000004c
name RT_STRING language LANG_CHINESE offset 0x0004c448 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000250
name RT_ACCELERATOR language LANG_CHINESE offset 0x0004c698 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000070
name RT_GROUP_ICON language LANG_CHINESE offset 0x0004ca04 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000030
name RT_VERSION language LANG_CHINESE offset 0x0004ca34 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000002e8
The binary likely contains encrypted or compressed data indicative of a packer (3 events)
entropy 7.542165122601102 section {'size_of_data': '0x0003ae00', 'virtual_address': '0x00001000', 'entropy': 7.542165122601102, 'name': '.text', 'virtual_size': '0x0003af60'} description A section with a high entropy has been found
entropy 7.0879132595930825 section {'size_of_data': '0x0000ae00', 'virtual_address': '0x00042000', 'entropy': 7.0879132595930825, 'name': '.rsrc', 'virtual_size': '0x0000ad1c'} description A section with a high entropy has been found
entropy 0.9223140495867769 description Overall entropy of this PE file is high
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Heur.Mint.Regotet.1
FireEye Generic.mg.49df3279ba75201f
ALYac Spyware.Banker.Dridex
Cylance Unsafe
Sangfor Malware
CrowdStrike win/malicious_confidence_80% (W)
Alibaba Backdoor:Win32/Dridex.3a42c8ae
K7GW Riskware ( 0040eff71 )
K7AntiVirus Riskware ( 0040eff71 )
Arcabit Trojan.Mint.Regotet.1
BitDefenderTheta AI:Packer.0007417620
Cyren W32/Kryptik.BVL.gen!Eldorado
Symantec Packed.Generic.459
APEX Malicious
Avast Win32:CrypterX-gen [Trj]
Kaspersky HEUR:Trojan-Downloader.Win32.Cridex.a.pef
BitDefender Gen:Heur.Mint.Regotet.1
NANO-Antivirus Trojan.Win32.Zenpak.hghdys
Paloalto generic.ml
Rising Trojan.Kryptik!1.C778 (CLASSIC)
Ad-Aware Gen:Heur.Mint.Regotet.1
Sophos Mal/Generic-R + Mal/EncPk-APV
Comodo Malware@#396qr1ptsv0v2
F-Secure Heuristic.HEUR/AGEN.1133455
DrWeb Trojan.Dridex.647
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.QAKBOT.SMTHA.hp
McAfee-GW-Edition Drixed-FJD!49DF3279BA75
Emsisoft Gen:Heur.Mint.Regotet.1 (B)
Ikarus Trojan-Banker.Dridex
Jiangmin Trojan.Zenpak.bjf
eGambit PE.Heur.InvalidSig
Avira HEUR/AGEN.1133455
Antiy-AVL Trojan/Win32.Zenpak
Gridinsoft Trojan.Win32.Downloader.ba
Microsoft Ransom:Win32/Dopplepaymer.KM!MTB
AegisLab Trojan.Win32.Zenpak.4!c
ZoneAlarm HEUR:Trojan-Downloader.Win32.Cridex.a.pef
GData Gen:Heur.Mint.Regotet.1
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.RL_Kryptik.R331466
Acronis suspicious
McAfee Drixed-FJD!49DF3279BA75
MAX malware (ai score=84)
VBA32 BScope.Malware-Cryptor.Hlux
Malwarebytes Trojan.Downloader
ESET-NOD32 Win32/Dridex.CW
TrendMicro-HouseCall TrojanSpy.Win32.QAKBOT.SMTHA.hp
Connects to IP addresses that are no longer responding to requests (legitimate services will usually remain up and running) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
Visual analysis
Binary image
No binary image available. No binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots available. No screenshots were captured while the sample ran.


PE Compile Time

2002-01-16 17:49:49

Imports

Library KERNEL32.dll:
0x44138c WriteFile
0x441390 WideCharToMultiByte
0x441394 LocalFree
0x441398 GetStdHandle
0x44139c FormatMessageW
0x4413a0 GetModuleHandleA
0x4413a4 GetVersionExA
0x4413a8 HeapFree
0x4413ac HeapAlloc
0x4413b0 ExitProcess
0x4413b4 GetProcAddress
0x4413b8 GetModuleFileNameA
0x4413c0 GetModuleFileNameW
0x4413c8 MultiByteToWideChar
0x4413d4 GetLastError
0x4413dc GetCommandLineA
0x4413e0 GetCommandLineW
0x4413e4 SetHandleCount
0x4413e8 GetFileType
0x4413ec GetStartupInfoA
0x4413f4 TlsFree
0x4413f8 SetLastError
0x4413fc GetCurrentThreadId
0x441400 TlsSetValue
0x441404 TlsGetValue
0x441408 TlsAlloc
0x44140c HeapDestroy
0x441410 HeapCreate
0x441414 VirtualFree
0x441420 VirtualAlloc
0x441424 HeapReAlloc
0x441428 LoadLibraryA
0x441430 GetACP
0x441434 GetOEMCP
0x441438 GetCPInfo
0x44143c GetLocaleInfoA
0x441440 GetStringTypeA
0x441444 GetStringTypeW
0x441448 LCMapStringA
0x44144c LCMapStringW
0x441450 RtlUnwind
0x441454 VirtualProtect
0x441458 GetSystemInfo
0x44145c VirtualQuery
0x441460 HeapUnlock
0x441464 InterlockedExchange
0x44146c Thread32Next
0x441470 GetTempFileNameW
0x441474 VirtualAllocEx
0x441478 GetModuleHandleW
Library USER32.dll:
0x441480 CascadeWindows
0x441484 DrawTextW
0x441488 GetSystemMenu
0x44148c UnhookWinEvent
0x441498 CreateMenu
0x44149c DdeReconnect
0x4414a0 EnableWindow
0x4414a4 IsCharAlphaNumericW
0x4414a8 GetKeyState
0x4414ac LoadKeyboardLayoutW
0x4414b0 EnumPropsExW
0x4414b8 SendMessageA
0x4414bc CharNextA
0x4414c0 DragDetect
0x4414c4 ReleaseCapture
0x4414c8 DdeInitializeW
0x4414cc SetMenuItemBitmaps
0x4414d0 DefDlgProcW
0x4414d4 CharPrevExA
0x4414d8 DdeCreateDataHandle
0x4414dc SetShellWindow
0x4414e0 CharUpperW
0x4414e4 wsprintfW
0x4414f0 SetMessageQueue
0x4414f4 ToAsciiEx
0x4414f8 WindowFromPoint
0x4414fc LoadCursorW
0x441500 LoadIconA
Library GDI32.dll:
0x441508 GetBrushOrgEx
0x44150c GetMetaFileA
0x441510 EngCreateBitmap
0x441514 EngTransparentBlt
0x441518 GetTextExtentPointW
0x441520 GetColorAdjustment
0x441524 Pie
0x441528 GdiQueryFonts
0x44152c SetStretchBltMode
0x441530 FONTOBJ_pifi
0x441534 AddFontResourceExA
0x441538 FONTOBJ_cGetGlyphs
0x44153c SetLayoutWidth
0x441544 LineTo
0x441548 GetWindowOrgEx
0x44154c Polyline
0x441550 GetCharWidthA
0x441554 GetStockObject
Library ADVAPI32.dll:
0x44155c RegOpenKeyA
0x441560 RegQueryValueExA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.