13.8
0-day
46 个模型检测该样本为恶意!
重新分析
更多

d854093bb129d4e7d2a68f443f0c3145f470cf3138bb145724aed4cafbe9a6f7

4b0616bc844e9bcd73b953668d7254e3.exe

分析耗时

89s

最近分析

文件大小

423.5KB
静态报毒 动态报毒 AGENSLA AI SCORE=88 AM0@A011YMG ATTRIBUTE CLOUD CONFIDENCE ELDORADO FAREIT GENERICKD GENOME GPDPC@0 HEAPOVERRIDE HIGH CONFIDENCE HIGHCONFIDENCE KRYPTIK LOKIBOT MALICIOUS PE MALWAREX MASSLOGGER NANOCORE PBZA PUTTY PWSTEAL R02DC0PH820 R347027 SCORE UNSAFE ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Fareit-FXH!4B0616BC844E 20200817 6.0.6.653
Alibaba Trojan:Win32/Pwsteal.119e24a1 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:MalwareX-gen [Trj] 20200817 18.4.3895.0
Tencent Msil.Trojan.Crypt.Pbza 20200817 1.0.0.1
Kingsoft 20200817 2013.8.14.323
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619522807.156625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (3 个事件)
Time & API Arguments Status Return Repeated
1619522757.468625
IsDebuggerPresent
failed 0 0
1619522757.468625
IsDebuggerPresent
failed 0 0
1619522802.437625
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Tries to locate where the browsers are installed (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619522757.484625
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 101 个事件)
Time & API Arguments Status Return Repeated
1619522756.703625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 983040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00710000
success 0 0
1619522756.703625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c0000
success 0 0
1619522757.296625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02030000
success 0 0
1619522757.296625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020f0000
success 0 0
1619522757.406625
NtProtectVirtualMemory
process_identifier: 1804
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b91000
success 0 0
1619522757.468625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 1900544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02130000
success 0 0
1619522757.468625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x022c0000
success 0 0
1619522757.468625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0051a000
success 0 0
1619522757.468625
NtProtectVirtualMemory
process_identifier: 1804
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b92000
success 0 0
1619522757.468625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00512000
success 0 0
1619522757.687625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00532000
success 0 0
1619522757.750625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00565000
success 0 0
1619522757.750625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0056b000
success 0 0
1619522757.750625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00567000
success 0 0
1619522757.859625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00533000
success 0 0
1619522757.906625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053c000
success 0 0
1619522757.953625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b20000
success 0 0
1619522758.468625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00534000
success 0 0
1619522758.468625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00536000
success 0 0
1619522758.578625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00537000
success 0 0
1619522758.578625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00538000
success 0 0
1619522758.593625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b21000
success 0 0
1619522758.625625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0055a000
success 0 0
1619522758.625625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00557000
success 0 0
1619522758.687625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00556000
success 0 0
1619522758.718625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b22000
success 0 0
1619522758.953625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053a000
success 0 0
1619522759.078625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00539000
success 0 0
1619522759.156625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02050000
success 0 0
1619522759.234625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b27000
success 0 0
1619522759.437625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b2a000
success 0 0
1619522759.562625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02051000
success 0 0
1619522759.593625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02052000
success 0 0
1619522759.593625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b2b000
success 0 0
1619522759.640625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02053000
success 0 0
1619522759.640625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b2c000
success 0 0
1619522759.656625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b2f000
success 0 0
1619522759.656625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053d000
success 0 0
1619522800.671625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02054000
success 0 0
1619522800.671625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04520000
success 0 0
1619522800.671625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020f1000
success 0 0
1619522800.828625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04521000
success 0 0
1619522800.953625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0051c000
success 0 0
1619522800.968625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04522000
success 0 0
1619522801.031625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04523000
success 0 0
1619522801.062625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02055000
success 0 0
1619522801.078625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04524000
success 0 0
1619522801.250625
NtProtectVirtualMemory
process_identifier: 1804
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 141824
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05170400
failed 3221225550 0
1619522802.156625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04525000
success 0 0
1619522802.156625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02056000
success 0 0
Steals private information from local Internet browsers (19 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.393231348297951 section {'size_of_data': '0x00069200', 'virtual_address': '0x00002000', 'entropy': 7.393231348297951, 'name': '.text', 'virtual_size': '0x00069064'} description A section with a high entropy has been found
entropy 0.9940898345153665 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619522801.250625
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (4 个事件)
Time & API Arguments Status Return Repeated
1619522802.734625
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2308
process_handle: 0x00010e6c
failed 0 0
1619522802.734625
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2308
process_handle: 0x00010e6c
success 0 0
1619522802.781625
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2712
process_handle: 0x00010e74
failed 0 0
1619522802.781625
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2712
process_handle: 0x00010e74
success 0 0
网络通信
Communicates with host for which no DNS query was performed (2 个事件)
host 172.217.24.14
host 79.124.8.8
Allocates execute permission to another process indicative of possible code injection (3 个事件)
Time & API Arguments Status Return Repeated
1619522802.609625
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010e68
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619522802.750625
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000f798
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619522802.796625
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000069b8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Harvests credentials from local FTP client softwares (22 个事件)
file C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\wcx_ftp.ini
file C:\Windows\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\GHISLER\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\wcx_ftp.ini
file C:\Windows\32BitFtp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Program Files (x86)\FileZilla\Filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry HKEY_CURRENT_USER\Software\Martin Prikryl
registry HKEY_LOCAL_MACHINE\Software\Martin Prikryl
Harvests information related to installed instant messenger clients (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\.purple\accounts.xml
Manipulates memory of a non-child process indicative of process injection (4 个事件)
Process injection Process 1804 manipulating memory of non-child process 2308
Process injection Process 1804 manipulating memory of non-child process 2712
Time & API Arguments Status Return Repeated
1619522802.609625
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010e68
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619522802.750625
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000f798
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Potential code injection by writing to the memory of another process (3 个事件)
Time & API Arguments Status Return Repeated
1619522802.796625
WriteProcessMemory
process_identifier: 2860
buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
process_handle: 0x000069b8
base_address: 0x00400000
success 1 0
1619522802.796625
WriteProcessMemory
process_identifier: 2860
buffer: ™TÍ<¨‡K¢`ˆˆÝ;U
process_handle: 0x000069b8
base_address: 0x0041a000
success 1 0
1619522802.796625
WriteProcessMemory
process_identifier: 2860
buffer: @
process_handle: 0x000069b8
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619522802.796625
WriteProcessMemory
process_identifier: 2860
buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
process_handle: 0x000069b8
base_address: 0x00400000
success 1 0
Harvests credentials from local email clients (3 个事件)
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 1804 called NtSetContextThread to modify thread in remote process 2860
Time & API Arguments Status Return Repeated
1619522802.796625
NtSetContextThread
thread_handle: 0x00010e74
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2860
success 0 0
Putty Files, Registry Keys and/or Mutexes Detected
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 1804 resumed a thread in remote process 2860
Time & API Arguments Status Return Repeated
1619522802.812625
NtResumeThread
thread_handle: 0x00010e74
suspend_count: 1
process_identifier: 2860
success 0 0
Executed a process and injected code into it, probably while unpacking (28 个事件)
Time & API Arguments Status Return Repeated
1619522757.468625
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1804
success 0 0
1619522757.468625
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 1804
success 0 0
1619522757.484625
NtResumeThread
thread_handle: 0x00000160
suspend_count: 1
process_identifier: 1804
success 0 0
1619522759.468625
NtGetContextThread
thread_handle: 0x00000124
success 0 0
1619522759.468625
NtGetContextThread
thread_handle: 0x00000124
success 0 0
1619522759.468625
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 1804
success 0 0
1619522802.171625
NtGetContextThread
thread_handle: 0x00000124
success 0 0
1619522802.171625
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 1804
success 0 0
1619522802.421625
NtResumeThread
thread_handle: 0x00002544
suspend_count: 1
process_identifier: 1804
success 0 0
1619522802.437625
NtResumeThread
thread_handle: 0x00010e60
suspend_count: 1
process_identifier: 1804
success 0 0
1619522802.609625
CreateProcessInternalW
thread_identifier: 2412
thread_handle: 0x00010e64
process_identifier: 2308
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4b0616bc844e9bcd73b953668d7254e3.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4b0616bc844e9bcd73b953668d7254e3.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00010e68
inherit_handles: 0
success 1 0
1619522802.609625
NtGetContextThread
thread_handle: 0x00010e64
success 0 0
1619522802.609625
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010e68
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619522802.750625
CreateProcessInternalW
thread_identifier: 420
thread_handle: 0x00010e6c
process_identifier: 2712
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4b0616bc844e9bcd73b953668d7254e3.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4b0616bc844e9bcd73b953668d7254e3.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000f798
inherit_handles: 0
success 1 0
1619522802.750625
NtGetContextThread
thread_handle: 0x00010e6c
success 0 0
1619522802.750625
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000f798
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619522802.796625
CreateProcessInternalW
thread_identifier: 1832
thread_handle: 0x00010e74
process_identifier: 2860
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4b0616bc844e9bcd73b953668d7254e3.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4b0616bc844e9bcd73b953668d7254e3.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000069b8
inherit_handles: 0
success 1 0
1619522802.796625
NtGetContextThread
thread_handle: 0x00010e74
success 0 0
1619522802.796625
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000069b8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619522802.796625
WriteProcessMemory
process_identifier: 2860
buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
process_handle: 0x000069b8
base_address: 0x00400000
success 1 0
1619522802.796625
WriteProcessMemory
process_identifier: 2860
buffer:
process_handle: 0x000069b8
base_address: 0x00401000
success 1 0
1619522802.796625
WriteProcessMemory
process_identifier: 2860
buffer:
process_handle: 0x000069b8
base_address: 0x00415000
success 1 0
1619522802.796625
WriteProcessMemory
process_identifier: 2860
buffer: ™TÍ<¨‡K¢`ˆˆÝ;U
process_handle: 0x000069b8
base_address: 0x0041a000
success 1 0
1619522802.796625
WriteProcessMemory
process_identifier: 2860
buffer:
process_handle: 0x000069b8
base_address: 0x004a0000
success 1 0
1619522802.796625
WriteProcessMemory
process_identifier: 2860
buffer: @
process_handle: 0x000069b8
base_address: 0x7efde008
success 1 0
1619522802.796625
NtSetContextThread
thread_handle: 0x00010e74
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2860
success 0 0
1619522802.812625
NtResumeThread
thread_handle: 0x00010e74
suspend_count: 1
process_identifier: 2860
success 0 0
1619522805.359625
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 2860
success 0 0
File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43605510
FireEye Generic.mg.4b0616bc844e9bcd
CAT-QuickHeal Trojan.MSIL
McAfee Fareit-FXH!4B0616BC844E
Alibaba Trojan:Win32/Pwsteal.119e24a1
K7GW Trojan ( 0056c20e1 )
CrowdStrike win/malicious_confidence_90% (W)
TrendMicro TROJ_GEN.R02DC0PH820
BitDefenderTheta Gen:NN.ZemsilF.34152.Am0@a011Ymg
F-Prot W32/MSIL_Kryptik.BIL.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Kryptik.XGH
TrendMicro-HouseCall TROJ_GEN.R02DC0PH820
Avast Win32:MalwareX-gen [Trj]
ClamAV Win.Dropper.Nanocore-9248945-0
GData Trojan.GenericKD.43605510
Kaspersky HEUR:Trojan.MSIL.Crypt.gen
BitDefender Trojan.GenericKD.43605510
ViRobot Trojan.Win32.Z.Masslogger.433664.A
APEX Malicious
Tencent Msil.Trojan.Crypt.Pbza
Ad-Aware Trojan.GenericKD.43605510
Comodo TrojWare.Win32.Genome.gpdpc@0
VIPRE Trojan.Win32.Generic!BT
Invincea heuristic
Sophos Mal/Generic-S
Ikarus Trojan-Spy.MassLogger
Cyren W32/MSIL_Kryptik.BIL.gen!Eldorado
eGambit Unsafe.AI_Score_96%
Arcabit Trojan.Generic.D2995E06
AegisLab Trojan.MSIL.Crypt.4!c
AhnLab-V3 Trojan/Win32.Agensla.R347027
ZoneAlarm HEUR:Trojan.MSIL.Crypt.gen
Microsoft Trojan:Win32/Pwsteal.Q!bit
VBA32 CIL.HeapOverride.Heur
ALYac Spyware.LokiBot
MAX malware (ai score=88)
Malwarebytes Trojan.MalPack
Rising Trojan.Kryptik!8.8 (CLOUD)
SentinelOne DFI - Malicious PE
Fortinet MSIL/Kryptik.XFP!tr
AVG Win32:MalwareX-gen [Trj]
Cybereason malicious.76df45
Panda Trj/CI.A
Qihoo-360 Generic/Trojan.21a
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 个事件)
dead_host 172.217.24.14:443
dead_host 79.124.8.8:80
dead_host 172.217.160.78:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-06 11:31:15

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 53380 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 62912 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.