6.0
High risk

554da92aa0dff594ff82094b0a8e8125419723e8899c670f7b8d74daf0580880

4b12529ef46127502423771c5b2a32a5.exe

Analysis duration

88s

Last analyzed

File size

784.5KB
Static detections / Dynamic detections: AI SCORE=82 AIDETECTVM ALI2000015 ANDROM ATTRIBUTE AWYR BT8UQV CLASSIC CONFIDENCE DELF DELFINJECT DELPHILESS DKMX EMOY EMSE FAREIT HIGH CONFIDENCE HIGHCONFIDENCE HODPU HOLXES HPLOKI IGENT KCLOUD MALWARE1 MALWARE@#2B1JD268350BP NANOCORE PASSWORDSTEALER SCORE SIGGEN2 SMBD STATIC AI SUSPICIOUS PE TSCOPE TSPY UNSAFE X2094 XGW@A8KIQFEI ZELPHIF
Eagle Eye engine
Not detected: no Eagle Eye engine results yet
Static verdict
Antivirus engines
Engine Result Scan time Version
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20201210 21.1.5827.0
Alibaba Trojan:Win32/DelfInject.ali2000015 20190527 0.3.0.5
Kingsoft Win32.Hack.Undef.(kcloud) 20201211 2017.9.26.565
McAfee Fareit-FVZ!4B12529EF461 20201211 6.0.6.653
Tencent 20201211 1.0.0.1
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (4 events)
Time & API Arguments Status Return Repeated
1619464082.734625
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00360000
success 0 0
1619464082.968625
NtProtectVirtualMemory
process_identifier: 1316
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00488000
success 0 0
1619464082.968625
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ea0000
success 0 0
1619520487.066375
NtAllocateVirtualMemory
process_identifier: 1688
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated
1619520482.316375
NtProtectVirtualMemory
process_identifier: 1688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x00350000
success 0 0
Network communication
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 1316 called NtSetContextThread to modify thread in remote process 1688
Time & API Arguments Status Return Repeated
1619464083.093625
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4199900
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1688
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 1316 resumed a thread in remote process 1688
Time & API Arguments Status Return Repeated
1619464083.171625
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 1688
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)
dead_host 172.217.24.14:443
Executed a process and injected code into it, probably while unpacking (6 events)
Time & API Arguments Status Return Repeated
1619464083.093625
CreateProcessInternalW
thread_identifier: 2008
thread_handle: 0x000000fc
process_identifier: 1688
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4b12529ef46127502423771c5b2a32a5.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619464083.093625
NtUnmapViewOfSection
process_identifier: 1688
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619464083.093625
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 1688
commit_size: 57344
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 57344
base_address: 0x00400000
success 0 0
1619464083.093625
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619464083.093625
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4199900
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1688
success 0 0
1619464083.171625
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 1688
success 0 0
File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Delf.FareIt.Gen.7
FireEye Generic.mg.4b12529ef4612750
ALYac Trojan.Delf.FareIt.Gen.7
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 0056aeff1 )
BitDefender Trojan.Delf.FareIt.Gen.7
K7GW Trojan ( 0056aeff1 )
Cybereason malicious.c756ee
Cyren W32/Injector.DKMX-0814
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:Trojan-gen
ClamAV Win.Dropper.Nanocore-9075385-0
Kaspersky HEUR:Backdoor.Win32.Androm.gen
Alibaba Trojan:Win32/DelfInject.ali2000015
NANO-Antivirus Trojan.Win32.Androm.holxes
AegisLab Trojan.Win32.Androm.m!c
Rising Trojan.Injector!1.C99D (CLASSIC)
Ad-Aware Trojan.Delf.FareIt.Gen.7
Emsisoft Trojan.Delf.FareIt.Gen.7 (B)
Comodo Malware@#2b1jd268350bp
F-Secure Trojan.TR/Injector.hodpu
DrWeb Trojan.PWS.Siggen2.52313
Zillya Trojan.Androm.Win32.1171
TrendMicro TSPY_HPLOKI.SMBD
McAfee-GW-Edition Fareit-FVZ!4B12529EF461
Sophos Mal/Generic-S
Ikarus Trojan-Spy.Fareit
Jiangmin Backdoor.Androm.awyr
Avira TR/Injector.hodpu
MAX malware (ai score=82)
Antiy-AVL Trojan[Backdoor]/Win32.Androm
Kingsoft Win32.Hack.Undef.(kcloud)
Microsoft PWS:Win32/Fareit.AQ!MTB
Arcabit Trojan.Delf.FareIt.Gen.7
ZoneAlarm HEUR:Backdoor.Win32.Androm.gen
GData Trojan.Delf.FareIt.Gen.7
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2094
McAfee Fareit-FVZ!4B12529EF461
VBA32 TScope.Trojan.Delf
Malwarebytes Spyware.PasswordStealer
Panda Trj/CI.A
Zoner Trojan.Win32.94646
ESET-NOD32 a variant of Win32/Injector.EMSE
TrendMicro-HouseCall TSPY_HPLOKI.SMBD
Visual analysis
Binary image
No binary image: the sample produced no binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran


PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x495164 VirtualFree
0x495168 VirtualAlloc
0x49516c LocalFree
0x495170 LocalAlloc
0x495174 GetVersion
0x495178 GetCurrentThreadId
0x495184 VirtualQuery
0x495188 WideCharToMultiByte
0x495190 MultiByteToWideChar
0x495194 lstrlenA
0x495198 lstrcpynA
0x49519c LoadLibraryExA
0x4951a0 GetThreadLocale
0x4951a4 GetStartupInfoA
0x4951a8 GetProcAddress
0x4951ac GetModuleHandleA
0x4951b0 GetModuleFileNameA
0x4951b4 GetLocaleInfoA
0x4951b8 GetLastError
0x4951c0 GetCommandLineA
0x4951c4 FreeLibrary
0x4951c8 FindFirstFileA
0x4951cc FindClose
0x4951d0 ExitProcess
0x4951d4 WriteFile
0x4951dc RtlUnwind
0x4951e0 RaiseException
0x4951e4 GetStdHandle
Library user32.dll:
0x4951ec GetKeyboardType
0x4951f0 LoadStringA
0x4951f4 MessageBoxA
0x4951f8 CharNextA
Library advapi32.dll:
0x495200 RegQueryValueExA
0x495204 RegOpenKeyExA
0x495208 RegCloseKey
Library oleaut32.dll:
0x495210 SysFreeString
0x495214 SysReAllocStringLen
0x495218 SysAllocStringLen
Library kernel32.dll:
0x495220 TlsSetValue
0x495224 TlsGetValue
0x495228 LocalAlloc
0x49522c GetModuleHandleA
Library advapi32.dll:
0x495234 RegQueryValueExA
0x495238 RegOpenKeyExA
0x49523c RegCloseKey
Library kernel32.dll:
0x495244 lstrcpyA
0x495248 WriteFile
0x49524c WaitForSingleObject
0x495250 VirtualQuery
0x495254 VirtualProtect
0x495258 VirtualAlloc
0x49525c Sleep
0x495260 SizeofResource
0x495264 SetThreadLocale
0x495268 SetFilePointer
0x49526c SetEvent
0x495270 SetErrorMode
0x495274 SetEndOfFile
0x495278 ResetEvent
0x49527c ReadFile
0x495280 MultiByteToWideChar
0x495284 MulDiv
0x495288 LockResource
0x49528c LoadResource
0x495290 LoadLibraryA
0x49529c GlobalUnlock
0x4952a0 GlobalSize
0x4952a4 GlobalReAlloc
0x4952a8 GlobalHandle
0x4952ac GlobalLock
0x4952b0 GlobalFree
0x4952b4 GlobalFindAtomA
0x4952b8 GlobalDeleteAtom
0x4952bc GlobalAlloc
0x4952c0 GlobalAddAtomA
0x4952c4 GetVersionExA
0x4952c8 GetVersion
0x4952cc GetUserDefaultLCID
0x4952d0 GetTickCount
0x4952d4 GetThreadLocale
0x4952d8 GetSystemInfo
0x4952dc GetStringTypeExA
0x4952e0 GetStdHandle
0x4952e4 GetProcAddress
0x4952e8 GetModuleHandleA
0x4952ec GetModuleFileNameA
0x4952f0 GetLocaleInfoA
0x4952f4 GetLocalTime
0x4952f8 GetLastError
0x4952fc GetFullPathNameA
0x495300 GetFileAttributesA
0x495304 GetDiskFreeSpaceA
0x495308 GetDateFormatA
0x49530c GetCurrentThreadId
0x495310 GetCurrentProcessId
0x495314 GetComputerNameA
0x495318 GetCPInfo
0x49531c GetACP
0x495320 FreeResource
0x495328 InterlockedExchange
0x495330 FreeLibrary
0x495334 FormatMessageA
0x495338 FindResourceA
0x49533c FindNextFileA
0x495340 FindFirstFileA
0x495344 FindClose
0x495350 EnumCalendarInfoA
0x49535c CreateThread
0x495360 CreateFileA
0x495364 CreateEventA
0x495368 CompareStringA
0x49536c CloseHandle
Library version.dll:
0x495374 VerQueryValueA
0x49537c GetFileVersionInfoA
Library gdi32.dll:
0x495384 UnrealizeObject
0x495388 StretchBlt
0x49538c SetWindowOrgEx
0x495390 SetWinMetaFileBits
0x495394 SetViewportOrgEx
0x495398 SetTextColor
0x49539c SetStretchBltMode
0x4953a0 SetROP2
0x4953a4 SetPixel
0x4953a8 SetMapMode
0x4953ac SetEnhMetaFileBits
0x4953b0 SetDIBColorTable
0x4953b4 SetBrushOrgEx
0x4953b8 SetBkMode
0x4953bc SetBkColor
0x4953c0 SetArcDirection
0x4953c4 SelectPalette
0x4953c8 SelectObject
0x4953cc SelectClipRgn
0x4953d0 SaveDC
0x4953d4 RestoreDC
0x4953d8 Rectangle
0x4953dc RectVisible
0x4953e0 RealizePalette
0x4953e4 Polyline
0x4953e8 PlayEnhMetaFile
0x4953ec PatBlt
0x4953f0 MoveToEx
0x4953f4 MaskBlt
0x4953f8 LineTo
0x4953fc LPtoDP
0x495400 IntersectClipRect
0x495404 GetWindowOrgEx
0x495408 GetWinMetaFileBits
0x49540c GetTextMetricsA
0x495418 GetStockObject
0x49541c GetPixel
0x495420 GetPaletteEntries
0x495424 GetObjectA
0x495434 GetEnhMetaFileBits
0x495438 GetDeviceCaps
0x49543c GetDIBits
0x495440 GetDIBColorTable
0x495444 GetDCOrgEx
0x49544c GetClipBox
0x495450 GetBrushOrgEx
0x495454 GetBitmapBits
0x495458 ExtTextOutA
0x49545c ExcludeClipRect
0x495460 DeleteObject
0x495464 DeleteEnhMetaFile
0x495468 DeleteDC
0x49546c CreateSolidBrush
0x495470 CreatePenIndirect
0x495474 CreatePalette
0x49547c CreateFontIndirectA
0x495480 CreateEnhMetaFileA
0x495484 CreateDIBitmap
0x495488 CreateDIBSection
0x49548c CreateCompatibleDC
0x495494 CreateBrushIndirect
0x495498 CreateBitmap
0x49549c CopyEnhMetaFileA
0x4954a0 CloseEnhMetaFile
0x4954a4 BitBlt
Library user32.dll:
0x4954ac CreateWindowExA
0x4954b0 WindowFromPoint
0x4954b4 WinHelpA
0x4954b8 WaitMessage
0x4954bc UpdateWindow
0x4954c0 UnregisterClassA
0x4954c4 UnhookWindowsHookEx
0x4954c8 TranslateMessage
0x4954d0 TrackPopupMenu
0x4954d8 ShowWindow
0x4954dc ShowScrollBar
0x4954e0 ShowOwnedPopups
0x4954e4 ShowCursor
0x4954e8 SetWindowsHookExA
0x4954ec SetWindowTextA
0x4954f0 SetWindowPos
0x4954f4 SetWindowPlacement
0x4954f8 SetWindowLongA
0x4954fc SetTimer
0x495500 SetScrollRange
0x495504 SetScrollPos
0x495508 SetScrollInfo
0x49550c SetRect
0x495510 SetPropA
0x495514 SetParent
0x495518 SetMenuItemInfoA
0x49551c SetMenu
0x495520 SetForegroundWindow
0x495524 SetFocus
0x495528 SetCursor
0x49552c SetClassLongA
0x495530 SetCapture
0x495534 SetActiveWindow
0x495538 SendMessageA
0x49553c ScrollWindow
0x495540 ScreenToClient
0x495544 RemovePropA
0x495548 RemoveMenu
0x49554c ReleaseDC
0x495550 ReleaseCapture
0x49555c RegisterClassA
0x495560 RedrawWindow
0x495564 PtInRect
0x495568 PostQuitMessage
0x49556c PostMessageA
0x495570 PeekMessageA
0x495574 OffsetRect
0x495578 OemToCharA
0x49557c MessageBoxA
0x495580 MapWindowPoints
0x495584 MapVirtualKeyA
0x495588 LoadStringA
0x49558c LoadKeyboardLayoutA
0x495590 LoadIconA
0x495594 LoadCursorA
0x495598 LoadBitmapA
0x49559c KillTimer
0x4955a0 IsZoomed
0x4955a4 IsWindowVisible
0x4955a8 IsWindowEnabled
0x4955ac IsWindow
0x4955b0 IsRectEmpty
0x4955b4 IsIconic
0x4955b8 IsDialogMessageA
0x4955bc IsChild
0x4955c0 InvalidateRect
0x4955c4 IntersectRect
0x4955c8 InsertMenuItemA
0x4955cc InsertMenuA
0x4955d0 InflateRect
0x4955d8 GetWindowTextA
0x4955dc GetWindowRect
0x4955e0 GetWindowPlacement
0x4955e4 GetWindowLongA
0x4955e8 GetWindowDC
0x4955ec GetTopWindow
0x4955f0 GetSystemMetrics
0x4955f4 GetSystemMenu
0x4955f8 GetSysColorBrush
0x4955fc GetSysColor
0x495600 GetSubMenu
0x495604 GetScrollRange
0x495608 GetScrollPos
0x49560c GetScrollInfo
0x495610 GetPropA
0x495614 GetParent
0x495618 GetWindow
0x49561c GetMessageTime
0x495620 GetMenuStringA
0x495624 GetMenuState
0x495628 GetMenuItemInfoA
0x49562c GetMenuItemID
0x495630 GetMenuItemCount
0x495634 GetMenu
0x495638 GetLastActivePopup
0x49563c GetKeyboardState
0x495644 GetKeyboardLayout
0x495648 GetKeyState
0x49564c GetKeyNameTextA
0x495650 GetIconInfo
0x495654 GetForegroundWindow
0x495658 GetFocus
0x49565c GetDlgItem
0x495660 GetDesktopWindow
0x495664 GetDCEx
0x495668 GetDC
0x49566c GetCursorPos
0x495670 GetCursor
0x495674 GetClipboardData
0x495678 GetClientRect
0x49567c GetClassNameA
0x495680 GetClassInfoA
0x495684 GetCapture
0x495688 GetActiveWindow
0x49568c FrameRect
0x495690 FindWindowA
0x495694 FillRect
0x495698 EqualRect
0x49569c EnumWindows
0x4956a0 EnumThreadWindows
0x4956a4 EndPaint
0x4956a8 EnableWindow
0x4956ac EnableScrollBar
0x4956b0 EnableMenuItem
0x4956b4 DrawTextA
0x4956b8 DrawMenuBar
0x4956bc DrawIconEx
0x4956c0 DrawIcon
0x4956c4 DrawFrameControl
0x4956c8 DrawFocusRect
0x4956cc DrawEdge
0x4956d0 DispatchMessageA
0x4956d4 DestroyWindow
0x4956d8 DestroyMenu
0x4956dc DestroyIcon
0x4956e0 DestroyCursor
0x4956e4 DeleteMenu
0x4956e8 DefWindowProcA
0x4956ec DefMDIChildProcA
0x4956f0 DefFrameProcA
0x4956f4 CreatePopupMenu
0x4956f8 CreateMenu
0x4956fc CreateIcon
0x495700 ClientToScreen
0x495704 CheckMenuItem
0x495708 CallWindowProcA
0x49570c CallNextHookEx
0x495710 BeginPaint
0x495714 CharNextA
0x495718 CharLowerBuffA
0x49571c CharLowerA
0x495720 CharUpperBuffA
0x495724 CharToOemA
0x495728 AdjustWindowRectEx
Library kernel32.dll:
0x495734 Sleep
Library oleaut32.dll:
0x49573c SafeArrayPtrOfIndex
0x495740 SafeArrayPutElement
0x495744 SafeArrayGetElement
0x49574c SafeArrayAccessData
0x495750 SafeArrayGetUBound
0x495754 SafeArrayGetLBound
0x495758 SafeArrayCreate
0x49575c VariantChangeType
0x495760 VariantCopyInd
0x495764 VariantCopy
0x495768 VariantClear
0x49576c VariantInit
Library ole32.dll:
0x495778 IsAccelerator
0x49577c OleDraw
0x495784 CoTaskMemFree
0x495788 ProgIDFromCLSID
0x49578c StringFromCLSID
0x495790 CoCreateInstance
0x495794 CoGetClassObject
0x495798 CoUninitialize
0x49579c CoInitialize
0x4957a0 IsEqualGUID
Library oleaut32.dll:
0x4957a8 CreateErrorInfo
0x4957ac GetErrorInfo
0x4957b0 SetErrorInfo
0x4957b4 GetActiveObject
0x4957b8 SysFreeString
Library comctl32.dll:
0x4957c8 ImageList_Write
0x4957cc ImageList_Read
0x4957dc ImageList_DragMove
0x4957e0 ImageList_DragLeave
0x4957e4 ImageList_DragEnter
0x4957e8 ImageList_EndDrag
0x4957ec ImageList_BeginDrag
0x4957f0 ImageList_Remove
0x4957f4 ImageList_DrawEx
0x4957f8 ImageList_Replace
0x4957fc ImageList_Draw
0x49580c ImageList_Add
0x495814 ImageList_Destroy
0x495818 ImageList_Create
0x49581c InitCommonControls
Library comdlg32.dll:
0x495824 GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 62191 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.