7.6
High risk

f39700e8f01e50fa8a48e8d31ea487e9003b4b58fe0f40a37c9b455e37a7d55b

4b86ba8062ee8b1c3107981fdc4cac43.exe

Analysis time

89s

Last analysis

File size

652.0KB
Flagged by static analysis. Flagged by dynamic analysis. Tags: AI SCORE=83 ATTRIBUTE COINMINERX CONFIDENCE DOWNLOAD4 GDSDA GENERICRXAA HIGHCONFIDENCE HSMQPS INDILOADZ JQFS KHOHN MALICIOUS MALWARE@#2Y7LHL0VKVNZ5 MYTXCG QQEC6ZP7IVT R054C0WHJ20 R348820 RAZY SCORE SUSPICIOUS PE TSCOPE UNSAFE W3SMSNQ3M
Hawkeye Engine
Not detected: no Hawkeye Engine result is available yet
Static verdict
Antivirus engines
Engine | Result | Scan time | Engine version
McAfee | GenericRXAA-AA!4B86BA8062EE | 20201031 | 6.0.6.653
Alibaba | Backdoor:Win32/Indiloadz.f17245db | 20190527 | 0.3.0.5
Baidu | | 20190318 | 1.0.0.2
Avast | Win32:CoinminerX-gen [Trj] | 20201031 | 20.10.5736.0
Kingsoft | | 20201031 | 2013.8.14.323
CrowdStrike | win/malicious_confidence_60% (W) | 20190702 | 1.0
Static indicators
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1620726218.876355
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (7 events)
Time & API Arguments Status Return Repeated
1620726237.016355
__exception__
stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

registers.esp: 1636180
registers.edi: 1636368
registers.eax: 1636180
registers.ebp: 1636260
registers.edx: 0
registers.ebx: 2851176
registers.esi: 1636368
registers.ecx: 2
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
1620726255.095355
__exception__
stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

registers.esp: 1635964
registers.edi: 1636152
registers.eax: 1635964
registers.ebp: 1636044
registers.edx: 0
registers.ebx: 2851176
registers.esi: 1636152
registers.ecx: 2
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
1620726255.516355
__exception__
stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

registers.esp: 1636772
registers.edi: 2851176
registers.eax: 1636772
registers.ebp: 1636852
registers.edx: 0
registers.ebx: 2851176
registers.esi: 2851176
registers.ecx: 2
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
1620726257.313355
__exception__
stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

registers.esp: 1633588
registers.edi: 2851176
registers.eax: 1633588
registers.ebp: 1633668
registers.edx: 0
registers.ebx: 2851176
registers.esi: 2851176
registers.ecx: 2
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
1620726257.313355
__exception__
stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

registers.esp: 1633584
registers.edi: 2851176
registers.eax: 1633584
registers.ebp: 1633664
registers.edx: 0
registers.ebx: 2851176
registers.esi: 2851176
registers.ecx: 2
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
1620726260.063355
__exception__
stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

registers.esp: 1633032
registers.edi: 1633220
registers.eax: 1633032
registers.ebp: 1633112
registers.edx: 0
registers.ebx: 2851176
registers.esi: 1633220
registers.ecx: 2
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
1620726264.688355
__exception__
stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

registers.esp: 1633584
registers.edi: 2851176
registers.eax: 1633584
registers.ebp: 1633664
registers.edx: 0
registers.ebx: 2851176
registers.esi: 2851176
registers.ecx: 2
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Performs some HTTP requests (3 events)
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
request GET https://d19k2w78yakd9g.cloudfront.net/vpn.exe
Allocates read-write-execute memory (usually to unpack itself) (29 events)
Time & API Arguments Status Return Repeated
1620726217.829355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75101000
success 0 0
1620726217.985355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75bb1000
success 0 0
1620726218.735355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x746a1000
success 0 0
1620726219.266355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74f81000
success 0 0
1620726220.157355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74641000
success 0 0
1620726220.157355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76881000
success 0 0
1620726221.485355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77531000
success 0 0
1620726221.485355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75a01000
success 0 0
1620726221.501355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74541000
success 0 0
1620726221.516355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75091000
success 0 0
1620726221.516355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74521000
success 0 0
1620726221.548355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73a01000
success 0 0
1620726233.235355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73921000
success 0 0
1620726233.235355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73901000
success 0 0
1620726233.298355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x738f1000
success 0 0
1620726233.563355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x738e1000
success 0 0
1620726233.626355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x738d1000
success 0 0
1620726233.766355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x738c1000
success 0 0
1620726233.860355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x738a1000
success 0 0
1620726233.907355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73891000
success 0 0
1620726234.516355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73781000
success 0 0
1620726238.110355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73651000
success 0 0
1620726239.079355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73641000
success 0 0
1620726239.110355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73601000
success 0 0
1620726239.110355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x72401000
success 0 0
1620726239.126355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x723c1000
success 0 0
1620726239.376355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x72381000
success 0 0
1620726245.501355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x72361000
success 0 0
1620726245.516355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x735f1000
success 0 0
Looks up the external IP address (1 event)
domain ip-api.com
Creates a suspicious process (1 event)
cmdline cmd.exe /c C:\Users\ADMINI~1.OSK\AppData\Local\Temp\xtex.exe /7-487
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated
1620726217.782355
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x00920000
success 0 0
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1620726234.548355
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.768478141924172 section {'size_of_data': '0x000a0000', 'virtual_address': '0x00001000', 'entropy': 7.768478141924172, 'name': '.text', 'virtual_size': '0x0009f970'} description A section with a high entropy has been found
entropy 0.9876543209876543 description Overall entropy of this PE file is high
Queries for potentially installed applications (3 events)
Time & API Arguments Status Return Repeated
1620726255.095355
RegOpenKeyExA
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kobo
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kobo
options: 0
failed 2 0
1620726255.188355
RegOpenKeyExA
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e9805f43-2282-473d-970e-173093e53002}
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e9805f43-2282-473d-970e-173093e53002}
options: 0
failed 2 0
1620726255.188355
RegOpenKeyExA
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Bubble 3.10
regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Bubble 3.10
options: 0
failed 2 0
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Disables proxy, possibly for traffic interception (1 event)
Time & API Arguments Status Return Repeated
1620726233.626355
RegSetValueExA
key_handle: 0x00000424
value: 0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
success 0 0
Attempts to create or modify system certificates (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob
Sets or modifies the WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1620726237.141355
RegSetValueExA
key_handle: 0x000004f8
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620726237.141355
RegSetValueExA
key_handle: 0x000004f8
value: 0N¥-]F×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620726237.141355
RegSetValueExA
key_handle: 0x000004f8
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620726237.141355
RegSetValueExW
key_handle: 0x000004f8
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620726237.141355
RegSetValueExA
key_handle: 0x00000538
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620726237.141355
RegSetValueExA
key_handle: 0x00000538
value: 0N¥-]F×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620726237.157355
RegSetValueExA
key_handle: 0x00000538
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620726237.235355
RegSetValueExW
key_handle: 0x00000378
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)
MicroWorld-eScan Gen:Variant.Razy.734749
FireEye Generic.mg.4b86ba8062ee8b1c
CAT-QuickHeal Trojan.Multi
McAfee GenericRXAA-AA!4B86BA8062EE
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 0056bd121 )
Alibaba Backdoor:Win32/Indiloadz.f17245db
K7GW Trojan ( 0056bd121 )
Arcabit Trojan.Razy.DB361D
Invincea Mal/Generic-S
Cyren W32/Trojan.JQFS-1775
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:CoinminerX-gen [Trj]
Kaspersky Backdoor.Win32.Agent.mytxcg
BitDefender Gen:Variant.Razy.734749
NANO-Antivirus Trojan.Win32.DownLoad4.hsmqps
Paloalto generic.ml
AegisLab Trojan.Win32.Agent.m!c
Ad-Aware Gen:Variant.Razy.734749
Emsisoft Gen:Variant.Razy.734749 (B)
Comodo Malware@#2y7lhl0vkvnz5
F-Secure Trojan.TR/Indiloadz.khohn
DrWeb Trojan.DownLoad4.14035
Zillya Trojan.Indiloadz.Win32.2042
TrendMicro TROJ_GEN.R054C0WHJ20
McAfee-GW-Edition BehavesLike.Win32.Trojan.jc
Sophos Mal/Generic-S
Ikarus Trojan.Win32.Indiloadz
Jiangmin Backdoor.Agent.icz
Webroot W32.Adware.Gen
Avira TR/Indiloadz.khohn
MAX malware (ai score=83)
Antiy-AVL Trojan/Win32.Indiloadz
Microsoft Trojan:Win32/Indiloadz
ZoneAlarm Backdoor.Win32.Agent.mytxcg
GData Gen:Variant.Razy.734749
Cynet Malicious (score: 85)
AhnLab-V3 Trojan/Win32.Razy.R348820
VBA32 TScope.Trojan.VB
Malwarebytes Adware.IndiLoadz
ESET-NOD32 a variant of Win32/Indiloadz.CA
TrendMicro-HouseCall TROJ_GEN.R054C0WHJ20
Rising Trojan.Indiloadz!8.E2E0 (TFE:5:QqEc6zp7iVT)
Yandex Trojan.Indiloadz!w3smSnq3m/M
SentinelOne DFI - Suspicious PE
eGambit Unsafe.AI_Score_99%
Fortinet W32/Indiloadz.CA!tr
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran

PE Compile Time

2020-08-18 21:36:33

Imports

Library MSVBVM60.DLL:
0x401000 __vbaStrI2
0x401004 _CIcos
0x401008 _adj_fptan
0x40100c __vbaVarMove
0x401010 __vbaVarVargNofree
0x401014 __vbaAryMove
0x401018 __vbaFreeVar
0x40101c __vbaLenBstr
0x401020 __vbaLateIdCall
0x401024 __vbaStrVarMove
0x401028 __vbaPut3
0x40102c __vbaFreeVarList
0x401030 __vbaEnd
0x401034 _adj_fdiv_m64
0x401038 __vbaFreeObjList
0x40103c
0x401040
0x401044 _adj_fprem1
0x401048 __vbaStrCat
0x40104c __vbaSetSystemError
0x401054 _adj_fdiv_m32
0x401058
0x40105c __vbaAryVar
0x401060
0x401064 __vbaAryDestruct
0x401068 __vbaExitProc
0x40106c
0x401070
0x401074 __vbaOnError
0x401078 __vbaObjSet
0x40107c _adj_fdiv_m16i
0x401080 __vbaObjSetAddref
0x401084 _adj_fdivr_m16i
0x401088
0x40108c __vbaFpR4
0x401090 __vbaBoolVar
0x401094 __vbaBoolVarNull
0x401098 _CIsin
0x40109c
0x4010a0
0x4010a4
0x4010a8
0x4010ac __vbaChkstk
0x4010b0 __vbaFileClose
0x4010b4 EVENT_SINK_AddRef
0x4010b8 __vbaStrCmp
0x4010bc __vbaI2I4
0x4010c0 __vbaObjVar
0x4010c4 DllFunctionCall
0x4010c8 __vbaVarOr
0x4010cc __vbaCastObjVar
0x4010d0 _adj_fpatan
0x4010d4 __vbaLateIdCallLd
0x4010d8 __vbaRedim
0x4010dc EVENT_SINK_Release
0x4010e0 __vbaNew
0x4010e4
0x4010e8 _CIsqrt
0x4010f0 __vbaStr2Vec
0x4010f4
0x4010f8 __vbaExceptHandler
0x4010fc
0x401100 __vbaStrToUnicode
0x401104
0x401108 __vbaPrintFile
0x40110c _adj_fprem
0x401110 _adj_fdivr_m64
0x401114
0x401118
0x40111c __vbaFPException
0x401120
0x401124
0x401128 __vbaUbound
0x40112c __vbaStrVarVal
0x401130 __vbaVarCat
0x401134
0x401138 __vbaI2Var
0x40113c
0x401140
0x401144 _CIlog
0x401148 __vbaErrorOverflow
0x40114c __vbaFileOpen
0x401150 __vbaR8Str
0x401154 __vbaNew2
0x401158 __vbaInStr
0x40115c
0x401160 _adj_fdiv_m32i
0x401164 _adj_fdivr_m32i
0x401168 __vbaStrCopy
0x40116c __vbaI4Str
0x401170 __vbaFreeStrList
0x401174 __vbaDerefAry1
0x401178 _adj_fdivr_m32
0x40117c _adj_fdiv_r
0x401180
0x401184
0x401188 __vbaI4Var
0x40118c __vbaLateMemCall
0x401190
0x401194 __vbaStrToAnsi
0x401198 __vbaVarDup
0x40119c
0x4011a0
0x4011a4 __vbaFpI4
0x4011a8 __vbaLateMemCallLd
0x4011ac _CIatan
0x4011b0 __vbaAryCopy
0x4011b4 __vbaCastObj
0x4011b8 __vbaStrMove
0x4011bc _allmul
0x4011c0 __vbaLateIdSt
0x4011c4 _CItan
0x4011c8 __vbaFPInt
0x4011cc _CIexp
0x4011d0 __vbaFreeObj
0x4011d4 __vbaFreeStr

Hosts

No hosts contacted.

TCP

Source | Source port | Destination | Destination host | Destination port
192.168.56.101 | 49182 | 124.225.105.97 | www.download.windowsupdate.com | 80
192.168.56.101 | 49179 | 192.35.177.64 | apps.identrust.com | 80
192.168.56.101 | 49193 | 216.58.200.78 | clients2.google.com | 443
192.168.56.101 | 49178 | 46.101.248.169 | geolocation-db.com | 443
192.168.56.101 | 49190 | 52.85.56.38 | d19k2w78yakd9g.cloudfront.net | 443

UDP

Source | Source port | Destination | Destination port
192.168.56.101 | 51378 | 114.114.114.114 | 53
192.168.56.101 | 53210 | 114.114.114.114 | 53
192.168.56.101 | 53237 | 114.114.114.114 | 53
192.168.56.101 | 54260 | 114.114.114.114 | 53
192.168.56.101 | 54991 | 114.114.114.114 | 53
192.168.56.101 | 57756 | 114.114.114.114 | 53
192.168.56.101 | 60088 | 114.114.114.114 | 53
192.168.56.101 | 60384 | 114.114.114.114 | 53
192.168.56.101 | 62318 | 114.114.114.114 | 53
192.168.56.101 | 137 | 192.168.56.255 | 137
192.168.56.101 | 138 | 192.168.56.255 | 138
192.168.56.101 | 49235 | 224.0.0.252 | 5355
192.168.56.101 | 49713 | 224.0.0.252 | 5355
192.168.56.101 | 50534 | 224.0.0.252 | 5355
192.168.56.101 | 51808 | 224.0.0.252 | 5355
192.168.56.101 | 51963 | 224.0.0.252 | 5355
192.168.56.101 | 53380 | 224.0.0.252 | 5355
192.168.56.101 | 56743 | 224.0.0.252 | 5355
192.168.56.101 | 56804 | 224.0.0.252 | 5355
192.168.56.101 | 57367 | 224.0.0.252 | 5355

HTTP & HTTPS Requests

URI Data
http://apps.identrust.com/roots/dstrootcax3.p7c
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 19 Apr 2021 20:17:25 GMT
If-None-Match: "80f8835935d71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.