3.4
中危
58 个模型检测该样本为恶意!
重新分析
更多

06859856004ea11da1cec9e5c43126db08b797ac703d67b30608449b14fbd079

4e23c3068ea7c9047be5616b20b3eed6.exe

分析耗时

36s

最近分析

文件大小

680.5KB
静态报毒 动态报毒 100% 1GN9WDBK AI SCORE=100 AIDETECTVM ARTEMIS BADUR CONFIDENCE ENHE FORMBO GENCIRC HIGH CONFIDENCE HUTPPX INJECTORX KCLOUD MALICIOUS PE MALWARE1 MALWARE@#33U8AA4NDYZQ6 NOON PUPXDB QUZ@ACXEA3BI S + TROJ SCORE SIGGEN10 STATIC AI SWOTTER TDLGJ UHBAZCLMM UNSAFE UZER XT68LE0LB1T YMACCO ZEXAF ZUSY 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Artemis!4E23C3068EA7 20210127 6.0.6.653
Alibaba TrojanSpy:Win32/Ymacco.27614963 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:InjectorX-gen [Trj] 20210127 21.1.5827.0
Tencent Malware.Win32.Gencirc.11aea026 20210127 1.0.0.1
Kingsoft Win32.Troj.Noon.ba.(kcloud) 20210127 2017.9.26.565
CrowdStrike win/malicious_confidence_100% (W) 20210106 1.0
静态指标
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620974760.756876
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (2 个事件)
Time & API Arguments Status Return Repeated
1620974760.756876
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0028b000
success 0 0
1620974770.320124
NtAllocateVirtualMemory
process_identifier: 3056
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00a00000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (1 个事件)
entropy 7.001822692655744 section {'size_of_data': '0x00002800', 'virtual_address': '0x0007b000', 'entropy': 7.001822692655744, 'name': '.data', 'virtual_size': '0x00003560'} description A section with a high entropy has been found
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2860 called NtSetContextThread to modify thread in remote process 3056
Time & API Arguments Status Return Repeated
1620974769.881876
NtSetContextThread
thread_handle: 0x00000094
registers.eip: 2010382788
registers.esp: 1571172
registers.edi: 0
registers.eax: 4319808
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3056
success 0 0
File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 个事件)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Zusy.313134
FireEye Generic.mg.4e23c3068ea7c904
McAfee Artemis!4E23C3068EA7
Cylance Unsafe
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
Alibaba TrojanSpy:Win32/Ymacco.27614963
K7GW Riskware ( 0040eff71 )
Cybereason malicious.68ea7c
Arcabit Trojan.Zusy.D4C72E
Cyren W32/Trojan.UZER-1248
Symantec Trojan Horse
APEX Malicious
Avast Win32:InjectorX-gen [Trj]
Kaspersky HEUR:Trojan-Spy.Win32.Noon.vho
BitDefender Gen:Variant.Zusy.313134
NANO-Antivirus Trojan.Win32.Noon.hutppx
Paloalto generic.ml
AegisLab Trojan.Multi.Generic.4!c
Tencent Malware.Win32.Gencirc.11aea026
Ad-Aware Gen:Variant.Zusy.313134
Emsisoft Gen:Variant.Zusy.313134 (B)
Comodo Malware@#33u8aa4ndyzq6
F-Secure Trojan.TR/AD.Swotter.tdlgj
DrWeb Trojan.Siggen10.17409
VIPRE VirTool.Win32.Obfuscator.da!k (v)
TrendMicro TrojanSpy.Win32.NOON.UHBAZCLMM
McAfee-GW-Edition BehavesLike.Win32.PUPXDB.jh
Sophos Mal/Generic-S + Troj/Formbo-LK
SentinelOne Static AI - Malicious PE
Jiangmin TrojanSpy.Noon.qen
Avira TR/AD.Swotter.tdlgj
MAX malware (ai score=100)
Antiy-AVL Trojan[Spy]/Win32.Noon
Kingsoft Win32.Troj.Noon.ba.(kcloud)
Gridinsoft Trojan.Win32.Agent.oa
Microsoft Trojan:Win32/Ymacco.AA06
ZoneAlarm HEUR:Trojan-Spy.Win32.Noon.vho
GData Gen:Variant.Zusy.313134
Cynet Malicious (score: 100)
Acronis suspicious
BitDefenderTheta Gen:NN.ZexaF.34780.QuZ@aCxeA3bi
VBA32 TrojanSpy.Noon
Malwarebytes Trojan.Injector
Zoner Trojan.Win32.93811
ESET-NOD32 a variant of Win32/Injector.ENHE
TrendMicro-HouseCall TrojanSpy.Win32.NOON.UHBAZCLMM
Rising Trojan.Injector!8.C4 (TFE:5:Xt68LE0lb1T)
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-09-11 08:49:39

Imports

Library KERNEL32.dll:
0x478008 CreateFileW
0x47800c EnumDateFormatsExW
0x478010 PeekConsoleInputA
0x478018 MoveFileW
0x47801c lstrcatA
0x478020 GetStringTypeW
0x478024 MultiByteToWideChar
0x478028 UpdateResourceW
0x47802c HeapReAlloc
0x478030 HeapAlloc
0x478034 HeapSize
0x478038 RtlUnwind
0x47803c IsValidCodePage
0x478040 GetOEMCP
0x478044 GetACP
0x478048 GetCPInfo
0x47804c Sleep
0x478050 HeapFree
0x478054 LCMapStringW
0x478058 GetProcAddress
0x47805c GetCommandLineA
0x478060 HeapSetInformation
0x478068 GetModuleHandleW
0x47806c ExitProcess
0x478070 DecodePointer
0x478074 WriteFile
0x478078 GetStdHandle
0x47807c GetModuleFileNameW
0x478080 GetModuleFileNameA
0x478088 WideCharToMultiByte
0x478090 SetHandleCount
0x478098 GetFileType
0x47809c GetStartupInfoW
0x4780a0 EncodePointer
0x4780a4 TlsAlloc
0x4780a8 TlsGetValue
0x4780ac TlsSetValue
0x4780b0 TlsFree
0x4780b8 SetLastError
0x4780bc GetCurrentThreadId
0x4780c0 GetLastError
0x4780c8 HeapCreate
0x4780d0 GetTickCount
0x4780d4 GetCurrentProcessId
0x4780e4 LoadLibraryW
0x4780ec IsDebuggerPresent
0x4780f0 TerminateProcess
0x4780f4 GetCurrentProcess
Library WINSPOOL.DRV:
0x478124 DeviceCapabilitiesW
0x47812c EnumJobsA
Library USER32.dll:
0x478100 mouse_event
0x478108 EnableMenuItem
0x47810c SetWindowLongW
0x478110 CreateMenu
0x478114 DlgDirListW
0x478118 IsWindow
0x47811c AnyPopup
Library GDI32.dll:
0x478000 SetPaletteEntries

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 49240 239.255.255.250 1900
192.168.56.101 50003 239.255.255.250 3702
192.168.56.101 58368 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.