4.4
中危
55 个模型检测该样本为恶意!
重新分析
更多

1b43ddc3b6fb5bd72254e49ad43690747206ce54561b05857dc82283f5793c7b

537adbb472a16cd2ee35f4e5c0b5f51f.exe

分析耗时

74s

最近分析

文件大小

571.5KB
静态报毒 动态报毒 A + MAL AGENTB AI SCORE=88 AIDETECTVM BANKERX BFSCZ BSCOPE BUNITU CLASSIC COBRA CONFIDENCE ELDORADO ELJF ENCPK GA@8SFC92 GENCIRC GENERICKDZ GENETIC GENKRYPTIK HDJM HIGH CONFIDENCE HKPGOG INJECT3 JM0@ASZCWYHI JXZT KRYPTIK MALICIOUS PE MALWARE1 PROXY QAKBOT QBOT R336864 S13419017 SCORE UNSAFE WACATAC WACATACPMF ZENPAK ZEXAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/Agentb.787f6934 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:BankerX-gen [Trj] 20200921 18.4.3895.0
Kingsoft 20200921 2013.8.14.323
McAfee 20200920 6.0.6.653
Tencent Malware.Win32.Gencirc.10cdcae2 20200921 1.0.0.1
CrowdStrike win/malicious_confidence_80% (W) 20190702 1.0
静态指标
Queries for the computername (2 个事件)
Time & API Arguments Status Return Repeated
1619426985.015524
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619452115.697001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
One or more processes crashed (2 个事件)
Time & API Arguments Status Return Repeated
1619452116.353001
__exception__
stacktrace: 
537adbb472a16cd2ee35f4e5c0b5f51f+0x3f07 @ 0x403f07
537adbb472a16cd2ee35f4e5c0b5f51f+0x1b25 @ 0x401b25
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637624
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637684
registers.edx: 22104
registers.ebx: 1
registers.esi: 6569352
registers.ecx: 10
exception.instruction_r: ed 89 5d e4 89 4d e0 5a 59 5b 58 83 4d fc ff eb
exception.symbol: 537adbb472a16cd2ee35f4e5c0b5f51f+0x3449
exception.instruction: in eax, dx
exception.module: 537adbb472a16cd2ee35f4e5c0b5f51f.exe
exception.exception_code: 0xc0000096
exception.offset: 13385
exception.address: 0x403449
success 0 0
1619452116.353001
__exception__
stacktrace: 
537adbb472a16cd2ee35f4e5c0b5f51f+0x3f10 @ 0x403f10
537adbb472a16cd2ee35f4e5c0b5f51f+0x1b25 @ 0x401b25
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637628
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637684
registers.edx: 22104
registers.ebx: 1
registers.esi: 6569352
registers.ecx: 20
exception.instruction_r: ed 89 45 e4 5a 59 5b 58 83 4d fc ff eb 11 33 c0
exception.symbol: 537adbb472a16cd2ee35f4e5c0b5f51f+0x34e2
exception.instruction: in eax, dx
exception.module: 537adbb472a16cd2ee35f4e5c0b5f51f.exe
exception.exception_code: 0xc0000096
exception.offset: 13538
exception.address: 0x4034e2
success 0 0
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (6 个事件)
Time & API Arguments Status Return Repeated
1619426984.827524
NtAllocateVirtualMemory
process_identifier: 3068
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00370000
success 0 0
1619426984.827524
NtAllocateVirtualMemory
process_identifier: 3068
region_size: 221184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003b0000
success 0 0
1619426984.827524
NtProtectVirtualMemory
process_identifier: 3068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 237568
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619452115.634001
NtAllocateVirtualMemory
process_identifier: 2228
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004a0000
success 0 0
1619452115.650001
NtAllocateVirtualMemory
process_identifier: 2228
region_size: 221184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e40000
success 0 0
1619452115.650001
NtProtectVirtualMemory
process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 237568
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619426985.733524
CreateProcessInternalW
thread_identifier: 520
thread_handle: 0x0000014c
process_identifier: 2228
current_directory:
filepath:
track: 1
command_line: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\537adbb472a16cd2ee35f4e5c0b5f51f.exe /C
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000150
inherit_handles: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (1 个事件)
entropy 6.922404964217177 section {'size_of_data': '0x00017c00', 'virtual_address': '0x00079000', 'entropy': 6.922404964217177, 'name': '.rsrc', 'virtual_size': '0x00017bdc'} description A section with a high entropy has been found
Expresses interest in specific running processes (1 个事件)
process vboxservice.exe
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Detects VMWare through the in instruction feature (1 个事件)
Time & API Arguments Status Return Repeated
1619452116.353001
__exception__
stacktrace: 
537adbb472a16cd2ee35f4e5c0b5f51f+0x3f07 @ 0x403f07
537adbb472a16cd2ee35f4e5c0b5f51f+0x1b25 @ 0x401b25
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637624
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637684
registers.edx: 22104
registers.ebx: 1
registers.esi: 6569352
registers.ecx: 10
exception.instruction_r: ed 89 5d e4 89 4d e0 5a 59 5b 58 83 4d fc ff eb
exception.symbol: 537adbb472a16cd2ee35f4e5c0b5f51f+0x3449
exception.instruction: in eax, dx
exception.module: 537adbb472a16cd2ee35f4e5c0b5f51f.exe
exception.exception_code: 0xc0000096
exception.offset: 13385
exception.address: 0x403449
success 0 0
File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.67171
CAT-QuickHeal Trojan.WacatacPMF.S13419017
ALYac Trojan.Agent.QakBot
Cylance Unsafe
Zillya Trojan.Qbot.Win32.8206
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/Agentb.787f6934
K7GW Riskware ( 0040eff71 )
Cybereason malicious.065e57
Arcabit Trojan.Generic.D10663
TrendMicro Backdoor.Win32.QAKBOT.SME
Cyren W32/Kryptik.BMW.gen!Eldorado
Symantec W32.Qakbot
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky Trojan.Win32.Agentb.jxzt
BitDefender Trojan.GenericKDZ.67171
NANO-Antivirus Trojan.Win32.Inject3.hkpgog
Avast Win32:BankerX-gen [Trj]
Rising Trojan.Kryptik!1.C745 (CLASSIC)
Ad-Aware Trojan.GenericKDZ.67171
Comodo TrojWare.Win32.Qbot.GA@8sfc92
F-Secure Trojan.TR/AD.Qbot.bfscz
DrWeb Trojan.Inject3.40031
VIPRE Trojan.Win32.Generic.pak!cobra
Invincea ML/PE-A + Mal/EncPk-APV
FireEye Generic.mg.537adbb472a16cd2
Sophos Mal/EncPk-APV
Ikarus Backdoor.QBot
Jiangmin Trojan.Zenpak.bss
Webroot Trojan.Proxy.Bunitu
Avira TR/AD.Qbot.bfscz
Antiy-AVL Trojan/Win32.Wacatac
Microsoft Trojan:Win32/Qakbot.AR!MTB
ZoneAlarm Trojan.Win32.Agentb.jxzt
GData Trojan.GenericKDZ.67171
AhnLab-V3 Backdoor/Win32.Qakbot.R336864
Acronis suspicious
MAX malware (ai score=88)
VBA32 BScope.Trojan.Inject
Malwarebytes Backdoor.Qbot
ESET-NOD32 a variant of Win32/Kryptik.HDJM
TrendMicro-HouseCall Backdoor.Win32.QAKBOT.SME
Tencent Malware.Win32.Gencirc.10cdcae2
SentinelOne DFI - Malicious PE
Fortinet W32/GenKryptik.ELJF!tr
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-05-15 16:27:31

Imports

Library KERNEL32.dll:
0x47804c HeapFree
0x478050 GetProcessHeap
0x478054 GetModuleHandleW
0x478058 GetModuleHandleA
0x47805c LoadLibraryW
0x478060 GetProcAddress
0x478064 FreeLibrary
0x478068 OutputDebugStringW
0x47806c GetLocalTime
0x478070 WriteFile
0x478074 SetFilePointer
0x478080 HeapAlloc
0x478084 CreateFileW
0x478088 DeviceIoControl
0x47808c CreateThread
0x478090 WaitForSingleObject
0x478094 GetCurrentProcess
0x478098 GetLastError
0x47809c CloseHandle
0x4780a0 ExitThread
0x4780a4 SetLastError
0x4780a8 lstrlenW
0x4780ac GlobalReAlloc
0x4780b0 GlobalLock
0x4780b4 lstrcatW
0x4780b8 GlobalUnlock
0x4780bc lstrcpyW
0x4780c0 AddAtomW
0x4780c4 IsValidLocale
0x4780c8 GlobalFree
0x4780cc DeleteAtom
0x4780d0 lstrcmpW
0x4780d4 LocalAlloc
0x4780d8 lstrcpynW
0x4780dc GetLocaleInfoW
0x4780e0 GlobalGetAtomNameW
0x4780e4 LocalFree
0x4780e8 WinExec
0x4780ec GetStartupInfoW
0x4780f0 GetAtomNameW
0x4780f4 ExitProcess
0x4780f8 GlobalAlloc
0x4780fc lstrcmpiW
0x478100 VirtualAlloc
Library USER32.dll:
0x478108 LoadIconA
0x47810c AnyPopup
0x478110 CloseWindow
0x478114 GetListBoxInfo
0x478118 InSendMessage
0x47811c GetKeyboardType
0x478120 GetSystemMetrics
0x478124 GetMenu
0x478128 IsIconic
0x47812c GetParent
0x478130 GetTopWindow
0x478134 DestroyCursor
0x478138 CloseClipboard
0x478140 IsCharAlphaNumericW
0x478144 GetActiveWindow
0x478148 IsCharUpperW
0x47814c CopyIcon
0x478150 GetKeyboardLayout
0x478154 GetDoubleClickTime
Library GDI32.dll:
0x47815c GetEnhMetaFileW
0x478160 CreatePatternBrush
0x478164 GetROP2
0x478168 DeleteEnhMetaFile
0x47816c CloseFigure
0x478170 GetTextAlign
0x478178 SetMetaRgn
0x47817c DeleteColorSpace
0x478180 GetStockObject
0x478184 GetObjectType
0x478188 UnrealizeObject
Library ADVAPI32.dll:
0x478190 RegOpenKeyA
0x478194 RegQueryValueExA
Library SHELL32.dll:
0x47819c ShellExecuteW
0x4781a8 SHChangeNotify
0x4781ac SHBrowseForFolderW
0x4781b0

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 49714 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 1900
192.168.56.101 53658 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.