4.2
中危
49 个模型检测该样本为恶意!
重新分析
更多

0e661b488a5571afb39ddf31bda089f7c032ed0a077501c3b7c8a31a0a6442d6

54ca5b11ab0e2ed5d71bdaee8459d2c7.exe

分析耗时

79s

最近分析

文件大小

311.8KB
静态报毒 动态报毒 100% ADWAREADLOAD AI SCORE=99 ATTRIBUTE AUTO BLADABINDI BYHXQ CLASSIC CONFIDENCE FORMBOOK GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE MALWARE@#27FVS0RBSJJBZ MULTIPLE DETECTIONS NSIS POWRFW R345325 SCORE STEAL SWOTTER UNSAFE VCCI 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee RDN/Generic.grp 20201031 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Alibaba Backdoor:Win32/Bladabindi.464a03ed 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20201031 20.10.5736.0
Tencent Win32.Trojan.Inject.Auto 20201031 1.0.0.1
Kingsoft 20201031 2013.8.14.323
静态指标
Checks if process is being debugged by a debugger (1 个事件)
Time & API Arguments Status Return Repeated
1619457645.298
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619426985.564036
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)
section .ndata
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619457645.344
__exception__
stacktrace: 
LdrGetProcedureAddressEx+0x11f wcsstr-0x99d ntdll+0x302ea @ 0x77d602ea
LdrGetProcedureAddress+0x18 LdrGetProcedureAddressEx-0x9 ntdll+0x301c2 @ 0x77d601c2
New_ntdll_LdrGetProcedureAddress@16+0x59 New_ntdll_LdrLoadDll@16-0xfb @ 0x752dd359
GetProcAddress+0x44 GetVersion-0x38 kernelbase+0x111c4 @ 0x778f11c4
SE_ProcessDying+0xce ApphelpCheckExe-0x5d02 apphelp+0x1008b @ 0x751d008b
SE_ProcessDying+0x64 ApphelpCheckExe-0x5d6c apphelp+0x10021 @ 0x751d0021
hook+0x173 hook_get_mem-0x33a @ 0x752c4e8e
monitor_hook+0x5d monitor_unhook-0x1c @ 0x752c162d
hook_library+0x1a unhook_library-0x3 @ 0x752cc6b9
New_ntdll_LdrLoadDll@16+0x112 New_ntdll_LdrUnloadDll@4-0x20 @ 0x752dd566
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
LoadLibraryExA+0x26 FreeLibrary-0x18 kernelbase+0x11d7a @ 0x778f1d7a
LoadLibraryA+0x31 HeapCreate-0x25 kernel32+0x14a08 @ 0x76354a08
winhttp+0x22df @ 0x747622df

registers.esp: 3010376
registers.edi: 1033164613
registers.eax: 0
registers.ebp: 3010500
registers.edx: 2001928192
registers.ebx: 1036180037
registers.esi: 2001933840
registers.ecx: 3010598
exception.instruction_r: 8b 0c 87 03 ca 8b 55 e0 89 55 0c 8b 55 0c 8a 12
exception.symbol: LdrGetDllHandleEx+0x3c2 LdrGetProcedureAddress-0xd0 ntdll+0x300da
exception.instruction: mov ecx, dword ptr [edi + eax*4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 196826
exception.address: 0x77d600da
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (12 个事件)
Time & API Arguments Status Return Repeated
1619457645.282
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x10002000
success 0 0
1619457645.298
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75250000
success 0 0
1619457645.298
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x750a1000
success 0 0
1619457645.298
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00320000
success 0 0
1619457645.298
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00330000
success 0 0
1619457645.313
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77531000
success 0 0
1619457645.313
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77531000
success 0 0
1619457645.329
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74761000
success 0 0
1619457645.329
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74711000
success 0 0
1619457645.329
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74760000
success 0 0
1619457645.329
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00370000
success 0 0
1619457645.329
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 147456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00570000
success 0 0
Creates executable files on the filesystem (9 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\m6\screenshot\blocks\msats10ui.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\m6\screenshot\blocks\cl.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\m6\screenshot\blocks\sbsmicrosoftjscript.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\m6\screenshot\blocks\ProjWizUI.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\Cholecystostomy.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\m6\screenshot\blocks\34.opends60.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\m6\screenshot\blocks\mscorsecr.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\m6\screenshot\blocks\CrystalKeyCodeLib.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\m6\screenshot\blocks\fusion.dll
Drops an executable to the user AppData folder (7 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\m6\screenshot\blocks\mscorsecr.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\m6\screenshot\blocks\fusion.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\m6\screenshot\blocks\msats10ui.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\m6\screenshot\blocks\sbsmicrosoftjscript.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\Cholecystostomy.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\m6\screenshot\blocks\ProjWizUI.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\m6\screenshot\blocks\CrystalKeyCodeLib.dll
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34006462
FireEye Generic.mg.54ca5b11ab0e2ed5
CAT-QuickHeal Backdoor.Bladabindi
McAfee RDN/Generic.grp
Cylance Unsafe
Sangfor Malware
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Backdoor:Win32/Bladabindi.464a03ed
K7GW Trojan ( 001df37b1 )
K7AntiVirus Trojan ( 001df37b1 )
Arcabit Trojan.Generic.D206E5BE
Invincea Mal/Generic-R
Cyren W32/Trojan.VCCI-5895
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Backdoor.Win32.Bladabindi.gen
BitDefender Trojan.GenericKD.34006462
Avast Win32:Trojan-gen
Tencent Win32.Trojan.Inject.Auto
Ad-Aware Trojan.GenericKD.34006462
Emsisoft Trojan.GenericKD.34006462 (B)
Comodo Malware@#27fvs0rbsjjbz
F-Secure Trojan.TR/AD.Swotter.byhxq
DrWeb Trojan.PWS.Stealer.28609
VIPRE Trojan.Win32.Generic!BT
TrendMicro Backdoor.Win32.BLADABINDI.POWRFW
McAfee-GW-Edition BehavesLike.Win32.AdwareAdload.fc
Sophos Troj/Steal-UZ
Webroot W32.Trojan.Gen
Avira TR/AD.Swotter.byhxq
Gridinsoft Trojan.Win32.Agent.ba
Microsoft Trojan:Win32/Bladabindi.BA!MTB
ZoneAlarm HEUR:Backdoor.Win32.Bladabindi.gen
GData Trojan.GenericKD.34006462
Cynet Malicious (score: 90)
AhnLab-V3 Malware/Win32.RL_Generic.R345325
MAX malware (ai score=99)
VBA32 Backdoor.Bladabindi
Malwarebytes Trojan.MalPack.NSIS
ESET-NOD32 multiple detections
TrendMicro-HouseCall Backdoor.Win32.BLADABINDI.POWRFW
Rising Trojan.Injector/NSIS!1.CA4F (CLASSIC)
Ikarus Trojan-Spy.FormBook
AVG Win32:Trojan-gen
Cybereason malicious.d93e3c
Panda Trj/CI.A
Qihoo-360 Win32/Backdoor.4b9
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2019-12-16 08:51:03

Imports

Library KERNEL32.dll:
0x408074 CreateFileA
0x408078 GetFileSize
0x40807c GetModuleFileNameA
0x408080 ReadFile
0x408084 GetCurrentProcess
0x408088 CopyFileA
0x40808c Sleep
0x408090 GetTickCount
0x408098 GetTempPathA
0x40809c GetCommandLineA
0x4080a0 lstrlenA
0x4080a4 GetVersion
0x4080a8 SetErrorMode
0x4080ac lstrcpynA
0x4080b0 ExitProcess
0x4080b4 SetFileAttributesA
0x4080b8 GlobalLock
0x4080bc CreateThread
0x4080c0 GetLastError
0x4080c4 CreateDirectoryA
0x4080c8 CreateProcessA
0x4080cc RemoveDirectoryA
0x4080d0 GetTempFileNameA
0x4080d4 WriteFile
0x4080d8 lstrcpyA
0x4080dc MoveFileExA
0x4080e0 lstrcatA
0x4080e4 GetSystemDirectoryA
0x4080e8 GetProcAddress
0x4080ec GetExitCodeProcess
0x4080f0 WaitForSingleObject
0x4080f4 CompareFileTime
0x4080f8 SetFileTime
0x4080fc GetFileAttributesA
0x408104 MoveFileA
0x408108 GetFullPathNameA
0x40810c GetShortPathNameA
0x408110 SearchPathA
0x408114 CloseHandle
0x408118 lstrcmpiA
0x40811c GlobalUnlock
0x408120 GetDiskFreeSpaceA
0x408124 lstrcmpA
0x408128 DeleteFileA
0x40812c FindFirstFileA
0x408130 FindNextFileA
0x408134 FindClose
0x408138 SetFilePointer
0x408144 MulDiv
0x408148 MultiByteToWideChar
0x40814c FreeLibrary
0x408150 LoadLibraryExA
0x408154 GetModuleHandleA
0x408158 GlobalAlloc
0x40815c GlobalFree
Library USER32.dll:
0x408184 GetSystemMenu
0x408188 SetClassLongA
0x40818c EnableMenuItem
0x408190 IsWindowEnabled
0x408194 SetWindowPos
0x408198 GetSysColor
0x40819c GetWindowLongA
0x4081a0 SetCursor
0x4081a4 LoadCursorA
0x4081a8 CheckDlgButton
0x4081ac GetMessagePos
0x4081b0 CallWindowProcA
0x4081b4 IsWindowVisible
0x4081b8 CloseClipboard
0x4081bc SetClipboardData
0x4081c0 EmptyClipboard
0x4081c4 OpenClipboard
0x4081c8 ScreenToClient
0x4081cc GetWindowRect
0x4081d0 GetDlgItem
0x4081d4 GetSystemMetrics
0x4081d8 SetDlgItemTextA
0x4081dc GetDlgItemTextA
0x4081e0 MessageBoxIndirectA
0x4081e4 CharPrevA
0x4081e8 DispatchMessageA
0x4081ec PeekMessageA
0x4081f0 GetDC
0x4081f4 ReleaseDC
0x4081f8 EnableWindow
0x4081fc InvalidateRect
0x408200 SendMessageA
0x408204 DefWindowProcA
0x408208 BeginPaint
0x40820c GetClientRect
0x408210 FillRect
0x408214 EndDialog
0x408218 RegisterClassA
0x408220 CreateWindowExA
0x408224 GetClassInfoA
0x408228 DialogBoxParamA
0x40822c CharNextA
0x408230 ExitWindowsEx
0x408234 LoadImageA
0x408238 CreateDialogParamA
0x40823c SetTimer
0x408240 SetWindowTextA
0x408244 SetForegroundWindow
0x408248 ShowWindow
0x40824c SetWindowLongA
0x408250 SendMessageTimeoutA
0x408254 FindWindowExA
0x408258 IsWindow
0x40825c AppendMenuA
0x408260 TrackPopupMenu
0x408264 CreatePopupMenu
0x408268 DrawTextA
0x40826c EndPaint
0x408270 DestroyWindow
0x408274 wsprintfA
0x408278 PostQuitMessage
Library GDI32.dll:
0x40804c SelectObject
0x408050 SetTextColor
0x408054 SetBkMode
0x408058 CreateFontIndirectA
0x40805c CreateBrushIndirect
0x408060 DeleteObject
0x408064 GetDeviceCaps
0x408068 SetBkColor
Library SHELL32.dll:
0x40816c ShellExecuteExA
0x408174 SHBrowseForFolderA
0x408178 SHGetFileInfoA
0x40817c SHFileOperationA
Library ADVAPI32.dll:
0x408004 RegCreateKeyExA
0x408008 RegOpenKeyExA
0x40800c SetFileSecurityA
0x408010 OpenProcessToken
0x408018 RegEnumValueA
0x40801c RegDeleteKeyA
0x408020 RegDeleteValueA
0x408024 RegCloseKey
0x408028 RegSetValueExA
0x40802c RegQueryValueExA
0x408030 RegEnumKeyA
Library COMCTL32.dll:
0x408038 ImageList_Create
0x40803c ImageList_AddMasked
0x408040
0x408044 ImageList_Destroy
Library ole32.dll:
0x408280 OleUninitialize
0x408284 OleInitialize
0x408288 CoTaskMemFree
0x40828c CoCreateInstance

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51379 239.255.255.250 3702
192.168.56.101 55369 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 63432 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.