5.2
Medium risk

7371e1b74410000cb35049d74ba9f63da63cabfc28f9aae86769136d7e435ad7

550f509d09da444d4641276c01db032b.exe

Analysis time

22s

Last analyzed

File size

92.0KB
Static detection Dynamic detection 100% A@70V67G AGEN AI SCORE=100 AKNB BGMWV BPLGF4SQQWM BSCOPE CLOUD CONFIDENCE DOWNLOADER25 ERFEYU FAMVT FOFQ FQW@AKPKUUCI GENCIRC GENETIC HIGH CONFIDENCE KCLOUD MALICIOUS PE MAUVAISE R + TROJ R198292 REMCOS REMCOSRAT RESCOMS REVETAF SAVE SCORE STATIC AI UNSAFE USMANEAGHC ZEXAF
Eagle Eye engine
Not detected: no Eagle Eye engine detection results yet
Static verdict
Antivirus engines
Engine Result Scan time Engine version
McAfee Trojan-FOFQ!550F509D09DA 20210301 6.0.6.653
Alibaba Backdoor:Win32/Rescoms.32f 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20210203 1.0
Baidu 20190318 1.0.0.2
Avast Win32:RemcosRAT-A [Trj] 20210301 21.1.5827.0
Tencent Malware.Win32.Gencirc.10b097e0 20210301 1.0.0.1
Kingsoft Win32.Troj.Undef.(kcloud) 20210301 2017.9.26.565
Static indicators
Command line console output was observed (22 events)
Time & API Arguments Status Return Repeated
1619426979.529841
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619426979.545841
WriteConsoleW
buffer: PING
console_handle: 0x00000007
success 1 0
1619426979.545841
WriteConsoleW
buffer: 127.0.0.1 -n 2
console_handle: 0x00000007
success 1 0
1619426981.951841
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619426981.951841
WriteConsoleW
buffer: start
console_handle: 0x00000007
success 1 0
1619426981.951841
WriteConsoleW
buffer: "" "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
console_handle: 0x00000007
success 1 0
1619426985.279841
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619426985.279841
WriteConsoleW
buffer: del
console_handle: 0x00000007
success 1 0
1619426985.279841
WriteConsoleW
buffer: "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.bat"
console_handle: 0x00000007
success 1 0
1619426985.326841
WriteConsoleW
buffer: 找不到批处理文件。
console_handle: 0x0000000b
success 1 0
1619429977.357375
WriteConsoleA
buffer: 正在 Ping 127.0.0.1
console_handle: 0x00000007
success 1 0
1619429977.373375
WriteConsoleA
buffer: 具有 32 字节的数据:
console_handle: 0x00000007
success 1 0
1619429977.451375
WriteConsoleA
buffer: 来自 127.0.0.1 的回复:
console_handle: 0x00000007
success 1 0
1619429977.451375
WriteConsoleA
buffer: 字节=32
console_handle: 0x00000007
success 1 0
1619429977.451375
WriteConsoleA
buffer: 时间<1ms
console_handle: 0x00000007
success 1 0
1619429977.451375
WriteConsoleA
buffer: TTL=128
console_handle: 0x00000007
success 1 0
1619429978.451375
WriteConsoleA
buffer: 来自 127.0.0.1 的回复:
console_handle: 0x00000007
success 1 0
1619429978.451375
WriteConsoleA
buffer: 字节=32
console_handle: 0x00000007
success 1 0
1619429978.451375
WriteConsoleA
buffer: 时间<1ms
console_handle: 0x00000007
success 1 0
1619429978.451375
WriteConsoleA
buffer: TTL=128
console_handle: 0x00000007
success 1 0
1619429978.467375
WriteConsoleA
buffer: 127.0.0.1 的 Ping 统计信息: 数据包: 已发送 = 2，已接收 = 2，丢失 = 0 (0% 丢失)，
console_handle: 0x00000007
success 1 0
1619429978.482375
WriteConsoleA
buffer: 往返行程的估计时间(以毫秒为单位): 最短 = 0ms，最长 = 0ms，平均 = 0ms
console_handle: 0x00000007
success 1 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619429977.326375
GlobalMemoryStatusEx
success 1 0
The executable uses a known packer (1 event)
packer Armadillo v1.71
Behavior verdict
Dynamic indicators
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.bat
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.bat
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619426979.20896
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.bat
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.bat
show_type: 0
success 1 0
Uses Windows utilities for basic Windows functionality (1 event)
cmdline PING 127.0.0.1 -n 2
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 2452 resumed a thread in remote process 3132
Time & API Arguments Status Return Repeated
1619426985.279841
NtResumeThread
thread_handle: 0x00000080
suspend_count: 0
process_identifier: 3132
success 0 0
File has been identified by 66 AntiVirus engines on VirusTotal as malicious (50 out of 66 events shown)
Bkav W32.FamVT.RevetAF.Trojan
Elastic malicious (high confidence)
ClamAV Win.Malware.Rescoms-6598304-0
CAT-QuickHeal Trojan.Mauvaise.SL1
McAfee Trojan-FOFQ!550F509D09DA
Cylance Unsafe
Zillya Trojan.Agent.Win32.742092
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 004f67651 )
Alibaba Backdoor:Win32/Rescoms.32f
K7GW Trojan ( 004f67651 )
CrowdStrike win/malicious_confidence_100% (W)
Cyren W32/Injector.AKNB-1880
Symantec Infostealer!im
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Trojan.Inject.BDT
NANO-Antivirus Trojan.Win32.AD.erfeyu
ViRobot Trojan.Win32.Agent.94208.EA
SUPERAntiSpyware Backdoor.Remcos/Variant
MicroWorld-eScan Trojan.Inject.BDT
Avast Win32:RemcosRAT-A [Trj]
Tencent Malware.Win32.Gencirc.10b097e0
Ad-Aware Trojan.Inject.BDT
Emsisoft Trojan.Agent (A)
Comodo TrojWare.Win32.Rescoms.A@70v67g
F-Secure Heuristic.HEUR/AGEN.1115265
DrWeb Trojan.DownLoader25.11684
VIPRE Trojan.Win32.Generic!BT
TrendMicro Backdoor.Win32.REMCOS.USMANEAGHC
McAfee-GW-Edition BehavesLike.Win32.Dropper.nh
FireEye Generic.mg.550f509d09da444d
Sophos Mal/Generic-R + Troj/Remcos-DI
SentinelOne Static AI - Malicious PE
GData Win32.Backdoor.Remcos.B
Jiangmin Trojan.Generic.bgmwv
Webroot W32.Malware.Gen
Avira HEUR/AGEN.1115265
eGambit Unsafe.AI_Score_100%
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Agent.ba
Arcabit Trojan.Inject.BDT
AegisLab Trojan.Win32.Generic.4!c
ZoneAlarm HEUR:Trojan.Win32.Generic
Microsoft Backdoor:Win32/Rescoms
TACHYON Backdoor/W32.Agent.94208.GG
AhnLab-V3 Backdoor/Win32.Rescoms.R198292
Acronis suspicious
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while this sample ran


PE Compile Time

2017-01-06 03:50:13

Imports

Library KERNEL32.dll:
0x41006c GetModuleFileNameA
0x410070 GetLongPathNameA
0x410074 CreateMutexA
0x410078 OpenMutexA
0x41007c Process32Next
0x410080 Process32First
0x410088 SizeofResource
0x41008c LockResource
0x410090 LoadResource
0x410094 FindResourceA
0x410098 GetLocaleInfoA
0x41009c Process32NextW
0x4100a0 Process32FirstW
0x4100a4 lstrlenA
0x4100a8 GetDriveTypeA
0x4100ac CreateProcessA
0x4100b0 GetTickCount
0x4100b4 GlobalUnlock
0x4100b8 GlobalLock
0x4100bc GlobalAlloc
0x4100c0 WinExec
0x4100c4 GetCurrentProcessId
0x4100c8 CreateDirectoryW
0x4100cc CopyFileA
0x4100d0 GetFileAttributesW
0x4100d8 GetCurrentProcess
0x4100dc ResumeThread
0x4100e0 SetThreadContext
0x4100e4 WriteProcessMemory
0x4100e8 VirtualAllocEx
0x4100ec ReadProcessMemory
0x4100f0 GetThreadContext
0x4100f4 VirtualAlloc
0x4100f8 GlobalFree
0x4100fc LocalAlloc
0x410100 TerminateProcess
0x410104 ReadFile
0x410108 PeekNamedPipe
0x41010c GetStdHandle
0x410110 CreatePipe
0x410114 OpenProcess
0x410118 DuplicateHandle
0x41011c GetCurrentThread
0x410120 lstrcpynA
0x410124 ExitProcess
0x410128 AllocConsole
0x41012c GetStartupInfoA
0x410134 FindFirstFileA
0x410138 FindNextFileA
0x41013c GetLastError
0x410140 LoadLibraryA
0x410144 GetProcAddress
0x410148 CreateFileMappingA
0x41014c MapViewOfFileEx
0x410150 DeleteFileA
0x410154 RemoveDirectoryA
0x410158 CloseHandle
0x41015c GetFileAttributesA
0x410160 SetFileAttributesA
0x410164 SetEvent
0x410168 TerminateThread
0x41016c FindFirstFileW
0x410170 FindNextFileW
0x410174 FindClose
0x410178 GetLocalTime
0x41017c CreateEventA
0x410180 WaitForSingleObject
0x410184 CreateDirectoryA
0x410188 ExitThread
0x41018c Sleep
0x410190 GetModuleHandleA
0x410194 DeleteFileW
0x410198 CreateThread
Library USER32.dll:
0x4103e0 GetForegroundWindow
0x4103e4 UnhookWindowsHookEx
0x4103e8 CloseClipboard
0x4103ec GetClipboardData
0x4103f0 OpenClipboard
0x4103f4 SetClipboardData
0x4103f8 EmptyClipboard
0x4103fc ExitWindowsEx
0x410400 MessageBoxA
0x41040c ShowWindow
0x410410 CloseWindow
0x410414 GetWindowTextA
0x410418 GetWindowTextW
0x41041c EnumWindows
0x410420 SendInput
0x410424 CreateWindowExA
0x410428 RegisterClassExA
0x41042c AppendMenuA
0x410430 CreatePopupMenu
0x410434 TrackPopupMenu
0x410438 SetForegroundWindow
0x41043c GetCursorPos
0x410440 DefWindowProcA
0x410444 GetKeyState
0x410448 CallNextHookEx
0x41044c SetWindowsHookExA
0x410450 GetMessageA
0x410454 TranslateMessage
0x410458 GetKeyboardLayout
0x41045c FindWindowA
0x410460 DispatchMessageA
0x410464 IsWindowVisible
Library GDI32.dll:
0x410040 CreateDCA
0x410044 CreateCompatibleDC
0x410048 GetDeviceCaps
0x410050 SelectObject
0x410054 StretchBlt
0x410058 GetObjectA
0x41005c GetDIBits
0x410060 DeleteObject
0x410064 DeleteDC
Library ADVAPI32.dll:
0x410000 OpenProcessToken
0x41000c RegCreateKeyExA
0x410010 RegQueryInfoKeyA
0x410014 RegEnumKeyExA
0x410018 RegEnumValueA
0x41001c RegDeleteValueA
0x410020 RegCreateKeyA
0x410024 RegSetValueExA
0x410028 RegOpenKeyExA
0x41002c RegDeleteKeyA
0x410030 RegCloseKey
0x410034 RegQueryValueExA
0x410038 GetUserNameW
Library SHELL32.dll:
0x4103bc ShellExecuteA
0x4103c0 ExtractIconA
0x4103c4 Shell_NotifyIconA
0x4103c8 ShellExecuteExA
0x4103cc ShellExecuteW
Library MSVCP60.dll:
Library MSVCRT.dll:
0x410308 _wrename
0x41030c _controlfp
0x410310 __set_app_type
0x410314 __p__fmode
0x410318 __p__commode
0x41031c _adjust_fdiv
0x410320 __setusermatherr
0x410324 _initterm
0x410328 __getmainargs
0x41032c _acmdln
0x410330 _XcptFilter
0x410334 _exit
0x410338 _onexit
0x41033c __dllonexit
0x410344 _iob
0x410348 freopen
0x41034c srand
0x410350 rand
0x410354 mbstowcs
0x410358 realloc
0x41035c _itoa
0x410360 sprintf
0x410364 getenv
0x410368 toupper
0x41036c tolower
0x410370 wcscmp
0x410374 printf
0x410378 strncmp
0x41037c malloc
0x410380 free
0x410384 _EH_prolog
0x410388 __CxxFrameHandler
0x41038c time
0x410390 localtime
0x410394 strftime
0x410398 puts
0x41039c atoi
0x4103a0 _ftol
0x4103a4 ??2@YAPAXI@Z
0x4103a8 _except_handler3
0x4103ac exit
0x4103b4 _CxxThrowException
Library WINMM.dll:
0x410480 waveInOpen
0x410484 waveInStop
0x410488 waveInClose
0x41048c waveInAddBuffer
0x410490 waveInPrepareHeader
0x410498 waveInStart
Library SHLWAPI.dll:
0x4103d4 PathFileExistsA
Library WS2_32.dll:
0x4104a0 htons
0x4104a4 gethostbyname
0x4104a8 closesocket
0x4104ac socket
0x4104b0 send
0x4104b4 WSAGetLastError
0x4104b8 connect
0x4104bc recv
0x4104c0 WSAStartup
Library urlmon.dll:
0x4104f8 URLDownloadToFileA
Library gdiplus.dll:
0x4104cc GdipDisposeImage
0x4104d0 GdipCloneImage
0x4104d4 GdipAlloc
0x4104dc GdipSaveImageToFile
0x4104e4 GdiplusStartup
0x4104ec GdipFree
Library WININET.dll:
0x41046c InternetCloseHandle
0x410470 InternetOpenUrlA
0x410474 InternetOpenA
0x410478 InternetReadFile

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.