6.0
High risk

73fb3ecdd43c0cb0bb8324ea3657c71126b3289024a5b618a45d378ac1014066

57e682c0e254a8f2ee9cbf1e1b8788b6.exe

Analysis duration

74s

Last analysis

File size

906.6KB
Static detection: malicious. Dynamic detection: malicious. Detection tags: 100% 4G1@AS@LLGDI AI SCORE=85 BSCOPE CLASSIC CONFIDENCE DANGEROUSSIG DEYMA ECRSI EHLS ELDORADO ENCPK GDSDA GENCIRC GENERICKD GRAYWARE HFJQ HIDC HIGH CONFIDENCE HQPRRO KCLOUD KRYPT KRYPTIK MALWARE@#2H297X8VU8LX6 QAKBOT R + MAL R347002 RACEALER SCORE SIGGEN2 THIBCBO TROJDOWNLOADER UNSAFE WACATAC YMACCO ZEXAF
Hawkeye (鹰眼) engine
Not detected: no Hawkeye engine detection results available
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
McAfee Packed-GBS!57E682C0E254 20201211 6.0.6.653
Baidu 20190318 1.0.0.2
Avast Win32:DangerousSig [Trj] 20201210 21.1.5827.0
Alibaba TrojanDownloader:Win32/Deyma.6ce206f3 20190527 0.3.0.5
Tencent Malware.Win32.Gencirc.11acd8b5 20201211 1.0.0.1
Kingsoft Win32.TrojDownloader.Deyma.b.(kcloud) 20201211 2017.9.26.565
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (6 events)
Time & API Arguments Status Return Repeated
1619426984.067755
NtAllocateVirtualMemory
process_identifier: 784
region_size: 741376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004f0000
success 0 0
1619426985.926755
NtAllocateVirtualMemory
process_identifier: 784
region_size: 737280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e60000
success 0 0
1619426985.926755
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 151552
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619450591.313124
NtAllocateVirtualMemory
process_identifier: 2128
region_size: 741376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01cf0000
success 0 0
1619450592.954124
NtAllocateVirtualMemory
process_identifier: 2128
region_size: 737280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01db0000
success 0 0
1619450592.954124
NtProtectVirtualMemory
process_identifier: 2128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 151552
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
Creates executable files on the filesystem (2 events)
file c:\programdata\1321ba6d1f\bdif.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\cred.dll
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619426986.457755
CreateProcessInternalW
thread_identifier: 732
thread_handle: 0x0000008c
process_identifier: 2128
current_directory:
filepath:
track: 1
command_line: c:\programdata\1321ba6d1f\bdif.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000088
inherit_handles: 0
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619450593.720124
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 172.217.24.14
host 217.8.117.52
Attempts to identify installed AV products by installation directory (7 events)
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619450596.282124
RegSetValueExA
key_handle: 0x000003c4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619450596.282124
RegSetValueExA
key_handle: 0x000003c4
value:  y%‹:×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619450596.282124
RegSetValueExA
key_handle: 0x000003c4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619450596.282124
RegSetValueExW
key_handle: 0x000003c4
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619450596.282124
RegSetValueExA
key_handle: 0x000003d8
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619450596.282124
RegSetValueExA
key_handle: 0x000003d8
value:  y%‹:×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619450596.282124
RegSetValueExA
key_handle: 0x000003d8
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619450596.313124
RegSetValueExW
key_handle: 0x000003c0
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 217.8.117.52:80
File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34292241
McAfee Packed-GBS!57E682C0E254
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 005652be1 )
BitDefender Trojan.GenericKD.34292241
K7GW Trojan ( 005652be1 )
Cybereason malicious.0e254a
BitDefenderTheta Gen:NN.ZexaF.34670.4G1@aS@lLgdi
Cyren W32/Kryptik.BSQ.gen!Eldorado
Symantec Packed.Generic.459
APEX Malicious
Avast Win32:DangerousSig [Trj]
Kaspersky Trojan-Downloader.Win32.Deyma.bra
Alibaba TrojanDownloader:Win32/Deyma.6ce206f3
NANO-Antivirus Trojan.Win32.Deyma.hqprro
Tencent Malware.Win32.Gencirc.11acd8b5
Ad-Aware Trojan.GenericKD.34292241
Emsisoft Trojan.GenericKD.34292241 (B)
Comodo Malware@#2h297x8vu8lx6
F-Secure Trojan.TR/Kryptik.ecrsi
DrWeb Trojan.PWS.Siggen2.51569
Zillya Downloader.Deyma.Win32.180
TrendMicro Trojan.Win32.WACATAC.THIBCBO
McAfee-GW-Edition Packed-GBS!57E682C0E254
Sophos Mal/Generic-R + Mal/EncPk-APV
Ikarus Trojan.Win32.Krypt
Jiangmin Trojan.PSW.Racealer.bfw
Avira TR/Kryptik.ecrsi
Antiy-AVL GrayWare/Win32.Kryptik.ehls
Kingsoft Win32.TrojDownloader.Deyma.b.(kcloud)
Microsoft Trojan:Win32/Ymacco.AA73
Gridinsoft Trojan.Win32.Packed.oa
Arcabit Trojan.Generic.D20B4211
ZoneAlarm Trojan-Downloader.Win32.Deyma.bra
GData Trojan.GenericKD.34292241
Cynet Malicious (score: 90)
AhnLab-V3 Trojan/Win32.Kryptik.R347002
VBA32 BScope.Trojan.Wacatac
ALYac Trojan.GenericKD.34292241
MAX malware (ai score=85)
Malwarebytes Trojan.MalPack
Panda Trj/GdSda.A
ESET-NOD32 a variant of Win32/Kryptik.HFJQ
TrendMicro-HouseCall Backdoor.Win32.QAKBOT.SMF
Rising Trojan.Kryptik!1.C9B6 (CLASSIC)
Fortinet W32/Kryptik.HIDC!tr
AVG Win32:DangerousSig [Trj]
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while this sample ran


PE Compile Time

2020-08-05 03:28:14

Imports

Library KERNEL32.dll:
0x4d9120 GetModuleHandleA
0x4d9124 GetLastError
0x4d9128 LoadLibraryA
0x4d912c GetProcAddress
0x4d9134 GetTickCount
0x4d913c IsDebuggerPresent
0x4d9148 GetCurrentProcess
0x4d914c TerminateProcess
0x4d9154 Sleep
0x4d9158 InterlockedExchange
0x4d915c GetStartupInfoW
0x4d9160 GetCommandLineW
0x4d9164 GetModuleFileNameW
0x4d9168 CreateProcessW
0x4d916c WaitForSingleObject
0x4d9170 CloseHandle
0x4d9174 FormatMessageW
0x4d9178 LocalFree
0x4d917c GetCurrentProcessId
0x4d9180 GetCurrentThreadId
0x4d9184 WaitNamedPipeA
0x4d9188 HeapReAlloc
0x4d918c GlobalFree
0x4d9190 _lwrite
0x4d9198 GetCommConfig
0x4d919c IsBadHugeWritePtr
0x4d91a0 GetConsoleAliasA
0x4d91a4 ResetEvent
0x4d91a8 ReplaceFileA
0x4d91ac DeviceIoControl
0x4d91b0 CreateEventA
0x4d91b4 lstrlenA
0x4d91b8 FormatMessageA
0x4d91bc GetOverlappedResult
0x4d91c0 DuplicateHandle
0x4d91c4 OpenProcess
0x4d91c8 ExitProcess
0x4d91cc GetCommandLineA
0x4d91d0 lstrcpyA
Library USER32.dll:
0x4d91dc IsCharAlphaW
0x4d91e0 CloseClipboard
0x4d91e4 GetWindowDC
0x4d91e8 IsCharAlphaNumericA
0x4d91ec DestroyIcon
0x4d91f4 DestroyMenu
0x4d91f8 DestroyWindow
0x4d91fc IsWindowVisible
0x4d9200 PaintDesktop
0x4d9204 IsGUIThread
0x4d9208 DrawMenuBar
0x4d920c CharNextA
0x4d9210 VkKeyScanA
0x4d9214 GetKeyboardLayout
0x4d9218 GetAsyncKeyState
0x4d921c AnyPopup
0x4d9220 LoadIconW
0x4d9224 MessageBoxW
0x4d9228 DialogBoxParamW
0x4d922c DlgDirListW
0x4d9230 DdeDisconnectList
0x4d9234 EnableMenuItem
0x4d9238 GetUpdateRect
0x4d923c SetScrollRange
Library GDI32.dll:
0x4d9244 GetStockObject
0x4d9248 GdiGetBatchLimit
0x4d924c GetObjectType
0x4d9250 UnrealizeObject
0x4d9254 GetROP2
0x4d9258 CloseMetaFile
0x4d925c BeginPath
0x4d9260 GetTextColor
0x4d9268 GetMapMode
0x4d926c AbortPath
0x4d9270 GetLayout
0x4d9274 GetTextAlign
0x4d9278 GetEnhMetaFileW
0x4d927c GetEnhMetaFileA
0x4d9280 StrokePath
0x4d9284 GetPixelFormat
0x4d9288 GetStretchBltMode
0x4d928c WidenPath
0x4d9290 RealizePalette
0x4d9294 GetTextCharset
0x4d9298 SaveDC
0x4d929c SetMetaRgn
0x4d92a0 SwapBuffers
0x4d92a4 UpdateColors
0x4d92a8 PathToRegion
0x4d92ac GetFontLanguageInfo
0x4d92b0 GetGraphicsMode
0x4d92b4 GetDCPenColor
0x4d92b8 GetSystemPaletteUse
0x4d92bc GetPolyFillMode
0x4d92c4 GdiEntry5
0x4d92c8 CreateBrushIndirect
0x4d92cc XLATEOBJ_piVector
0x4d92d0 GetGlyphOutlineWow
0x4d92d4 GdiConsoleTextOut
0x4d92d8 GdiEntry14
0x4d92dc ExtEscape
0x4d92e4 GetPath
0x4d92e8 EudcLoadLinkW
0x4d92f0 UpdateICMRegKeyW
0x4d92f4 GdiPlayScript
0x4d92f8 SetTextAlign
0x4d9300 LPtoDP
0x4d9304 GetRasterizerCaps
0x4d9308 EngQueryEMFInfo
0x4d930c GdiAddGlsRecord
0x4d9310 EngAlphaBlend
0x4d9314 MoveToEx
0x4d9318 RestoreDC
0x4d931c GetNearestColor
0x4d9320 GdiFlush
0x4d9324 ScaleWindowExtEx
0x4d9328 CLIPOBJ_bEnum
0x4d932c GdiEntry15
0x4d9330 GdiSwapBuffers
0x4d9334 GdiIsMetaPrintDC
0x4d9338 EngCreateBitmap
0x4d933c GetCharWidthFloatA
0x4d9344 SelectPalette
0x4d934c EndPage
0x4d9350 StretchBlt
0x4d9354 SetWindowOrgEx
0x4d9358 SetViewportOrgEx
0x4d935c SetTextColor
0x4d9360 SetStretchBltMode
0x4d9364 SetROP2
0x4d9368 SetPixel
0x4d936c SetDIBColorTable
0x4d9370 SetBrushOrgEx
0x4d9374 SetBkMode
0x4d9378 SetBkColor
0x4d937c SelectObject
0x4d9380 RoundRect
0x4d9384 RemoveFontResourceW
0x4d9388 Rectangle
0x4d938c RectVisible
0x4d9390 Polyline
0x4d9394 Pie
0x4d9398 PatBlt
0x4d939c MaskBlt
0x4d93a0 LineTo
0x4d93a4 LineDDA
0x4d93a8 IntersectClipRect
0x4d93ac GetWindowOrgEx
0x4d93b0 GetTextMetricsW
0x4d93b4 GetTextExtentPointW
0x4d93c0 GetRgnBox
0x4d93c4 GetPixel
0x4d93c8 GetPaletteEntries
0x4d93cc GetObjectW
0x4d93d0 GetDeviceCaps
0x4d93d4 GetDIBits
0x4d93d8 GetDIBColorTable
0x4d93dc GetDCOrgEx
0x4d93e4 GetClipBox
0x4d93e8 GetBrushOrgEx
0x4d93ec GetBitmapBits
0x4d93f0 FrameRgn
0x4d93f4 ExtTextOutW
0x4d93f8 ExtFloodFill
0x4d93fc ExcludeClipRect
0x4d9400 EnumFontsW
0x4d9404 Ellipse
0x4d9408 DeleteObject
0x4d940c DeleteDC
0x4d9410 CreateSolidBrush
0x4d9414 CreateRectRgn
0x4d9418 CreatePenIndirect
0x4d941c CreatePalette
0x4d9424 CreateFontIndirectW
0x4d9428 CreateDIBitmap
0x4d942c CreateDIBSection
0x4d9430 CreateCompatibleDC
0x4d9438 CreateBitmap
0x4d943c Chord
0x4d9440 BitBlt
0x4d9444 Arc
0x4d9448 AddFontResourceW
Library ADVAPI32.dll:
0x4d9450 RegOpenKeyW
0x4d9454 RegQueryValueExA
Library SHELL32.dll:
0x4d945c CommandLineToArgvW

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.