8.2
高危
69 个模型检测该样本为恶意!
重新分析
更多

b0f0758152599d38ebd0f485f435536f73819ae3fcdddbef8a182b8e06eaa01d

5bb029f985146a1804b9934817588449.exe

分析耗时

33s

最近分析

文件大小

90.5KB
静态报毒 动态报毒 100% AI SCORE=100 AIDETECTVM ATGAL BLOOP BSCOPE CLASSIC CONFIDENCE EAKHNFFKSI8 ELDORADO EVGEYH FAREIT FMW@A4WCZRB GENASA GS@5T8ZIB HIGH CONFIDENCE ILOEN KCLOUD LKMI MALICIOUS PE MALWARE1 PONIK PONY PSWTROJ PSYFFH PWSZBOT R + MAL R50650 RADAR01 SCORE SIGGEN SIGGEN2 STATIC AI SUSGEN TEPFER TROJANPSW TROJANPWS UNSAFE ZBOT ZEXAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee PWS-Zbot.gen.ate 20201229 6.0.6.653
Alibaba TrojanPSW:Win32/Tepfer.4fb83dc2 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Baidu Win32.Trojan-PSW.Fareit.a 20190318 1.0.0.2
Avast Sf:Crypt-AS [Trj] 20201229 21.1.5827.0
Tencent Trojan.Win32.Tepfer.a 20201229 1.0.0.1
Kingsoft Win32.PSWTroj.Tepfer.g.(kcloud) 20201229 2017.9.26.565
静态指标
Command line console output was observed (50 out of 672 个事件)
Time & API Arguments Status Return Repeated
1619529151.778999
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619529151.778999
WriteConsoleW
buffer: del
console_handle: 0x00000007
success 1 0
1619529151.778999
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bb029f985146a1804b9934817588449.exe"
console_handle: 0x00000007
success 1 0
1619529151.872999
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bb029f985146a1804b9934817588449.exe
console_handle: 0x00000007
success 1 0
1619529151.918999
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619529151.950999
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619529151.950999
WriteConsoleW
buffer: if
console_handle: 0x00000007
success 1 0
1619529151.950999
WriteConsoleW
buffer: exist "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bb029f985146a1804b9934817588449.exe"
console_handle: 0x00000007
success 1 0
1619529151.950999
WriteConsoleW
buffer: goto
console_handle: 0x00000007
success 1 0
1619529151.950999
WriteConsoleW
buffer: ktk
console_handle: 0x00000007
success 1 0
1619529151.981999
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619529151.981999
WriteConsoleW
buffer: del
console_handle: 0x00000007
success 1 0
1619529151.981999
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bb029f985146a1804b9934817588449.exe"
console_handle: 0x00000007
success 1 0
1619529152.028999
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bb029f985146a1804b9934817588449.exe
console_handle: 0x00000007
success 1 0
1619529152.028999
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619529152.043999
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619529152.043999
WriteConsoleW
buffer: if
console_handle: 0x00000007
success 1 0
1619529152.043999
WriteConsoleW
buffer: exist "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bb029f985146a1804b9934817588449.exe"
console_handle: 0x00000007
success 1 0
1619529152.059999
WriteConsoleW
buffer: goto
console_handle: 0x00000007
success 1 0
1619529152.059999
WriteConsoleW
buffer: ktk
console_handle: 0x00000007
success 1 0
1619529152.075999
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619529152.075999
WriteConsoleW
buffer: del
console_handle: 0x00000007
success 1 0
1619529152.075999
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bb029f985146a1804b9934817588449.exe"
console_handle: 0x00000007
success 1 0
1619529152.106999
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bb029f985146a1804b9934817588449.exe
console_handle: 0x00000007
success 1 0
1619529152.122999
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619529152.137999
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619529152.137999
WriteConsoleW
buffer: if
console_handle: 0x00000007
success 1 0
1619529152.137999
WriteConsoleW
buffer: exist "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bb029f985146a1804b9934817588449.exe"
console_handle: 0x00000007
success 1 0
1619529152.153999
WriteConsoleW
buffer: goto
console_handle: 0x00000007
success 1 0
1619529152.153999
WriteConsoleW
buffer: ktk
console_handle: 0x00000007
success 1 0
1619529152.168999
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619529152.168999
WriteConsoleW
buffer: del
console_handle: 0x00000007
success 1 0
1619529152.168999
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bb029f985146a1804b9934817588449.exe"
console_handle: 0x00000007
success 1 0
1619529152.200999
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bb029f985146a1804b9934817588449.exe
console_handle: 0x00000007
success 1 0
1619529152.215999
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619529152.231999
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619529152.231999
WriteConsoleW
buffer: if
console_handle: 0x00000007
success 1 0
1619529152.231999
WriteConsoleW
buffer: exist "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bb029f985146a1804b9934817588449.exe"
console_handle: 0x00000007
success 1 0
1619529152.231999
WriteConsoleW
buffer: goto
console_handle: 0x00000007
success 1 0
1619529152.247999
WriteConsoleW
buffer: ktk
console_handle: 0x00000007
success 1 0
1619529152.278999
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619529152.278999
WriteConsoleW
buffer: del
console_handle: 0x00000007
success 1 0
1619529152.278999
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bb029f985146a1804b9934817588449.exe"
console_handle: 0x00000007
success 1 0
1619529152.325999
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bb029f985146a1804b9934817588449.exe
console_handle: 0x00000007
success 1 0
1619529152.325999
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619529152.340999
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619529152.340999
WriteConsoleW
buffer: if
console_handle: 0x00000007
success 1 0
1619529152.340999
WriteConsoleW
buffer: exist "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bb029f985146a1804b9934817588449.exe"
console_handle: 0x00000007
success 1 0
1619529152.356999
WriteConsoleW
buffer: goto
console_handle: 0x00000007
success 1 0
1619529152.356999
WriteConsoleW
buffer: ktk
console_handle: 0x00000007
success 1 0
Tries to locate where the browsers are installed (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
行为判定
动态指标
Resolves a suspicious Top Level Domain (TLD) (1 个事件)
domain myp0nysite.ru description Russian Federation domain TLD
Steals private information from local Internet browsers (5 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data
registry HKEY_CURRENT_USER\Software\Opera Software
Creates executable files on the filesystem (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\18097218.bat
Drops a binary and executes it (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\18097218.bat
Drops an executable to the user AppData folder (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bb029f985146a1804b9934817588449.exe
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619513315.8338
ShellExecuteExW
parameters: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bb029f985146a1804b9934817588449.exe"
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\18097218.bat
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\18097218.bat
show_type: 0
success 1 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (20 个事件)
Time & API Arguments Status Return Repeated
1619513305.5058
LookupPrivilegeValueW
system_name:
privilege_name: SeTcbPrivilege
success 1 0
1619513305.5058
LookupPrivilegeValueW
system_name:
privilege_name: SeCreateTokenPrivilege
success 1 0
1619513305.5058
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619513305.5058
LookupPrivilegeValueW
system_name:
privilege_name: SeRestorePrivilege
success 1 0
1619513305.5058
LookupPrivilegeValueW
system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
success 1 0
1619513315.0838
LookupPrivilegeValueW
system_name:
privilege_name: SeTcbPrivilege
success 1 0
1619513315.0838
LookupPrivilegeValueW
system_name:
privilege_name: SeCreateTokenPrivilege
success 1 0
1619513315.0838
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619513315.0838
LookupPrivilegeValueW
system_name:
privilege_name: SeRestorePrivilege
success 1 0
1619513315.0838
LookupPrivilegeValueW
system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
success 1 0
1619513315.3648
LookupPrivilegeValueW
system_name:
privilege_name: SeTcbPrivilege
success 1 0
1619513315.3648
LookupPrivilegeValueW
system_name:
privilege_name: SeCreateTokenPrivilege
success 1 0
1619513315.3648
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619513315.3648
LookupPrivilegeValueW
system_name:
privilege_name: SeRestorePrivilege
success 1 0
1619513315.3648
LookupPrivilegeValueW
system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
success 1 0
1619513315.5998
LookupPrivilegeValueW
system_name:
privilege_name: SeTcbPrivilege
success 1 0
1619513315.6148
LookupPrivilegeValueW
system_name:
privilege_name: SeCreateTokenPrivilege
success 1 0
1619513315.6148
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619513315.6148
LookupPrivilegeValueW
system_name:
privilege_name: SeRestorePrivilege
success 1 0
1619513315.6148
LookupPrivilegeValueW
system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
success 1 0
Queries for potentially installed applications (36 个事件)
Time & API Arguments Status Return Repeated
1619513305.5218
RegOpenKeyExA
access: 0x02000000
base_handle: 0x80000002
key_handle: 0x00000134
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
options: 0
success 0 0
1619513305.5218
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
options: 0
success 0 0
1619513305.5218
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
options: 0
success 0 0
1619513305.5218
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
options: 0
success 0 0
1619513305.5218
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
options: 0
success 0 0
1619513305.5218
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
options: 0
success 0 0
1619513305.5368
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
options: 0
success 0 0
1619513305.5368
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
options: 0
success 0 0
1619513305.5368
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
options: 0
success 0 0
1619513305.5368
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
options: 0
success 0 0
1619513305.5368
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
options: 0
success 0 0
1619513305.5368
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
options: 0
success 0 0
1619513305.5368
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
options: 0
success 0 0
1619513305.5368
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
options: 0
success 0 0
1619513305.5528
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
options: 0
success 0 0
1619513305.5528
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
options: 0
success 0 0
1619513305.5528
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
options: 0
success 0 0
1619513305.5528
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
options: 0
success 0 0
1619513305.5528
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
options: 0
success 0 0
1619513305.5528
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
options: 0
success 0 0
1619513305.5678
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
options: 0
success 0 0
1619513305.5678
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
options: 0
success 0 0
1619513305.5678
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
options: 0
success 0 0
1619513305.5678
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
options: 0
success 0 0
1619513305.5678
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
options: 0
success 0 0
1619513305.5678
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
options: 0
success 0 0
1619513305.5678
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
options: 0
success 0 0
1619513305.5678
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
options: 0
success 0 0
1619513305.5678
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
options: 0
success 0 0
1619513305.5838
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
options: 0
success 0 0
1619513305.5838
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
options: 0
success 0 0
1619513305.5838
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
options: 0
success 0 0
1619513305.5838
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
options: 0
success 0 0
1619513305.5838
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
options: 0
success 0 0
1619513305.5838
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
options: 0
success 0 0
1619513305.5838
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
options: 0
success 0 0
Uses Windows utilities for basic Windows functionality (1 个事件)
cmdline C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\18097218.bat "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bb029f985146a1804b9934817588449.exe"
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bb029f985146a1804b9934817588449.exe
Harvests credentials from local FTP client softwares (50 out of 120 个事件)
file C:\Program Files (x86)\CuteFTP\sm.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\CuteFTP\sm.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\CuteFTP\sm.dat
file C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat
file C:\ProgramData\CuteFTP\sm.dat
file C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat
file C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat
file C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat
file C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat
file C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FlashFXP\3\History.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\FlashFXP\3\History.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\FlashFXP\4\Sites.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FlashFXP\4\Sites.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FlashFXP\4\History.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FlashFXP\4\Quick.dat
file C:\ProgramData\FlashFXP\3\History.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\FlashFXP\4\Quick.dat
file C:\ProgramData\FlashFXP\4\History.dat
file C:\ProgramData\FlashFXP\3\Sites.dat
file C:\ProgramData\FlashFXP\4\Quick.dat
file C:\ProgramData\FlashFXP\4\Sites.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\FlashFXP\3\Sites.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\FlashFXP\3\Quick.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FlashFXP\3\Quick.dat
file C:\ProgramData\FlashFXP\3\Quick.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FlashFXP\3\Sites.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\FlashFXP\4\History.dat
file C:\ProgramData\GHISLER\wcx_ftp.ini
file C:\Windows\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\GHISLER\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Local\GHISLER\wcx_ftp.ini
file C:\Windows\32BitFtp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite
file C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs
file C:\Users\Administrator.Oskar-PC\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs
file C:\Users\Administrator.Oskar-PC\AppData\Local\CoffeeCup Software\SharedSettings.ccs
file C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite
file C:\ProgramData\CoffeeCup Software\SharedSettings.ccs
file C:\Users\Administrator.Oskar-PC\AppData\Local\CoffeeCup Software\SharedSettings.sqlite
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite
Collects information about installed applications (1 个事件)
Time & API Arguments Status Return Repeated
1619513305.5528
RegQueryValueExA
key_handle: 0x00000138
value: Google Chrome
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
success 0 0
Harvests credentials from local email clients (7 个事件)
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Salt
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry HKEY_LOCAL_MACHINE\Software\RimArts\B2\Settings
registry HKEY_CURRENT_USER\Software\Poco Systems Inc
File has been identified by 69 AntiVirus engines on VirusTotal as malicious (50 out of 69 个事件)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.PWS.ZIY
FireEye Generic.mg.5bb029f985146a18
CAT-QuickHeal Trojanpws.Tepfer.20303
McAfee PWS-Zbot.gen.ate
Cylance Unsafe
Zillya Trojan.Tepfer.Win32.85789
SUPERAntiSpyware Trojan.Agent/Gen-Malagent
Sangfor Malware
K7AntiVirus Password-Stealer ( 0040f4f51 )
Alibaba TrojanPSW:Win32/Tepfer.4fb83dc2
K7GW Password-Stealer ( 004b89e61 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.PWS.ZIY
Baidu Win32.Trojan-PSW.Fareit.a
Cyren W32/Bloop.A.gen!Eldorado
Symantec Infostealer!im
APEX Malicious
Paloalto generic.ml
ClamAV Win.Trojan.Fareit-403
Kaspersky Trojan-PSW.Win32.Tepfer.psyffh
BitDefender Trojan.PWS.ZIY
NANO-Antivirus Trojan.Win32.Siggen.evgeyh
ViRobot Trojan.Win32.PSW-Tepfer.92672
Avast Sf:Crypt-AS [Trj]
Tencent Trojan.Win32.Tepfer.a
Ad-Aware Trojan.PWS.ZIY
TACHYON Trojan-PWS/W32.Fareit.92672.F
Sophos Mal/Generic-R + Mal/Pony-A
Comodo TrojWare.Win32.PWS.Fareit.GS@5t8zib
F-Secure Trojan.TR/PSW.Fareit.iloen
DrWeb Trojan.PWS.Siggen2.6307
VIPRE Trojan.Win32.Generic!BT
TrendMicro BKDR_PONY.SM
McAfee-GW-Edition BehavesLike.Win32.PWSZbot.nh
Emsisoft Trojan.PWS.ZIY (B)
SentinelOne Static AI - Malicious PE
Jiangmin Trojan/Generic.atgal
eGambit Unsafe.AI_Score_100%
Avira TR/PSW.Fareit.iloen
Antiy-AVL Trojan[PSW]/Win32.Tepfer
Kingsoft Win32.PSWTroj.Tepfer.g.(kcloud)
Gridinsoft Malware.Win32.Gen.cc!s1
Microsoft PWS:Win32/Fareit
AegisLab Trojan.Win32.Generic.lKmI
ZoneAlarm Trojan-PSW.Win32.Tepfer.psyffh
GData Win32.Trojan-Stealer.Zbot.AB
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Tepfer.R50650
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2015-09-19 15:59:54

Imports

Library KERNEL32.DLL:
0x418148 CreateFileA
0x41814c ReadFile
0x418150 CloseHandle
0x418154 WriteFile
0x418158 lstrlenA
0x41815c GlobalLock
0x418160 GlobalUnlock
0x418164 LocalFree
0x418168 LocalAlloc
0x41816c GetTickCount
0x418170 lstrcpyA
0x418174 lstrcatA
0x418178 GetFileAttributesA
0x418180 GetFileSize
0x418184 CreateFileMappingA
0x418188 MapViewOfFile
0x41818c UnmapViewOfFile
0x418190 LoadLibraryA
0x418194 GetProcAddress
0x418198 GetTempPathA
0x41819c CreateDirectoryA
0x4181a0 DeleteFileA
0x4181a4 GetCurrentProcess
0x4181a8 WideCharToMultiByte
0x4181ac GetLastError
0x4181b0 lstrcmpA
0x4181b8 Process32First
0x4181bc OpenProcess
0x4181c0 Process32Next
0x4181c4 FindFirstFileA
0x4181c8 lstrcmpiA
0x4181cc FindNextFileA
0x4181d0 FindClose
0x4181d4 GetModuleHandleA
0x4181d8 GetVersionExA
0x4181dc GetLocaleInfoA
0x4181e0 GetSystemInfo
0x4181fc lstrlenW
0x418200 MultiByteToWideChar
0x418204 Sleep
0x418208 GetModuleFileNameA
0x41820c LCMapStringA
0x418210 ExitProcess
Library advapi32.dll:
0x418240 RegOpenKeyExA
0x418244 RegQueryValueExA
0x418248 RegCloseKey
0x41824c RegOpenKeyA
0x418250 RegEnumKeyExA
0x418254 RegCreateKeyA
0x418258 RegSetValueExA
0x41825c IsTextUnicode
0x418260 RegOpenCurrentUser
0x418264 RegEnumValueA
0x418268 GetUserNameA
Library ole32.dll:
0x418224 CoCreateGuid
0x418228 CoTaskMemFree
0x41822c CoCreateInstance
0x418230 OleInitialize
Library shell32.dll:
0x418270 ShellExecuteA
Library shlwapi.dll:
0x418284 StrStrIA
0x418288 StrRChrIA
0x41828c StrToIntA
0x418290 StrStrA
0x418294 StrCmpNIA
0x418298 StrStrIW
Library user32.dll:
0x418238 wsprintfA
Library userenv.dll:
0x4182cc LoadUserProfileA
0x4182d0 UnloadUserProfile
Library wininet.dll:
0x418278 InternetCrackUrlA
0x41827c InternetCreateUrlA
Library wsock32.dll:
0x4182a0 inet_addr
0x4182a4 gethostbyname
0x4182a8 socket
0x4182ac connect
0x4182b0 closesocket
0x4182b4 send
0x4182b8 select
0x4182bc recv
0x4182c0 setsockopt
0x4182c4 WSAStartup

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51809 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.