4.6
Medium risk

1ce0940dff44d3c1e7da126b22788f303059331966933631257dc4d049f5f9bc

5ee23cb6c48f3978b15fe15c32f1b29a.exe

Analysis duration

81s

Last analyzed

File size

37.0KB
Static detection: malicious. Dynamic detection: malicious. Detection keywords: 100% AE@4PFB41 AI SCORE=84 ATTRIBUTE CLASSIC CM0@AWZHGJJ CONFIDENCE DHBNSN ELDORADO GDSDA HIGH CONFIDENCE HIGHCONFIDENCE KCLOUD KRYPTIK MALICIOUS PE NXOS ORSAM PATUN PETUN QVM03 R + MAL SCORE SIGGEN3 SMHA STATIC AI STUPIDPINVOKER SUSGEN TBIW TRJGEN TROJANPSW TSPY UNSAFE ZBOT ZEMSILF ZKJFBX+FWOO
鹰眼引擎 (HawkEye engine)
Not detected: no 鹰眼引擎 detection results available
Static verdict
Antivirus engines
Engine Result Date Version
McAfee PWS-Zbot.gen.yg 20210106 6.0.6.653
Alibaba TrojanPSW:MSIL/Petun.cb61c5ad 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast MSIL:KeyLogger-AB [Spy] 20210105 21.1.5827.0
Kingsoft Win32.Troj.Undef.(kcloud) 20210106 2017.9.26.565
Tencent Win32.Trojan.Spy.Tbiw 20210106 1.0.0.1
CrowdStrike win/malicious_confidence_100% (D) 20190702 1.0
Static indicators
Checks if process is being debugged by a debugger (2 events)
Time & API Arguments Status Return Repeated
1619513305.600793
IsDebuggerPresent
failed 0 0
1619524201.175249
IsDebuggerPresent
failed 0 0
Uses Windows APIs to generate a cryptographic key (40 events)
Time & API Arguments Status Return Repeated
1619513309.256793
CryptExportKey
crypto_handle: 0x000000001aecf610
crypto_export_handle: 0x000000001aecf680
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619513309.256793
CryptExportKey
crypto_handle: 0x000000001aecf610
crypto_export_handle: 0x000000001aecf680
buffer: f¤k–Ôá Ô\`Ÿ `‹~¼AŸÊp5A¤øž[¶o!Ÿ™Ù«”œ)1B¡3ŒžÇÚv'æE¡·c/AŠ)}
blob_type: 1
flags: 0
success 1 0
1619513309.303793
CryptExportKey
crypto_handle: 0x0000000000209ca0
crypto_export_handle: 0x0000000000209d10
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619513309.303793
CryptExportKey
crypto_handle: 0x0000000000209ca0
crypto_export_handle: 0x0000000000209d10
buffer: f¤ÇÊ?ï`ˆ`ÞØí´_ò=ŸÆ·³Ä :>QªÓ°vƒìoüzí ñ`u°…~B8¤M°u¸Vep›&¼Ò˜GRás
blob_type: 1
flags: 0
success 1 0
1619513309.334793
CryptExportKey
crypto_handle: 0x0000000000209d80
crypto_export_handle: 0x0000000000209df0
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619513309.350793
CryptExportKey
crypto_handle: 0x0000000000209d80
crypto_export_handle: 0x0000000000209df0
buffer: f¤k–Ôá Ô\`Ÿ `‹~¼A„F{¡+C­>5e¨ˆº¿+ÎkÉ7á=ê(%2٦ʞ¶—þu¹÷Îë-
blob_type: 1
flags: 0
success 1 0
1619513309.381793
CryptExportKey
crypto_handle: 0x0000000000209e60
crypto_export_handle: 0x0000000000209ed0
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619513309.381793
CryptExportKey
crypto_handle: 0x0000000000209e60
crypto_export_handle: 0x0000000000209ed0
buffer: f¤ÇÊ?ï`ˆ`ÞØí´_ò=ŸÆâp×ߘb Q}wL†›Çë÷˜L³äU;vŠRÄIõ° [n­>ŠÝæd
blob_type: 1
flags: 0
success 1 0
1619513309.443793
CryptExportKey
crypto_handle: 0x0000000000209f40
crypto_export_handle: 0x0000000000209fb0
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619513309.443793
CryptExportKey
crypto_handle: 0x0000000000209f40
crypto_export_handle: 0x0000000000209fb0
buffer: f¤k–Ôá Ô\`Ÿ `‹~¼A¶Ñ¡êÔë¶s:` ½:’qŸс·4cÖ±H®h.՜Bw²JæÚCÿÚ
blob_type: 1
flags: 0
success 1 0
1619513309.490793
CryptExportKey
crypto_handle: 0x000000000020a020
crypto_export_handle: 0x000000000020a090
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619513309.490793
CryptExportKey
crypto_handle: 0x000000000020a020
crypto_export_handle: 0x000000000020a090
buffer: f¤ÇÊ?ï`ˆ`ÞØí´_ò=ŸÆF“›Y#ö㐸őVÚpÉ>¾ús³I(·3pv ‡üs¯m£ ŽÒۖY/
blob_type: 1
flags: 0
success 1 0
1619513309.522793
CryptExportKey
crypto_handle: 0x000000000020a100
crypto_export_handle: 0x000000000020a170
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619513309.522793
CryptExportKey
crypto_handle: 0x000000000020a100
crypto_export_handle: 0x000000000020a170
buffer: f¤k–Ôá Ô\`Ÿ `‹~¼AH—ýèÛdYÌA-–]Àdm¡BW©'1 ;’2¯j/”83½^+ߞB
blob_type: 1
flags: 0
success 1 0
1619513309.553793
CryptExportKey
crypto_handle: 0x000000000020a1e0
crypto_export_handle: 0x000000000020a250
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619513309.553793
CryptExportKey
crypto_handle: 0x000000000020a1e0
crypto_export_handle: 0x000000000020a250
buffer: f¤ÇÊ?ï`ˆ`ÞØí´_ò=ŸÆ}ÁJ͐¹¼a)esaZÒüpú®ý¥×Ûê"øé#œ]KÍŒöEß#ú7kÕ
blob_type: 1
flags: 0
success 1 0
1619513309.662793
CryptExportKey
crypto_handle: 0x000000000020a2c0
crypto_export_handle: 0x000000000020a330
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619513309.662793
CryptExportKey
crypto_handle: 0x000000000020a2c0
crypto_export_handle: 0x000000000020a330
buffer: f¤k–Ôá Ô\`Ÿ `‹~¼AOÆÌÍy×2v Ñâd—Î9†ç¼ p ûžÒpYPÁxÉÙWÅÚw3M
blob_type: 1
flags: 0
success 1 0
1619513309.725793
CryptExportKey
crypto_handle: 0x000000000020a3a0
crypto_export_handle: 0x000000000020a410
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619513309.725793
CryptExportKey
crypto_handle: 0x000000000020a3a0
crypto_export_handle: 0x000000000020a410
buffer: f¤ÇÊ?ï`ˆ`ÞØí´_ò=ŸÆEYì᫔Ž`šÈ²WX7n{ftPß6pöBÕ ¼ 4„Ìn žîPxð
blob_type: 1
flags: 0
success 1 0
1619524211.222249
CryptExportKey
crypto_handle: 0x000000001af96110
crypto_export_handle: 0x000000001af96180
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619524211.222249
CryptExportKey
crypto_handle: 0x000000001af96110
crypto_export_handle: 0x000000001af96180
buffer: f¤k–Ôá Ô\`Ÿ `‹~¼Aê6ó®×/#p¾ÊQVUÁSàJ]Ò¦³—Õ˜.s7£ÕrE&‰pò¹Y§DË
blob_type: 1
flags: 0
success 1 0
1619524211.472249
CryptExportKey
crypto_handle: 0x000000001af961f0
crypto_export_handle: 0x000000001af96260
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619524211.472249
CryptExportKey
crypto_handle: 0x000000001af961f0
crypto_export_handle: 0x000000001af96260
buffer: f¤ÇÊ?ï`ˆ`ÞØí´_ò=ŸÆ^m§ja«EY£rØkÝÙP+a½Šmn÷}t!×_YÒ¸ ôü`Nðƒÿ}ÕÎÀ 
blob_type: 1
flags: 0
success 1 0
1619524211.816249
CryptExportKey
crypto_handle: 0x000000001af962d0
crypto_export_handle: 0x000000001af96340
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619524211.832249
CryptExportKey
crypto_handle: 0x000000001af962d0
crypto_export_handle: 0x000000001af96340
buffer: f¤k–Ôá Ô\`Ÿ `‹~¼Aº)'¾1‚’ª˜ü±Ô‰ÜÊ®5fs6;âŒÕê3Ú¶•:‡Wß½í2íê
blob_type: 1
flags: 0
success 1 0
1619524212.300249
CryptExportKey
crypto_handle: 0x000000001af963b0
crypto_export_handle: 0x000000001af96420
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619524212.300249
CryptExportKey
crypto_handle: 0x000000001af963b0
crypto_export_handle: 0x000000001af96420
buffer: f¤ÇÊ?ï`ˆ`ÞØí´_ò=ŸÆÿ.¸ÓþéÙ.V9‡1Gä‘Ïœþ¬£-ÿ%d⟚¡¬O`Àñv?½jÐØ¬
blob_type: 1
flags: 0
success 1 0
1619524212.691249
CryptExportKey
crypto_handle: 0x000000001af96490
crypto_export_handle: 0x000000001af96500
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619524212.691249
CryptExportKey
crypto_handle: 0x000000001af96490
crypto_export_handle: 0x000000001af96500
buffer: f¤k–Ôá Ô\`Ÿ `‹~¼AÀ\ƒÉ~ražµn?Èë—e)ò¸D”v—¯§ùg"0÷é¾dAQ¶îø‚
blob_type: 1
flags: 0
success 1 0
1619524212.941249
CryptExportKey
crypto_handle: 0x000000001af96570
crypto_export_handle: 0x000000001af965e0
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619524212.941249
CryptExportKey
crypto_handle: 0x000000001af96570
crypto_export_handle: 0x000000001af965e0
buffer: f¤ÇÊ?ï`ˆ`ÞØí´_ò=ŸÆŸU…p‹rÙeÁœs„îêë´OQDÇb?÷)"ã Áw3ÉQe–^„ÁqùŒЧ÷
blob_type: 1
flags: 0
success 1 0
1619524213.160249
CryptExportKey
crypto_handle: 0x000000001af96650
crypto_export_handle: 0x000000001af966c0
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619524213.175249
CryptExportKey
crypto_handle: 0x000000001af96650
crypto_export_handle: 0x000000001af966c0
buffer: f¤k–Ôá Ô\`Ÿ `‹~¼A)ä‰ ½©îq­íè‡ËBO#óñ«µ¿Èj䝊¹Ú†kÿ•>ì]Ú¡¾ÅÌ
blob_type: 1
flags: 0
success 1 0
1619524213.425249
CryptExportKey
crypto_handle: 0x000000001af96730
crypto_export_handle: 0x000000001af967a0
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619524213.425249
CryptExportKey
crypto_handle: 0x000000001af96730
crypto_export_handle: 0x000000001af967a0
buffer: f¤ÇÊ?ï`ˆ`ÞØí´_ò=ŸÆD Õ"᳉! f¥wãT"BT4wK]o'š1¼‚¸!igÄï¬ _à$ú
blob_type: 1
flags: 0
success 1 0
1619524213.597249
CryptExportKey
crypto_handle: 0x000000001af96810
crypto_export_handle: 0x000000001af96880
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619524213.597249
CryptExportKey
crypto_handle: 0x000000001af96810
crypto_export_handle: 0x000000001af96880
buffer: f¤k–Ôá Ô\`Ÿ `‹~¼AêµÆi²?w–ɽ‡5°Žhò+ !°ªÝÀ—/ö-W‘>jgT³y¸]%?#
blob_type: 1
flags: 0
success 1 0
1619524213.753249
CryptExportKey
crypto_handle: 0x000000001af968f0
crypto_export_handle: 0x000000001af96960
buffer: <INVALID POINTER>
blob_type: 1
flags: 0
success 1 0
1619524213.753249
CryptExportKey
crypto_handle: 0x000000001af968f0
crypto_export_handle: 0x000000001af96960
buffer: f¤ÇÊ?ï`ˆ`ÞØí´_ò=ŸÆÊâ%v‡5­¦ CTsìVPÝ9 )¨ÓƋbî¡U¾î|ëSòî„撂Œ
blob_type: 1
flags: 0
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619513305.834793
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (50 out of 96 events)
Time & API Arguments Status Return Repeated
1619513303.662793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x0000000000870000
success 0 0
1619513303.662793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000000960000
success 0 0
1619513305.022793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c11000
success 0 0
1619513305.490793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e8e000
success 0 0
1619513305.490793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e8e000
success 0 0
1619513305.615793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e8f000
success 0 0
1619513305.615793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e8f000
success 0 0
1619513305.615793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e8f000
success 0 0
1619513305.615793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e8f000
success 0 0
1619513305.615793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e8f000
success 0 0
1619513305.615793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e8f000
success 0 0
1619513305.615793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e8f000
success 0 0
1619513305.615793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e8f000
success 0 0
1619513305.615793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e90000
success 0 0
1619513305.615793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e90000
success 0 0
1619513305.631793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e90000
success 0 0
1619513305.631793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e90000
success 0 0
1619513305.631793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e90000
success 0 0
1619513305.631793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e91000
success 0 0
1619513305.631793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e91000
success 0 0
1619513305.631793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e91000
success 0 0
1619513305.631793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e91000
success 0 0
1619513305.631793
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1e8e000
success 0 0
1619513306.084793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00052000
success 0 0
1619513306.240793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x000007fffff10000
success 0 0
1619513306.240793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007fffff10000
success 0 0
1619513306.240793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007fffff10000
success 0 0
1619513306.240793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x000007fffff00000
success 0 0
1619513306.240793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007fffff00000
success 0 0
1619513306.240793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0010a000
success 0 0
1619513306.272793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00042000
success 0 0
1619513306.475793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00053000
success 0 0
1619513306.475793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0011a000
success 0 0
1619513306.475793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00142000
success 0 0
1619513306.475793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0011d000
success 0 0
1619513306.537793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0005c000
success 0 0
1619513306.725793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00054000
success 0 0
1619513306.740793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00190000
success 0 0
1619513307.459793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00055000
success 0 0
1619513307.459793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00057000
success 0 0
1619513308.037793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00191000
success 0 0
1619513308.131793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0010b000
success 0 0
1619513308.209793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00102000
success 0 0
1619513309.865793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00058000
success 0 0
1619513310.162793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0005a000
success 0 0
1619513314.600793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0006f000
success 0 0
1619513314.600793
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00043000
success 0 0
1619524199.941249
NtAllocateVirtualMemory
process_identifier: 2620
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x0000000000760000
success 0 0
1619524199.941249
NtAllocateVirtualMemory
process_identifier: 2620
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000000780000
success 0 0
1619524200.425249
NtProtectVirtualMemory
process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1c11000
success 0 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619524214.550249
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\(Default) reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Chrome.exe
Creates a Windows hook that monitors keyboard input (keylogger) (1 event)
Time & API Arguments Status Return Repeated
1619524214.707249
SetWindowsHookExA
thread_identifier: 0
callback_function: 0x0000000000781d2c
module_address: 0x0000000000820000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 1704351 0
File has been identified by 62 AntiVirus engines on VirusTotal as malicious (50 out of 62 events)
Elastic malicious (high confidence)
MicroWorld-eScan Generic.Malware.GSD.6BE88A73
CAT-QuickHeal Trojan.Orsam.A3
McAfee PWS-Zbot.gen.yg
Cylance Unsafe
VIPRE Trojan-PWS.MSIL.Petun.a (v)
SUPERAntiSpyware Trojan.Agent/Gen-Petun
Sangfor Malware
K7AntiVirus Trojan ( 700000121 )
Alibaba TrojanPSW:MSIL/Petun.cb61c5ad
K7GW Trojan ( 700000121 )
Cybereason malicious.6c48f3
Arcabit Generic.Malware.GSD.6BE88A73
Cyren W32/MSIL_Troj.F.gen!Eldorado
Symantec ML.Attribute.HighConfidence
TotalDefense Win32/Petun.B
APEX Malicious
Paloalto generic.ml
ClamAV Win.Packed.Zbot-8176461-0
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Generic.Malware.GSD.6BE88A73
NANO-Antivirus Trojan.Win32.TrjGen.dhbnsn
Avast MSIL:KeyLogger-AB [Spy]
Rising Trojan.MSIL.KeyLogger!1.647D (CLASSIC)
Ad-Aware Generic.Malware.GSD.6BE88A73
Sophos Mal/Generic-R + Mal/Agent-ASV
Comodo Worm.Win32.KeyLogger.AutoRun.AE@4pfb41
F-Secure Trojan.TR/Spy.Gen
DrWeb Trojan.Siggen3.14508
Zillya Trojan.Agent.Win32.1631747
TrendMicro TSPY_PATUN.SMHA
McAfee-GW-Edition PWS-Zbot.gen.yg
FireEye Generic.mg.5ee23cb6c48f3978
Emsisoft Generic.Malware.GSD.6BE88A73 (B)
SentinelOne Static AI - Malicious PE
Jiangmin Trojan/Generic.nxos
eGambit Unsafe.AI_Score_100%
Avira TR/Spy.Gen
MAX malware (ai score=84)
Antiy-AVL Trojan[PSW]/MSIL.Petun
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft PWS:MSIL/Petun.A
AegisLab Trojan.Win32.Generic.4!c
ZoneAlarm HEUR:Trojan.Win32.Generic
GData MSIL.Trojan-Spy.Petun.B
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Petun.C124011
BitDefenderTheta Gen:NN.ZemsilF.34742.cm0@aWZhgjj
ALYac Generic.Malware.GSD.6BE88A73
VBA32 CIL.StupidPInvoker-1.Heur
Visual analysis
Binary image
No binary image: the sample did not produce a binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran


PE Compile Time

2019-07-30 15:47:34

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51964 239.255.255.250 3702
192.168.56.101 53658 239.255.255.250 3702
192.168.56.101 53660 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 63432 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.