7.4
High risk

6a798337275fb5b2d4a7f51f6b33c5f2ef49c28a49f8208c721ed1397d60732c

61ba7304959ad8eeda595e99dbb12efe.exe

Analysis time

80s

Last analysis

File size

43.0KB
Static detection: yes. Dynamic detection: yes. Detection tags: 100% AI SCORE=100 ALI1001008 ARRKP BLADABI BLADABINDI CC@7EBFQA CLASSIC CMW@AGE@FSB CONFIDENCE DOWNLOADER23 ELDORADO FDPF GDSDA GEN7 HFJZRP HIGH CONFIDENCE MALICIOUS PE NJRAT NJRAT04 QVM03 R + TROJ RATENJAY SCORE SLCBG STARTER STATIC AI SUSGEN UNSAFE WOGG XEPJE4NCMO8 YAKBEEXMSIL ZEMSILF
Eagle Eye engine
Not detected: no Eagle Eye engine detection result is available yet.
Static verdict
Antivirus engines
Engine Result Detection Date Engine Version
Alibaba Trojan:Win32/Starter.ali1001008 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Avast Win32:BackDoor-AFW [Trj] 20201229 21.1.5827.0
Baidu - 20190318 1.0.0.2
Kingsoft - 20201229 2017.9.26.565
McAfee BackDoor-FDPF!61BA7304959A 20201229 6.0.6.653
Tencent Win32.Trojan.Generic.Wogg 20201229 1.0.0.1
Static indicators
Queries for the computername (31 events)
Time API computer_name Status Return Repeated
1619530549.39825 GetComputerNameW OSKAR-PC success 1 0
1619530550.44525 GetComputerNameW OSKAR-PC success 1 0
1619530551.41425 GetComputerNameW OSKAR-PC success 1 0
1619530554.05425 GetComputerNameW OSKAR-PC success 1 0
1619530555.67925 GetComputerNameW OSKAR-PC success 1 0
1619530556.71025 GetComputerNameW OSKAR-PC success 1 0
1619530560.32025 GetComputerNameW OSKAR-PC success 1 0
1619530560.58525 GetComputerNameW OSKAR-PC success 1 0
1619530561.21025 GetComputerNameW OSKAR-PC success 1 0
1619530561.58525 GetComputerNameW OSKAR-PC success 1 0
1619530564.50725 GetComputerNameW OSKAR-PC success 1 0
1619530564.78925 GetComputerNameW OSKAR-PC success 1 0
1619530565.32025 GetComputerNameW OSKAR-PC success 1 0
1619530565.66425 GetComputerNameW OSKAR-PC success 1 0
1619530568.66425 GetComputerNameW OSKAR-PC success 1 0
1619530568.99225 GetComputerNameW OSKAR-PC success 1 0
1619530569.36725 GetComputerNameW OSKAR-PC success 1 0
1619530569.72625 GetComputerNameW OSKAR-PC success 1 0
1619530572.69525 GetComputerNameW OSKAR-PC success 1 0
1619530573.00725 GetComputerNameW OSKAR-PC success 1 0
1619530573.55425 GetComputerNameW OSKAR-PC success 1 0
1619530573.91425 GetComputerNameW OSKAR-PC success 1 0
1619530576.85125 GetComputerNameW OSKAR-PC success 1 0
1619530577.11725 GetComputerNameW OSKAR-PC success 1 0
1619530577.50725 GetComputerNameW OSKAR-PC success 1 0
1619530577.89825 GetComputerNameW OSKAR-PC success 1 0
1619530580.86725 GetComputerNameW OSKAR-PC success 1 0
1619530581.13225 GetComputerNameW OSKAR-PC success 1 0
1619530582.46025 GetComputerNameW OSKAR-PC success 1 0
1619530583.49225 GetComputerNameW OSKAR-PC success 1 0
1619530537.08575 GetComputerNameW OSKAR-PC success 1 0
Checks if process is being debugged by a debugger (2 events)
Time API Status Return Repeated
1619513305.430988 IsDebuggerPresent failed 0 0
1619530528.94525 IsDebuggerPresent failed 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1619530538.07075
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Server"。
console_handle: 0x00000007
success 1 0
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1619530550.33525
__exception__
stacktrace:
0xaf5800
0xaf53b9
0xaf51e7
mscorlib+0x216e76 @ 0x720f6e76
mscorlib+0x2202ff @ 0x721002ff
mscorlib+0x216df4 @ 0x720f6df4
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73fd3191
CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73f8192f
CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73f818cb
CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73f817f1
CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73f8197d
DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73fd2f62
DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73fd303c
GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x7409805a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 80474036
registers.edi: 38428688
registers.eax: 38080920
registers.ebp: 80474076
registers.edx: 38428688
registers.ebx: 38092788
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 39 09 e8 2a e9 56 71 8b c8 e8 e3 ed 4c 73 8b c8
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xaf5f13
success 0 0
Behavioral verdict
Dynamic indicators
Connects to a Dynamic DNS Domain (1 event)
domain panzehir42.duckdns.org
Allocates read-write-execute memory (usually to unpack itself) (50 out of 67 events)
All 50 events share protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, status success, return 0, repeated 0. Size is region_size for NtAllocateVirtualMemory and length for NtProtectVirtualMemory; allocation_type does not apply (-) to NtProtectVirtualMemory.
Time API process_identifier Size heap_dep_bypass allocation_type base_address
1619513304.571988 NtAllocateVirtualMemory 2468 1310720 0 8192 (MEM_RESERVE) 0x005c0000
1619513304.571988 NtAllocateVirtualMemory 2468 4096 1 4096 (MEM_COMMIT) 0x006c0000
1619513305.243988 NtProtectVirtualMemory 2468 4096 0 - 0x73f31000
1619513305.430988 NtAllocateVirtualMemory 2468 4096 1 4096 (MEM_COMMIT) 0x0054a000
1619513305.430988 NtProtectVirtualMemory 2468 8192 0 - 0x73f32000
1619513305.430988 NtAllocateVirtualMemory 2468 4096 1 4096 (MEM_COMMIT) 0x00542000
1619513305.618988 NtAllocateVirtualMemory 2468 4096 1 4096 (MEM_COMMIT) 0x00552000
1619513305.696988 NtAllocateVirtualMemory 2468 4096 1 4096 (MEM_COMMIT) 0x00553000
1619513305.696988 NtAllocateVirtualMemory 2468 4096 1 4096 (MEM_COMMIT) 0x005cb000
1619513305.696988 NtAllocateVirtualMemory 2468 4096 1 4096 (MEM_COMMIT) 0x005c7000
1619513305.711988 NtAllocateVirtualMemory 2468 4096 1 4096 (MEM_COMMIT) 0x0055c000
1619513305.758988 NtAllocateVirtualMemory 2468 4096 1 4096 (MEM_COMMIT) 0x006a0000
1619513306.008988 NtAllocateVirtualMemory 2468 4096 1 4096 (MEM_COMMIT) 0x0055a000
1619513306.024988 NtAllocateVirtualMemory 2468 4096 1 4096 (MEM_COMMIT) 0x0057a000
1619513306.055988 NtAllocateVirtualMemory 2468 4096 1 4096 (MEM_COMMIT) 0x00572000
1619513306.086988 NtAllocateVirtualMemory 2468 4096 1 4096 (MEM_COMMIT) 0x00554000
1619513306.305988 NtAllocateVirtualMemory 2468 8192 1 4096 (MEM_COMMIT) 0x00555000
1619513306.336988 NtAllocateVirtualMemory 2468 12288 1 4096 (MEM_COMMIT) 0x006a1000
1619513306.383988 NtAllocateVirtualMemory 2468 4096 1 4096 (MEM_COMMIT) 0x006a4000
1619513312.618988 NtAllocateVirtualMemory 2468 4096 1 4096 (MEM_COMMIT) 0x0054b000
1619530528.89825 NtAllocateVirtualMemory 340 458752 0 8192 (MEM_RESERVE) 0x00290000
1619530528.89825 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x002c0000
1619530528.91425 NtProtectVirtualMemory 340 4096 0 - 0x73f31000
1619530528.94525 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x002ba000
1619530528.94525 NtProtectVirtualMemory 340 8192 0 - 0x73f32000
1619530528.94525 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x002b2000
1619530529.03925 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x00592000
1619530529.08525 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x00593000
1619530529.08525 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x0065b000
1619530529.08525 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x00657000
1619530529.11725 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x0059c000
1619530529.13225 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x00af0000
1619530529.21025 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x0059a000
1619530529.21025 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x005ca000
1619530529.22625 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x005c2000
1619530529.22625 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x00594000
1619530529.30425 NtAllocateVirtualMemory 340 8192 1 4096 (MEM_COMMIT) 0x00595000
1619530529.30425 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x00af1000
1619530529.32025 NtAllocateVirtualMemory 340 12288 1 4096 (MEM_COMMIT) 0x00af2000
1619530535.71025 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x00655000
1619530535.89825 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x00597000
1619530535.99225 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x002bb000
1619530546.69525 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x005aa000
1619530546.69525 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x005a7000
1619530546.72625 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x00af5000
1619530546.75725 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x005a6000
1619530547.00725 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x02010000
1619530549.38225 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x02011000
1619530549.53925 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x002b3000
1619530550.41425 NtAllocateVirtualMemory 340 4096 1 4096 (MEM_COMMIT) 0x00af6000
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\Server.exe
file C:\ProgramData\Dllhost.exe
Creates hidden or system file (1 event)
Time & API Arguments Status Return Repeated
1619530546.69525
SetFileAttributesW
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\ProgramData\Dllhost.exe
filepath: C:\ProgramData\Dllhost.exe
success 1 0
Creates a suspicious process (1 event)
cmdline schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Administrator.Oskar-PC\AppData\Local\Temp/Server.exe
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\Server.exe
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619530546.82025
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (1 event)
cmdline schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Administrator.Oskar-PC\AppData\Local\Temp/Server.exe
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Installs itself for autorun at Windows startup (50 out of 69 events)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update reg_value "C:\ProgramData\Dllhost.exe" ..
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update reg_value "C:\ProgramData\Dllhost.exe" ..
Executes one or more WMI queries (2 events)
wmi Select * From AntiVirusProduct
wmi select * from Win32_OperatingSystem
File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 events)
Elastic malicious (high confidence)
DrWeb Trojan.DownLoader23.54793
MicroWorld-eScan Generic.Malware.SLcbg.6A92497E
FireEye Generic.mg.61ba7304959ad8ee
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
ALYac Generic.Malware.SLcbg.6A92497E
Cylance Unsafe
Zillya Trojan.Bladabindi.Win32.86845
Sangfor Malware
K7AntiVirus Trojan ( 700000121 )
Alibaba Trojan:Win32/Starter.ali1001008
K7GW Trojan ( 700000121 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Generic.Malware.SLcbg.6A92497E
BitDefenderTheta Gen:NN.ZemsilF.34700.cmW@aGE@fSb
Cyren W32/MSIL_Bladabindi.A.gen!Eldorado
Symantec Backdoor.Ratenjay
ESET-NOD32 a variant of MSIL/Bladabindi.BB
APEX Malicious
Avast Win32:BackDoor-AFW [Trj]
ClamAV Win.Trojan.Generic-6417450-0
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Generic.Malware.SLcbg.6A92497E
NANO-Antivirus Trojan.Win32.Bladabindi.hfjzrp
Paloalto generic.ml
Rising Backdoor.Njrat!1.C5D1 (CLASSIC)
Ad-Aware Generic.Malware.SLcbg.6A92497E
Emsisoft Generic.Malware.SLcbg.6A92497E (B)
Comodo TrojWare.MSIL.Bladabindi.CC@7ebfqa
F-Secure Trojan.TR/Dropper.Gen7
VIPRE Trojan.Win32.Generic!BT
TrendMicro BKDR_BLADABI.SMC
McAfee-GW-Edition BehavesLike.Win32.Backdoor.pm
Sophos Mal/Generic-R + Troj/Bladabi-DR
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.Generic.arrkp
eGambit Unsafe.AI_Score_100%
Avira TR/Dropper.Gen7
Antiy-AVL Trojan[Backdoor]/MSIL.Bladabindi
Gridinsoft Backdoor.Win32.Bladabindi.vl!ni
Microsoft Backdoor:MSIL/Bladabindi
AegisLab Trojan.Win32.Generic.4!c
ZoneAlarm HEUR:Trojan.Win32.Generic
GData Generic.Malware.SLcbg.6A92497E
Cynet Malicious (score: 100)
AhnLab-V3 Win-Trojan/NjRAT04.Exp
Acronis suspicious
McAfee BackDoor-FDPF!61BA7304959A
MAX malware (ai score=100)
VBA32 Trojan.Downloader
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots: no screenshots were generated while this sample ran.

PE Compile Time

2020-03-12 21:41:46

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Host Destination Port
192.168.56.101 49183 192.169.69.25 panzehir42.duckdns.org 81
192.168.56.101 49184 192.169.69.25 panzehir42.duckdns.org 81
192.168.56.101 49185 192.169.69.25 panzehir42.duckdns.org 81
192.168.56.101 49186 192.169.69.25 panzehir42.duckdns.org 81
192.168.56.101 49187 192.169.69.25 panzehir42.duckdns.org 81
192.168.56.101 49188 192.169.69.25 panzehir42.duckdns.org 81
192.168.56.101 49189 192.169.69.25 panzehir42.duckdns.org 81

UDP

Source Source Port Destination Destination Host Destination Port
192.168.56.101 49235 114.114.114.114 - 53
192.168.56.101 50534 114.114.114.114 - 53
192.168.56.101 51808 114.114.114.114 - 53
192.168.56.101 56539 114.114.114.114 - 53
192.168.56.101 58367 114.114.114.114 - 53
192.168.56.101 65004 114.114.114.114 - 53
192.168.56.101 137 192.168.56.255 - 137
192.168.56.101 138 192.168.56.255 - 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 55368 224.0.0.252 - 5355
192.168.56.101 56804 224.0.0.252 - 5355
192.168.56.101 60123 224.0.0.252 - 5355
192.168.56.101 62191 224.0.0.252 - 5355
192.168.56.101 1900 239.255.255.250 - 1900
192.168.56.101 56540 239.255.255.250 - 3702
192.168.56.101 56807 239.255.255.250 - 1900
192.168.56.101 58368 239.255.255.250 - 3702
192.168.56.101 58707 239.255.255.250 - 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.