5.2
Medium risk

6ab25c408af8a0acaabcf06f3b5fbdb93327028bad187fd7061c1d75047c4bd6

63d9009581854df2bc8f97c4bb139222.exe

Analysis time: 90s

Last analyzed:

File size: 257.4KB
Static detection / Dynamic detection tags: 0NA103FD20 100% AGTX AI SCORE=85 BJKBO0LKYQV BUNDLER COBALTSTRIKE CONFIDENCE EMOTET GENCIRC GENERICKD GENETIC HDXY HIGH CONFIDENCE HLUCDY HZZZ KRYPTIK LTGHQ MALWARE@#20V6617KBXT62 MANSABO QQ1@AKVJOGHI QVM41 R342207 S14127174 SCORE SUSGEN SUSPICIOUS PE SUSPIG TRICKBOT TRICKSTER UNSAFE ZENPAK ZEXAF
Eagle Eye engine
Not detected: no Eagle Eye engine results available
Static verdict
Antivirus engines
Engine Result Scan time Engine version
McAfee Emotet-FQV!63D900958185 20200904 6.0.6.653
Alibaba Backdoor:Win32/Trickbot.5f3fd135 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:CobaltStrike-D [Trj] 20200904 18.4.3895.0
Kingsoft 20200904 2013.8.14.323
Tencent Malware.Win32.Gencirc.10cdd500 20200904 1.0.0.1
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1619634135.642626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
This executable has a PDB path (1 event)
pdb_path C:\Users\User\Desktop\Windows-classic-samples-master\Windows-classic-samples-master\Samples\Win7Samples\winbase\DeviceFoundation\FunctionDiscovery\Provider\Win32\Release\FDProviderSampleDevice.pdb
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1619634136.955626
__exception__
stacktrace:
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x748005bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74816d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
(the five frames above repeat 10 more times)
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x748005bd
hook_in_monitor+0x45 lde-0x133 @ 0x747f42ea
New_ntdll_LdrGetProcedureAddress+0x43 New_ntdll_LdrLoadDll-0x156 @ 0x7480f7f3
GetProcAddress+0x60 GetModuleHandleA-0x80 kernelbase+0x4190 @ 0x7fefdc54190
SvchostPushServiceGlobals+0x471 WinHttpQueryOption-0x1a7b winhttp+0x1eb99 @ 0x7fef9efeb99
SvchostPushServiceGlobals+0x4fb WinHttpQueryOption-0x19f1 winhttp+0x1ec23 @ 0x7fef9efec23
WinHttpConnect+0x1ab WinHttpGetDefaultProxyConfiguration-0x1615 winhttp+0x13fe7 @ 0x7fef9ef3fe7

registers.r14: 19882843
registers.r9: 1955190784
registers.rcx: 0
registers.rsi: 3165216
registers.r10: 0
registers.rbx: 0
registers.rdi: 0
registers.r11: 0
registers.r8: 5
registers.rdx: 2
registers.rbp: 0
registers.r15: 2007313264
registers.r12: 2695904
registers.rsp: 1174560
registers.rax: 1
registers.r13: 449
exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c
exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a
exception.instruction: mov rax, qword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 105050
exception.address: 0x77b69a5a
success 0 0
Behavior verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.913507951615289 section {'size_of_data': '0x0003c800', 'virtual_address': '0x00006000', 'entropy': 7.913507951615289, 'name': '.rsrc', 'virtual_size': '0x0003c66e'} description A section with a high entropy has been found
entropy 0.9453125 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)
Time & API Arguments Status Return Repeated
1619634127.299626
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619634129.408626
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619634132.502626
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 121.100.19.18
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34004452
CAT-QuickHeal Bundler.Trickbot.S14127174
McAfee Emotet-FQV!63D900958185
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 005687ec1 )
Alibaba Backdoor:Win32/Trickbot.5f3fd135
K7GW Trojan ( 005687ec1 )
CrowdStrike win/malicious_confidence_100% (W)
Cyren W32/Trojan.HZZZ-3379
Symantec Packed.Generic.534
ESET-NOD32 Win32/TrickBot.DI
APEX Malicious
Paloalto generic.ml
ClamAV Win.Malware.Agent-9377576-0
Kaspersky Trojan.Win32.Zenpak.agtx
BitDefender Trojan.GenericKD.34004452
NANO-Antivirus Trojan.Win32.TrickBot.hlucdy
Avast Win32:CobaltStrike-D [Trj]
Rising Trojan.Kryptik!8.8 (TFE:5:bjKBo0lKyqV)
Ad-Aware Trojan.GenericKD.34004452
Comodo Malware@#20v6617kbxt62
F-Secure Trojan.TR/TrickBot.ltghq
DrWeb Trojan.Packed.140
Zillya Trojan.Zenpak.Win32.2145
TrendMicro TROJ_FRS.0NA103FD20
FireEye Generic.mg.63d9009581854df2
Sophos Mal/Generic-S
Ikarus Trojan.Win32.Trickbot
GData Trojan.GenericKD.34004452
Jiangmin Trojan.Mansabo.bpd
Avira TR/TrickBot.ltghq
Antiy-AVL Trojan/Win32.Zenpak
Arcabit Trojan.Generic.D206DDE4
AegisLab Trojan.Win32.TrickBot.4!c
ZoneAlarm Trojan.Win32.Zenpak.agtx
Microsoft Trojan:Win32/Trickbot!MSR
Cynet Malicious (score: 85)
AhnLab-V3 Trojan/Win32.Suspig.R342207
ALYac Trojan.Trickster.Gen
MAX malware (ai score=85)
Malwarebytes Trojan.TrickBot
TrendMicro-HouseCall TROJ_FRS.0NA103FD20
Tencent Malware.Win32.Gencirc.10cdd500
SentinelOne DFI - Suspicious PE
MaxSecure Trojan.Malware.102148660.susgen
Fortinet W32/Kryptik.HDXY!tr
BitDefenderTheta Gen:NN.ZexaF.34216.qq1@aKVJOGhi
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)
dead_host 172.217.24.14:443
dead_host 121.100.19.18:449
dead_host 192.168.56.101:49184
Visual analysis
Binary image
No binary image: this sample did not produce a binary visualization image
Runtime screenshots
No screenshots: no screenshots were captured while the sample ran


PE Compile Time

2020-06-10 18:14:54

Imports

Library WS2_32.dll:
0x40311c WSACleanup
0x403120 closesocket
0x403124 FreeAddrInfoW
0x403128 bind
0x40312c socket
0x403130 GetAddrInfoW
0x403134 WSAStartup
0x403138 WSACloseEvent
0x40313c sendto
0x403140 recvfrom
0x403144 WSAResetEvent
0x403148 WSAEventSelect
0x40314c WSACreateEvent
0x403150 WSAIoctl
0x403154 WSAGetLastError
0x403158 setsockopt
Library RPCRT4.dll:
0x403114 UuidFromStringW
Library IPHLPAPI.DLL:
Library KERNEL32.dll:
0x403008 GetCurrentProcessId
0x40300c GetCurrentThreadId
0x403010 GetTickCount
0x403018 IsDebuggerPresent
0x403024 GetCurrentProcess
0x403030 InterlockedExchange
0x403034 CreateThread
0x403038 CreateEventW
0x40303c FreeConsole
0x403040 CloseHandle
0x403044 VirtualAllocExNuma
0x403048 TerminateProcess
0x40304c LoadLibraryExA
0x403054 Sleep
0x403058 SetEvent
0x40305c GetLastError
0x403060 WaitForSingleObject
0x403064 LoadLibraryExW
Library MSVCR90.dll:
0x403078 _onexit
0x40307c _decode_pointer
0x403084 _invoke_watson
0x403088 _controlfp_s
0x40308c srand
0x403090 _lock
0x403094 printf
0x403098 _wcsicmp
0x40309c free
0x4030a0 malloc
0x4030a4 memcpy
0x4030a8 __CxxFrameHandler3
0x4030ac _time64
0x4030b0 memset
0x4030b4 wcscmp
0x4030b8 rand
0x4030bc _getwch
0x4030c0 _amsg_exit
0x4030c4 __wgetmainargs
0x4030c8 _cexit
0x4030cc _exit
0x4030d0 _XcptFilter
0x4030d4 exit
0x4030d8 __winitenv
0x4030dc _initterm
0x4030e0 _initterm_e
0x4030e4 _configthreadlocale
0x4030e8 __setusermatherr
0x4030ec _adjust_fdiv
0x4030f0 __p__commode
0x4030f4 __p__fmode
0x4030f8 _encode_pointer
0x4030fc __set_app_type
0x403100 _crt_debugger_hook
0x403104 ?terminate@@YAXXZ
0x403108 _unlock
0x40310c __dllonexit

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.