SmartHawk

14.2

0-day

50 个模型检测该样本为恶意！

重新分析

下载样本

46cf0b62ebb77f2dc8a77e9e6fee79f73cae9ecc58ec01098bedd6355f1a62e0

661dca5fd0bbf4a33a2bdde48793227b.exe

分析耗时

89s

最近分析

文件大小

500.5KB

静态报毒动态报毒 AGENSLA AGENTTESLA AI SCORE=89 ATTRIBUTE AVSARHER BUBVUR BVOFU CONFIDENCE ELDORADO FCSU FM0@A87FR0F GENERICKD HEAPOVERRIDE HIGH CONFIDENCE HIGHCONFIDENCE KRYPTIK MALICIOUS PE MALWARE@#2QXB71ZK2LI2L NANOCORE NEGASTEAL PWSX SCORE STATIC AI THKAOBO UNSAFE YAKBEEXMSIL ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	TrojanSpy:MSIL/AgentTesla.155a5e47	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:PWSX-gen [Trj]	20201210	21.1.5827.0
Kingsoft		20201211	2017.9.26.565
McAfee	PWS-FCSU!661DCA5FD0BB	20201211	6.0.6.653
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0

Queries for the computername (4 个事件)

Time & API	Arguments	Status	Return
1619637785.781875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619637804.546375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619637805.624375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619637807.531375 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619637779.15725 IsDebuggerPresent		failed	0	0
1619637790.687375 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619637789.656875 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\BzuJfkYNlS"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619637779.81325 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619637807.499375 __exception__	stacktrace: 0x107f57d 0x107e86e CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73c51b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73c68dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73c76a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73c76a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73c76a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73d16a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73d169ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73d16eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73d170b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73d16fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1961364 registers.edi: 42782112 registers.eax: 0 registers.ebp: 1961408 registers.edx: 158 registers.ebx: 1961596 registers.esi: 660817358 registers.ecx: 0 exception.instruction_r: 8b 01 ff 50 28 89 45 dc 69 c6 c9 dd bc d7 35 42 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x107f968	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619637807.499375
__exception__

stacktrace:

0x107f57d
0x107e86e
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73c51b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73c68dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73c76a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73c76a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73c76a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73d16a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73d169ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73d16eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73d170b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73d16fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1961364
registers.edi: 42782112
registers.eax: 0
registers.ebp: 1961408
registers.edx: 158
registers.ebx: 1961596
registers.esi: 660817358
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 dc 69 c6 c9 dd bc d7 35 42
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x107f968

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 120 个事件)

Time & API	Arguments	Status
1619637774.25025 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00470000	success
1619637774.25025 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00530000	success
1619637775.57925 NtProtectVirtualMemory	process_identifier: 1208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73c51000	success
1619637779.23525 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x002ea000	success
1619637779.23525 NtProtectVirtualMemory	process_identifier: 1208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73c52000	success
1619637779.23525 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x002e2000	success
1619637779.53225 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00302000	success
1619637779.62525 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00303000	success
1619637779.65725 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0033b000	success
1619637779.65725 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00337000	success
1619637779.70425 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0030c000	success
1619637779.75025 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00860000	success
1619637779.78225 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00861000	success
1619637779.79725 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00862000	success
1619637779.79725 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00863000	success
1619637779.82925 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00864000	success
1619637779.84425 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00304000	success
1619637780.21925 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00305000	success
1619637780.23525 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00306000	success
1619637780.26625 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00307000	success
1619637780.39125 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0031a000	success
1619637780.39125 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00317000	success
1619637780.39125 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0032a000	success
1619637780.57925 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x002eb000	success
1619637780.61025 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00308000	success
1619637780.61025 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00309000	success
1619637780.61025 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00865000	success
1619637780.65725 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004a0000	success
1619637780.71925 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00867000	success
1619637780.71925 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00316000	success
1619637781.31325 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00868000	success
1619637781.40725 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00510000	success
1619637781.42225 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004a1000	success
1619637781.43825 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0030d000	success
1619637781.43825 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00869000	success
1619637781.46925 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004a2000	success
1619637781.48525 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0086a000	success
1619637781.50025 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0086b000	success
1619637781.50025 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0086c000	success
1619637781.50025 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0030a000	success
1619637781.51625 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0086d000	success
1619637781.57925 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00531000	success
1619637782.37525 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0086e000	success
1619637782.45425 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00322000	success
1619637782.51625 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00335000	success
1619637782.75025 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0086f000	success
1619637783.00025 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004a3000	success
1619637783.15725 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d00000	success
1619637783.15725 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x04eb0000	success
1619637783.15725 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04f70000	success

Steals private information from local Internet browsers (3 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data

Creates a suspicious process (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\BzuJfkYNlS" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpB486.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BzuJfkYNlS" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpB486.tmp"

A process created a hidden window (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619637785.39125 ShellExecuteExW	parameters: /Create /TN "Updates\BzuJfkYNlS" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpB486.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0
1619637833.906375 CreateProcessInternalW	thread_identifier: 3644 thread_handle: 0x000003c4 process_identifier: 3640 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "netsh" wlan show profile filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x000003d0 inherit_handles: 1	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.755513845512609

section

{'size_of_data': '0x0007c600', 'virtual_address': '0x00002000', 'entropy': 7.755513845512609, 'name': '.text', 'virtual_size': '0x0007c534'}

description

A section with a high entropy has been found

entropy

0.995

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619637790.953375 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619637801.796375 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1208 process_handle: 0x00000220	failed	0	0
1619637801.796375 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1208 process_handle: 0x00000220	success	0	0

Uses Windows utilities for basic Windows functionality (3 个事件)

cmdline	schtasks.exe /Create /TN "Updates\BzuJfkYNlS" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpB486.tmp"
cmdline	"netsh" wlan show profile
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BzuJfkYNlS" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpB486.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619637790.43825 NtAllocateVirtualMemory	process_identifier: 376 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003b4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Looks for the Windows Idle Time to determine the uptime (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619637816.031375 NtQuerySystemInformation	information_class: 8 (SystemProcessorPerformanceInformation)	success	0	0

A process attempted to delay the analysis task. (1 个事件)

description

661dca5fd0bbf4a33a2bdde48793227b.exe tried to sleep 2728229 seconds, actually delayed analysis time by 2728229 seconds

Harvests credentials from local FTP client softwares (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619637790.43825 WriteProcessMemory	process_identifier: 376 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELy^àN° À@ @°KÀàà H.textT `.rsrcàÀ@@.relocà@B process_handle: 0x000003b4 base_address: 0x00400000	success	1
1619637790.45425 WriteProcessMemory	process_identifier: 376 buffer: 0HXÀ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNameYcXWZGHzgBDZdzcpffXTOS.exe(LegalCopyright `OriginalFilenameYcXWZGHzgBDZdzcpffXTOS.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x000003b4 base_address: 0x0044c000	success	1
1619637790.45425 WriteProcessMemory	process_identifier: 376 buffer: °P0 process_handle: 0x000003b4 base_address: 0x0044e000	success	1
1619637790.45425 WriteProcessMemory	process_identifier: 376 buffer: @ process_handle: 0x000003b4 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619637790.43825 WriteProcessMemory	process_identifier: 376 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELy^àN° À@ @°KÀàà H.textT `.rsrcàÀ@@.relocà@B process_handle: 0x000003b4 base_address: 0x00400000	success	1	0

Harvests credentials from local email clients (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1208 called NtSetContextThread to modify thread in remote process 376
1619637790.45425 NtSetContextThread	thread_handle: 0x00000360 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4501582 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 376	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1208 resumed a thread in remote process 376
1619637790.51625 NtResumeThread	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 376	success	0	0

Executed a process and injected code into it, probably while unpacking (24 个事件)

Time & API	Arguments	Status	Return
1619637779.15725 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 1208	success	0
1619637779.32925 NtResumeThread	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 1208	success	0
1619637784.43825 NtResumeThread	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 1208	success	0
1619637785.39125 CreateProcessInternalW	thread_identifier: 1068 thread_handle: 0x0000036c process_identifier: 2200 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BzuJfkYNlS" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpB486.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x000003a4 inherit_handles: 0	success	1
1619637790.40725 CreateProcessInternalW	thread_identifier: 648 thread_handle: 0x00000360 process_identifier: 376 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\661dca5fd0bbf4a33a2bdde48793227b.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\661dca5fd0bbf4a33a2bdde48793227b.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000003b4 inherit_handles: 0	success	1
1619637790.42225 NtGetContextThread	thread_handle: 0x00000360	success	0
1619637790.43825 NtAllocateVirtualMemory	process_identifier: 376 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003b4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619637790.43825 WriteProcessMemory	process_identifier: 376 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELy^àN° À@ @°KÀàà H.textT `.rsrcàÀ@@.relocà@B process_handle: 0x000003b4 base_address: 0x00400000	success	1
1619637790.43825 WriteProcessMemory	process_identifier: 376 buffer: process_handle: 0x000003b4 base_address: 0x00402000	success	1
1619637790.45425 WriteProcessMemory	process_identifier: 376 buffer: 0HXÀ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNameYcXWZGHzgBDZdzcpffXTOS.exe(LegalCopyright `OriginalFilenameYcXWZGHzgBDZdzcpffXTOS.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x000003b4 base_address: 0x0044c000	success	1
1619637790.45425 WriteProcessMemory	process_identifier: 376 buffer: °P0 process_handle: 0x000003b4 base_address: 0x0044e000	success	1
1619637790.45425 WriteProcessMemory	process_identifier: 376 buffer: @ process_handle: 0x000003b4 base_address: 0x7efde008	success	1
1619637790.45425 NtSetContextThread	thread_handle: 0x00000360 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4501582 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 376	success	0
1619637790.51625 NtResumeThread	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 376	success	0
1619637790.687375 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 376	success	0
1619637790.687375 NtResumeThread	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 376	success	0
1619637805.546375 NtResumeThread	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 376	success	0
1619637805.562375 NtResumeThread	thread_handle: 0x000002f8 suspend_count: 1 process_identifier: 376	success	0
1619637813.531375 NtResumeThread	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 376	success	0
1619637813.531375 NtResumeThread	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 376	success	0
1619637814.531375 NtResumeThread	thread_handle: 0x000003b4 suspend_count: 1 process_identifier: 376	success	0
1619637815.531375 NtResumeThread	thread_handle: 0x000003b8 suspend_count: 1 process_identifier: 376	success	0
1619637833.906375 CreateProcessInternalW	thread_identifier: 3644 thread_handle: 0x000003c4 process_identifier: 3640 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "netsh" wlan show profile filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x000003d0 inherit_handles: 1	success	1
1619637835.141 NtResumeThread	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 3640	success	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.43224959
FireEye	Generic.mg.661dca5fd0bbf4a3
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
ALYac	Trojan.GenericKD.43224959
Cylance	Unsafe
Zillya	Trojan.Agensla.Win32.2413
K7AntiVirus	Trojan ( 005676f61 )
Alibaba	TrojanSpy:MSIL/AgentTesla.155a5e47
K7GW	Trojan ( 005676f61 )
Arcabit	Trojan.Generic.D2938F7F
Cyren	W32/MSIL_Kryptik.ATF.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
ClamAV	Win.Packed.Nanocore-8176540-0
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.43224959
Paloalto	generic.ml
Ad-Aware	Trojan.GenericKD.43224959
Emsisoft	Trojan.GenericKD.43224959 (B)
Comodo	Malware@#2qxb71zk2li2l
F-Secure	Trojan.TR/AD.AgentTesla.bvofu
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TrojanSpy.MSIL.NEGASTEAL.THKAOBO
McAfee-GW-Edition	BehavesLike.Win32.Generic.hc
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.Gen
Avira	TR/AD.AgentTesla.bvofu
Microsoft	TrojanSpy:MSIL/AgentTesla.RA!MTB
AegisLab	Trojan.Multi.Generic.4!c
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	Trojan.GenericKD.43224959
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.AgentTesla.C4109791
McAfee	PWS-FCSU!661DCA5FD0BB
MAX	malware (ai score=89)
VBA32	CIL.HeapOverride.Heur
Malwarebytes	Spyware.AgentTesla
ESET-NOD32	a variant of MSIL/Kryptik.WBA
TrendMicro-HouseCall	TrojanSpy.MSIL.NEGASTEAL.THKAOBO
Yandex	Trojan.AvsArher.bUbVUr
Ikarus	Trojan.Inject
Fortinet	MSIL/Kryptik.WBA!tr
BitDefenderTheta	Gen:NN.ZemsilF.34670.Fm0@a87fR0f
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	Generic/Trojan.PSW.374

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.78:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-05-26 10:27:50

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.78 CNAME clients.l.google.com	216.58.200.238
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	53210	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53380	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.