10.6
0-day

SHA256: 49624f5c771ea1f722d434fe9ddb5985529f67ebb0398ed54f5565ba5e470251

File name: 6776c53886645d953e106936ec046da1.exe

Analysis time: 101s

Last analysis: (not recorded)

File size: 1.2MB
Static detection / dynamic detection: 100%. Detection-name tags: AGENTTESLA AI SCORE=85 ATTRIBUTE AVSARHER BUBVUR CRYSAN ELDORADO FAREIT GENERICKD HEAPOVERRIDE HIGH CONFIDENCE HIGHCONFIDENCE HSOXKA KRYPTIK MALICIOUS PE MALWARE@#3EQ6NCCB012Y2 PASSWORDSTEALER PN0@AC89DFM R03BC0WHK20 R348612 RATX SCORE SUSGEN UNSAFE WOZU ZEMSILF ZIGIK
Hawkeye engine: no detection (no Hawkeye engine result for this sample)
Static verdict
Antivirus engines
Engine        Result                              Date      Version
Alibaba       Backdoor:MSIL/AgentTesla.a79f5cd3   20190527  0.3.0.5
CrowdStrike   (none)                              20190702  1.0
Baidu         (none)                              20190318  1.0.0.2
Avast         Win32:RATX-gen [Trj]                20200921  18.4.3895.0
Kingsoft      (none)                              20200921  2013.8.14.323
McAfee        Fareit-FXY!6776C5388664             20200920  6.0.6.653
Tencent       Msil.Backdoor.Crysan.Wozu           20200921  1.0.0.1
Static indicators
Queries the computer name (1 event)
Time & API Arguments Status Return Repeated
1620766261.568249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks whether the process is being debugged (4 events). The "failed" status below only reflects the zero return value of IsDebuggerPresent (no debugger attached); the call itself did not fail.
Time & API Arguments Status Return Repeated
1620762726.1095
IsDebuggerPresent
failed 0 0
1620762726.1095
IsDebuggerPresent
failed 0 0
1620766259.646249
IsDebuggerPresent
failed 0 0
1620766259.646249
IsDebuggerPresent
failed 0 0
Uses Windows APIs to generate a cryptographic key (3 events). blob_type 6 is PUBLICKEYBLOB, so these calls export an RSA public key; a NULL buffer (<INVALID POINTER>) is the length-query form of CryptExportKey.
Time & API Arguments Status Return Repeated
1620766261.006249
CryptExportKey
crypto_handle: 0x00844498
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620766261.006249
CryptExportKey
crypto_handle: 0x00844498
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620766261.037249
CryptExportKey
crypto_handle: 0x00844798
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
Checks the amount of memory in the system, which can be used to detect virtual machines with little memory (1 event)
Time & API Arguments Status Return Repeated
1620762726.1095
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 of 159 events shown). For a .NET assembly, most of the 4 KiB PAGE_EXECUTE_READWRITE commits at low addresses below come from the CLR's JIT code heap, so this mark on its own is weak evidence; the allocations that matter are the ones later directed at the child process 1876.
Time & API Arguments Status Return Repeated
1620762723.9525
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 1179648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x008a0000
success 0 0
1620762723.9525
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00980000
success 0 0
1620762725.9065
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x003a0000
success 0 0
1620762725.9065
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003a0000
success 0 0
1620762725.9685
NtProtectVirtualMemory
process_identifier: 1380
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b91000
success 0 0
1620762726.1095
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x023e0000
success 0 0
1620762726.1095
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02540000
success 0 0
1620762726.1095
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0046a000
success 0 0
1620762726.1095
NtProtectVirtualMemory
process_identifier: 1380
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b92000
success 0 0
1620762726.1095
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00462000
success 0 0
1620762726.7655
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00472000
success 0 0
1620762726.8595
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00495000
success 0 0
1620762726.8595
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0049b000
success 0 0
1620762726.8595
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00497000
success 0 0
1620762727.0155
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00473000
success 0 0
1620762727.0465
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0047c000
success 0 0
1620762727.1095
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00720000
success 0 0
1620762727.1095
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00474000
success 0 0
1620762727.1095
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00721000
success 0 0
1620762727.1245
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00722000
success 0 0
1620762727.1245
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00723000
success 0 0
1620762727.1565
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00724000
success 0 0
1620762727.1565
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00725000
success 0 0
1620762727.2815
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00475000
success 0 0
1620762727.2815
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00476000
success 0 0
1620762727.7815
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00477000
success 0 0
1620762727.7965
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00479000
success 0 0
1620762728.0155
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0048a000
success 0 0
1620762728.0155
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00487000
success 0 0
1620762728.1715
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00680000
success 0 0
1620762728.1715
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00681000
success 0 0
1620762728.2655
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00726000
success 0 0
1620762728.2655
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00486000
success 0 0
1620762728.6875
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00682000
success 0 0
1620762728.7655
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00683000
success 0 0
1620762728.7965
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x7ef40000
success 0 0
1620762728.7965
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef40000
success 0 0
1620762728.7965
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef40000
success 0 0
1620762728.7965
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef48000
success 0 0
1620762728.7965
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x7ef30000
success 0 0
1620762728.7965
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef30000
success 0 0
1620762728.8125
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00727000
success 0 0
1620762728.8125
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00728000
success 0 0
1620762729.0315
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003a1000
success 0 0
1620762729.2345
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00684000
success 0 0
1620762729.2345
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0047d000
success 0 0
1620762729.2345
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00729000
success 0 0
1620762729.4525
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00685000
success 0 0
1620762729.4995
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0072a000
success 0 0
1620762729.5935
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0072b000
success 0 0
Queries the disk size, which can be used to detect a virtual machine with a small fixed-size or dynamically allocated disk (1 event)
Time & API Arguments Status Return Repeated
1620766261.599249
GetDiskFreeSpaceExW
root_path: C:\
free_bytes_available: 19346739200
total_number_of_free_bytes: 19346739200
total_number_of_bytes: 34252779520
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.911421291428542: section .text (virtual_address 0x00002000, virtual_size 0x00107374, size_of_data 0x00107400) has high entropy
entropy 0.82426614481409: overall entropy of this PE file is high
Note that the "overall" figure is not an entropy in bits. In Cuckoo's packer_entropy signature, which this report follows, each section whose entropy exceeds 6.8 is marked, and the second value is the fraction of all section data that lies in such sections (flagged above 0.2). Here the single .text section, which holds the whole managed module, accounts for 82% of the section bytes, which is typical of a .NET crypter.
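The check behind these two marks, as an added example that is not part of the report or of the sandbox's own code: it reimplements the per-section Shannon entropy test and the "overall" ratio on constructed section data. The .text size is the one reported (0x107400 bytes); the .rsrc and .reloc sizes and contents are assumptions chosen so that the three sections sum to 1308160 bytes, which reproduces the reported overall value of 0.8243.

```python
"""Packer-entropy check of the kind behind the two marks above (added example, not sandbox code)."""
import hashlib
import math

SECTION_THRESHOLD = 6.8   # bits/byte above which a section counts as compressed or encrypted
OVERALL_THRESHOLD = 0.2   # share of section data that must be high-entropy to flag the file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packer_indicators(sections):
    """sections: list of (name, raw_bytes) in file order.

    Returns (flagged, overall): flagged lists (name, entropy) for sections above
    SECTION_THRESHOLD, overall is the share of section bytes that live in those
    sections. The report's 'overall entropy' value is this ratio, not bits per byte.
    """
    total = high = 0
    flagged = []
    for name, raw in sections:
        total += len(raw)
        e = shannon_entropy(raw)
        if e > SECTION_THRESHOLD:
            high += len(raw)
            flagged.append((name, round(e, 3)))
    overall = high / total if total else 0.0
    return flagged, overall


def is_likely_packed(sections) -> bool:
    flagged, overall = packer_indicators(sections)
    return bool(flagged) and overall > OVERALL_THRESHOLD


def pseudo_random(n: int, seed: bytes = b"constructed .text sample") -> bytes:
    """Deterministic high-entropy filler (SHA-256 in counter mode) standing in for packed code."""
    out = bytearray()
    for i in range((n + 31) // 32):
        out += hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
    return bytes(out[:n])


# Constructed layout: .text size is the reported 0x107400; .rsrc/.reloc sizes are assumptions.
SAMPLE_SECTIONS = [
    (".text", pseudo_random(0x107400)),
    (".rsrc", (b"VS_VERSION_INFO\0" * 4).ljust(256, b"\0") * (0x38000 // 256)),
    (".reloc", b"\x00\x20\x00\x00\x0c\x00\x00\x00".ljust(0x200, b"\0")),
]

if __name__ == "__main__":
    flagged, overall = packer_indicators(SAMPLE_SECTIONS)
    print("high-entropy sections:", flagged)
    print("overall ratio: %.4f" % overall, "-> likely packed" if is_likely_packed(SAMPLE_SECTIONS) else "")
```

A real .NET module compiled without a crypter usually has a .text entropy around 5 to 6, since IL and metadata are structured; a value close to 8 over a megabyte of .text is the signature of an encrypted payload waiting to be decrypted and loaded in memory, which matches the injection that follows later in this report.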
Looks up the locally unique identifier (LUID) of a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1620766261.240249
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates executable memory in another process, indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1620762789.8595
NtAllocateVirtualMemory
process_identifier: 1876
region_size: 753664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000224
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1620762789.8595
WriteProcessMemory
process_identifier: 1876
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL4Ûáÿà 0 4 @ @ € @…Ð3 K@ 8`  H.text$   `.rsrc8@  @@.reloc `  @B
process_handle: 0x00000224
base_address: 0x00400000
success 1 0
1620762789.8595
WriteProcessMemory
process_identifier: 1876
buffer:  €8€P€h€€ @ ¬äLC êä¬4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation° StringFileInfoè000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.0"InternalName&LegalCopyright*LegalTrademarks*OriginalFilename"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00000224
base_address: 0x004b4000
success 1 0
1620762789.8595
WriteProcessMemory
process_identifier: 1876
buffer: 0 4
process_handle: 0x00000224
base_address: 0x004b6000
success 1 0
1620762789.8595
WriteProcessMemory
process_identifier: 1876
buffer: @
process_handle: 0x00000224
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1620762789.8595
WriteProcessMemory
process_identifier: 1876
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL4Ûáÿà 0 4 @ @ € @…Ð3 K@ 8`  H.text$   `.rsrc8@  @@.reloc `  @B
process_handle: 0x00000224
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection Process 1380 called NtSetContextThread to modify thread in remote process 1876
Time & API Arguments Status Return Repeated
1620762789.8595
NtSetContextThread
thread_handle: 0x00000220
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4928542
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1876
success 0 0
A process hashed information about the computer, or sent it to a remote location, indicative of C2 traffic or its preparation (1 event). The hashed buffer is the concatenation of the user name, the computer name returned by GetComputerNameW above, the OS version string and the total disk size returned by GetDiskFreeSpaceExW (34252779520): a host fingerprint, and hashing one is a common way to derive a per-victim identifier.
Time & API Arguments Status Return Repeated
1620766262.271249
CryptHashData
buffer: 2AdministratorOSKAR-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520
flags: 0
hash_handle: 0x008447d8
success 1 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 1380 resumed a thread in remote process 1876
Time & API Arguments Status Return Repeated
1620762790.1245
NtResumeThread
thread_handle: 0x00000220
suspend_count: 1
process_identifier: 1876
success 0 0
Executed a process and injected code into it, probably while unpacking (17 events)
Time & API Arguments Status Return Repeated
1620762726.1095
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1380
success 0 0
1620762726.1095
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 1380
success 0 0
1620762726.1095
NtResumeThread
thread_handle: 0x00000168
suspend_count: 1
process_identifier: 1380
success 0 0
1620762789.8125
CreateProcessInternalW
thread_identifier: 1936
thread_handle: 0x00000220
process_identifier: 1876
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6776c53886645d953e106936ec046da1.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6776c53886645d953e106936ec046da1.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x00000224
inherit_handles: 0
success 1 0
1620762789.8595
NtGetContextThread
thread_handle: 0x00000220
success 0 0
1620762789.8595
NtAllocateVirtualMemory
process_identifier: 1876
region_size: 753664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000224
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1620762789.8595
WriteProcessMemory
process_identifier: 1876
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL4Ûáÿà 0 4 @ @ € @…Ð3 K@ 8`  H.text$   `.rsrc8@  @@.reloc `  @B
process_handle: 0x00000224
base_address: 0x00400000
success 1 0
1620762789.8595
WriteProcessMemory
process_identifier: 1876
buffer:
process_handle: 0x00000224
base_address: 0x00402000
success 1 0
1620762789.8595
WriteProcessMemory
process_identifier: 1876
buffer:  €8€P€h€€ @ ¬äLC êä¬4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation° StringFileInfoè000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.0"InternalName&LegalCopyright*LegalTrademarks*OriginalFilename"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00000224
base_address: 0x004b4000
success 1 0
1620762789.8595
WriteProcessMemory
process_identifier: 1876
buffer: 0 4
process_handle: 0x00000224
base_address: 0x004b6000
success 1 0
1620762789.8595
WriteProcessMemory
process_identifier: 1876
buffer: @
process_handle: 0x00000224
base_address: 0x7efde008
success 1 0
1620762789.8595
NtSetContextThread
thread_handle: 0x00000220
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4928542
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1876
success 0 0
1620762790.1245
NtResumeThread
thread_handle: 0x00000220
suspend_count: 1
process_identifier: 1876
success 0 0
1620762790.1245
NtResumeThread
thread_handle: 0x00000240
suspend_count: 1
process_identifier: 1380
success 0 0
1620766259.646249
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1876
success 0 0
1620766259.662249
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 1876
success 0 0
1620766259.662249
NtResumeThread
thread_handle: 0x00000170
suspend_count: 1
process_identifier: 1876
success 0 0
File has been identified by 51 antivirus engines on VirusTotal as malicious (50 of 51 shown)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34387980
CAT-QuickHeal Trojan.Multi
ALYac Trojan.GenericKD.34387980
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 0056cdd51 )
Alibaba Backdoor:MSIL/AgentTesla.a79f5cd3
K7GW Trojan ( 0056cdd51 )
Arcabit Trojan.Generic.D20CB80C
Invincea Mal/Generic-S
BitDefenderTheta Gen:NN.ZemsilF.34254.pn0@aC89DFm
Cyren W32/MSIL_Kryptik.BLC.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 85)
Kaspersky HEUR:Backdoor.MSIL.Crysan.gen
BitDefender Trojan.GenericKD.34387980
NANO-Antivirus Trojan.Win32.Crysan.hsoxka
AegisLab Trojan.MSIL.Crysan.m!c
Avast Win32:RATX-gen [Trj]
Ad-Aware Trojan.GenericKD.34387980
Comodo Malware@#3eq6nccb012y2
F-Secure Trojan.TR/Kryptik.zigik
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R03BC0WHK20
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.Crypt
eGambit Unsafe.AI_Score_100%
Avira TR/Kryptik.zigik
MAX malware (ai score=85)
Antiy-AVL Trojan/MSIL.Kryptik
Microsoft Trojan:MSIL/AgentTesla.JK!MTB
ViRobot Trojan.Win32.Z.Kryptik.1308672.C
ZoneAlarm HEUR:Backdoor.MSIL.Crysan.gen
GData Trojan.GenericKD.34387980
AhnLab-V3 Trojan/Win32.Kryptik.R348612
McAfee Fareit-FXY!6776C5388664
VBA32 CIL.HeapOverride.Heur
Malwarebytes Spyware.PasswordStealer.Generic
ESET-NOD32 a variant of MSIL/Kryptik.XJS
TrendMicro-HouseCall TROJ_GEN.R03BC0WHK20
Tencent Msil.Backdoor.Crysan.Wozu
Yandex Trojan.AvsArher.bUbVUr
SentinelOne DFI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/Kryptik.XJO!tr
AVG Win32:RATX-gen [Trj]
Panda Trj/CI.A
Connects to IP addresses that are no longer responding to requests (legitimate services usually stay up) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
Visual analysis
Binary image: none (no binary visualization was generated for this sample)
Runtime screenshots: none (no screenshots were captured while the sample ran)

PE Compile Time

2102-01-26 02:17:41 (a date in the future: the TimeDateStamp field is either forged or, as is common for .NET builds, a deterministic-build hash rather than a timestamp, so it says nothing about when the sample was built)

Imports

Library mscoree.dll:
0x402000 _CorExeMain
(The single import of _CorExeMain is what a managed executable looks like: the real logic is in the CLR metadata and IL, not in the import table, which is consistent with the MSIL verdicts above.)

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source port   Destination                     Destination port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 54178 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.