6.6
高危
49 个模型检测该样本为恶意!
重新分析
更多

6025171330d4428eb901141d16d5980aaa4408731444d9578b5d375a1e036328

68cc9b1696d669c7b35233e20b5f6f6e.exe

分析耗时

45s

最近分析

文件大小

3.3MB
静态报毒 动态报毒 AIDETECTVM BLACK CLOUD CONFIDENCE CSPNI FIEMKJ GEN2 GEN38 HIGH CONFIDENCE MALICIOUS PE MALWARE1 QVM19 R244063 SCORE SJW@AQZFFLJI SUSGEN TIGGRE UNSAFE VMPBAD VMPROTECT ZEXAF ZKVJ4AP6QDC ZUSY 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Packed:Win32/VMProtect.c899b9d4 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Malware-gen 20200822 18.4.3895.0
Tencent 20200822 1.0.0.1
Kingsoft 20200822 2013.8.14.323
McAfee Packed-GV!68CC9B1696D6 20200822 6.0.6.653
CrowdStrike win/malicious_confidence_80% (W) 20190702 1.0
静态指标
Queries for the computername (8 个事件)
Time & API Arguments Status Return Repeated
1620782493.223374
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1620782493.223374
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1620782494.332374
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1620782494.332374
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1620782494.332374
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1620782494.332374
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1620782494.348374
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1620782494.348374
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 个事件)
Time & API Arguments Status Return Repeated
1620782494.348374
IsDebuggerPresent
failed 0 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)
section _RDATA
section .vmp0
section .vmp1
行为判定
动态指标
Resolves a suspicious Top Level Domain (TLD) (1 个事件)
domain samoware.tmweb.ru description Russian Federation domain TLD
Allocates read-write-execute memory (usually to unpack itself) (3 个事件)
Time & API Arguments Status Return Repeated
1620782492.785374
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 1916928
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0122c000
success 0 0
1620782492.785374
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 450560
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00ec1000
success 0 0
1620782493.223374
NtAllocateVirtualMemory
process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00270000
success 0 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1620782494.098374
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.994174112689231 section {'size_of_data': '0x0032e400', 'virtual_address': '0x00540000', 'entropy': 7.994174112689231, 'name': '.vmp1', 'virtual_size': '0x0032e3e0'} description A section with a high entropy has been found
entropy 0.9674736373087777 description Overall entropy of this PE file is high
The executable is likely packed with VMProtect (2 个事件)
section .vmp0 description Section name indicates VMProtect
section .vmp1 description Section name indicates VMProtect
网络通信
Communicates with host for which no DNS query was performed (2 个事件)
host 151.139.128.14
host 172.217.24.14
Network activity contains more than one unique useragent (2 个事件)
process 68cc9b1696d669c7b35233e20b5f6f6e.exe useragent
process 68cc9b1696d669c7b35233e20b5f6f6e.exe useragent Internal
Expresses interest in specific running processes (1 个事件)
process: potential process injection target csrss.exe
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 172.217.24.14:443
File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 个事件)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Zusy.293434
ALYac Gen:Variant.Zusy.293434
Cylance Unsafe
Zillya Trojan.Generic.Win32.204678
Sangfor Malware
K7AntiVirus Trojan ( 00563cb01 )
Alibaba Packed:Win32/VMProtect.c899b9d4
K7GW Trojan ( 00563cb01 )
Cybereason malicious.696d66
Arcabit Trojan.Zusy.D47A3A
BitDefenderTheta Gen:NN.ZexaF.34186.sJW@aqZfFLji
Symantec Packed.Vmpbad!gen38
Paloalto generic.ml
ClamAV Win.Packed.Vmprotect-6762068-1
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Gen:Variant.Zusy.293434
NANO-Antivirus Trojan.Win32.Black.fiemkj
AegisLab Trojan.Win32.Generic.4!c
Avast Win32:Malware-gen
Ad-Aware Gen:Variant.Zusy.293434
F-Secure Trojan.TR/Black.Gen2
VIPRE Trojan.Win32.Generic!BT
Invincea heuristic
FireEye Generic.mg.68cc9b1696d669c7
Sophos Mal/Generic-S
APEX Malicious
Jiangmin Trojan.Generic.cspni
MaxSecure Trojan.Malware.300983.susgen
Avira TR/Black.Gen2
Microsoft Trojan:Win32/Tiggre!rfn
ZoneAlarm HEUR:Trojan.Win32.Generic
GData Gen:Variant.Zusy.293434
Cynet Malicious (score: 100)
AhnLab-V3 Malware/RL.Generic.R244063
Acronis suspicious
McAfee Packed-GV!68CC9B1696D6
Ikarus Trojan.Win32.VMProtect
ESET-NOD32 a variant of Win32/Packed.VMProtect.AB
Rising Trojan.Generic!8.C3 (CLOUD)
Yandex Trojan.Agent!zkvJ4AP6QDc
SentinelOne DFI - Malicious PE
eGambit Unsafe.AI_Score_94%
Fortinet W32/Generic!tr
AVG Win32:Malware-gen
Panda Trj/CI.A
CrowdStrike win/malicious_confidence_80% (W)
Qihoo-360 HEUR/QVM19.1.0ED5.Malware.Gen
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2018-09-23 19:19:34

Imports

Library KERNEL32.dll:
0xc6d000 GetVersionExW
Library USER32.dll:
0xc6d008 EmptyClipboard
Library ADVAPI32.dll:
Library SHELL32.dll:
0xc6d018 ShellExecuteA
Library IMM32.dll:
0xc6d020 ImmGetContext
Library WS2_32.dll:
0xc6d028 gethostbyname
Library WININET.dll:
0xc6d030 InternetReadFile
Library d3d9.dll:
0xc6d038 Direct3DCreate9
Library WTSAPI32.dll:
0xc6d040 WTSSendMessageW
Library KERNEL32.dll:
0xc6d048 GetCurrentProcess
Library USER32.dll:
0xc6d050 CharUpperBuffW
Library ADVAPI32.dll:
0xc6d058 RegQueryValueExA
Library KERNEL32.dll:
0xc6d060 LocalAlloc
0xc6d064 GetCurrentProcess
0xc6d068 GetCurrentThread
0xc6d06c LocalFree
0xc6d070 GetModuleFileNameW
0xc6d080 Sleep
0xc6d084 ExitProcess
0xc6d088 GetLastError
0xc6d08c FreeLibrary
0xc6d090 LoadLibraryA
0xc6d094 GetModuleHandleA
0xc6d098 GetProcAddress
Library ADVAPI32.dll:
0xc6d0a0 OpenSCManagerW
0xc6d0a8 OpenServiceW
0xc6d0ac QueryServiceConfigW
0xc6d0b0 CloseServiceHandle

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53380 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 62912 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.