4.4
Medium risk

85576673f8ba61d8bfd479962a697da94beb35daa28374b567cc8f491372d26e

69484e4e4295e308fa995395a35bc3a9.exe

Analysis time

58s

Latest analysis

File size

365.0KB
Static/dynamic detection tags: 100% AI SCORE=82 BANKERX BEIR CLOUD CONFIDENCE CW@8QX409 ELDORADO EMOTET GENCIRC GENETIC GJUD HCUQ HCWH HIGH CONFIDENCE HIXXQW KRYPTIK NVKKSKIZRKW R333516 S12648788 SCORE SKINTRIM SMDA SUSGEN SUSPICIOUS PE THDBHBO TRICKBOT UNSAFE WACATAC WACATACRI WQX@AA2E3OKO XLNUH ZEXACO
Eagle Eye (鹰眼) engine
Not detected: no Eagle Eye engine result is available for this sample
Static verdict
Antivirus engines
Engine Result Detection time Engine version
McAfee Emotet-FQC!69484E4E4295 20200527 6.0.6.653
Alibaba Trojan:Win32/Trickbot.d997ba2f 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:BankerX-gen [Trj] 20200527 18.4.3895.0
Kingsoft 20200527 2013.8.14.323
Tencent Malware.Win32.Gencirc.10b9cf16 20200527 1.0.0.1
静态指标
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1620953740.82852
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1620953740.75052
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (6 events)
Time & API Arguments Status Return Repeated
1620953740.62552
__exception__
stacktrace:
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
hook_in_monitor+0x45 lde-0x133 @ 0x756142ea
New_ntdll_NtOpenFile+0x2b New_ntdll_NtOpenKey-0x1ce @ 0x75632c8b
GetVolumeInformationW+0xda GetVolumeInformationByHandleW-0xc6 kernelbase+0x1ab4a @ 0x7fefdc6ab4a
GetVolumeInformationW+0x35 RtlMoveMemory-0x553 kernel32+0x22185 @ 0x77a52185
0x13213c
0x12e5a0

registers.r14: 1238432
registers.r9: 1970009600
registers.rcx: 0
registers.rsi: 0
registers.r10: 0
registers.rbx: 1237260
registers.rdi: 1237296
registers.r11: 0
registers.r8: 5
registers.rdx: 2
registers.rbp: 0
registers.r15: 0
registers.r12: 0
registers.rsp: 1237200
registers.rax: 1
registers.r13: 0
exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c
exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a
exception.instruction: mov rax, qword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 105050
exception.address: 0x77b69a5a
success 0 0
1620953741.39152
__exception__
stacktrace:
0x14d540
0x142ffd

registers.r14: 1238432
registers.r9: 0
registers.rcx: 1236608
registers.rsi: 0
registers.r10: 54
registers.rbx: 104
registers.rdi: 1388088
registers.r11: 27
registers.r8: 0
registers.rdx: 512
registers.rbp: 0
registers.r15: 0
registers.r12: 0
registers.rsp: 1235976
registers.rax: 0
registers.r13: 2007313264
exception.instruction_r: 47 0f b7 14 48 66 45 85 d2 74 29 66 44 89 11 48
exception.instruction: movzx r10d, word ptr [r8 + r9*2]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x14d540
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (9 events)
Time & API Arguments Status Return Repeated
1620954165.263126
NtAllocateVirtualMemory
process_identifier: 2272
region_size: 196608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00740000
success 0 0
1620954165.497126
NtAllocateVirtualMemory
process_identifier: 2272
region_size: 188416
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ea0000
success 0 0
1620954165.497126
NtProtectVirtualMemory
process_identifier: 2272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 188416
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ed1000
success 0 0
1620954169.606126
NtAllocateVirtualMemory
process_identifier: 2272
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00890000
success 0 0
1620954169.606126
NtAllocateVirtualMemory
process_identifier: 2272
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x10000000
success 0 0
1620954169.606126
NtAllocateVirtualMemory
process_identifier: 2272
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x10001000
success 0 0
1620954169.606126
NtAllocateVirtualMemory
process_identifier: 2272
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x025e0000
success 0 0
1620954169.716126
NtAllocateVirtualMemory
process_identifier: 2272
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x025f0000
success 0 0
1620954169.716126
NtAllocateVirtualMemory
process_identifier: 2272
region_size: 147456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02600000
success 0 0
Creates hidden or system file (8 events)
Time & API Arguments Status Return Repeated
1620954165.419126
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1620954165.419126
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1620954165.419126
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1620954165.419126
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3154413779-3303930873-3537499701-500
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3154413779-3303930873-3537499701-500
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1620954165.450126
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1620954165.450126
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1620954165.450126
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1620954165.450126
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3154413779-3303930873-3537499701-500
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3154413779-3303930873-3537499701-500
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.3739997469365655 section .rsrc (size_of_data 0x0003d000, virtual_address 0x00020000, virtual_size 0x0003c4a4) description A section with a high entropy has been found
entropy 0.6777777777777778 description Overall entropy of this PE file is high
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 of 59 events)
MicroWorld-eScan Trojan.Spy.Agent.OOJ
CAT-QuickHeal Trojan.WacatacRI.S12648788
McAfee Emotet-FQC!69484E4E4295
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 00564cc41 )
Alibaba Trojan:Win32/Trickbot.d997ba2f
K7GW Trojan ( 00564cc41 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Spy.Agent.OOJ
TrendMicro Trojan.Win32.WACATAC.THDBHBO
F-Prot W32/Kryptik.BLC.gen!Eldorado
Symantec Packed.Generic.534
ESET-NOD32 a variant of Win32/Kryptik.HCUQ
APEX Malicious
Avast Win32:BankerX-gen [Trj]
GData Trojan.Spy.Agent.OOJ
Kaspersky HEUR:Trojan-Banker.Win32.Emotet.gen
BitDefender Trojan.Spy.Agent.OOJ
NANO-Antivirus Trojan.Win32.Kryptik.hixxqw
Paloalto generic.ml
AegisLab Trojan.Win32.Generic.4!c
Rising Trojan.Kryptik!8.8 (CLOUD)
Ad-Aware Trojan.Spy.Agent.OOJ
Sophos Troj/Agent-BEIR
Comodo TrojWare.Win32.Spy.Agent.CW@8qx409
F-Secure Trojan.TR/AD.TrickBot.xlnuh
DrWeb Trojan.Packed.140
Zillya Trojan.Kryptik.Win32.1982460
McAfee-GW-Edition BehavesLike.Win32.Skintrim.fc
FireEye Generic.mg.69484e4e4295e308
Emsisoft Trojan.Spy.Agent.OOJ (B)
SentinelOne DFI - Suspicious PE
Cyren W32/Kryptik.BLC.gen!Eldorado
Jiangmin TrojanDropper.Agent.gjud
eGambit Unsafe.AI_Score_86%
Avira TR/AD.TrickBot.xlnuh
Antiy-AVL Trojan/Win32.Wacatac
Microsoft Trojan:Win32/Emotet!rfn
Endgame malicious (high confidence)
ZoneAlarm HEUR:Trojan-Banker.Win32.Emotet.gen
TACHYON Trojan/W32.Agent.373794.B
AhnLab-V3 Trojan/Win32.Trickbot.R333516
BitDefenderTheta Gen:NN.ZexaCO.34122.wqX@aa2e3okO
ALYac Trojan.Spy.Agent.OOJ
MAX malware (ai score=82)
VBA32 Trojan.Packed
Malwarebytes Trojan.TrickBot
TrendMicro-HouseCall TrojanSpy.Win32.TRICKBOT.SMDA
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No screenshots: no screenshots were captured while the sample ran


PE Compile Time

2019-09-10 20:27:41

Imports

Library SHLWAPI.dll:
0x417170 PathFindExtensionA
0x417174 PathFindFileNameA
Library comdlg32.dll:
0x4171ac GetOpenFileNameA
Library KERNEL32.dll:
0x417008 GetLocaleInfoW
0x41700c GetCurrentProcess
0x417010 LockResource
0x417014 SizeofResource
0x417018 LoadResource
0x41701c FindResourceA
0x417020 CloseHandle
0x417024 FindFirstFileA
0x417028 WriteFile
0x41702c ReadFile
0x417030 GetFileSize
0x417034 CreateFileA
0x417038 MoveFileA
0x41703c GetTempFileNameA
0x417040 LoadLibraryA
0x417044 GetModuleHandleA
0x417048 LoadLibraryW
0x417050 SetStdHandle
0x417054 WriteConsoleW
0x417058 GetConsoleOutputCP
0x41705c WriteConsoleA
0x417060 IsValidCodePage
0x417064 IsValidLocale
0x417068 EnumSystemLocalesA
0x41706c GetUserDefaultLCID
0x417070 DeleteFileA
0x417074 TerminateProcess
0x417078 Sleep
0x41707c InterlockedExchange
0x417090 WideCharToMultiByte
0x4170a0 MultiByteToWideChar
0x4170a8 RaiseException
0x4170ac RtlUnwind
0x4170b0 GetLastError
0x4170b4 HeapFree
0x4170b8 GetCommandLineA
0x4170bc GetVersionExA
0x4170c0 HeapAlloc
0x4170c4 GetProcessHeap
0x4170c8 GetStartupInfoA
0x4170d4 IsDebuggerPresent
0x4170d8 LCMapStringA
0x4170dc LCMapStringW
0x4170e0 GetCPInfo
0x4170e4 GetStringTypeA
0x4170e8 GetStringTypeW
0x4170ec GetProcAddress
0x4170f0 TlsGetValue
0x4170f4 TlsAlloc
0x4170f8 TlsSetValue
0x4170fc TlsFree
0x417100 SetLastError
0x417104 GetCurrentThreadId
0x417108 HeapDestroy
0x41710c HeapCreate
0x417110 VirtualFree
0x417114 VirtualAlloc
0x417118 HeapReAlloc
0x41711c ExitProcess
0x417120 GetStdHandle
0x417124 GetModuleFileNameA
0x417138 SetHandleCount
0x41713c GetFileType
0x417144 GetTickCount
0x417148 GetCurrentProcessId
0x41714c GetConsoleCP
0x417150 GetConsoleMode
0x417154 FlushFileBuffers
0x417158 SetFilePointer
0x41715c HeapSize
0x417160 GetACP
0x417164 GetOEMCP
0x417168 GetLocaleInfoA
Library USER32.dll:
0x41717c DialogBoxParamA
0x417180 SendMessageA
0x417184 GetDlgItem
0x417188 EndDialog
0x41718c LoadIconA
0x417190 MessageBoxA
0x417194 SetDlgItemTextA
0x417198 GetDlgItemTextA
0x41719c EnableWindow
0x4171a0 LoadBitmapA
0x4171a4 ShowWindow
Library GDI32.dll:
0x417000 DeleteObject

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50003 239.255.255.250 3702
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.