8.4
高危
52 个模型检测该样本为恶意!
重新分析
更多

866de889c68e9b0147480544b7e312decbe5483c1162fe3d205f85aeeb8e75a4

6e5b122d49f7779416f98647230dd407.exe

分析耗时

78s

最近分析

文件大小

774.0KB
静态报毒 动态报毒 AGENTTESLA AI SCORE=81 ATTRIBUTE CLOUD CONFIDENCE ELDORADO EPID EXTQB FAREIT GENERICKD GENKRYPTIK HEAPOVERRIDE HIGH CONFIDENCE HIGHCONFIDENCE HPXBSE KRYPTIK MALICIOUS PE MALWAREX MASSLOGGER R002C0DGV20 SCORE SUSGEN UNCLASSIFIEDMALWARE@0 UNSAFE WM0@AI@UGRN WQXF ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba TrojanSpy:MSIL/AgentTesla.3026709d 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:MalwareX-gen [Trj] 20200814 18.4.3895.0
Tencent Msil.Trojan.Crypt.Wqxf 20200814 1.0.0.1
Kingsoft 20200814 2013.8.14.323
McAfee Fareit-FXU!6E5B122D49F7 20200814 6.0.6.653
CrowdStrike win/malicious_confidence_80% (W) 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619613872.674249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (50 out of 100 个事件)
Time & API Arguments Status Return Repeated
1619596029.519915
IsDebuggerPresent
failed 0 0
1619596029.519915
IsDebuggerPresent
failed 0 0
1619596031.082915
IsDebuggerPresent
failed 0 0
1619596031.597915
IsDebuggerPresent
failed 0 0
1619596032.097915
IsDebuggerPresent
failed 0 0
1619596032.597915
IsDebuggerPresent
failed 0 0
1619596033.097915
IsDebuggerPresent
failed 0 0
1619596033.597915
IsDebuggerPresent
failed 0 0
1619596034.097915
IsDebuggerPresent
failed 0 0
1619596034.597915
IsDebuggerPresent
failed 0 0
1619596035.097915
IsDebuggerPresent
failed 0 0
1619596035.597915
IsDebuggerPresent
failed 0 0
1619596036.097915
IsDebuggerPresent
failed 0 0
1619596036.597915
IsDebuggerPresent
failed 0 0
1619596037.097915
IsDebuggerPresent
failed 0 0
1619596037.597915
IsDebuggerPresent
failed 0 0
1619596038.097915
IsDebuggerPresent
failed 0 0
1619596038.597915
IsDebuggerPresent
failed 0 0
1619596039.097915
IsDebuggerPresent
failed 0 0
1619596039.597915
IsDebuggerPresent
failed 0 0
1619596040.097915
IsDebuggerPresent
failed 0 0
1619596040.597915
IsDebuggerPresent
failed 0 0
1619596041.097915
IsDebuggerPresent
failed 0 0
1619596041.597915
IsDebuggerPresent
failed 0 0
1619596042.097915
IsDebuggerPresent
failed 0 0
1619596042.597915
IsDebuggerPresent
failed 0 0
1619596043.097915
IsDebuggerPresent
failed 0 0
1619596043.597915
IsDebuggerPresent
failed 0 0
1619596044.097915
IsDebuggerPresent
failed 0 0
1619596044.597915
IsDebuggerPresent
failed 0 0
1619596045.097915
IsDebuggerPresent
failed 0 0
1619596045.597915
IsDebuggerPresent
failed 0 0
1619596046.097915
IsDebuggerPresent
failed 0 0
1619596046.597915
IsDebuggerPresent
failed 0 0
1619596047.097915
IsDebuggerPresent
failed 0 0
1619596047.597915
IsDebuggerPresent
failed 0 0
1619596048.097915
IsDebuggerPresent
failed 0 0
1619596048.597915
IsDebuggerPresent
failed 0 0
1619596049.097915
IsDebuggerPresent
failed 0 0
1619596049.597915
IsDebuggerPresent
failed 0 0
1619596050.097915
IsDebuggerPresent
failed 0 0
1619596050.597915
IsDebuggerPresent
failed 0 0
1619596051.097915
IsDebuggerPresent
failed 0 0
1619596051.597915
IsDebuggerPresent
failed 0 0
1619596052.097915
IsDebuggerPresent
failed 0 0
1619596052.597915
IsDebuggerPresent
failed 0 0
1619596053.097915
IsDebuggerPresent
failed 0 0
1619596053.597915
IsDebuggerPresent
failed 0 0
1619596054.097915
IsDebuggerPresent
failed 0 0
1619596054.597915
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619596029.519915
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 145 个事件)
Time & API Arguments Status Return Repeated
1619596029.019915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00780000
success 0 0
1619596029.019915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008c0000
success 0 0
1619596029.300915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02200000
success 0 0
1619596029.300915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x023c0000
success 0 0
1619596029.347915
NtProtectVirtualMemory
process_identifier: 2060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619596029.519915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00630000
success 0 0
1619596029.519915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00690000
success 0 0
1619596029.519915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053a000
success 0 0
1619596029.519915
NtProtectVirtualMemory
process_identifier: 2060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619596029.519915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00532000
success 0 0
1619596029.941915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00542000
success 0 0
1619596030.113915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00565000
success 0 0
1619596030.113915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0056b000
success 0 0
1619596030.113915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00567000
success 0 0
1619596030.347915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00543000
success 0 0
1619596030.363915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00544000
success 0 0
1619596030.410915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0054c000
success 0 0
1619596030.488915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c0000
success 0 0
1619596030.503915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00545000
success 0 0
1619596030.503915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c1000
success 0 0
1619596030.519915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c2000
success 0 0
1619596030.519915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c3000
success 0 0
1619596030.550915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c4000
success 0 0
1619596030.582915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c5000
success 0 0
1619596030.753915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00546000
success 0 0
1619596030.878915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c6000
success 0 0
1619596031.066915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c7000
success 0 0
1619596031.113915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00547000
success 0 0
1619596031.128915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00548000
success 0 0
1619596031.128915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c8000
success 0 0
1619596031.347915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00549000
success 0 0
1619596031.363915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00556000
success 0 0
1619596031.394915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c9000
success 0 0
1619596031.394915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0055a000
success 0 0
1619596031.394915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00557000
success 0 0
1619596031.394915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b0000
success 0 0
1619596031.425915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007ca000
success 0 0
1619596031.441915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b1000
success 0 0
1619596031.441915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007cd000
success 0 0
1619596069.785915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053c000
success 0 0
1619596069.816915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b2000
success 0 0
1619596069.816915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0054d000
success 0 0
1619596069.816915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007ce000
success 0 0
1619596069.878915
NtProtectVirtualMemory
process_identifier: 2060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 333312
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05060400
failed 3221225550 0
1619596076.910915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007cf000
success 0 0
1619596076.910915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b3000
success 0 0
1619596076.910915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x049f0000
success 0 0
1619596076.941915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x049f1000
success 0 0
1619596076.941915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x049f2000
success 0 0
1619596077.019915
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x049f3000
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description 6e5b122d49f7779416f98647230dd407.exe tried to sleep 142 seconds, actually delayed analysis time by 142 seconds
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.5659897030532 section {'size_of_data': '0x000c0e00', 'virtual_address': '0x00002000', 'entropy': 7.5659897030532, 'name': '.text', 'virtual_size': '0x000c0cb4'} description A section with a high entropy has been found
entropy 0.9974143503555268 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619596030.878915
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619613872.408249
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619596077.535915
NtAllocateVirtualMemory
process_identifier: 2944
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000007bc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619596077.535915
WriteProcessMemory
process_identifier: 2944
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL—aô^à Rnq €@ À@…qW€   H.texttQ R `.rsrc€T@@.reloc  X@B
process_handle: 0x000007bc
base_address: 0x00400000
success 1 0
1619596077.535915
WriteProcessMemory
process_identifier: 2944
buffer: €0€HX€¼¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNameJuMSdDGczCLxtIljMoNjToeINNrDYoVvmTdK.exe(LegalCopyright |)OriginalFilenameJuMSdDGczCLxtIljMoNjToeINNrDYoVvmTdK.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x000007bc
base_address: 0x00448000
success 1 0
1619596077.550915
WriteProcessMemory
process_identifier: 2944
buffer: p p1
process_handle: 0x000007bc
base_address: 0x0044a000
success 1 0
1619596077.550915
WriteProcessMemory
process_identifier: 2944
buffer: @
process_handle: 0x000007bc
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619596077.535915
WriteProcessMemory
process_identifier: 2944
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL—aô^à Rnq €@ À@…qW€   H.texttQ R `.rsrc€T@@.reloc  X@B
process_handle: 0x000007bc
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2060 called NtSetContextThread to modify thread in remote process 2944
Time & API Arguments Status Return Repeated
1619596077.550915
NtSetContextThread
thread_handle: 0x0000690c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4485486
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2944
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2060 resumed a thread in remote process 2944
Time & API Arguments Status Return Repeated
1619596077.925915
NtResumeThread
thread_handle: 0x0000690c
suspend_count: 1
process_identifier: 2944
success 0 0
Executed a process and injected code into it, probably while unpacking (21 个事件)
Time & API Arguments Status Return Repeated
1619596029.519915
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2060
success 0 0
1619596029.519915
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 2060
success 0 0
1619596029.613915
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 2060
success 0 0
1619596031.050915
NtResumeThread
thread_handle: 0x000001f8
suspend_count: 1
process_identifier: 2060
success 0 0
1619596031.066915
NtResumeThread
thread_handle: 0x0000020c
suspend_count: 1
process_identifier: 2060
success 0 0
1619596077.238915
NtResumeThread
thread_handle: 0x00008180
suspend_count: 1
process_identifier: 2060
success 0 0
1619596077.253915
NtResumeThread
thread_handle: 0x00008ad8
suspend_count: 1
process_identifier: 2060
success 0 0
1619596077.535915
CreateProcessInternalW
thread_identifier: 2796
thread_handle: 0x0000690c
process_identifier: 2944
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6e5b122d49f7779416f98647230dd407.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6e5b122d49f7779416f98647230dd407.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000007bc
inherit_handles: 0
success 1 0
1619596077.535915
NtGetContextThread
thread_handle: 0x0000690c
success 0 0
1619596077.535915
NtAllocateVirtualMemory
process_identifier: 2944
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000007bc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619596077.535915
WriteProcessMemory
process_identifier: 2944
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL—aô^à Rnq €@ À@…qW€   H.texttQ R `.rsrc€T@@.reloc  X@B
process_handle: 0x000007bc
base_address: 0x00400000
success 1 0
1619596077.535915
WriteProcessMemory
process_identifier: 2944
buffer:
process_handle: 0x000007bc
base_address: 0x00402000
success 1 0
1619596077.535915
WriteProcessMemory
process_identifier: 2944
buffer: €0€HX€¼¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNameJuMSdDGczCLxtIljMoNjToeINNrDYoVvmTdK.exe(LegalCopyright |)OriginalFilenameJuMSdDGczCLxtIljMoNjToeINNrDYoVvmTdK.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x000007bc
base_address: 0x00448000
success 1 0
1619596077.550915
WriteProcessMemory
process_identifier: 2944
buffer: p p1
process_handle: 0x000007bc
base_address: 0x0044a000
success 1 0
1619596077.550915
WriteProcessMemory
process_identifier: 2944
buffer: @
process_handle: 0x000007bc
base_address: 0x7efde008
success 1 0
1619596077.550915
NtSetContextThread
thread_handle: 0x0000690c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4485486
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2944
success 0 0
1619596077.925915
NtResumeThread
thread_handle: 0x0000690c
suspend_count: 1
process_identifier: 2944
success 0 0
1619613860.112249
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2944
success 0 0
1619613860.127249
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 2944
success 0 0
1619613860.143249
NtResumeThread
thread_handle: 0x00000160
suspend_count: 1
process_identifier: 2944
success 0 0
1619613874.627249
NtResumeThread
thread_handle: 0x000002e4
suspend_count: 1
process_identifier: 2944
success 0 0
File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43572722
FireEye Generic.mg.6e5b122d49f77794
CAT-QuickHeal Trojan.MSIL
ALYac Trojan.GenericKD.43572722
Cylance Unsafe
K7AntiVirus Trojan ( 0056b9c81 )
Alibaba TrojanSpy:MSIL/AgentTesla.3026709d
K7GW Trojan ( 0056b9c81 )
Cybereason malicious.adb0ad
Invincea heuristic
F-Prot W32/MSIL_Troj.YA.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
GData Trojan.GenericKD.43572722
Kaspersky HEUR:Trojan.MSIL.Crypt.gen
BitDefender Trojan.GenericKD.43572722
NANO-Antivirus Trojan.Win32.Crypt.hpxbse
AegisLab Trojan.MSIL.Crypt.4!c
Avast Win32:MalwareX-gen [Trj]
Tencent Msil.Trojan.Crypt.Wqxf
Ad-Aware Trojan.GenericKD.43572722
Comodo .UnclassifiedMalware@0
F-Secure Trojan.TR/Kryptik.extqb
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R002C0DGV20
Sophos Mal/Generic-S
SentinelOne DFI - Malicious PE
Cyren W32/MSIL_Troj.YA.gen!Eldorado
Avira TR/Kryptik.extqb
Antiy-AVL Trojan/MSIL.Crypt
Arcabit Trojan.Generic.D298DDF2
ViRobot Trojan.Win32.Z.Masslogger.792576.A
ZoneAlarm HEUR:Trojan.MSIL.Crypt.gen
Microsoft TrojanSpy:MSIL/AgentTesla.AQ!MTB
Cynet Malicious (score: 85)
AhnLab-V3 Malware/Win32.RL_Generic.C4172766
McAfee Fareit-FXU!6E5B122D49F7
MAX malware (ai score=81)
VBA32 CIL.HeapOverride.Heur
Malwarebytes Trojan.MalPack.PNG.Generic
ESET-NOD32 a variant of MSIL/Kryptik.XDK
TrendMicro-HouseCall TROJ_GEN.R002C0DGV20
Rising Trojan.Kryptik!8.8 (CLOUD)
Ikarus Trojan.Inject
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/GenKryptik.EPID!tr
BitDefenderTheta Gen:NN.ZemsilF.34152.Wm0@ai@UGRn
AVG Win32:MalwareX-gen [Trj]
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-07-30 18:06:31

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62192 239.255.255.250 3702
192.168.56.101 123 51.105.208.173 time.windows.com 123
192.168.56.101 50534 8.8.8.8 53
192.168.56.101 56539 8.8.8.8 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.