9.8 Critical

c21ee6cfa09a79362a7f3b03781a7f252d10b41da48dea433e06fe4a0df26eee

7000d01e779b7b2765741e61b74dfac3.exe

Analysis time: 114s

Latest analysis

File size: 578.0KB
Static detection: malicious. Dynamic detection: malicious (100%).
Eagle Eye engine
Not detected (no Eagle Eye engine results available)
Static verdict
Antivirus engines
Engine  Result  Scan date  Version
Alibaba TrojanSpy:MSIL/AgentTesla.2d61bffb 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:CrypterX-gen [Trj] 20210301 21.1.5827.0
Tencent Malware.Win32.Gencirc.11865290 20210301 1.0.0.1
Kingsoft 20210301 2017.9.26.565
McAfee Fareit-FUG!7000D01E779B 20210301 6.0.6.653
CrowdStrike win/malicious_confidence_100% (D) 20210203 1.0
Static indicators
Checks if the process is being debugged by a debugger (34 events)
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API  Arguments  Status  Return  Repeated
1619627207.888124  GlobalMemoryStatusEx  success  1  0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Connects to a Dynamic DNS domain (1 event)
domain mogs20.hopto.org
Allocates read-write-execute memory (usually to unpack itself) (50 out of 773 events)
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.8375741185378205  section .text (size_of_data 0x0008fc00, virtual_address 0x00002000, virtual_size 0x0008faa4)  description: A section with high entropy has been found
entropy 0.9956709956709957  description: Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (10 events)
Terminates another process (16 events)
Network communication
One or more of the buffers contains an embedded PE file (9 events)
Communicates with a host for which no DNS query was performed (2 events)
host 172.217.24.14
host 185.140.53.208
Looks for the Windows idle time to determine the uptime (1 event)
Time & API  Arguments  Status  Return  Repeated
1619627216.747124  NtQuerySystemInformation  information_class: 8 (SystemProcessorPerformanceInformation)  success  0  0
A process attempted to delay the analysis task (1 event)
description RegAsm.exe tried to sleep 5456591 seconds, actually delayed analysis time by 5456591 seconds
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service
reg_value C:\Program Files (x86)\DSL Service\dslsvc.exe
Manipulates memory of a non-child process, indicative of process injection (9 events)
Process injection Process 2984 manipulating memory of non-child process 2340
Process injection Process 1688 manipulating memory of non-child process 2340
Process injection Process 3472 manipulating memory of non-child process 3576
File has been identified by 55 antivirus engines on VirusTotal as malicious (50 out of 55 events)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.MSIL.Basic.3.Gen
FireEye Generic.mg.7000d01e779b7b27
Qihoo-360 Win32/Backdoor.Nanocore.HwMA3XsA
ALYac Backdoor.RAT.MSIL.NanoCore
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0056081c1 )
Alibaba TrojanSpy:MSIL/AgentTesla.2d61bffb
K7GW Trojan ( 0056081c1 )
Cybereason malicious.e779b7
Arcabit Trojan.MSIL.Basic.3.Gen
Cyren W32/MSIL_Kryptik.ATV.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:CrypterX-gen [Trj]
Kaspersky HEUR:Backdoor.MSIL.NanoBot.gen
BitDefender Trojan.MSIL.Basic.3.Gen
Paloalto generic.ml
Tencent Malware.Win32.Gencirc.11865290
Ad-Aware Trojan.MSIL.Basic.3.Gen
Sophos Mal/Generic-S
Comodo Malware@#2xdhspy1tmbew
F-Secure Trojan.TR/AD.Nanocore.scc
DrWeb Trojan.KillProc2.10756
Zillya Trojan.Kryptik.Win32.2037916
McAfee-GW-Edition BehavesLike.Win32.Generic.hc
Emsisoft Trojan.MSIL.Basic.3.Gen (B)
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.Generic.fhgma
Webroot W32.Trojan.Gen
Avira TR/AD.Nanocore.scc
MAX malware (ai score=84)
Antiy-AVL Trojan[Backdoor]/MSIL.NanoBot
Gridinsoft Trojan.Win32.Agent.ba
Microsoft Trojan:MSIL/AgentTesla.BB!MTB
ZoneAlarm HEUR:Backdoor.MSIL.NanoBot.gen
GData Trojan.MSIL.Basic.3.Gen
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.MSILKrypt.C3976651
McAfee Fareit-FUG!7000D01E779B
VBA32 TScope.Trojan.MSIL
Malwarebytes Spyware.AgentTesla
ESET-NOD32 a variant of MSIL/Kryptik.WCL
Rising Backdoor.Nanocore!8.F894 (CLOUD)
Yandex Trojan.Kryptik!5vJ+N8nKFI0
Ikarus Trojan.Inject
eGambit Unsafe.AI_Score_85%
Fortinet MSIL/Kryptik.WCL!tr
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (7 events)
dead_host 192.168.56.101:49192
dead_host 192.168.56.101:49189
dead_host 192.168.56.101:49211
dead_host 192.168.56.101:49207
dead_host 192.168.56.101:49208
dead_host 185.140.53.208:1122
dead_host 192.168.56.101:49195
Visual analysis
Binary image
No binary image: the sample did not produce a binary visualization image
Runtime screenshots
No screenshots: no screenshots were captured while the sample ran

PE Compile Time

2020-05-31 14:26:05

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58370 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 49713 8.8.8.8 53
192.168.56.101 50002 8.8.8.8 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.