9.6
极危
27 个模型检测该样本为恶意!
重新分析
更多

37e7700554942b7079624e0ee713c169177cfa0604eb614c732f5308b734f55f

7044ea26be5eea41f98883599d6a184b.exe

分析耗时

86s

最近分析

文件大小

1.6MB
静态报毒 动态报毒 2MWI46ZPBXI40UNHHBA5BG BUNDLER FUSIONCORE GBLSFB GENERIC PUA BI GENERIC@ML GRAYWARE HIGH HIGH CONFIDENCE INSTALLCORE KGZR MALWARE@#3899Y8TQ64Z6Q PUAMSON RDML ROSTPAY ROSTPEILTD SCORE SIGADWARE SUSPICIOUS PE UNSAFE 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee 20191111 6.0.6.653
Alibaba 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Malware-gen 20191111 18.4.3895.0
Tencent 20191111 1.0.0.1
Kingsoft 20191111 2013.8.14.323
CrowdStrike 20190702 1.0
静态指标
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (2 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid
This executable is signed
Tries to locate where the browsers are installed (1 个事件)
file C:\Program Files\Google\Chrome\Application\chrome.exe
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620762798.71925
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)
section .ndata
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (5 个事件)
Time & API Arguments Status Return Repeated
1620762799.70325
NtProtectVirtualMemory
process_identifier: 1804
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74574000
success 0 0
1620762809.20325
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 929792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x043d0000
success 0 0
1620762809.31325
NtProtectVirtualMemory
process_identifier: 1804
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 1204224
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04831000
success 0 0
1620762809.31325
NtProtectVirtualMemory
process_identifier: 1804
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 925696
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04957000
success 0 0
1620762809.40625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x044d0000
success 0 0
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (6 个事件)
Time & API Arguments Status Return Repeated
1620762813.96925
GetDiskFreeSpaceW
root_path: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7044ea26be5eea41f98883599d6a184b.exe
sectors_per_cluster: 86767300
number_of_free_clusters: 0
total_number_of_clusters: 78965400
bytes_per_sector: 0
failed 0 0
1620762814.03125
GetDiskFreeSpaceW
root_path: C:
sectors_per_cluster: 8
number_of_free_clusters: 4786293
total_number_of_clusters: 8362495
bytes_per_sector: 512
success 1 0
1620762816.50025
GetDiskFreeSpaceW
root_path: C:
sectors_per_cluster: 8
number_of_free_clusters: 4786206
total_number_of_clusters: 8362495
bytes_per_sector: 512
success 1 0
1620762821.17225
GetDiskFreeSpaceW
root_path: C:
sectors_per_cluster: 8
number_of_free_clusters: 4786186
total_number_of_clusters: 8362495
bytes_per_sector: 512
success 1 0
1620762826.12525
GetDiskFreeSpaceW
root_path: C:
sectors_per_cluster: 8
number_of_free_clusters: 4787181
total_number_of_clusters: 8362495
bytes_per_sector: 512
success 1 0
1620762831.43825
GetDiskFreeSpaceW
root_path: C:
sectors_per_cluster: 8
number_of_free_clusters: 4787181
total_number_of_clusters: 8362495
bytes_per_sector: 512
success 1 0
Steals private information from local Internet browsers (28 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\MEIPreload\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\pnacl\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\SafetyTips\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\SwReporter\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Floc\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\OriginTrials\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Subresource Filter\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Safe Browsing\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\hyphen-data\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cache\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crowd Deny\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\AutofillStates\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\WidevineCdm\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\GrShaderCache\Cache
Creates executable files on the filesystem (7 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl8123.tmp\LangDLL.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl8123.tmp\nsProcess.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl8123.tmp\SaveInExe.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl8123.tmp\InstallOptions.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl8123.tmp\Math.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl8123.tmp\System.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl8123.tmp\Fusion.dll
Drops an executable to the user AppData folder (7 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl8123.tmp\SaveInExe.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl8123.tmp\Math.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl8123.tmp\InstallOptions.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl8123.tmp\nsProcess.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl8123.tmp\System.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl8123.tmp\Fusion.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl8123.tmp\LangDLL.dll
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1620762803.75025
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Expresses interest in specific running processes (1 个事件)
process 7044ea26be5eea41f98883599d6a184b.exe
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Creates an Alternate Data Stream (ADS) (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7044ea26be5eea41f98883599d6a184b.exe:Zone.Identifier:$DATA
Checks the version of Bios, possibly for anti-virtualization (1 个事件)
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Checks the CPU name from registry, possibly for anti-virtualization (1 个事件)
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1620762806.76625
RegSetValueExA
key_handle: 0x000003dc
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620762806.76625
RegSetValueExA
key_handle: 0x000003dc
value: ¬ÆF×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620762806.76625
RegSetValueExA
key_handle: 0x000003dc
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620762806.76625
RegSetValueExW
key_handle: 0x000003dc
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620762806.76625
RegSetValueExA
key_handle: 0x000003f4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620762806.76625
RegSetValueExA
key_handle: 0x000003f4
value: ¬ÆF×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620762806.76625
RegSetValueExA
key_handle: 0x000003f4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620762807.06325
RegSetValueExW
key_handle: 0x000003d8
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Network activity contains more than one unique useragent (2 个事件)
process 7044ea26be5eea41f98883599d6a184b.exe useragent
process 7044ea26be5eea41f98883599d6a184b.exe useragent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2
File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 个事件)
FireEye Gen:Variant.Application.Bundler.FusionCore.2
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Arcabit Trojan.Application.Bundler.FusionCore.2
Cyren W32/Trojan.KGZR-1540
Symantec Trojan.Gen.MBT
ClamAV Win.Malware.Rostpay-6984656-0
BitDefender Gen:Variant.Application.Bundler.FusionCore.2
NANO-Antivirus Trojan.Win32.InstallCore.gblsfb
Avast Win32:Malware-gen
Emsisoft Gen:Variant.Application.Bundler.FusionCore.2 (B)
Comodo Malware@#3899y8tq64z6q
DrWeb Program.Unwanted.1928
Invincea heuristic
Trapmine malicious.high.ml.score
Sophos Generic PUA BI (PUA)
SentinelOne DFI - Suspicious PE
Antiy-AVL GrayWare/Win32.FusionCore
Microsoft PUA:Win32/Puamson.A!ml
Endgame malicious (high confidence)
GData Win32.Application.Rostpay.B
VBA32 SigAdware.ROSTPEILTD
ESET-NOD32 Win32/Rostpay.C potentially unwanted
Rising Trojan.Generic@ML.100 (RDML:2mwi46zPBxI40UnHhbA5bg)
Ikarus Trojan.PSW.Agent
Fortinet Riskware/Rostpay
AVG Win32:Malware-gen
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2012-02-25 03:19:59

Imports

Library KERNEL32.dll:
0x408060 SetFileTime
0x408064 CompareFileTime
0x408068 SearchPathW
0x40806c GetShortPathNameW
0x408070 GetFullPathNameW
0x408074 MoveFileW
0x40807c GetFileAttributesW
0x408080 GetLastError
0x408084 CreateDirectoryW
0x408088 SetFileAttributesW
0x40808c Sleep
0x408090 GetTickCount
0x408094 CreateFileW
0x408098 GetFileSize
0x40809c GetModuleFileNameW
0x4080a0 GetCurrentProcess
0x4080a4 CopyFileW
0x4080a8 ExitProcess
0x4080b0 GetTempPathW
0x4080b4 GetCommandLineW
0x4080b8 SetErrorMode
0x4080bc CloseHandle
0x4080c0 lstrlenW
0x4080c4 lstrcpynW
0x4080c8 GetDiskFreeSpaceW
0x4080cc GlobalUnlock
0x4080d0 GlobalLock
0x4080d4 CreateThread
0x4080d8 LoadLibraryW
0x4080dc CreateProcessW
0x4080e0 lstrcmpiA
0x4080e4 GetTempFileNameW
0x4080e8 lstrcatW
0x4080ec GetProcAddress
0x4080f0 LoadLibraryA
0x4080f4 GetModuleHandleA
0x4080f8 OpenProcess
0x4080fc lstrcpyW
0x408100 GetVersionExW
0x408104 GetSystemDirectoryW
0x408108 GetVersion
0x40810c lstrcpyA
0x408110 RemoveDirectoryW
0x408114 lstrcmpA
0x408118 lstrcmpiW
0x40811c lstrcmpW
0x408124 GlobalAlloc
0x408128 WaitForSingleObject
0x40812c GetExitCodeProcess
0x408130 GlobalFree
0x408134 GetModuleHandleW
0x408138 LoadLibraryExW
0x40813c FreeLibrary
0x408148 WideCharToMultiByte
0x40814c lstrlenA
0x408150 MulDiv
0x408154 WriteFile
0x408158 ReadFile
0x40815c MultiByteToWideChar
0x408160 SetFilePointer
0x408164 FindClose
0x408168 FindNextFileW
0x40816c FindFirstFileW
0x408170 DeleteFileW
0x408174 lstrcpynA
Library USER32.dll:
0x408198 GetAsyncKeyState
0x40819c IsDlgButtonChecked
0x4081a0 ScreenToClient
0x4081a4 GetMessagePos
0x4081a8 CallWindowProcW
0x4081ac IsWindowVisible
0x4081b0 LoadBitmapW
0x4081b4 CloseClipboard
0x4081b8 SetClipboardData
0x4081bc EmptyClipboard
0x4081c0 OpenClipboard
0x4081c4 TrackPopupMenu
0x4081c8 GetWindowRect
0x4081cc AppendMenuW
0x4081d0 CreatePopupMenu
0x4081d4 GetSystemMetrics
0x4081d8 EndDialog
0x4081dc EnableMenuItem
0x4081e0 GetSystemMenu
0x4081e4 SetClassLongW
0x4081e8 IsWindowEnabled
0x4081ec SetWindowPos
0x4081f0 DialogBoxParamW
0x4081f4 CheckDlgButton
0x4081f8 CreateWindowExW
0x408200 RegisterClassW
0x408204 SetDlgItemTextW
0x408208 GetDlgItemTextW
0x40820c MessageBoxIndirectW
0x408210 CharNextA
0x408214 CharUpperW
0x408218 CharPrevW
0x40821c wvsprintfW
0x408220 DispatchMessageW
0x408224 PeekMessageW
0x408228 wsprintfA
0x40822c DestroyWindow
0x408230 CreateDialogParamW
0x408234 SetTimer
0x408238 SetWindowTextW
0x40823c PostQuitMessage
0x408240 SetForegroundWindow
0x408244 ShowWindow
0x408248 wsprintfW
0x40824c SendMessageTimeoutW
0x408250 LoadCursorW
0x408254 SetCursor
0x408258 GetWindowLongW
0x40825c GetSysColor
0x408260 CharNextW
0x408264 GetClassInfoW
0x408268 ExitWindowsEx
0x40826c IsWindow
0x408270 GetDlgItem
0x408274 SetWindowLongW
0x408278 LoadImageW
0x40827c GetDC
0x408280 EnableWindow
0x408284 InvalidateRect
0x408288 SendMessageW
0x40828c DefWindowProcW
0x408290 BeginPaint
0x408294 GetClientRect
0x408298 FillRect
0x40829c DrawTextW
0x4082a0 EndPaint
0x4082a4 FindWindowExW
Library GDI32.dll:
0x40803c SetBkColor
0x408040 GetDeviceCaps
0x408044 DeleteObject
0x408048 CreateBrushIndirect
0x40804c CreateFontIndirectW
0x408050 SetBkMode
0x408054 SetTextColor
0x408058 SelectObject
Library SHELL32.dll:
0x40817c SHBrowseForFolderW
0x408184 SHGetFileInfoW
0x408188 ShellExecuteW
0x40818c SHFileOperationW
Library ADVAPI32.dll:
0x408000 RegEnumKeyW
0x408004 RegOpenKeyExW
0x408008 RegCloseKey
0x40800c RegDeleteKeyW
0x408010 RegDeleteValueW
0x408014 RegCreateKeyExW
0x408018 RegSetValueExW
0x40801c RegQueryValueExW
0x408020 RegEnumValueW
Library COMCTL32.dll:
0x408028 ImageList_AddMasked
0x40802c ImageList_Destroy
0x408030
0x408034 ImageList_Create
Library ole32.dll:
0x4082bc CoTaskMemFree
0x4082c0 OleInitialize
0x4082c4 OleUninitialize
0x4082c8 CoCreateInstance
Library VERSION.dll:
0x4082b0 GetFileVersionInfoW
0x4082b4 VerQueryValueW

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 54260 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.