6.2
High risk

50f42960eb882be0f35a1f4d15edb0ab6e8aea2211dbae7c358288f2b7846fba

716c1b40449ab88d7ee045b6628a27e7.exe

Analysis duration

93s

Last analyzed

File size

1.2MB
Static detection: malicious; dynamic detection: malicious. Tags: 100% AFHS AGENTTESLA AI SCORE=89 AIDETECTVM APBC ARTEMIS CLOUD CONFIDENCE DROPBACK ESDJ GANDCRAB GENERICKD HIGH HIGH CONFIDENCE KR0@AIQJAOFI MALICIOUS PE O0SFQL25UJU OCCAMY R002C0GDB20 SCORE SIGGEN2 TROJAN3 UNSAFE WACATAC ZEXAF
Eagle Eye engine
Not detected: no Eagle Eye engine detection results are available
Static verdict
Antivirus engines
Engine Result Scan date Engine version
McAfee Artemis!716C1B40449A 20200420 6.0.6.653
Alibaba TrojanDropper:Win32/Dropback.c67de106 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Malware-gen 20200420 18.4.3895.0
Kingsoft 20200421 2013.8.14.323
Tencent Win32.Trojan-dropper.Dropback.Afhs 20200421 1.0.0.1
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
Static indicators
Queries for the computername (3 events)
Time & API Arguments Status Return Repeated
1619612638.438875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619612639.469875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619612641.110875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (2 events)
Time & API Arguments Status Return Repeated
1619612636.375875
IsDebuggerPresent
failed 0 0
1619612636.375875
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619612656.235875
GlobalMemoryStatusEx
success 1 0
The file contains an unknown PE resource name possibly indicative of a packer (5 events)
resource name 23
resource name 255
resource name AFX
resource name PNG
resource name SGADER
One or more processes crashed (3 events)
Time & API Arguments Status Return Repeated
1619612641.000875
__exception__
stacktrace:
0x73deaa5
0x73ddf62
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73f07856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73f07ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73f07d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd3d0 @ 0x71ecd3d0
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
mscorlib+0x8a5e6c @ 0x724b5e6c
DllUnregisterServerInternal-0x3a3b clr+0x25c1 @ 0x73e725c1
CorDllMainForThunk+0x1a215 ClrCreateManagedInstance-0x9fb4 clr+0x18729b @ 0x73ff729b
CorDllMainForThunk+0x1a2ee ClrCreateManagedInstance-0x9edb clr+0x187374 @ 0x73ff7374
CorDllMainForThunk+0x1a354 ClrCreateManagedInstance-0x9e75 clr+0x1873da @ 0x73ff73da
CorDllMainForThunk+0x1a4b9 ClrCreateManagedInstance-0x9d10 clr+0x18753f @ 0x73ff753f
0x480a182
0x2852110
0x2852d77
0x2850577
NlsDispatchAnsiEnumProc+0xbb Internal_EnumSystemLanguageGroups-0x43 kernelbase+0x27d4a @ 0x77907d4a
Internal_EnumCalendarInfo+0xbb7 EnumSystemLanguageGroupsW-0x1b5 kernelbase+0x29e42 @ 0x77909e42
Internal_EnumDateFormats+0x7f EnumTimeFormatsW-0x1d kernelbase+0x2a25d @ 0x7790a25d
EnumDateFormatsA+0x22 EnumDateFormatsExA-0xa kernel32+0xa51c3 @ 0x763e51c3
716c1b40449ab88d7ee045b6628a27e7+0x43be5 @ 0x443be5
716c1b40449ab88d7ee045b6628a27e7+0x5156a @ 0x45156a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1632320
registers.edi: 80182016
registers.eax: 0
registers.ebp: 1632364
registers.edx: 8
registers.ebx: 0
registers.esi: 1764275503
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc 69 c6 05 54 01 42
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7cd25da
success 0 0
1619612656.391875
__exception__
stacktrace:
0x7cdf2f1
0x7cdf1c2
0x7cdd1e0
0x73de843
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73f07856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73f07ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73f07d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd3d0 @ 0x71ecd3d0
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
mscorlib+0x8a5e6c @ 0x724b5e6c
DllUnregisterServerInternal-0x3a3b clr+0x25c1 @ 0x73e725c1
CorDllMainForThunk+0x1a215 ClrCreateManagedInstance-0x9fb4 clr+0x18729b @ 0x73ff729b
CorDllMainForThunk+0x1a2ee ClrCreateManagedInstance-0x9edb clr+0x187374 @ 0x73ff7374
CorDllMainForThunk+0x1a354 ClrCreateManagedInstance-0x9e75 clr+0x1873da @ 0x73ff73da
CorDllMainForThunk+0x1a4b9 ClrCreateManagedInstance-0x9d10 clr+0x18753f @ 0x73ff753f
0x480a182
0x2852110
0x2852d77
0x2850577
NlsDispatchAnsiEnumProc+0xbb Internal_EnumSystemLanguageGroups-0x43 kernelbase+0x27d4a @ 0x77907d4a
Internal_EnumCalendarInfo+0xbb7 EnumSystemLanguageGroupsW-0x1b5 kernelbase+0x29e42 @ 0x77909e42
Internal_EnumDateFormats+0x7f EnumTimeFormatsW-0x1d kernelbase+0x2a25d @ 0x7790a25d
EnumDateFormatsA+0x22 EnumDateFormatsExA-0xa kernel32+0xa51c3 @ 0x763e51c3
716c1b40449ab88d7ee045b6628a27e7+0x43be5 @ 0x443be5
716c1b40449ab88d7ee045b6628a27e7+0x5156a @ 0x45156a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1631212
registers.edi: 1631276
registers.eax: 0
registers.ebp: 1631296
registers.edx: 80522900
registers.ebx: 0
registers.esi: 80590296
registers.ecx: 80590296
exception.instruction_r: 8b 40 04 89 45 e4 33 d2 89 55 ec e9 6a 01 00 00
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7e9646c
success 0 0
1619612657.594875
__exception__
stacktrace:
0x7cde553
0x73de843
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73f07856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73f07ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73f07d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd3d0 @ 0x71ecd3d0
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
mscorlib+0x8a5e6c @ 0x724b5e6c
DllUnregisterServerInternal-0x3a3b clr+0x25c1 @ 0x73e725c1
CorDllMainForThunk+0x1a215 ClrCreateManagedInstance-0x9fb4 clr+0x18729b @ 0x73ff729b
CorDllMainForThunk+0x1a2ee ClrCreateManagedInstance-0x9edb clr+0x187374 @ 0x73ff7374
CorDllMainForThunk+0x1a354 ClrCreateManagedInstance-0x9e75 clr+0x1873da @ 0x73ff73da
CorDllMainForThunk+0x1a4b9 ClrCreateManagedInstance-0x9d10 clr+0x18753f @ 0x73ff753f
0x480a182
0x2852110
0x2852d77
0x2850577
NlsDispatchAnsiEnumProc+0xbb Internal_EnumSystemLanguageGroups-0x43 kernelbase+0x27d4a @ 0x77907d4a
Internal_EnumCalendarInfo+0xbb7 EnumSystemLanguageGroupsW-0x1b5 kernelbase+0x29e42 @ 0x77909e42
Internal_EnumDateFormats+0x7f EnumTimeFormatsW-0x1d kernelbase+0x2a25d @ 0x7790a25d
EnumDateFormatsA+0x22 EnumDateFormatsExA-0xa kernel32+0xa51c3 @ 0x763e51c3
716c1b40449ab88d7ee045b6628a27e7+0x43be5 @ 0x443be5
716c1b40449ab88d7ee045b6628a27e7+0x5156a @ 0x45156a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1631352
registers.edi: 81660172
registers.eax: 0
registers.ebp: 1631420
registers.edx: 81662332
registers.ebx: 81658352
registers.esi: 1321730068
registers.ecx: 1908490458
exception.instruction_r: 39 00 68 ff ff ff 7f 6a 00 8b 4d c8 e8 23 28 de
exception.instruction: cmp dword ptr [eax], eax
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x80e604c
success 0 0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (50 out of 110 events)
Time & API Arguments Status Return Repeated
1619612635.047875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 98304
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02850000
success 0 0
1619612635.438875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x048a0000
success 0 0
1619612635.438875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04a50000
success 0 0
1619612635.578875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x048a0000
success 0 0
1619612635.578875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04900000
success 0 0
1619612636.031875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x04a90000
success 0 0
1619612636.031875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04be0000
success 0 0
1619612636.188875
NtProtectVirtualMemory
process_identifier: 368
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619612636.375875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 1376256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x04a90000
success 0 0
1619612636.375875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ba0000
success 0 0
1619612636.406875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0480a000
success 0 0
1619612636.406875
NtProtectVirtualMemory
process_identifier: 368
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619612636.406875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04802000
success 0 0
1619612636.625875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04812000
success 0 0
1619612636.672875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04835000
success 0 0
1619612636.672875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0483b000
success 0 0
1619612636.672875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04837000
success 0 0
1619612636.750875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04be1000
success 0 0
1619612636.766875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04be2000
success 0 0
1619612636.891875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0480c000
success 0 0
1619612636.906875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04813000
success 0 0
1619612636.922875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04be3000
success 0 0
1619612637.000875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0481c000
success 0 0
1619612637.000875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04814000
success 0 0
1619612637.000875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04815000
success 0 0
1619612637.000875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04be4000
success 0 0
1619612637.000875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04be5000
success 0 0
1619612637.000875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04be6000
success 0 0
1619612637.094875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x073d0000
success 0 0
1619612637.094875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 53248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x073d1000
success 0 0
1619612637.297875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04817000
success 0 0
1619612637.563875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04818000
success 0 0
1619612637.641875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04826000
success 0 0
1619612637.703875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04be7000
success 0 0
1619612637.766875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0482a000
success 0 0
1619612637.766875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04827000
success 0 0
1619612637.922875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x071f0000
success 0 0
1619612638.031875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x071f1000
success 0 0
1619612638.047875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x071f2000
success 0 0
1619612638.078875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x073de000
success 0 0
1619612638.141875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x071f3000
success 0 0
1619612638.688875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x071f4000
success 0 0
1619612638.688875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x073df000
success 0 0
1619612638.719875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x07cd0000
success 0 0
1619612638.844875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x071f5000
success 0 0
1619612638.906875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x071f6000
success 0 0
1619612638.906875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0481d000
success 0 0
1619612638.906875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x07cc0000
success 0 0
1619612638.906875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x07cc1000
success 0 0
1619612638.906875
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0481a000
success 0 0
Steals private information from local Internet browsers (5 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.760549110329813 section {'size_of_data': '0x000a4e00', 'virtual_address': '0x0008b000', 'entropy': 7.760549110329813, 'name': '.rsrc', 'virtual_size': '0x000a4dd4'} description A section with a high entropy has been found
entropy 0.5532718120805369 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619612656.125875
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Looks for the Windows Idle Time to determine the uptime (1 event)
Time & API Arguments Status Return Repeated
1619612658.735875
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
A process attempted to delay the analysis task. (1 event)
description 716c1b40449ab88d7ee045b6628a27e7.exe tried to sleep 2728326 seconds, actually delayed analysis time by 2728326 seconds
Harvests credentials from local email clients (5 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)
Bkav W32.AIDetectVM.malware
MicroWorld-eScan Trojan.GenericKD.33594977
FireEye Generic.mg.716c1b40449ab88d
CAT-QuickHeal Trojan.Multi
McAfee Artemis!716C1B40449A
Cylance Unsafe
Zillya Worm.AutoRun.Win32.145495
Sangfor Malware
K7AntiVirus Trojan ( 0056069a1 )
Alibaba TrojanDropper:Win32/Dropback.c67de106
K7GW Trojan ( 0056069a1 )
Cybereason malicious.a12112
Invincea heuristic
BitDefenderTheta Gen:NN.ZexaF.34106.kr0@aiQjAOfi
F-Prot W32/Trojan3.APBC
APEX Malicious
Avast Win32:Malware-gen
GData Trojan.GenericKD.33594977
Kaspersky Trojan-Dropper.Win32.Dropback.ni
BitDefender Trojan.GenericKD.33594977
Paloalto generic.ml
ViRobot Trojan.Win32.S.Infostealer.1221632
Rising Spyware.Agent!8.C6 (CLOUD)
Endgame malicious (high confidence)
Sophos Mal/Generic-S
DrWeb Trojan.PWS.Siggen2.46201
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R002C0GDB20
McAfee-GW-Edition Artemis!Trojan
Trapmine malicious.high.ml.score
Emsisoft Trojan.GenericKD.33594977 (B)
SentinelOne DFI - Malicious PE
Cyren W32/Trojan.ESDJ-6522
Webroot W32.Trojan.Gen
MAX malware (ai score=89)
Antiy-AVL Trojan/Win32.Wacatac
Arcabit Trojan.Generic.D2009E61
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm Trojan-Dropper.Win32.Dropback.ni
Microsoft Trojan:Win32/Occamy.C
AhnLab-V3 Trojan/Win32.Agent.C4049679
Acronis suspicious
VBA32 TrojanDropper.Dropback
ALYac Spyware.AgentTesla
Ad-Aware Trojan.GenericKD.33594977
Malwarebytes Spyware.AgentTesla
ESET-NOD32 MSIL/Autorun.Spy.Agent.DF
TrendMicro-HouseCall TROJ_GEN.R002C0GDB20
Tencent Win32.Trojan-dropper.Dropback.Afhs
Yandex Worm.Autorun!o0SfQL25ujU
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while this sample ran

PE Compile Time

2020-04-02 02:20:58

Imports

Library KERNEL32.dll:
0x46c084 DeleteFileW
0x46c088 FlushFileBuffers
0x46c090 GetDriveTypeW
0x46c094 FindFirstFileExW
0x46c098 FindClose
0x46c0a4 WriteConsoleW
0x46c0a8 SetEndOfFile
0x46c0ac SetStdHandle
0x46c0b0 GetOEMCP
0x46c0b4 GetACP
0x46c0b8 IsValidCodePage
0x46c0bc HeapSize
0x46c0c0 GetModuleFileNameW
0x46c0c4 GetProcessHeap
0x46c0c8 EnumSystemLocalesW
0x46c0cc GetUserDefaultLCID
0x46c0d0 IsValidLocale
0x46c0d4 GetLocaleInfoW
0x46c0d8 LCMapStringW
0x46c0dc CompareStringW
0x46c0e0 GetStartupInfoW
0x46c0e4 TlsFree
0x46c0ec lstrcmpA
0x46c0f0 WaitForSingleObject
0x46c0f4 GetTimeFormatA
0x46c0f8 GlobalAlloc
0x46c0fc WideCharToMultiByte
0x46c100 EnumDateFormatsA
0x46c108 OutputDebugStringW
0x46c10c VirtualAlloc
0x46c110 GetLastError
0x46c114 CloseHandle
0x46c118 GetModuleFileNameA
0x46c124 GetTempPathW
0x46c128 CreateFileW
0x46c130 TlsSetValue
0x46c134 TlsGetValue
0x46c138 TlsAlloc
0x46c13c TerminateProcess
0x46c148 RtlUnwind
0x46c14c RaiseException
0x46c150 GetCPInfo
0x46c154 LoadLibraryExW
0x46c158 ExitThread
0x46c15c GetCurrentThreadId
0x46c160 CreateThread
0x46c170 GetCurrentProcessId
0x46c178 HeapReAlloc
0x46c17c GetCommandLineA
0x46c180 GetConsoleCP
0x46c184 ReadConsoleW
0x46c188 GetConsoleMode
0x46c18c GetModuleHandleW
0x46c190 SetFilePointerEx
0x46c194 AreFileApisANSI
0x46c198 GetModuleHandleExW
0x46c19c IsDebuggerPresent
0x46c1a4 HeapAlloc
0x46c1a8 GetFullPathNameW
0x46c1b0 VerLanguageNameA
0x46c1b4 HeapFree
0x46c1b8 GetStringTypeW
0x46c1bc MultiByteToWideChar
0x46c1c0 DecodePointer
0x46c1c4 GetStdHandle
0x46c1c8 SetConsoleTitleA
0x46c1cc EncodePointer
0x46c1d0 SetLastError
0x46c1d4 FormatMessageA
0x46c1d8 ExitProcess
0x46c1dc MoveFileExA
0x46c1e8 GetTickCount
0x46c1ec Sleep
0x46c1f0 GetFileType
0x46c1f8 PeekNamedPipe
0x46c1fc ReadFile
0x46c200 SleepEx
0x46c208 GetModuleHandleA
0x46c20c GetProcAddress
0x46c210 LoadLibraryA
0x46c214 GetSystemDirectoryA
0x46c218 VerSetConditionMask
0x46c21c VerifyVersionInfoA
0x46c220 FreeLibrary
0x46c230 WriteFile
0x46c234 GetCurrentThread
0x46c238 WerRegisterFile
0x46c240 GetCurrentProcess
0x46c244 CreateEventA
Library USER32.dll:
0x46c2c8 SetWindowLongA
0x46c2cc EnableWindow
0x46c2d0 DialogBoxParamA
0x46c2d4 GetShellWindow
0x46c2d8 GetDlgItem
0x46c2dc EndDialog
0x46c2e0 SendMessageA
0x46c2e4 SetFocus
0x46c2e8 RegisterClassA
0x46c2ec GetDialogBaseUnits
0x46c2f0 SetDlgItemTextA
0x46c2f4 DestroyIcon
0x46c2f8 UpdateWindow
0x46c2fc DefMDIChildProcA
0x46c300 IsDlgButtonChecked
0x46c304 ShowWindow
0x46c308 GetCursorPos
0x46c30c GetSysColor
0x46c310 DefWindowProcA
0x46c314 SetScrollPos
0x46c318 CreateWindowExA
0x46c31c UnionRect
0x46c320 MessageBoxA
0x46c324 SetRect
0x46c328 GetWindowTextA
0x46c32c GetForegroundWindow
0x46c334 BeginPaint
0x46c338 DrawTextExW
0x46c33c GetClientRect
0x46c340 DrawIcon
0x46c344 wsprintfA
0x46c348 EndPaint
0x46c34c DestroyWindow
0x46c350 CreateDialogParamA
0x46c354 PostQuitMessage
0x46c358 FillRect
0x46c35c LoadStringA
0x46c360 LoadIconA
0x46c364 RemovePropA
Library GDI32.dll:
0x46c04c SetTextColor
0x46c050 StretchBlt
0x46c054 SetBkMode
0x46c058 DeleteObject
0x46c05c SelectObject
0x46c064 Rectangle
0x46c068 GetStockObject
0x46c06c CreateSolidBrush
Library ADVAPI32.dll:
0x46c008 CryptHashData
0x46c00c CryptDestroyHash
0x46c010 CryptGetHashParam
0x46c014 RegCloseKey
0x46c01c RegOpenKeyExA
0x46c020 CryptCreateHash
0x46c024 CryptDestroyKey
0x46c028 CryptEncrypt
0x46c02c CryptReleaseContext
0x46c030 CryptImportKey
Library ole32.dll:
0x46c468 CoCreateInstance
0x46c46c CoGetMalloc
0x46c470 CoUninitialize
0x46c474 StringFromCLSID
0x46c478 CoInitialize
0x46c47c CoTaskMemFree
Library OLEAUT32.dll:
0x46c254 LoadTypeLib
Library OPENGL32.dll:
0x46c25c glClearDepth
0x46c260 glDepthFunc
0x46c264 glClear
0x46c268 glClearColor
0x46c26c glEnd
0x46c270 glTexImage2D
0x46c274 glBegin
0x46c278 glShadeModel
0x46c27c glColor4f
0x46c280 glTexParameteri
0x46c284 glPopMatrix
0x46c288 glPushMatrix
0x46c28c glVertex3f
0x46c290 glMatrixMode
0x46c294 glViewport
0x46c298 glEnable
0x46c29c glTexGeni
0x46c2a0 glFlush
0x46c2a4 glColor3f
0x46c2a8 glHint
0x46c2ac glLoadIdentity
Library GLU32.dll:
0x46c074 gluQuadricNormals
Library VERSION.dll:
0x46c374 VerQueryValueA
0x46c37c GetFileVersionInfoA
Library COMCTL32.dll:
0x46c03c ImageList_DragLeave
0x46c040 ImageList_DragEnter
0x46c044 ImageList_Destroy
Library WINMM.dll:
0x46c3a0 mmioAscend
0x46c3a4 timeGetTime
Library SETUPAPI.dll:
0x46c2b8 SetupDeleteErrorA
Library WININET.dll:
0x46c384 HttpQueryInfoA
0x46c388 InternetReadFile
0x46c38c HttpOpenRequestA
0x46c390 HttpSendRequestA
0x46c394 InternetOpenA
0x46c398 InternetConnectA
Library USERENV.dll:
Library pdh.dll:
0x46c488 PdhAddCounterW
0x46c48c PdhCollectQueryData
0x46c490 PdhOpenQueryA
0x46c494 PdhCloseQuery
Library wer.dll:
0x46c49c WerReportSubmit
0x46c4a0 WerReportAddFile
0x46c4a4 WerReportCreate
0x46c4a8 WerReportAddDump
Library MSVFW32.dll:
0x46c24c DrawDibOpen
Library ACTIVEDS.dll:
0x46c000
Library WS2_32.dll:
0x46c3f0 __WSAFDIsSet
0x46c3f4 gethostname
0x46c3f8 inet_pton
0x46c3fc closesocket
0x46c400 send
0x46c404 WSAGetLastError
0x46c408 WSACleanup
0x46c40c WSAStartup
0x46c410 recv
0x46c414 WSAIoctl
0x46c418 setsockopt
0x46c41c getsockname
0x46c420 ntohs
0x46c424 bind
0x46c428 htons
0x46c42c getsockopt
0x46c430 getpeername
0x46c434 socket
0x46c438 connect
0x46c43c WSASetLastError
0x46c440 sendto
0x46c444 recvfrom
0x46c448 accept
0x46c44c listen
0x46c450 ioctlsocket
0x46c454 select
0x46c458 freeaddrinfo
0x46c45c getaddrinfo
0x46c460 htonl
Library WLDAP32.dll:

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51379 239.255.255.250 3702
192.168.56.101 55369 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 63432 239.255.255.250 1900
192.168.56.101 53657 8.8.8.8 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.