Score: 4.0
Risk level: Medium
SHA256: d38718407d91457d88bf936f0721183e8673aaf6b12a39dd46b57857b98b9f0e
File name: 76026020da52d031302b2efc7bf2fe64.exe
Analysis duration: 72s
Last analysis: (not shown)
File size: 686.5KB
Static scan: flagged. Dynamic scan: flagged.
Detection tags: AI SCORE=87 AIDETECTVM BANKERX BUNITU CLOUD CONFIDENCE ELDORADO ENCPK ERFL GA@8SFC92 GDSDA GENCIRC HDMT HIGH CONFIDENCE HKNFCI IJLWH INJECT3 KRYPTIK MALICIOUS PE MALWARE1 PINKSBOT QAKBOT QBOT QM0@AYWQDIKK QVM20 R011C0DEP20 R337792 S13565483 SCORE SMTHA SUSGEN TBOZLRVYLNE TROJANBANKER UNSAFE URSU VZNS WACATAC WACATACPMF ZENPAK ZEXAF

Eagle Eye engine: not detected (no Eagle Eye engine result for this sample)

Static verdict

Antivirus engines

Engine       Result                                Engine date  Engine version
Alibaba      TrojanBanker:Win32/Bunitu.577495fa    20190527     0.3.0.5
Baidu        (none)                                20190318     1.0.0.2
Tencent      Malware.Win32.Gencirc.10cdcb8c        20200712     1.0.0.1
Kingsoft     (none)                                20200712     2013.8.14.323
McAfee       W32/PinkSbot-GS!76026020DA52          20200712     6.0.6.653
Avast        Win32:BankerX-gen [Trj]               20200712     18.4.3895.0
CrowdStrike  win/malicious_confidence_70% (W)      20190702     1.0

Note: the date column is engine or signature metadata, not the time this sample was scanned; two of the dates (Alibaba 20190527, CrowdStrike 20190702) are earlier than the PE compile timestamp reported further down (2020-05-20 05:23:23).
Static indicators

Queries for the computer name (2 events)

Time               API               Arguments                Status   Return  Repeated
1619649225.582605  GetComputerNameW  computer_name: OSKAR-PC  success  1       0
1619663090.820499  GetComputerNameW  computer_name: OSKAR-PC  success  1       0
One or more processes crashed (2 events)

Note: neither record is a crash in the ordinary sense. Both are handled exceptions raised by a user-mode "in eax, dx" executed with eax = 1447909480 (0x564d5868, "VMXh") and edx = 22104 (0x5658, "VX"), which are the VMware backdoor magic value and I/O port. Exception code 0xc0000096 is STATUS_PRIVILEGED_INSTRUCTION, the fault a ring-3 port read produces when no VMware hypervisor services it. The bytes after the "ed" opcode ("89 5d e4", mov [ebp-0x1c], ebx) save the ebx value that VMware would have set to the magic, and "83 4d fc ff" (or dword [ebp-4], -1) is the trylevel reset MSVC emits when leaving a __try block, so the faults are expected and caught by the sample's own handler. ecx selects the backdoor command: 10 (0x0a, GETVERSION) in the first probe and 20 (0x14, GETMEMSIZE) in the second. The first record is reported again under "Detects VMWare through the in instruction feature" below.

1619663091.492499  __exception__  (status: success, return: 0, repeated: 0)
    stacktrace:
        76026020da52d031302b2efc7bf2fe64+0x3f07 @ 0x403f07
        76026020da52d031302b2efc7bf2fe64+0x1b25 @ 0x401b25
        BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
        RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
        RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5
    registers: esp=1637624  edi=0  eax=1447909480 (0x564d5868)  ebp=1637684  edx=22104 (0x5658)  ebx=1  esi=6310200  ecx=10 (0x0a)
    exception.instruction_r: ed 89 5d e4 89 4d e0 5a 59 5b 58 83 4d fc ff eb
    exception.symbol: 76026020da52d031302b2efc7bf2fe64+0x3449
    exception.instruction: in eax, dx
    exception.module: 76026020da52d031302b2efc7bf2fe64.exe
    exception.exception_code: 0xc0000096 (STATUS_PRIVILEGED_INSTRUCTION)
    exception.offset: 13385
    exception.address: 0x403449

1619663091.492499  __exception__  (status: success, return: 0, repeated: 0)
    stacktrace:
        76026020da52d031302b2efc7bf2fe64+0x3f10 @ 0x403f10
        76026020da52d031302b2efc7bf2fe64+0x1b25 @ 0x401b25
        BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
        RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
        RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5
    registers: esp=1637628  edi=0  eax=1447909480 (0x564d5868)  ebp=1637684  edx=22104 (0x5658)  ebx=1  esi=6310200  ecx=20 (0x14)
    exception.instruction_r: ed 89 45 e4 5a 59 5b 58 83 4d fc ff eb 11 33 c0
    exception.symbol: 76026020da52d031302b2efc7bf2fe64+0x34e2
    exception.instruction: in eax, dx
    exception.module: 76026020da52d031302b2efc7bf2fe64.exe
    exception.exception_code: 0xc0000096 (STATUS_PRIVILEGED_INSTRUCTION)
    exception.offset: 13538
    exception.address: 0x4034e2
Behavioral verdict

Dynamic indicators

Allocates read-write-execute memory (usually to unpack itself) (6 events)

1619649225.347605  NtAllocateVirtualMemory  (status: success, return: 0, repeated: 0)
    process_identifier: 1176   process_handle: 0xffffffff
    base_address: 0x003a0000   region_size: 225280
    protection: 64 (PAGE_EXECUTE_READWRITE)   allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
    stack_dep_bypass: 0   stack_pivoted: 0   heap_dep_bypass: 0

1619649225.347605  NtAllocateVirtualMemory  (status: success, return: 0, repeated: 0)
    process_identifier: 1176   process_handle: 0xffffffff
    base_address: 0x004b0000   region_size: 221184
    protection: 64 (PAGE_EXECUTE_READWRITE)   allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
    stack_dep_bypass: 0   stack_pivoted: 0   heap_dep_bypass: 0

1619649225.347605  NtProtectVirtualMemory  (status: success, return: 0, repeated: 0)
    process_identifier: 1176   process_handle: 0xffffffff
    base_address: 0x00400000   length: 237568
    protection: 64 (PAGE_EXECUTE_READWRITE)
    stack_dep_bypass: 0   stack_pivoted: 0   heap_dep_bypass: 0

1619663090.773499  NtAllocateVirtualMemory  (status: success, return: 0, repeated: 0)
    process_identifier: 2712   process_handle: 0xffffffff
    base_address: 0x003b0000   region_size: 225280
    protection: 64 (PAGE_EXECUTE_READWRITE)   allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
    stack_dep_bypass: 0   stack_pivoted: 0   heap_dep_bypass: 0

1619663090.773499  NtAllocateVirtualMemory  (status: success, return: 0, repeated: 0)
    process_identifier: 2712   process_handle: 0xffffffff
    base_address: 0x004b0000   region_size: 221184
    protection: 64 (PAGE_EXECUTE_READWRITE)   allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
    stack_dep_bypass: 0   stack_pivoted: 0   heap_dep_bypass: 0

1619663090.773499  NtProtectVirtualMemory  (status: success, return: 0, repeated: 0)
    process_identifier: 2712   process_handle: 0xffffffff
    base_address: 0x00400000   length: 237568
    protection: 64 (PAGE_EXECUTE_READWRITE)
    stack_dep_bypass: 0   stack_pivoted: 0   heap_dep_bypass: 0

Note: the parent (PID 1176) and the child it spawns (PID 2712) run the same sequence: two RWX commits of roughly 220 KB each, then NtProtectVirtualMemory turns the 237568 bytes (0x3a000) at the image base 0x00400000 RWX. process_handle 0xffffffff is the current-process pseudo-handle, so each process is modifying itself. Making the loaded image writable and executable at once is how a packer decrypts the real payload over its own sections before transferring control to it; a memory dump of the image taken after this call is where the unpacked payload lives.
A process created a hidden window (1 event)

1619649226.425605  CreateProcessInternalW  (status: success, return: 1, repeated: 0)
    command_line: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\76026020da52d031302b2efc7bf2fe64.exe /C
    filepath: (empty)   filepath_r: (empty)   current_directory: (empty)
    creation_flags: 134217728 (CREATE_NO_WINDOW)   inherit_handles: 0   track: 1   stack_pivoted: 0
    process_identifier: 2712   process_handle: 0x00000158
    thread_identifier: 428   thread_handle: 0x00000154

Note: the sample re-launches its own copy from %TEMP% with the switch /C and no console window. By timestamp, the child (PID 2712) then repeats the parent's RWX allocation and image re-protection sequence and is the process in which the two "in eax, dx" exceptions listed under the static indicators occur.

Expresses interest in specific running processes (1 event)

process vboxservice.exe

Note: vboxservice.exe is the VirtualBox guest additions service, so together with the VMware port probe the sample checks for both hypervisors. The guest address 192.168.56.101 in the network tables below is in the default VirtualBox host-only range, consistent with the probe for vboxservice.exe being the one that matters in this run.
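The three dynamic indicators above (RWX allocations, the image re-protected RWX, and the windowless re-launch of the sample with /C) are the signals a triage script should pull out of a trace of this kind. The following is an added example, not code from the sandbox or from the sample: it reduces records constructed from this report (fields abbreviated, sizes normalised to a single "size" key) to two findings, the PIDs that unpack in place and the hidden self-spawn with its arguments. The parent PID on the CreateProcessInternalW record (1176) is an assumption taken from the timeline; the report itself lists only the new PID 2712.

```python
"""Triage of RWX-memory and process-creation events from a sandbox trace.

Added example; not sandbox code or code from the sample. EVENTS is constructed
from the records in this report. The parent PID on the CreateProcessInternalW
record is assumed (the report only shows the child PID).
"""

PAGE_EXECUTE_READWRITE = 0x40        # protection value 64 in the records
CREATE_NO_WINDOW = 0x08000000        # creation_flags value 134217728
IMAGE_BASE = 0x00400000              # base_address of the NtProtectVirtualMemory calls
SAMPLE_NAME = "76026020da52d031302b2efc7bf2fe64.exe"

EVENTS = [
    {"ts": 1619649225.347605, "api": "NtAllocateVirtualMemory", "pid": 1176,
     "protection": 64, "base_address": 0x003a0000, "size": 225280},
    {"ts": 1619649225.347605, "api": "NtAllocateVirtualMemory", "pid": 1176,
     "protection": 64, "base_address": 0x004b0000, "size": 221184},
    {"ts": 1619649225.347605, "api": "NtProtectVirtualMemory", "pid": 1176,
     "protection": 64, "base_address": 0x00400000, "size": 237568},
    {"ts": 1619649226.425605, "api": "CreateProcessInternalW", "pid": 1176,  # parent PID assumed
     "child_pid": 2712, "creation_flags": 134217728,
     "command_line": r"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\76026020da52d031302b2efc7bf2fe64.exe /C"},
    {"ts": 1619663090.773499, "api": "NtAllocateVirtualMemory", "pid": 2712,
     "protection": 64, "base_address": 0x003b0000, "size": 225280},
    {"ts": 1619663090.773499, "api": "NtAllocateVirtualMemory", "pid": 2712,
     "protection": 64, "base_address": 0x004b0000, "size": 221184},
    {"ts": 1619663090.773499, "api": "NtProtectVirtualMemory", "pid": 2712,
     "protection": 64, "base_address": 0x00400000, "size": 237568},
]


def rwx_findings(events):
    """One (pid, kind, base, size) tuple per RWX allocation or RWX re-protection.

    kind is 'rwx_alloc' for a fresh PAGE_EXECUTE_READWRITE region, 'image_rwx'
    when the region at the image base is flipped to RWX (the original code is
    about to be overwritten in place), and 'rwx_reprotect' for any other region.
    """
    out = []
    for e in events:
        if e.get("protection") != PAGE_EXECUTE_READWRITE:
            continue
        if e["api"] == "NtAllocateVirtualMemory":
            out.append((e["pid"], "rwx_alloc", e["base_address"], e["size"]))
        elif e["api"] == "NtProtectVirtualMemory":
            kind = "image_rwx" if e["base_address"] == IMAGE_BASE else "rwx_reprotect"
            out.append((e["pid"], kind, e["base_address"], e["size"]))
    return out


def in_place_unpackers(events):
    """PIDs that both allocate RWX scratch memory and make their own image RWX."""
    kinds = {}
    for pid, kind, _base, _size in rwx_findings(events):
        kinds.setdefault(pid, set()).add(kind)
    return sorted(pid for pid, k in kinds.items() if {"rwx_alloc", "image_rwx"} <= k)


def hidden_self_spawns(events, sample_name=SAMPLE_NAME):
    """Child processes that are a windowless re-launch of the sample itself."""
    out = []
    for e in events:
        if e["api"] != "CreateProcessInternalW":
            continue
        # The recorded path contains no spaces; a quoted path would need shlex.
        image, _, args = e["command_line"].partition(" ")
        if (e["creation_flags"] & CREATE_NO_WINDOW
                and image.lower().endswith(sample_name.lower())):
            out.append({"parent": e["pid"], "child": e["child_pid"], "args": args.strip()})
    return out


if __name__ == "__main__":
    print("in-place unpackers:", in_place_unpackers(EVENTS))
    print("hidden self re-launch:", hidden_self_spawns(EVENTS))
```

The image-base check is what separates "allocated some RWX memory" (common in JIT runtimes and loaders) from "rewrote its own code section", and the self-spawn check keys on the image name rather than on CREATE_NO_WINDOW alone, since plenty of benign installers hide their child consoles.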
Network communication

Communicates with host for which no DNS query was performed (1 event)

host 172.217.24.14

Note: 172.217.24.14 is in 172.217.0.0/16, Google address space, and none of the traffic tables below record a TCP connection, HTTP request or UDP flow to it. That points to Windows background traffic rather than sample C2, but confirm from the PCAP (which process, which port) before discarding it.
Detects VMWare through the in instruction feature (1 event)

1619663091.492499  __exception__  in eax, dx at 0x403449 (76026020da52d031302b2efc7bf2fe64+0x3449), exception code 0xc0000096. This is the first of the two records listed under "One or more processes crashed" in the static indicators, with eax = 0x564d5868 ("VMXh"), edx = 0x5658 ("VX") and ecx = 0x0a; the full stack trace and register set are given there.
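What the signature above matches is the register state around the faulting instruction, and reading that state by hand is error-prone (the sandbox prints registers in decimal). The following is an added example, not code from the sandbox or from the sample: it decodes the two __exception__ records in this report as VMware backdoor probes, names the backdoor command from ecx, and states what the fault means. The records are constructed from the report with the decimal values copied as reported; the command table is the subset of VMware backdoor command numbers I am confident of (GETVERSION, GETMEMSIZE, MESSAGE), with anything else rendered by number.

```python
"""Decoding faulting 'in eax, dx' records as VMware backdoor probes.

Added example; not sandbox or sample code. EXCEPTIONS is constructed from the
two __exception__ records in this report. BACKDOOR_COMMANDS is a deliberately
small subset of the VMware backdoor command numbers.
"""
import struct

VMWARE_MAGIC = 0x564D5868   # 'VMXh', loaded into eax before the probe
VMWARE_PORT = 0x5658        # 'VX', loaded into dx before the probe
STATUS_PRIVILEGED_INSTRUCTION = 0xC0000096

BACKDOOR_COMMANDS = {0x0A: "GETVERSION", 0x14: "GETMEMSIZE", 0x1E: "MESSAGE"}

EXCEPTIONS = [
    {"address": 0x403449, "code": 0xC0000096, "instruction": "in eax, dx",
     "eax": 1447909480, "ebx": 1, "ecx": 10, "edx": 22104},
    {"address": 0x4034E2, "code": 0xC0000096, "instruction": "in eax, dx",
     "eax": 1447909480, "ebx": 1, "ecx": 20, "edx": 22104},
]


def as_tag(value, width=4):
    """Spell a register value as the ASCII tag the backdoor protocol uses ('VMXh', 'VX')."""
    fmt = ">I" if width == 4 else ">H"
    return struct.pack(fmt, value).decode("ascii", errors="replace")


def is_vmware_backdoor_probe(exc):
    """The (eax, dx) pair is the whole signature; ecx only says which query was made."""
    return (exc["instruction"].startswith("in ")
            and exc["eax"] == VMWARE_MAGIC
            and (exc["edx"] & 0xFFFF) == VMWARE_PORT)


def interpret(exc):
    """Describe one faulting port read: is it the backdoor, which command, what happened."""
    if not is_vmware_backdoor_probe(exc):
        return {"vmware_backdoor": False}
    cmd = exc["ecx"] & 0xFFFF
    # Under VMware the hypervisor services the port read and returns the magic
    # in ebx; anywhere else a ring-3 'in' is a privileged-instruction fault,
    # which is exactly what the sandbox recorded (code 0xC0000096).
    if exc["code"] == STATUS_PRIVILEGED_INSTRUCTION:
        outcome = "faulted: no VMware backdoor answered the port"
    elif exc["ebx"] == VMWARE_MAGIC:
        outcome = "answered: VMware backdoor present"
    else:
        outcome = "no fault and no magic: inconclusive"
    return {
        "vmware_backdoor": True,
        "address": exc["address"],
        "command": BACKDOOR_COMMANDS.get(cmd, f"cmd_{cmd:#04x}"),
        "magic": as_tag(exc["eax"]),
        "port": as_tag(exc["edx"] & 0xFFFF, width=2),
        "outcome": outcome,
    }


if __name__ == "__main__":
    for exc in EXCEPTIONS:
        print(interpret(exc))
```

The probe is only evidence of intent: a fault tells you the sample was not under VMware (here the sandbox is VirtualBox), not which branch the sample took next. Two probes in a row with different commands, as in this report, are the usual shape of a check that wants both a version and a memory size before trusting the answer.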
File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 of 61 events shown)

Engine  Result
Bkav W32.AIDetectVM.malware1
MicroWorld-eScan Trojan.Agent.ERFL
FireEye Trojan.Agent.ERFL
CAT-QuickHeal Trojan.WacatacPMF.S13565483
ALYac Trojan.Agent.ERFL
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2036644
AegisLab Trojan.Win32.Ursu.4!c
Sangfor Malware
K7AntiVirus Trojan ( 005673a11 )
Alibaba TrojanBanker:Win32/Bunitu.577495fa
K7GW Trojan ( 005673a11 )
Cybereason malicious.0da52d
Invincea heuristic
Cyren W32/Trojan.VZNS-1658
Symantec Packed.Generic.459
ESET-NOD32 a variant of Win32/Kryptik.HDMT
APEX Malicious
Paloalto generic.ml
GData Trojan.Agent.ERFL
Kaspersky HEUR:Trojan-Banker.Win32.Qbot.pef
BitDefender Trojan.Agent.ERFL
NANO-Antivirus Trojan.Win32.Inject3.hknfci
Tencent Malware.Win32.Gencirc.10cdcb8c
Ad-Aware Trojan.Agent.ERFL
TACHYON Trojan/W32.Agent.702976.CL
Sophos Mal/EncPk-APV
Comodo TrojWare.Win32.Qbot.GA@8sfc92
F-Secure Trojan.TR/AD.Qbot.ijlwh
DrWeb Trojan.Inject3.40208
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R011C0DEP20
Emsisoft Trojan.Agent.ERFL (B)
Ikarus Backdoor.QBot
F-Prot W32/Trojan.DZW.gen!Eldorado
Jiangmin Trojan.Zenpak.bsq
Avira TR/AD.Qbot.ijlwh
Antiy-AVL Trojan/Win32.Wacatac
Endgame malicious (high confidence)
Arcabit Trojan.Agent.ERFL
ViRobot Trojan.Win32.Qakbot.702976
ZoneAlarm HEUR:Trojan-Banker.Win32.Qbot.pef
Microsoft Trojan:Win32/Bunitu.PVI!MTB
Cynet Malicious (score: 90)
AhnLab-V3 Trojan/Win32.Bunitu.R337792
McAfee W32/PinkSbot-GS!76026020DA52
MAX malware (ai score=87)
VBA32 TrojanBanker.Qbot
Malwarebytes Trojan.Qbot
Panda Trj/GdSda.A
Visual analysis

Binary image

No binary image: no binary visualisation was generated for this sample.

Runtime screenshots

No runtime screenshots: no screenshots were captured while the sample ran.


PE Compile Time

2020-05-20 05:23:23

Note: the compile timestamp is attacker-controlled and cannot be verified. It is also later than two of the engine dates in the static verdict table (Alibaba 20190527, CrowdStrike 20190702), so neither that column nor this timestamp should be used as a first-seen date.

Imports

Library KERNEL32.dll:
0x490968 GetDriveTypeA
0x49096c GetTickCount
0x490970 GetLocalTime
0x490974 WriteFile
0x49097c SetFilePointer
0x490980 ReadFile
0x490984 MoveFileExA
0x490988 CopyFileA
0x490994 GetLongPathNameA
0x490998 GlobalAlloc
0x49099c GlobalFree
0x4909a0 SetFileAttributesA
0x4909a4 DeleteFileA
0x4909a8 GetSystemTime
0x4909ac GetComputerNameA
0x4909b0 CreateDirectoryA
0x4909b8 FindFirstFileA
0x4909bc FindNextFileA
0x4909c0 FindClose
0x4909c4 GetLastError
0x4909cc ResetEvent
0x4909d0 SetEvent
0x4909d4 CreateEventA
0x4909e8 WaitForSingleObject
0x4909ec GetModuleHandleA
0x4909f8 LocalFree
0x4909fc FormatMessageA
0x490a00 GetFileType
0x490a04 FlushFileBuffers
0x490a08 GlobalDeleteAtom
0x490a0c GlobalUnlock
0x490a10 GlobalLock
0x490a14 MultiByteToWideChar
0x490a1c DeleteAtom
0x490a20 GetCurrentThreadId
0x490a24 AddAtomA
0x490a28 RtlUnwind
0x490a2c RaiseException
0x490a30 HeapFree
0x490a34 HeapReAlloc
0x490a38 HeapAlloc
0x490a3c ExitThread
0x490a40 CreateThread
0x490a44 GetStartupInfoA
0x490a48 GetCommandLineA
0x490a4c ExitProcess
0x490a50 WideCharToMultiByte
0x490a54 TlsAlloc
0x490a58 SetLastError
0x490a5c TlsFree
0x490a60 TlsSetValue
0x490a64 TlsGetValue
0x490a68 GetACP
0x490a6c GetOEMCP
0x490a70 GetCPInfo
0x490a74 LCMapStringA
0x490a78 LCMapStringW
0x490a80 HeapDestroy
0x490a84 HeapCreate
0x490a88 VirtualFree
0x490a8c VirtualAlloc
0x490a90 IsBadWritePtr
0x490a98 HeapSize
0x490a9c GetStdHandle
0x490ab0 SetHandleCount
0x490ab4 CompareStringA
0x490ab8 CompareStringW
0x490abc GetStringTypeA
0x490ac0 GetStringTypeW
0x490ac4 IsBadReadPtr
0x490ac8 IsBadCodePtr
0x490acc GetLocaleInfoA
0x490ad0 VirtualProtect
0x490ad4 GetSystemInfo
0x490ad8 InterlockedExchange
0x490adc SetStdHandle
0x490ae4 GetCurrentProcessId
0x490aec SetEndOfFile
0x490af4 GetModuleFileNameA
0x490afc GetVersion
0x490b0c OpenProcess
0x490b10 TerminateProcess
0x490b14 GetVersionExA
0x490b18 GetCurrentProcess
0x490b1c FreeLibrary
0x490b20 LoadLibraryA
0x490b24 GetProcAddress
0x490b28 CreateFileA
0x490b2c GetFileSize
0x490b30 CreateFileMappingA
0x490b34 CloseHandle
0x490b38 MapViewOfFile
0x490b3c VirtualQuery
0x490b40 UnmapViewOfFile
0x490b4c lstrlenA
0x490b50 GetFullPathNameA
0x490b54 GetModuleHandleW
Library USER32.dll:
0x490b5c GetDC
0x490b60 SetDeskWallpaper
0x490b6c LoadIconA
0x490b70 LoadCursorFromFileW
0x490b74 CharNextA
Library COMDLG32.dll:
0x490b7c GetFileTitleW
Library ADVAPI32.dll:
0x490b84 RegCloseKey
0x490b88 RegOpenKeyA
0x490b8c RegQueryValueExA
Library SHELL32.dll:
0x490b94 DragFinish
Library ole32.dll:
0x490b9c OleRun
Library SHLWAPI.dll:
0x490ba4 PathIsUNCW
Library COMCTL32.dll:
Library IMM32.dll:
0x490bb4 ImmGetContext

Note: the KERNEL32 set contains everything the unpacking sequence in the dynamic indicators needs (VirtualAlloc, VirtualProtect, LoadLibraryA, GetProcAddress, CreateFileMappingA and MapViewOfFile), the environment probes (GetComputerNameA, GetTickCount, GetDriveTypeA, GetSystemInfo, GetVersionExA) and OpenProcess/TerminateProcess. The static indicators record calls to GetComputerNameW, which is not in this table, so at least that call was resolved at runtime rather than through the import table. Each remaining library contributes one or two unrelated functions (SetDeskWallpaper, GetFileTitleW, DragFinish, OleRun, PathIsUNCW, ImmGetContext) and COMCTL32.dll imports nothing by name, a layout commonly seen in crypter stubs that pad the import table.

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source port  Destination      Hostname          Destination port
192.168.56.101  50534        114.114.114.114                    53
192.168.56.101  51963        114.114.114.114                    53
192.168.56.101  56539        114.114.114.114                    53
192.168.56.101  58367        114.114.114.114                    53
192.168.56.101  65004        114.114.114.114                    53
192.168.56.101  137          192.168.56.255                     137
192.168.56.101  138          192.168.56.255                     138
192.168.56.101  123          20.189.79.72     time.windows.com  123
192.168.56.101  49235        224.0.0.252                        5355
192.168.56.101  56804        224.0.0.252                        5355
192.168.56.101  60123        224.0.0.252                        5355
192.168.56.101  62191        224.0.0.252                        5355
192.168.56.101  1900         239.255.255.250                    1900
192.168.56.101  56540        239.255.255.250                    3702
192.168.56.101  56807        239.255.255.250                    1900
192.168.56.101  58368        239.255.255.250                    3702
192.168.56.101  58370        239.255.255.250                    3702
192.168.56.101  58707        239.255.255.250                    3702

Note: all 18 flows are protocols a Windows guest emits on its own: DNS to the 114.114.114.114 resolver, NetBIOS name and datagram broadcasts to 192.168.56.255, NTP to time.windows.com, LLMNR (224.0.0.252:5355), SSDP (239.255.255.250:1900) and WS-Discovery (239.255.255.250:3702). The table omits the names in the five DNS queries, which are the only part of this capture that could carry a C2 domain, and the 172.217.24.14 contact flagged under Network communication does not appear in any table; both need the PCAP.
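Reading a capture like the one above means first subtracting the guest's own background chatter so that whatever is left can be attributed to the sample. The following is an added example, not code from the sandbox or from the sample: it parses the UDP table (constructed here from this report), labels every flow that a clean Windows guest explains by itself, and returns the remainder. The /24 used to recognise the subnet broadcast is an assumption; a VirtualBox host-only 192.168.56.0/24 fits the addresses seen.

```python
"""Separating a sandbox guest's background traffic from what the sample sent.

Added example; not sandbox or sample code. UDP_TABLE is constructed from the
UDP table in this report. The guest subnet prefix (/24) is an assumption.
"""
import ipaddress

UDP_TABLE = """\
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58370 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
"""

LLMNR_GROUP = ipaddress.ip_address("224.0.0.252")
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")


def parse_flows(text):
    """Rows are 'src sport dst [hostname] dport'; the optional hostname is dropped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        flows.append({"src": parts[0], "sport": int(parts[1]),
                      "dst": parts[2], "dport": int(parts[-1])})
    return flows


def background_label(flow, guest_prefix=24):
    """Name the Windows background protocol this flow matches, or None.

    Matching is by destination and port only, so a label means "explained by a
    protocol a clean guest emits anyway", not "benign": C2 over UDP/53 or
    UDP/123 would still be labelled here, and the queried DNS names (which the
    sandbox table omits) are the part actually worth reading from the PCAP.
    """
    dst = ipaddress.ip_address(flow["dst"])
    port = flow["dport"]
    subnet = ipaddress.ip_network(f'{flow["src"]}/{guest_prefix}', strict=False)
    if port == 53:
        return "DNS query"
    if port == 123:
        return "NTP"
    if dst == subnet.broadcast_address and port in (137, 138):
        return "NetBIOS broadcast"
    if dst == LLMNR_GROUP and port == 5355:
        return "LLMNR"
    if dst == SSDP_GROUP and port == 1900:
        return "SSDP"
    if dst == SSDP_GROUP and port == 3702:
        return "WS-Discovery"
    return None


def triage(flows):
    """Return ({label: count}, [flows that no background protocol explains])."""
    counts, unexplained = {}, []
    for flow in flows:
        label = background_label(flow)
        if label is None:
            unexplained.append(flow)
        else:
            counts[label] = counts.get(label, 0) + 1
    return counts, unexplained


if __name__ == "__main__":
    counts, leftovers = triage(parse_flows(UDP_TABLE))
    print(counts)
    print("unexplained:", leftovers)
```

For this capture the unexplained list is empty, which is the correct reading of the tables: the sample produced no attributable network activity in the 72-second run, and the DNS names and the flagged 172.217.24.14 contact remain to be checked in the raw PCAP.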

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.