9.2
Critical

251960c51a68122710e9f928d7ea49ea52573f6e9af906e47ce91cfd518e39a7

790289a06e599ab7fae2b0ebaaf482b0.exe

Analysis time

86s

Last analysis

File size

80.6KB
Static detection / dynamic detection tags: 100% AI SCORE=87 AUTOG BASED BITCOINMINER BOTX BSCOPE CLASSIC CLIPTOSHUFFLER CONFIDENCE FUERBOOSBQ GDSDA GENCIRC GENERICRXLT HIGH CONFIDENCE HUKSUE MALWARE@#3HOJZGWYJUGQD MAXIMU MISC MZNX PHORPIEX QVM07 R + TROJ RECONYC SCORE SIGGEN10 SUSGEN SUSPICIOUS PE TROJANBANKER UNSAFE VILSEL WACATAC ZUXMIB7E
鹰眼引擎 (Eagle Eye engine)
Not detected: no 鹰眼引擎 (Eagle Eye engine) detection results are available.
Static verdict
Antivirus engines
Engine       Result                              Scan date  Engine version
McAfee       GenericRXLT-YF!790289A06E59         20201027   6.0.6.653
Alibaba      Worm:Win32/Reconyc.faed1b0f         20190527   0.3.0.5
CrowdStrike  win/malicious_confidence_100% (W)   20190702   1.0
Baidu        -                                   20190318   1.0.0.2
Avast        Win32:BotX-gen [Trj]                20201027   18.4.3895.0
Tencent      Malware.Win32.Gencirc.11ae6532      20201027   1.0.0.1
Kingsoft     -                                   20201027   2013.8.14.323
Behavior verdict
Dynamic indicators
Performs some HTTP requests (1 event)
request GET http://tsrv1.ws/1
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\1530329837.exe
Creates a suspicious process (1 event)
cmdline C:\11846296928918\svchost.exe
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time               API                   Arguments            Status  Return  Repeated
1620789258.271249  GetAdaptersAddresses  flags: 0, family: 0  failed  111     0
Network communication
Communicates with host for which no DNS query was performed (4 events)
host 113.108.239.196
host 172.217.24.14
host 203.208.41.65
host 203.208.41.66
Installs itself for autorun at Windows startup (2 events)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services reg_value C:\11846296928918\svchost.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services reg_value C:\11846296928918\svchost.exe
Operates on local firewall's policies and settings (1 event)
registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 events)
Time & API / Arguments / Status / Return / Repeated. Every regkey in this table is HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ followed by the subkey (if any) and the value name (regkey_r); REG_BINARY values are shown as the sandbox rendered the raw bytes.

Time               API             key_handle  subkey                                  value name (regkey_r)  reg_type        value                                   status   return  repeated
1620789260.818249  RegSetValueExA  0x000003bc  {40112ABE-63B3-43C3-BE93-1440EE3AF106}  WpadDecisionReason     4 (REG_DWORD)   1                                       success  0       0
1620789260.818249  RegSetValueExA  0x000003bc  {40112ABE-63B3-43C3-BE93-1440EE3AF106}  WpadDecisionTime       3 (REG_BINARY)  ¼èF×                                    success  0       0
1620789260.818249  RegSetValueExA  0x000003bc  {40112ABE-63B3-43C3-BE93-1440EE3AF106}  WpadDecision           4 (REG_DWORD)   3                                       success  0       0
1620789260.818249  RegSetValueExW  0x000003bc  {40112ABE-63B3-43C3-BE93-1440EE3AF106}  WpadNetworkName        1 (REG_SZ)      网络 2                                  success  0       0
1620789260.818249  RegSetValueExA  0x000003d4  0a-00-27-00-00-00                       WpadDecisionReason     4 (REG_DWORD)   1                                       success  0       0
1620789260.818249  RegSetValueExA  0x000003d4  0a-00-27-00-00-00                       WpadDecisionTime       3 (REG_BINARY)  ¼èF×                                    success  0       0
1620789260.818249  RegSetValueExA  0x000003d4  0a-00-27-00-00-00                       WpadDecision           4 (REG_DWORD)   3                                       success  0       0
1620789260.818249  RegSetValueExW  0x000003b8  (none)                                  WpadLastNetwork        1 (REG_SZ)      {40112ABE-63B3-43C3-BE93-1440EE3AF106}  success  0       0
1620789266.474249  RegSetValueExA  0x000003d8  {40112ABE-63B3-43C3-BE93-1440EE3AF106}  WpadDecisionReason     4 (REG_DWORD)   1                                       success  0       0
1620789266.474249  RegSetValueExA  0x000003d8  {40112ABE-63B3-43C3-BE93-1440EE3AF106}  WpadDecisionTime       3 (REG_BINARY)  !èF×                                    success  0       0
1620789266.474249  RegSetValueExA  0x000003d8  {40112ABE-63B3-43C3-BE93-1440EE3AF106}  WpadDecision           4 (REG_DWORD)   0                                       success  0       0
1620789266.474249  RegSetValueExW  0x000003d8  {40112ABE-63B3-43C3-BE93-1440EE3AF106}  WpadNetworkName        1 (REG_SZ)      网络 2                                  success  0       0
1620789266.474249  RegSetValueExA  0x000003d0  0a-00-27-00-00-00                       WpadDecisionReason     4 (REG_DWORD)   1                                       success  0       0
1620789266.474249  RegSetValueExA  0x000003d0  0a-00-27-00-00-00                       WpadDecisionTime       3 (REG_BINARY)  !èF×                                    success  0       0
1620789266.474249  RegSetValueExA  0x000003d0  0a-00-27-00-00-00                       WpadDecision           4 (REG_DWORD)   0                                       success  0       0
Modifies security center warnings (4 events)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
Attempts to remove evidence of file being downloaded from the Internet (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\790289a06e599ab7fae2b0ebaaf482b0.exe:Zone.Identifier
file C:\11846296928918\svchost.exe:Zone.Identifier
Disables Windows Security features (4 events)
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events shown)
Bkav W32.FuerboosBQ.Trojan
Elastic malicious (high confidence)
MicroWorld-eScan Dropped:Generic.Malware.SYd.B595D5FC
FireEye Generic.mg.790289a06e599ab7
CAT-QuickHeal Trojan.Wacatac
McAfee GenericRXLT-YF!790289A06E59
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 005533551 )
Alibaba Worm:Win32/Reconyc.faed1b0f
K7GW Trojan ( 005533551 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Generic.Malware.SYd.B595D5FC
Cyren W32/Downloader-Web-based!Maximu
Symantec Trojan Horse
APEX Malicious
Paloalto generic.ml
Kaspersky Trojan.Win32.Reconyc.mznx
BitDefender Dropped:Generic.Malware.SYd.B595D5FC
NANO-Antivirus Trojan.Win32.Reconyc.huksue
ViRobot Trojan.Win32.Z.Phorpiex.82583
Avast Win32:BotX-gen [Trj]
Tencent Malware.Win32.Gencirc.11ae6532
Ad-Aware Dropped:Generic.Malware.SYd.B595D5FC
Comodo Malware@#3hojzgwyjugqd
DrWeb Trojan.Siggen10.14421
VIPRE Trojan.Win32.Generic!BT
Invincea Mal/Generic-R + Troj/AutoG-JD
McAfee-GW-Edition BehavesLike.Win32.Generic.mm
Sophos Troj/AutoG-JD
SentinelOne DFI - Suspicious PE
Webroot W32.Trojan.Gen
Avira TR/Downloader.Gen
eGambit Unsafe.AI_Score_92%
Microsoft Trojan:Win32/Phorpiex!MTB
AegisLab Trojan.Win32.Reconyc.4!c
ZoneAlarm Trojan.Win32.Reconyc.mznx
GData Dropped:Generic.Malware.SYd.B595D5FC
AhnLab-V3 Trojan/Win32.Vilsel.C4197391
BitDefenderTheta AI:Packer.F9A9DBA120
ALYac Misc.Riskware.BitCoinMiner
MAX malware (ai score=87)
VBA32 BScope.TrojanBanker.CliptoShuffler
ESET-NOD32 a variant of Win32/Phorpiex.V
Rising Worm.Phorpiex!1.CA88 (CLASSIC)
Yandex Worm.Phorpiex!zUxmIB7E/LQ
Ikarus Worm.Win32.Phorpiex
MaxSecure Trojan.Malware.106417477.susgen
Fortinet W32/Phorpiex.V!worm
AVG Win32:BotX-gen [Trj]
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.78:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran.


PE Compile Time

2020-09-08 03:37:19

Imports

Library MSVCRT.dll:
0x4050fc memcpy
0x405100 _controlfp
0x405104 _except_handler3
0x405108 __set_app_type
0x40510c __p__fmode
0x405110 __p__commode
0x405114 _adjust_fdiv
0x405118 __setusermatherr
0x40511c _initterm
0x405120 __getmainargs
0x405124 _acmdln
0x405128 exit
0x40512c _XcptFilter
0x405130 _exit
0x405134 wcsstr
0x405138 wcslen
0x40513c _wfopen
0x405140 fseek
0x405144 ftell
0x405148 fclose
0x40514c mbstowcs
0x405150 srand
0x405154 rand
0x405158 memset
0x40515c strlen
0x405160 isalpha
0x405164 isdigit
Library WININET.dll:
0x4051c0 InternetOpenA
0x4051c4 InternetOpenUrlA
0x4051c8 HttpQueryInfoA
0x4051cc InternetOpenW
0x4051d0 InternetOpenUrlW
0x4051d4 InternetReadFile
0x4051d8 InternetCloseHandle
Library urlmon.dll:
0x4051ec URLDownloadToFileW
Library SHLWAPI.dll:
0x405174 StrCmpNW
0x405178 PathFileExistsW
0x40517c PathFindFileNameW
0x405180 PathMatchSpecW
Library KERNEL32.dll:
0x40503c CopyFileW
0x405040 lstrcmpiW
0x405044 CreateDirectoryW
0x405048 FindFirstFileW
0x40504c lstrcmpW
0x405050 MoveFileExW
0x405054 FindNextFileW
0x405058 SetFileAttributesW
0x40505c RemoveDirectoryW
0x405060 GetLogicalDrives
0x405064 GetDriveTypeW
0x405068 QueryDosDeviceW
0x40506c lstrcpyW
0x405074 WriteFile
0x40507c GetModuleFileNameW
0x405080 CreateProcessW
0x405084 CreateThread
0x405088 DeleteFileA
0x40508c ExitProcess
0x405090 GetLastError
0x405094 CreateMutexA
0x405098 CopyFileA
0x40509c MoveFileW
0x4050a0 MoveFileA
0x4050a4 GetModuleHandleA
0x4050a8 GetStartupInfoA
0x4050ac FindClose
0x4050b0 GetTickCount
0x4050b4 GlobalUnlock
0x4050b8 GlobalLock
0x4050bc GlobalAlloc
0x4050c0 ExitThread
0x4050c4 Sleep
0x4050c8 SetEndOfFile
0x4050cc SetFilePointer
0x4050d0 CloseHandle
0x4050d4 UnmapViewOfFile
0x4050d8 HeapFree
0x4050dc HeapAlloc
0x4050e0 GetProcessHeap
0x4050e4 MapViewOfFile
0x4050e8 CreateFileMappingA
0x4050ec GetFileSize
0x4050f0 CreateFileW
0x4050f4 DeleteFileW
Library USER32.dll:
0x405188 FindWindowA
0x40518c CloseWindow
0x405190 SetFocus
0x405194 wsprintfA
0x405198 ShowWindow
0x40519c FindWindowW
0x4051a0 wsprintfW
0x4051a4 GetClipboardData
0x4051a8 OpenClipboard
0x4051ac CloseClipboard
0x4051b0 EmptyClipboard
0x4051b4 SetClipboardData
0x4051b8 SetForegroundWindow
Library ADVAPI32.dll:
0x405004 CryptEncrypt
0x405008 CryptImportKey
0x405010 CryptHashData
0x405014 CryptCreateHash
0x405018 RegCloseKey
0x40501c RegQueryValueExW
0x405020 RegOpenKeyExW
0x405024 RegCreateKeyExA
0x405028 RegSetValueExA
0x40502c RegOpenKeyExA
0x405030 RegSetValueExW
0x405034 CryptDestroyKey
Library SHELL32.dll:
0x40516c ShellExecuteW
Library ole32.dll:
0x4051e0 CoInitializeEx
0x4051e4 CoCreateInstance

Hosts

No hosts contacted.

TCP

Source          Source port  Destination                Destination port
192.168.56.101  49182        185.215.113.93 (tsrv1.ws)  80
192.168.56.101  49183        185.215.113.93 (tsrv1.ws)  80

UDP

Source          Source port  Destination                     Destination port
192.168.56.101  49235        114.114.114.114                 53
192.168.56.101  54178        114.114.114.114                 53
192.168.56.101  55368        114.114.114.114                 53
192.168.56.101  56539        114.114.114.114                 53
192.168.56.101  58367        114.114.114.114                 53
192.168.56.101  62912        114.114.114.114                 53
192.168.56.101  63429        114.114.114.114                 53
192.168.56.101  137          192.168.56.255                  137
192.168.56.101  138          192.168.56.255                  138
192.168.56.101  123          20.189.79.72 (time.windows.com) 123
192.168.56.101  50002        224.0.0.252                     5355
192.168.56.101  50534        224.0.0.252                     5355
192.168.56.101  51963        224.0.0.252                     5355
192.168.56.101  53210        224.0.0.252                     5355
192.168.56.101  53657        224.0.0.252                     5355
192.168.56.101  56804        224.0.0.252                     5355
192.168.56.101  57756        224.0.0.252                     5355
192.168.56.101  57874        224.0.0.252                     5355
192.168.56.101  60221        224.0.0.252                     5355
192.168.56.101  60384        224.0.0.252                     5355

HTTP & HTTPS Requests

URI: http://tsrv1.ws/1
Data:
GET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Host: tsrv1.ws

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.