SmartHawk

9.2

极危

58 个模型检测该样本为恶意！

重新分析

下载样本

53fc930624ef2347109996f6aca4ad7520cbbfdf354e662351ded8db4ae82b32

7f50a5f0a5b9f0f07f207b3576e89041.exe

分析耗时

78s

最近分析

文件大小

828.5KB

静态报毒动态报毒 100% AGENSLA AGENTTESLA AI SCORE=86 AKFG ATTRIBUTE AVSARHER AVVZB BSK66A CONFIDENCE DYSGZE ELDORADO FAREIT GDSDA GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE HTNNDF INJECT3 KRYPTIK MALICIOUS PE MALWARE@#12JPI0EY8KXAV MALWAREX NEGASTEAL QQPASS QQROB SCORE SUSGEN TSCOPE UNSAFE YAKBEEXMSIL ZEMSILF ZM0@AYGAZ 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	TrojanSpy:MSIL/AgentTesla.a46bd12e	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:MalwareX-gen [Trj]	20201027	18.4.3895.0
Tencent	Msil.Trojan-qqpass.Qqrob.Akfg	20201027	1.0.0.1
Kingsoft		20201027	2013.8.14.323
McAfee	Fareit-FYV!7F50A5F0A5B9	20201027	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (4 个事件)

Time & API	Arguments	Status	Return
1619668178.838501 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619668180.572501 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619668182.822501 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619668183.822501 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (7 个事件)

Time & API	Arguments	Status	Return	Repeated
1619649227.092895 IsDebuggerPresent		failed	0	0
1619649227.108895 IsDebuggerPresent		failed	0	0
1619649272.139895 IsDebuggerPresent		failed	0	0
1619649272.639895 IsDebuggerPresent		failed	0	0
1619649273.155895 IsDebuggerPresent		failed	0	0
1619668166.338501 IsDebuggerPresent		failed	0	0
1619668166.354501 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619649227.155895 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619668182.541501 __exception__	stacktrace: 0x23fea65 0x23fdd28 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 3468160 registers.edi: 3468188 registers.eax: 0 registers.ebp: 3468204 registers.edx: 8 registers.ebx: 0 registers.esi: 40085192 registers.ecx: 0 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc b8 7f 56 d5 5c e9 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x45c25e2	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619668182.541501
__exception__

stacktrace:

0x23fea65
0x23fdd28
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3468160
registers.edi: 3468188
registers.eax: 0
registers.ebp: 3468204
registers.edx: 8
registers.ebx: 0
registers.esi: 40085192
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc b8 7f 56 d5 5c e9
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x45c25e2

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 165 个事件)

Time & API	Arguments	Status	Return
1619649226.342895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00690000	success	0
1619649226.342895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00790000	success	0
1619649226.749895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02140000	success	0
1619649226.749895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x022c0000	success	0
1619649226.905895 NtProtectVirtualMemory	process_identifier: 1432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success	0
1619649227.092895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02300000	success	0
1619649227.092895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02470000	success	0
1619649227.108895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0043a000	success	0
1619649227.108895 NtProtectVirtualMemory	process_identifier: 1432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success	0
1619649227.108895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00432000	success	0
1619649227.546895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00442000	success	0
1619649227.671895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00475000	success	0
1619649227.671895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0047b000	success	0
1619649227.671895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00477000	success	0
1619649227.874895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00443000	success	0
1619649227.936895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0044c000	success	0
1619649228.358895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00444000	success	0
1619649228.374895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00446000	success	0
1619649228.483895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00780000	success	0
1619649228.592895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0046a000	success	0
1619649228.592895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00467000	success	0
1619649228.749895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00466000	success	0
1619649228.764895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0044a000	success	0
1619649228.983895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0043c000	success	0
1619649229.092895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00781000	success	0
1619649229.108895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00447000	success	0
1619649229.342895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00448000	success	0
1619649229.452895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00910000	success	0
1619649229.577895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00449000	success	0
1619649229.592895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00782000	success	0
1619649262.624895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x022c1000	success	0
1619649262.733895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00784000	success	0
1619649263.030895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04950000	success	0
1619649263.046895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00785000	success	0
1619649263.155895 NtProtectVirtualMemory	process_identifier: 1432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 434176 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x06170400	failed	3221225550
1619649271.327895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00786000	success	0
1619649271.327895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00787000	success	0
1619649271.342895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04951000	success	0
1619649271.342895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00788000	success	0
1619649271.421895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00789000	success	0
1619649271.561895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0078a000	success	0
1619649271.749895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0078b000	success	0
1619649271.811895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0078c000	success	0
1619649271.811895 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0078e000	success	0
1619649271.811895 NtProtectVirtualMemory	process_identifier: 1432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x06170178	failed	3221225550
1619649271.827895 NtProtectVirtualMemory	process_identifier: 1432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x061701a0	failed	3221225550
1619649271.827895 NtProtectVirtualMemory	process_identifier: 1432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x061701c8	failed	3221225550
1619649271.827895 NtProtectVirtualMemory	process_identifier: 1432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x061701f0	failed	3221225550
1619649271.827895 NtProtectVirtualMemory	process_identifier: 1432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x06170218	failed	3221225550
1619649271.827895 NtProtectVirtualMemory	process_identifier: 1432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x061dadbe	failed	3221225550

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.954150353307624

section

{'size_of_data': '0x00092c00', 'virtual_address': '0x00002000', 'entropy': 7.954150353307624, 'name': '.text', 'virtual_size': '0x00092bac'}

description

A section with a high entropy has been found

entropy

0.7089371980676329

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619649263.139895 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619668178.213501 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619649272.780895 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2952 process_handle: 0x0000f5d0	failed	0	0
1619649272.780895 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2952 process_handle: 0x0000f5d0	success	0	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619649272.467895 NtAllocateVirtualMemory	process_identifier: 2952 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000efe8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619649272.858895 NtAllocateVirtualMemory	process_identifier: 2496 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00007ddc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Manipulates memory of a non-child process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1432 manipulating memory of non-child process 2952
1619649272.467895 NtAllocateVirtualMemory	process_identifier: 2952 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000efe8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619649272.858895 WriteProcessMemory	process_identifier: 2496 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL'å_àVþt @ À@¬tOØ H.textU V `.rsrcØX@@.reloc \@B process_handle: 0x00007ddc base_address: 0x00400000	success	1
1619649272.874895 WriteProcessMemory	process_identifier: 2496 buffer: 0HX\|\|4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ÜStringFileInfo¸000004b0,FileDescription 0FileVersion0.0.0.0TInternalNameNRMOeaUVVkwIAtJShsOH.exe(LegalCopyright \OriginalFilenameNRMOeaUVVkwIAtJShsOH.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x00007ddc base_address: 0x00448000	success	1
1619649272.874895 WriteProcessMemory	process_identifier: 2496 buffer: p5 process_handle: 0x00007ddc base_address: 0x0044a000	success	1
1619649272.874895 WriteProcessMemory	process_identifier: 2496 buffer: @ process_handle: 0x00007ddc base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619649272.858895 WriteProcessMemory	process_identifier: 2496 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL'å_àVþt @ À@¬tOØ H.textU V `.rsrcØX@@.reloc \@B process_handle: 0x00007ddc base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1432 called NtSetContextThread to modify thread in remote process 2496
1619649272.874895 NtSetContextThread	thread_handle: 0x0000f5d0 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4486398 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2496	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1432 resumed a thread in remote process 2496
1619649273.155895 NtResumeThread	thread_handle: 0x0000f5d0 suspend_count: 1 process_identifier: 2496	success	0	0

Executed a process and injected code into it, probably while unpacking (24 个事件)

Time & API	Arguments	Status	Return
1619649227.108895 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 1432	success	0
1619649227.124895 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 1432	success	0
1619649227.264895 NtResumeThread	thread_handle: 0x00000170 suspend_count: 1 process_identifier: 1432	success	0
1619649272.077895 NtResumeThread	thread_handle: 0x0000e6c8 suspend_count: 1 process_identifier: 1432	success	0
1619649272.124895 NtResumeThread	thread_handle: 0x0000bfdc suspend_count: 1 process_identifier: 1432	success	0
1619649272.467895 CreateProcessInternalW	thread_identifier: 2520 thread_handle: 0x000026ac process_identifier: 2952 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7f50a5f0a5b9f0f07f207b3576e89041.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7f50a5f0a5b9f0f07f207b3576e89041.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000efe8 inherit_handles: 0	success	1
1619649272.467895 NtGetContextThread	thread_handle: 0x000026ac	success	0
1619649272.467895 NtAllocateVirtualMemory	process_identifier: 2952 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000efe8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619649272.858895 CreateProcessInternalW	thread_identifier: 1124 thread_handle: 0x0000f5d0 process_identifier: 2496 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7f50a5f0a5b9f0f07f207b3576e89041.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7f50a5f0a5b9f0f07f207b3576e89041.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00007ddc inherit_handles: 0	success	1
1619649272.858895 NtGetContextThread	thread_handle: 0x0000f5d0	success	0
1619649272.858895 NtAllocateVirtualMemory	process_identifier: 2496 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00007ddc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619649272.858895 WriteProcessMemory	process_identifier: 2496 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL'å_àVþt @ À@¬tOØ H.textU V `.rsrcØX@@.reloc \@B process_handle: 0x00007ddc base_address: 0x00400000	success	1
1619649272.858895 WriteProcessMemory	process_identifier: 2496 buffer: process_handle: 0x00007ddc base_address: 0x00402000	success	1
1619649272.874895 WriteProcessMemory	process_identifier: 2496 buffer: 0HX\|\|4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ÜStringFileInfo¸000004b0,FileDescription 0FileVersion0.0.0.0TInternalNameNRMOeaUVVkwIAtJShsOH.exe(LegalCopyright \OriginalFilenameNRMOeaUVVkwIAtJShsOH.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x00007ddc base_address: 0x00448000	success	1
1619649272.874895 WriteProcessMemory	process_identifier: 2496 buffer: p5 process_handle: 0x00007ddc base_address: 0x0044a000	success	1
1619649272.874895 WriteProcessMemory	process_identifier: 2496 buffer: @ process_handle: 0x00007ddc base_address: 0x7efde008	success	1
1619649272.874895 NtSetContextThread	thread_handle: 0x0000f5d0 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4486398 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2496	success	0
1619649273.155895 NtResumeThread	thread_handle: 0x0000f5d0 suspend_count: 1 process_identifier: 2496	success	0
1619668166.354501 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2496	success	0
1619668166.354501 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 2496	success	0
1619668166.385501 NtResumeThread	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 2496	success	0
1619668180.338501 NtResumeThread	thread_handle: 0x000002e4 suspend_count: 1 process_identifier: 2496	success	0
1619668180.400501 NtResumeThread	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2496	success	0
1619668182.682501 NtResumeThread	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 2496	success	0

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.34425744
FireEye	Generic.mg.7f50a5f0a5b9f0f0
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
ALYac	Trojan.GenericKD.34425744
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.2456840
Sangfor	Malware
K7AntiVirus	Trojan ( 0056d50d1 )
Alibaba	TrojanSpy:MSIL/AgentTesla.a46bd12e
K7GW	Trojan ( 0056d50d1 )
Cybereason	malicious.b3a95b
Arcabit	Trojan.Generic.D20D4B90
Invincea	Mal/Generic-S
Cyren	W32/MSIL_Kryptik.BLL.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.34425744
NANO-Antivirus	Trojan.Win32.Agensla.htnndf
Avast	Win32:MalwareX-gen [Trj]
Tencent	Msil.Trojan-qqpass.Qqrob.Akfg
Ad-Aware	Trojan.GenericKD.34425744
Emsisoft	Trojan.GenericKD.34425744 (B)
Comodo	Malware@#12jpi0ey8kxav
F-Secure	Trojan.TR/Dropper.MSIL.avvzb
DrWeb	Trojan.Inject3.53142
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TrojanSpy.MSIL.NEGASTEAL.DYSGZE
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
MaxSecure	Trojan.Malware.74499699.susgen
Sophos	Mal/Generic-S
SentinelOne	DFI - Malicious PE
Webroot	W32.Trojan.Gen
Avira	TR/Dropper.MSIL.avvzb
Microsoft	TrojanSpy:MSIL/AgentTesla.AQ!MTB
AegisLab	Trojan.MSIL.Agensla.i!c
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	Trojan.GenericKD.34425744
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Inject.C4183978
McAfee	Fareit-FYV!7F50A5F0A5B9
MAX	malware (ai score=86)
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.Dropper
Zoner	Trojan.Win32.92901
ESET-NOD32	a variant of MSIL/Kryptik.XLS
TrendMicro-HouseCall	TrojanSpy.MSIL.NEGASTEAL.DYSGZE
Yandex	Trojan.AvsArher.bSK66A

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-26 10:20:27

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58370	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.