8.8
极危
52 个模型检测该样本为恶意!
重新分析
更多

d606ad2f22a8def869afd7e352766c880404a40948ac435d62d136ea7d61efcc

8064e37c00d515ab176fdfd48b40bde5.exe

分析耗时

68s

最近分析

文件大小

622.0KB
静态报毒 动态报毒 100% AGENSLA AGENTTESLA AI SCORE=85 AUTO BTQ9D6 CLOUD CONFIDENCE ELDORADO GENERICKD GENKRYPTIK HIGH CONFIDENCE IGENT KRYPTIK MALICIOUS PE MM0@ACOZL5N MSILKRYPT PWSX R002C0WF620 R339683 SCORE SIGGEN9 TROJANPSW UNSAFE VQZHA ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee RDN/Generic.dx 20200619 6.0.6.653
Alibaba TrojanPSW:MSIL/Kryptik.92ff0141 20190527 0.3.0.5
Tencent Win32.Trojan.Inject.Auto 20200619 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft 20200619 2013.8.14.323
Avast Win32:PWSX-gen [Trj] 20200619 18.4.3895.0
CrowdStrike win/malicious_confidence_70% (W) 20190702 1.0
静态指标
Checks if process is being debugged by a debugger (1 个事件)
Time & API Arguments Status Return Repeated
1619703973.086499
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619703973.664499
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 51 个事件)
Time & API Arguments Status Return Repeated
1619703971.914499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00c40000
success 0 0
1619703971.914499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00e00000
success 0 0
1619703972.961499
NtProtectVirtualMemory
process_identifier: 1164
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c51000
success 0 0
1619703973.086499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0032a000
success 0 0
1619703973.086499
NtProtectVirtualMemory
process_identifier: 1164
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c52000
success 0 0
1619703973.086499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00322000
success 0 0
1619703973.398499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00332000
success 0 0
1619703973.492499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00333000
success 0 0
1619703973.508499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0046b000
success 0 0
1619703973.508499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00467000
success 0 0
1619703973.539499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0033c000
success 0 0
1619703973.601499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00760000
success 0 0
1619703973.648499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00761000
success 0 0
1619703973.664499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00762000
success 0 0
1619703973.664499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00763000
success 0 0
1619703973.680499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00764000
success 0 0
1619703973.867499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00334000
success 0 0
1619703974.508499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00335000
success 0 0
1619703974.523499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00336000
success 0 0
1619703974.539499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00337000
success 0 0
1619703974.539499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00765000
success 0 0
1619703974.617499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0034a000
success 0 0
1619703974.617499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00347000
success 0 0
1619703974.617499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0045a000
success 0 0
1619703974.633499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0032b000
success 0 0
1619703974.726499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00346000
success 0 0
1619703974.742499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00766000
success 0 0
1619703974.758499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00767000
success 0 0
1619703975.008499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00452000
success 0 0
1619703975.070499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00465000
success 0 0
1619704008.430499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00e01000
success 0 0
1619704008.617499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00338000
success 0 0
1619704008.695499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x04d90000
success 0 0
1619704008.695499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ec0000
success 0 0
1619704008.695499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ec1000
success 0 0
1619704008.742499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ec2000
success 0 0
1619704008.773499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ec3000
success 0 0
1619704008.773499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ec4000
success 0 0
1619704008.773499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ec5000
success 0 0
1619704008.773499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ec7000
success 0 0
1619704008.773499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ec9000
success 0 0
1619704008.773499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ecd000
success 0 0
1619704008.773499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00768000
success 0 0
1619704008.773499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00339000
success 0 0
1619704008.820499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ede000
success 0 0
1619704008.820499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00769000
success 0 0
1619704008.836499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04edf000
success 0 0
1619704008.851499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0076a000
success 0 0
1619704009.039499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0033a000
success 0 0
1619704010.164499
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04760000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.8177269497122355 section {'size_of_data': '0x0008a400', 'virtual_address': '0x00002000', 'entropy': 7.8177269497122355, 'name': '.text', 'virtual_size': '0x0008a304'} description A section with a high entropy has been found
entropy 0.8897827835880934 description Overall entropy of this PE file is high
网络通信
Communicates with host for which no DNS query was performed (3 个事件)
host 172.217.24.14
host 203.208.41.33
host 203.208.41.34
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619704010.164499
NtAllocateVirtualMemory
process_identifier: 2120
region_size: 172032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Potential code injection by writing to the memory of another process (2 个事件)
Time & API Arguments Status Return Repeated
1619704010.164499
WriteProcessMemory
process_identifier: 2120
buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $ߪC›Ë-‘›Ë-‘›Ë-‘€V†‘ÙË-‘€V³‘˜Ë-‘€V°‘šË-‘Rich›Ë-‘PELoý¿Fà  Œðµ @ @.text”‹Œ `
process_handle: 0x000001fc
base_address: 0x00400000
success 1 0
1619704010.180499
WriteProcessMemory
process_identifier: 2120
buffer: @
process_handle: 0x000001fc
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619704010.164499
WriteProcessMemory
process_identifier: 2120
buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $ߪC›Ë-‘›Ë-‘›Ë-‘€V†‘ÙË-‘€V³‘˜Ë-‘€V°‘šË-‘Rich›Ë-‘PELoý¿Fà  Œðµ @ @.text”‹Œ `
process_handle: 0x000001fc
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 1164 called NtSetContextThread to modify thread in remote process 2120
Time & API Arguments Status Return Repeated
1619704010.180499
NtSetContextThread
thread_handle: 0x000001f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4306416
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2120
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 1164 resumed a thread in remote process 2120
Time & API Arguments Status Return Repeated
1619704011.539499
NtResumeThread
thread_handle: 0x000001f8
suspend_count: 1
process_identifier: 2120
success 0 0
Executed a process and injected code into it, probably while unpacking (14 个事件)
Time & API Arguments Status Return Repeated
1619703973.086499
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 1164
success 0 0
1619703973.148499
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 1164
success 0 0
1619704009.086499
CreateProcessInternalW
thread_identifier: 2440
thread_handle: 0x000001f8
process_identifier: 2120
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8064e37c00d515ab176fdfd48b40bde5.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8064e37c00d515ab176fdfd48b40bde5.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000001fc
inherit_handles: 0
success 1 0
1619704010.164499
NtGetContextThread
thread_handle: 0x000001f8
success 0 0
1619704010.164499
NtAllocateVirtualMemory
process_identifier: 2120
region_size: 172032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619704010.164499
WriteProcessMemory
process_identifier: 2120
buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $ߪC›Ë-‘›Ë-‘›Ë-‘€V†‘ÙË-‘€V³‘˜Ë-‘€V°‘šË-‘Rich›Ë-‘PELoý¿Fà  Œðµ @ @.text”‹Œ `
process_handle: 0x000001fc
base_address: 0x00400000
success 1 0
1619704010.164499
WriteProcessMemory
process_identifier: 2120
buffer:
process_handle: 0x000001fc
base_address: 0x00401000
success 1 0
1619704010.180499
WriteProcessMemory
process_identifier: 2120
buffer: @
process_handle: 0x000001fc
base_address: 0x7efde008
success 1 0
1619704010.180499
NtSetContextThread
thread_handle: 0x000001f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4306416
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2120
success 0 0
1619704011.539499
NtResumeThread
thread_handle: 0x000001f8
suspend_count: 1
process_identifier: 2120
success 0 0
1619704011.695499
NtResumeThread
thread_handle: 0x00000218
suspend_count: 1
process_identifier: 1164
success 0 0
1619704011.758499
NtGetContextThread
thread_handle: 0x00000218
success 0 0
1619704011.758499
NtGetContextThread
thread_handle: 0x00000218
success 0 0
1619704011.758499
NtResumeThread
thread_handle: 0x00000218
suspend_count: 1
process_identifier: 1164
success 0 0
File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 个事件)
DrWeb Trojan.Siggen9.51898
MicroWorld-eScan Trojan.GenericKD.43285654
FireEye Generic.mg.8064e37c00d515ab
CAT-QuickHeal Trojan.Multi
McAfee RDN/Generic.dx
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 005681511 )
Alibaba TrojanPSW:MSIL/Kryptik.92ff0141
K7GW Trojan ( 005681511 )
Cybereason malicious.274ef4
Invincea heuristic
BitDefenderTheta Gen:NN.ZemsilF.34128.Mm0@aCoZl5n
F-Prot W32/MSIL_Kryptik.AUU.gen!Eldorado
Symantec Trojan.Gen.2
TrendMicro-HouseCall TROJ_GEN.R002C0WF620
Paloalto generic.ml
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.43285654
Tencent Win32.Trojan.Inject.Auto
Endgame malicious (high confidence)
Emsisoft Trojan.GenericKD.43285654 (B)
F-Secure Trojan.TR/Kryptik.vqzha
Zillya Trojan.Kryptik.Win32.2040496
TrendMicro TROJ_GEN.R002C0WF620
McAfee-GW-Edition RDN/Generic.dx
Sophos Mal/Generic-S
SentinelOne DFI - Malicious PE
Cyren W32/MSIL_Kryptik.AUU.gen!Eldorado
eGambit Unsafe.AI_Score_100%
Avira TR/Kryptik.vqzha
Fortinet MSIL/Kryptik.97D6!tr
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Microsoft Trojan:MSIL/AgentTesla.AB!MTB
Arcabit Trojan.Generic.D2947C96
ViRobot Trojan.Win32.Z.Genkryptik.636928
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKD.43285654
AhnLab-V3 Trojan/Win32.MSILKrypt.R339683
ALYac Trojan.GenericKD.43285654
MAX malware (ai score=85)
Malwarebytes Trojan.Crypt.MSIL
APEX Malicious
ESET-NOD32 a variant of MSIL/Kryptik.WEQ
Rising Trojan.GenKryptik!8.AA55 (CLOUD)
Yandex Trojan.Igent.bTQ9D6.1
Ikarus Trojan.Inject
Ad-Aware Trojan.GenericKD.43285654
AVG Win32:PWSX-gen [Trj]
Avast Win32:PWSX-gen [Trj]
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.160.78:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-06-05 05:51:26

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51379 239.255.255.250 3702
192.168.56.101 55369 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.