SmartHawk

11.8

0-day

52 个模型检测该样本为恶意！

重新分析

下载样本

9b84ca02bdaada52bc0b5b3fd2312b346bf3c2c4c06e29fdd93c3dc9d3af1733

8316df48ccbc3370c85825ac6b93cdf4.exe

分析耗时

108s

最近分析

文件大小

492.5KB

静态报毒动态报毒 73QBNC6IS3Q AGENSLA AGENTTESLA AI SCORE=99 AUTO AVEMARIA CLOUD CONFIDENCE ELDORADO GDSDA GENERIC PWS GENERICKD GENKRYPTIK HIGH CONFIDENCE JKVHH KRYPTIK MALWARE@#1OBXC8LY4G7G PCRYPT PWSX R002C0DED20 R336115 SIGGEN2 SUSPICIOUS PE TSCOPE UNSAFE 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	RDN/Generic PWS.y	20200523	6.0.6.653
Alibaba	TrojanSpy:MSIL/AgentTesla.7582e93c	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:PWSX-gen [Trj]	20200523	18.4.3895.0
Kingsoft		20200523	2013.8.14.323
Tencent	Win32.Trojan.Inject.Auto	20200523	1.0.0.1
CrowdStrike	win/malicious_confidence_60% (W)	20190702	1.0

Queries for the computername (3 个事件)

Time & API	Arguments	Status	Return
1619704638.527626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619704645.058626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619704649.371626 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619704616.715124 IsDebuggerPresent		failed	0	0
1619704624.886626 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619704619.872124 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619704649.355626 __exception__	stacktrace: 0x9ef5a5 0x9ee838 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73c51b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73c68dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73c76a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73c76a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73c76a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73d16a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73d169ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73d16eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73d170b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73d16fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 3207680 registers.edi: 3207708 registers.eax: 0 registers.ebp: 3207724 registers.edx: 158 registers.ebx: 0 registers.esi: 41412824 registers.ecx: 0 exception.instruction_r: 8b 01 ff 50 28 89 45 dc b8 51 8c 45 15 e9 6a ff exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9ef99d	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619704649.355626
__exception__

stacktrace:

0x9ef5a5
0x9ee838
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73c51b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73c68dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73c76a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73c76a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73c76a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73d16a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73d169ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73d16eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73d170b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73d16fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3207680
registers.edi: 3207708
registers.eax: 0
registers.ebp: 3207724
registers.edx: 158
registers.ebx: 0
registers.esi: 41412824
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 dc b8 51 8c 45 15 e9 6a ff
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x9ef99d

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 88 个事件)

Time & API	Arguments	Status
1619704615.059124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x005c0000	success
1619704615.059124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006b0000	success
1619704616.450124 NtProtectVirtualMemory	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73c51000	success
1619704616.715124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003fa000	success
1619704616.715124 NtProtectVirtualMemory	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73c52000	success
1619704616.715124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003f2000	success
1619704617.106124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00402000	success
1619704617.184124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00403000	success
1619704617.200124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0044b000	success
1619704617.200124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00447000	success
1619704617.231124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0040c000	success
1619704617.700124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00404000	success
1619704617.700124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00405000	success
1619704617.778124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00406000	success
1619704617.793124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00690000	success
1619704617.934124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0041a000	success
1619704617.934124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00417000	success
1619704617.934124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0043a000	success
1619704617.981124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003fb000	success
1619704618.606124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00416000	success
1619704618.637124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0040a000	success
1619704618.668124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00760000	success
1619704618.747124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00691000	success
1619704618.825124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00407000	success
1619704618.965124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00432000	success
1619704619.043124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00445000	success
1619704619.215124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006b1000	success
1619704619.403124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00408000	success
1619704619.637124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x05590000	success
1619704619.637124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05710000	success
1619704619.637124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05711000	success
1619704619.668124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05712000	success
1619704619.668124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05713000	success
1619704619.668124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05714000	success
1619704619.668124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05715000	success
1619704619.668124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05718000	success
1619704619.668124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0571c000	success
1619704619.668124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0572d000	success
1619704619.731124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00409000	success
1619704619.793124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00692000	success
1619704619.809124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0572e000	success
1619704619.809124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0572f000	success
1619704619.856124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00693000	success
1619704619.934124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00694000	success
1619704624.434124 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00761000	success
1619704624.871626 NtAllocateVirtualMemory	process_identifier: 3008 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00ae0000	success
1619704624.871626 NtAllocateVirtualMemory	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c20000	success
1619704624.886626 NtProtectVirtualMemory	process_identifier: 3008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73c51000	success
1619704624.886626 NtAllocateVirtualMemory	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003ca000	success
1619704624.886626 NtProtectVirtualMemory	process_identifier: 3008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73c52000	success

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.6201415873736575

section

{'size_of_data': '0x0007a600', 'virtual_address': '0x00002000', 'entropy': 7.6201415873736575, 'name': '.text', 'virtual_size': '0x0007a488'}

description

A section with a high entropy has been found

entropy

0.9949186991869918

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619704624.434124 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619704625.371626 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (6 个事件)

Time & API	Arguments	Status
1619704624.528124 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2144 process_handle: 0x0000026c	failed
1619704624.528124 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2144 process_handle: 0x0000026c	success
1619704624.575124 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1688 process_handle: 0x00000278	failed
1619704624.575124 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1688 process_handle: 0x00000278	success
1619704637.261626 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2272 process_handle: 0x00000220	failed
1619704637.261626 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2272 process_handle: 0x00000220	success

Communicates with host for which no DNS query was performed (3 个事件)

host	113.108.239.196
host	172.217.24.14
host	203.208.41.65

Allocates execute permission to another process indicative of possible code injection (3 个事件)

Time & API	Arguments	Status	Return
1619704624.387124 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000210 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619704624.543124 NtAllocateVirtualMemory	process_identifier: 1688 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000270 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619704624.590124 NtAllocateVirtualMemory	process_identifier: 3008 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000274 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0

Looks for the Windows Idle Time to determine the uptime (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619704657.886626 NtQuerySystemInformation	information_class: 8 (SystemProcessorPerformanceInformation)	success	0	0

A process attempted to delay the analysis task. (1 个事件)

description

8316df48ccbc3370c85825ac6b93cdf4.exe tried to sleep 2728223 seconds, actually delayed analysis time by 2728223 seconds

Manipulates memory of a non-child process indicative of process injection (4 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2272 manipulating memory of non-child process 2144
Process injection	Process 2272 manipulating memory of non-child process 1688
1619704624.387124 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000210 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619704624.543124 NtAllocateVirtualMemory	process_identifier: 1688 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000270 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619704624.590124 WriteProcessMemory	process_identifier: 3008 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELTN^à« À@ @ÈªSÀðà H.text$ `.rsrcðÀ@@.relocà@B process_handle: 0x00000274 base_address: 0x00400000	success	1
1619704624.622124 WriteProcessMemory	process_identifier: 3008 buffer: 0HXÀ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0` InternalNameFcTKVYgmSbYNxUsqXFPzVOgcGFz.exe(LegalCopyright h OriginalFilenameFcTKVYgmSbYNxUsqXFPzVOgcGFz.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x00000274 base_address: 0x0044c000	success	1
1619704624.622124 WriteProcessMemory	process_identifier: 3008 buffer: ; process_handle: 0x00000274 base_address: 0x0044e000	success	1
1619704624.622124 WriteProcessMemory	process_identifier: 3008 buffer: @ process_handle: 0x00000274 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619704624.590124 WriteProcessMemory	process_identifier: 3008 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELTN^à« À@ @ÈªSÀðà H.text$ `.rsrcðÀ@@.relocà@B process_handle: 0x00000274 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2272 called NtSetContextThread to modify thread in remote process 3008
1619704624.622124 NtSetContextThread	thread_handle: 0x00000278 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4500254 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3008	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2272 resumed a thread in remote process 3008
1619704624.715124 NtResumeThread	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 3008	success	0	0

Executed a process and injected code into it, probably while unpacking (26 个事件)

Time & API	Arguments	Status	Return
1619704616.715124 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 2272	success	0
1619704616.778124 NtResumeThread	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2272	success	0
1619704624.356124 CreateProcessInternalW	thread_identifier: 2256 thread_handle: 0x0000020c process_identifier: 2144 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8316df48ccbc3370c85825ac6b93cdf4.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8316df48ccbc3370c85825ac6b93cdf4.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000210 inherit_handles: 0	success	1
1619704624.387124 NtGetContextThread	thread_handle: 0x0000020c	success	0
1619704624.387124 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000210 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619704624.543124 CreateProcessInternalW	thread_identifier: 2448 thread_handle: 0x0000026c process_identifier: 1688 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8316df48ccbc3370c85825ac6b93cdf4.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8316df48ccbc3370c85825ac6b93cdf4.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000270 inherit_handles: 0	success	1
1619704624.543124 NtGetContextThread	thread_handle: 0x0000026c	success	0
1619704624.543124 NtAllocateVirtualMemory	process_identifier: 1688 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000270 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619704624.590124 CreateProcessInternalW	thread_identifier: 1036 thread_handle: 0x00000278 process_identifier: 3008 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8316df48ccbc3370c85825ac6b93cdf4.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8316df48ccbc3370c85825ac6b93cdf4.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000274 inherit_handles: 0	success	1
1619704624.590124 NtGetContextThread	thread_handle: 0x00000278	success	0
1619704624.590124 NtAllocateVirtualMemory	process_identifier: 3008 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000274 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619704624.590124 WriteProcessMemory	process_identifier: 3008 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELTN^à« À@ @ÈªSÀðà H.text$ `.rsrcðÀ@@.relocà@B process_handle: 0x00000274 base_address: 0x00400000	success	1
1619704624.606124 WriteProcessMemory	process_identifier: 3008 buffer: process_handle: 0x00000274 base_address: 0x00402000	success	1
1619704624.622124 WriteProcessMemory	process_identifier: 3008 buffer: 0HXÀ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0` InternalNameFcTKVYgmSbYNxUsqXFPzVOgcGFz.exe(LegalCopyright h OriginalFilenameFcTKVYgmSbYNxUsqXFPzVOgcGFz.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x00000274 base_address: 0x0044c000	success	1
1619704624.622124 WriteProcessMemory	process_identifier: 3008 buffer: ; process_handle: 0x00000274 base_address: 0x0044e000	success	1
1619704624.622124 WriteProcessMemory	process_identifier: 3008 buffer: @ process_handle: 0x00000274 base_address: 0x7efde008	success	1
1619704624.622124 NtSetContextThread	thread_handle: 0x00000278 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4500254 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3008	success	0
1619704624.715124 NtResumeThread	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 3008	success	0
1619704624.886626 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 3008	success	0
1619704624.902626 NtResumeThread	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 3008	success	0
1619704644.761626 NtResumeThread	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 3008	success	0
1619704644.839626 NtResumeThread	thread_handle: 0x000002f8 suspend_count: 1 process_identifier: 3008	success	0
1619704655.371626 NtResumeThread	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 3008	success	0
1619704655.371626 NtResumeThread	thread_handle: 0x00000378 suspend_count: 1 process_identifier: 3008	success	0
1619704656.386626 NtResumeThread	thread_handle: 0x000003b8 suspend_count: 1 process_identifier: 3008	success	0
1619704657.386626 NtResumeThread	thread_handle: 0x000003bc suspend_count: 1 process_identifier: 3008	success	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 个事件)

MicroWorld-eScan	Trojan.GenericKD.33823151
FireEye	Generic.mg.8316df48ccbc3370
McAfee	RDN/Generic PWS.y
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
AegisLab	Trojan.MSIL.Agensla.i!c
Sangfor	Malware
K7AntiVirus	Trojan ( 005668571 )
Alibaba	TrojanSpy:MSIL/AgentTesla.7582e93c
K7GW	Trojan ( 005668571 )
Cybereason	malicious.cfd0b7
Arcabit	Trojan.Generic.D20419AF
F-Prot	W32/MSIL_Kryptik.ARY.gen!Eldorado
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.33823151
Avast	Win32:PWSX-gen [Trj]
Rising	Trojan.GenKryptik!8.AA55 (CLOUD)
Ad-Aware	Trojan.GenericKD.33823151
Sophos	Mal/Generic-S
Comodo	Malware@#1obxc8ly4g7g
F-Secure	Trojan.TR/Kryptik.jkvhh
DrWeb	Trojan.PWS.Siggen2.48634
TrendMicro	TROJ_GEN.R002C0DED20
McAfee-GW-Edition	RDN/Generic PWS.y
Emsisoft	Trojan.GenericKD.33823151 (B)
Ikarus	Trojan-Spy.AveMaria
Cyren	W32/MSIL_Kryptik.ARY.gen!Eldorado
Jiangmin	Trojan.PSW.MSIL.ysw
Avira	TR/Kryptik.jkvhh
Antiy-AVL	Trojan[PSW]/MSIL.Agensla
Microsoft	TrojanSpy:MSIL/AgentTesla.AP!MTB
Endgame	malicious (high confidence)
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	Trojan.GenericKD.33823151
AhnLab-V3	Trojan/Win32.Kryptik.R336115
VBA32	TScope.Trojan.MSIL
ALYac	Spyware.AgentTesla
MAX	malware (ai score=99)
Malwarebytes	Trojan.PCrypt.MSIL
ESET-NOD32	a variant of MSIL/Kryptik.VVH
TrendMicro-HouseCall	TROJ_GEN.R002C0DED20
Tencent	Win32.Trojan.Inject.Auto
Yandex	Trojan.Kryptik!73qBNc6is3Q
SentinelOne	DFI - Suspicious PE
Fortinet	MSIL/Kryptik.VVH!tr
Webroot	W32.Trojan.Gen
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/GdSda.A

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.27.142:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2055-04-02 21:26:11

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	CNAME clients.l.google.com A 172.217.27.142	216.58.200.238
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
update.googleapis.com	A 203.208.41.66	203.208.41.34
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49190	203.208.41.66 update.googleapis.com	443

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	54178	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	50568	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	60221	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.