4.6
中危
55 个模型检测该样本为恶意!
重新分析
更多

c2f70806a9fddb3ff61f045c92c48a19a0f889b839f68a2acd0e71e6c091499c

840028486eb7da9ee3653218f04561fe.exe

分析耗时

99s

最近分析

文件大小

348.5KB
静态报毒 动态报毒 100% A + TROJ AGEN AI SCORE=89 AJFVK ATTRIBUTE CLASSIC CONFIDENCE DOWNLOADER27 DXCI ELDORADO FCOI FOWW HIGH CONFIDENCE HIGHCONFIDENCE MALICIOUS PE MALWARE@#B8DLW5J9T4KV MCNJ MINTLUKS PASSWORDSTEALER PASSWORDSTEALERA QUASAR QUASARRAT SCORE STATIC AI SUBTI SUSGEN TINCLEX TSPY UNSAFE VM0@AGZ1ZNP ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee PWS-FCOI!840028486EB7 20201211 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Alibaba Backdoor:MSIL/QuasarRAT.0f102a94 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast MSIL:Rat-B [Trj] 20201210 21.1.5827.0
Kingsoft 20201211 2017.9.26.565
Tencent Msil.Trojan.Agent.Dxci 20201211 1.0.0.1
静态指标
行为判定
动态指标
Connects to a Dynamic DNS Domain (1 个事件)
domain leetlauncher64.duckdns.org
Performs some HTTP requests (3 个事件)
request GET http://freegeoip.net/xml/
request GET http://freegeoip.net/shutdown
request GET http://api.ipify.org/
Looks up the external IP address (2 个事件)
domain api.ipify.org
domain ip-api.com
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Generic.MSIL.PasswordStealerA.E08FEE36
FireEye Generic.mg.840028486eb7da9e
McAfee PWS-FCOI!840028486EB7
Cylance Unsafe
SUPERAntiSpyware Trojan.Agent/Gen-PasswordStealer
Sangfor Malware
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Backdoor:MSIL/QuasarRAT.0f102a94
K7GW Trojan ( 00521dab1 )
K7AntiVirus Trojan ( 00521dab1 )
Arcabit Generic.MSIL.PasswordStealerA.E08FEE36
BitDefenderTheta Gen:NN.ZemsilF.34670.vm0@aGZ1zNp
Cyren W32/MSIL_Mintluks.A.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
ClamAV Win.Trojan.Generic-6295765-0
Kaspersky Trojan.MSIL.Agent.foww
BitDefender Generic.MSIL.PasswordStealerA.E08FEE36
Avast MSIL:Rat-B [Trj]
Rising Backdoor.Quasar!1.B1DD (CLASSIC)
Ad-Aware Generic.MSIL.PasswordStealerA.E08FEE36
Emsisoft Generic.MSIL.PasswordStealerA.E08FEE36 (B)
Comodo Malware@#b8dlw5j9t4kv
F-Secure Heuristic.HEUR/AGEN.1139814
DrWeb Trojan.DownLoader27.59888
TrendMicro TSPY_TINCLEX.SM1
McAfee-GW-Edition BehavesLike.Win32.Generic.fh
Sophos ML/PE-A + Troj/Subti-A
Ikarus Trojan.MSIL.Spy
Jiangmin Trojan.Generic.ajfvk
Webroot W32.Trojan.Agent.Gen
Avira HEUR/AGEN.1139814
Antiy-AVL Trojan/MSIL.Agent
Gridinsoft Virtool.Win32.Gen.cc!ni
Microsoft Backdoor:Win32/QuasarRAT.A
AegisLab Trojan.MSIL.Agent.mCnJ
ZoneAlarm Trojan.MSIL.Agent.foww
GData Generic.MSIL.PasswordStealerA.E08FEE36
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Subti.C1663822
Acronis suspicious
ALYac Generic.MSIL.PasswordStealerA.E08FEE36
MAX malware (ai score=89)
Malwarebytes Backdoor.Bot
ESET-NOD32 a variant of MSIL/Spy.Agent.AES
TrendMicro-HouseCall TSPY_TINCLEX.SM1
Tencent Msil.Trojan.Agent.Dxci
SentinelOne Static AI - Malicious PE
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 个事件)
dead_host 172.217.24.14:443
dead_host 216.58.200.238:443
dead_host 208.95.112.1:80
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-04-02 11:10:36

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49184 172.67.75.176 freegeoip.net 80
192.168.56.101 49186 54.225.144.221 api.ipify.org 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 61680 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://freegeoip.net/shutdown 
GET /shutdown HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: freegeoip.net
http://api.ipify.org/ 
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: api.ipify.org
Connection: Keep-Alive
http://freegeoip.net/xml/ 
GET /xml/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: freegeoip.net
Connection: Keep-Alive

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.