Threat score: 8.0 (High risk)

SHA256: 3d30f3e545110a115ed70bb765354c8b3a7cffa96440f0ea45ee819c71ccb8e9

File name: 88fa43a2de246c4a9d2e5212d7d9d9d9.exe (the file name is the sample's MD5; McAfee's Artemis! and FireEye's Generic.mg labels below embed its prefix)

Analysis duration: 87s

Last analysed

File size: 4.7MB

Flags: static detection, dynamic detection
Detection name tags: 2144FLASHPLAYER, AI SCORE=88, ARTEMIS, CONFIDENCE, EEHU, GENERICKD, HHTAHS, HIGH CONFIDENCE, MALWARE@#1PWA28PRJD1GH, METERPRETER, OCCAMY, R011C0RI920, SHELMA, UNSAFE, YBI0SMTSTRY
鹰眼引擎 (Hawkeye engine)
Not detected: the Hawkeye engine produced no result for this sample.
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
McAfee | Artemis!88FA43A2DE24 | 20201022 | 6.0.6.653
Alibaba | Trojan:Win64/Shelma.be2348cf | 20190527 | 0.3.0.5
Baidu | (no detection) | 20190318 | 1.0.0.2
Avast | Win64:Malware-gen | 20201022 | 18.4.3895.0
Kingsoft | (no detection) | 20201022 | 2013.8.14.323
Tencent | Win64.Trojan.Shelma.Eehu | 20201022 | 1.0.0.1
CrowdStrike | win/malicious_confidence_60% (W) | 20190702 | 1.0
Scan dates range from 2019-03 to 2020-10, so these rows are not one consistent scan; the two engines with no detection were run with older definitions than the others.
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (3 events)
Time | API | Arguments | Status | Return | Repeated
1620829849.361375 | NtAllocateVirtualMemory | process_identifier: 1712; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffffffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x0000000001d80000 | success | 0 | 0
1620829849.392375 | NtAllocateVirtualMemory | process_identifier: 1712; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffffffffffff; allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE); base_address: 0x0000000002150000 | success | 0 | 0
1620829849.392375 | NtProtectVirtualMemory | process_identifier: 1712; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffffffffffff; base_address: 0x0000000002150000 | success | 0 | 0
All three calls pass process_handle 0xffffffffffffffff, the current-process pseudo-handle, so the sample is making its own memory executable rather than injecting into another process. The sequence is one page committed RWX at 0x1d80000, one page committed RWX at 0x2150000, and then NtProtectVirtualMemory on that same page with heap_dep_bypass set, a flag the Cuckoo monitor raises when the call originates from heap memory rather than from a loaded image: a first stage is already running from dynamically allocated memory at that point. For hunting, the actionable pattern is the commit followed by a re-protect of the same base address, not an RWX commit on its own.
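The commit-then-reprotect pattern above can be scored mechanically from the monitor's API log. The following is an added example and not part of the sandbox report or of any vendor's tooling: the three events are transcribed from the table above, the dict layout (one dict per call, keyed by the monitor's argument names) is an assumption about the shape of the report's underlying JSON, and heap_dep_bypass is read here as "the caller's return address lies in heap memory", which is how the Cuckoo monitor documents that flag.

```python
"""Score memory that becomes writable-and-executable in a Cuckoo-style API log.

Added example; the EVENTS list is transcribed from the report, the record
layout is an assumption about the report's JSON.
"""
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40
CURRENT_PROCESS = 0xFFFFFFFFFFFFFFFF   # x64 pseudo-handle from GetCurrentProcess()

# Constructed from the report's three events (decimal values written in hex).
EVENTS = [
    {"time": 1620829849.361375, "api": "NtAllocateVirtualMemory", "pid": 1712,
     "process_handle": CURRENT_PROCESS, "base_address": 0x0000000001D80000,
     "size": 4096, "protection": 0x40, "heap_dep_bypass": 0},
    {"time": 1620829849.392375, "api": "NtAllocateVirtualMemory", "pid": 1712,
     "process_handle": CURRENT_PROCESS, "base_address": 0x0000000002150000,
     "size": 4096, "protection": 0x40, "heap_dep_bypass": 0},
    {"time": 1620829849.392375, "api": "NtProtectVirtualMemory", "pid": 1712,
     "process_handle": CURRENT_PROCESS, "base_address": 0x0000000002150000,
     "size": 4096, "protection": 0x40, "heap_dep_bypass": 1},
]


def classify_rwx(events):
    """Group RWX allocations/re-protections per (pid, base) and score them.

    Scoring uses only what the monitor exposes:
      +1  any region that ends up PAGE_EXECUTE_READWRITE
      +1  the same region is later re-protected with NtProtectVirtualMemory
          (write first, then execute: classic unpack / stage load)
      +1  a call came from heap-backed code (heap_dep_bypass), i.e. an earlier
          stage is already executing outside any loaded image
      +2  the target is another process (handle != current-process pseudo-handle)
    """
    per_region = defaultdict(list)
    for ev in events:
        if ev["protection"] == PAGE_EXECUTE_READWRITE:
            per_region[(ev["pid"], ev["base_address"])].append(ev)

    findings = []
    for (pid, base), evs in per_region.items():
        apis = sorted({e["api"] for e in evs})
        remote = any(e["process_handle"] != CURRENT_PROCESS for e in evs)
        from_heap = any(e["heap_dep_bypass"] == 1 for e in evs)
        score = 1
        if "NtProtectVirtualMemory" in apis:
            score += 1
        if from_heap:
            score += 1
        if remote:
            score += 2
        findings.append({"pid": pid, "base": base, "apis": apis,
                         "remote": remote, "from_heap": from_heap,
                         "score": score})
    # Highest score first; sort is stable, so ties keep log order.
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in classify_rwx(EVENTS):
        print(f"pid={f['pid']} base=0x{f['base']:x} score={f['score']} "
              f"apis={f['apis']} from_heap={f['from_heap']} remote={f['remote']}")
```

Run against this report it ranks the 0x2150000 page (commit, re-protect, heap-origin caller) above the lone RWX commit at 0x1d80000; on a report with injection the remote-process weighting puts the cross-process region first.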
Foreign language identified in PE resource (14 events)
name RT_DIALOG language LANG_CHINESE sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00027cbc filetype data size 0x000000f2 (6 identical entries)
name RT_STRING language LANG_CHINESE sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0002862c filetype data size 0x00000132 (6 identical entries)
name RT_VERSION language LANG_CHINESE sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x004c2f30 filetype data size 0x000003f4 (2 identical entries)
Creates executable files on the filesystem (4 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\IXP000.TMP\www.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI6482\MSVCR90.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\IXP000.TMP\FLASHP~1.EXE
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI6482\python27.dll
Two unpacking layers are visible in these paths. IXP000.TMP is the temporary directory used by the Windows IExpress self-extracting stub (wextract.exe), which expands a CAB archive stored in its resources and then runs the program named in its package; the RunOnce "wextract_cleanup0" entry and the Cabinet.dll import further down belong to the same stub. _MEI6482 is the runtime extraction directory of a PyInstaller one-file bundle, and python27.dll alongside MSVCR90.dll means that second stage is a Python 2.7 program, so the payload logic is compiled Python bytecode rather than native code.
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\IXP000.TMP\FLASHP~1.EXE
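Because the IExpress stub keeps its payload as a CAB archive inside the resource section, the dropped www.exe and FLASHP~1.EXE can be recovered from the original file without running it. The script below is an added example, not code from the report, from IExpress or from the sample: it finds Cabinet headers by signature using only the documented CFHEADER layout (the 'MSCF' magic, cbCabinet at offset 8, coffFiles at offset 16, version 1.3 at offsets 24-25, then the folder and file counts) and carves out the archive. SAMPLE_BUF, including its decoy 'MSCF' string, is constructed here for the demonstration.

```python
"""Locate and carve Microsoft Cabinet (CAB) archives embedded in a byte buffer.

Added example; relies only on the documented 36-byte CFHEADER. The sample
buffer is constructed, not taken from the analysed file.
"""
import struct

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")   # 36 bytes
#   signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
#   versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet


def find_cabinets(buf: bytes):
    """Return a dict per plausible CAB header found in buf, in file order."""
    found = []
    pos = buf.find(b"MSCF")
    while pos != -1:
        if pos + CFHEADER.size <= len(buf):
            (_sig, _r1, cb_cabinet, _r2, coff_files, _r3,
             ver_minor, ver_major, n_folders, n_files,
             _flags, _set_id, _i_cabinet) = CFHEADER.unpack_from(buf, pos)
            plausible = (
                (ver_major, ver_minor) == (1, 3)        # only CAB version defined
                and CFHEADER.size <= coff_files < cb_cabinet
                and pos + cb_cabinet <= len(buf)        # whole archive present
                and n_folders >= 1 and n_files >= 1
            )
            if plausible:
                found.append({"offset": pos, "size": cb_cabinet,
                              "folders": n_folders, "files": n_files})
        pos = buf.find(b"MSCF", pos + 1)
    return found


def carve_cabinet(buf: bytes, cab: dict) -> bytes:
    """Slice one archive out of buf; write it to a .cab and expand it offline."""
    return buf[cab["offset"]:cab["offset"] + cab["size"]]


# --- constructed sample: PE-ish prefix, a decoy 'MSCF', then a real header ---
CAB_SIZE = 120                                    # total archive length we fake
DECOY = b"MSCF" + b"\xff" * 32                    # bad version, absurd cbCabinet
PREFIX = b"MZ" + b"\x00" * 500 + DECOY + b"\x00" * 64
REAL_HEADER = CFHEADER.pack(b"MSCF", 0, CAB_SIZE, 0, 44, 0, 3, 1, 1, 1, 0, 0, 0)
SAMPLE_BUF = PREFIX + REAL_HEADER + b"\x00" * (CAB_SIZE - CFHEADER.size) + b"trailer"
EXPECTED_OFFSET = len(PREFIX)


if __name__ == "__main__":
    for cab in find_cabinets(SAMPLE_BUF):
        blob = carve_cabinet(SAMPLE_BUF, cab)
        print(f"CAB at 0x{cab['offset']:x}, {cab['size']} bytes, "
              f"{cab['files']} file(s) in {cab['folders']} folder(s), "
              f"carved {len(blob)} bytes")
```

On the real sample call find_cabinets on the whole file's bytes, write the carved slice to a .cab and unpack it with cabextract or Windows' expand -F:* on a disconnected machine; the version and bounds checks are what keep the scan from tripping on stray "MSCF" strings in text or in the decompressed payload itself.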
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time | API | Arguments | Status | Return | Repeated
1620829854.283375 | GetAdaptersAddresses | flags: 0; family: 0 (AF_UNSPEC) | failed | 111 | 0
Return value 111 is ERROR_BUFFER_OVERFLOW, the expected result of the first call an application makes to learn the buffer size it needs, and only this one call was logged. On its own that is ordinary network enumeration, not evidence of a VM check; treat it as weak signal unless a later stage acts on the adapter list.
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.997009278323358 section .rsrc (size_of_data 0x004b4c00, virtual_address 0x0000f000, virtual_size 0x004b5000) description A section with a high entropy has been found
entropy 0.9916658092396337 description Overall entropy of this PE file is high
Read the two numbers differently. The first is the Shannon entropy of the .rsrc section, 7.997 bits per byte out of a possible 8, and that section is 0x4b4c00 bytes, almost the whole 4.7MB file: the payload lives in the resources, which is where an IExpress stub stores its compressed CAB. The second is not an entropy in bits; it is the share of section data that sits in high-entropy sections (about 99%), which is how the Cuckoo packer_entropy signature computes its file-level figure.
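The two figures above can be reproduced from the section bytes. What follows is an added example, not code from the sandbox or from the sample: shannon_entropy gives the per-section value in bits per byte and packer_verdict derives the file-level ratio. The thresholds (6.8 bits per section, 0.2 for the ratio) are the ones used by the Cuckoo community packer_entropy signature and should be treated as assumptions if your platform tunes them differently; the two sections fed in are constructed stand-ins, a pseudo-random blob playing the compressed .rsrc payload and a repetitive code-like .text.

```python
"""Shannon entropy per PE section and the 'packed data ratio' a sandbox reports.

Added example; thresholds follow the Cuckoo packer_entropy signature and the
section contents below are constructed for the demonstration.
"""
import math
import random


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or single-valued data, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def packer_verdict(sections, section_threshold=6.8, ratio_threshold=0.2):
    """sections: iterable of (name, raw_bytes).

    Returns (flagged, ratio, packed): flagged lists (name, entropy) for sections
    above section_threshold, ratio is the share of all section bytes that live
    in flagged sections (the report's second 'entropy' number), and packed is
    the final verdict.
    """
    total = 0
    high = 0
    flagged = []
    for name, data in sections:
        total += len(data)
        ent = shannon_entropy(data)
        if ent > section_threshold:
            flagged.append((name, round(ent, 3)))
            high += len(data)
    ratio = high / total if total else 0.0
    return flagged, ratio, ratio > ratio_threshold


# --- constructed sample input (fixed seed so the numbers are repeatable) ---
_rng = random.Random(20201022)
RSRC_LIKE = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))  # ~8 bits/byte
TEXT_LIKE = (b"\x48\x83\xec\x28\xe8" * 400).ljust(4096, b"\x00")   # low entropy
SAMPLE_SECTIONS = [(".text", TEXT_LIKE), (".rsrc", RSRC_LIKE)]


if __name__ == "__main__":
    flagged, ratio, packed = packer_verdict(SAMPLE_SECTIONS)
    print(flagged, round(ratio, 4), packed)
```

To run it on a real file, feed it [(s.Name.rstrip(b"\x00").decode(), s.get_data()) for s in pefile.PE(path).sections]; for this sample the .rsrc entry should come back close to the 7.997 above and the ratio close to 0.99, since nearly every section byte is in that one section.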
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 172.217.24.14
host 47.240.45.183
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\IXP000.TMP\"
This RunOnce entry is not persistence for the payload. It is the clean-up hook every IExpress self-extractor writes: DelNodeRunDLL32 in advpack.dll deletes the IXP000.TMP extraction directory at the next logon, after which the RunOnce value removes itself. It confirms the IExpress wrapper and means the extracted files will be gone from disk after a reboot; whatever persistence the sample really sets up would have to come from the stages the sandbox did not capture.
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\IXP000.TMP\www.exe
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time | API | key_handle | Registry key | Type | Value | Status | Return | Repeated
1620829856.924375 | RegSetValueExA | 0x0000000000000358 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason | 4 (REG_DWORD) | 1 | success | 0 | 0
1620829856.924375 | RegSetValueExA | 0x0000000000000358 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime | 3 (REG_BINARY) | (8-byte binary timestamp, garbled in extraction) | success | 0 | 0
1620829856.924375 | RegSetValueExA | 0x0000000000000358 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision | 4 (REG_DWORD) | 3 | success | 0 | 0
1620829856.924375 | RegSetValueExW | 0x0000000000000358 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName | 1 (REG_SZ) | 网络 2 ("Network 2", the Windows network profile name) | success | 0 | 0
1620829856.939375 | RegSetValueExA | 0x0000000000000370 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason | 4 (REG_DWORD) | 1 | success | 0 | 0
1620829856.939375 | RegSetValueExA | 0x0000000000000370 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime | 3 (REG_BINARY) | (8-byte binary timestamp, garbled in extraction) | success | 0 | 0
1620829856.939375 | RegSetValueExA | 0x0000000000000370 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision | 4 (REG_DWORD) | 3 | success | 0 | 0
1620829857.002375 | RegSetValueExW | 0x0000000000000354 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork | 1 (REG_SZ) | {40112ABE-63B3-43C3-BE93-1440EE3AF106} | success | 0 | 0
The signature name overstates what happened. These values under Internet Settings\Wpad are written by Windows' own WinHTTP/WinINet proxy auto-detection code, inside the calling process, the first time a program with default proxy settings makes an HTTP-style request; they cache the WPAD decision per network (one key for the network GUID, one for the adapter MAC 0a-00-27-00-00-00, which is VirtualBox's host-only adapter). No AutoConfigURL or proxy server was set, so nothing here intercepts traffic. What the entries do establish is that the sample went out through WinINet/WinHTTP, consistent with the port-443 connection attempts recorded below.
File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)
Family labels disagree: generic trojan names (GenericKD, Malware-gen), adware/PUA names (K7, Fortinet, ESET's 2144FlashPlayer) and Meterpreter (DrWeb, NANO-Antivirus) all appear, while most vendors that commit to a family say Shelma. Treat the family name as unresolved and rely on the observed behavior; the one point every label agrees on is a 64-bit Windows dropper.
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.42933716
McAfee Artemis!88FA43A2DE24
Cylance Unsafe
K7AntiVirus Adware ( 0055b8ed1 )
Alibaba Trojan:Win64/Shelma.be2348cf
K7GW Adware ( 0055b8ed1 )
Cybereason malicious.b61c56
Arcabit Trojan.Generic.D28F1DD4
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Win64:Malware-gen
Kaspersky Trojan.Win64.Shelma.dlo
BitDefender Trojan.GenericKD.42933716
NANO-Antivirus Trojan.Win64.Meterpreter.hhtahs
Paloalto generic.ml
Ad-Aware Trojan.GenericKD.42933716
Emsisoft Trojan.GenericKD.42933716 (B)
Comodo Malware@#1pwa28prjd1gh
DrWeb BackDoor.Meterpreter.96
Zillya Trojan.Shelma.Win64.2511
Invincea Mal/Generic-S
McAfee-GW-Edition Artemis
FireEye Generic.mg.88fa43a2de246c4a
Sophos Mal/Generic-S
Microsoft Trojan:Win32/Occamy.C3D
AegisLab Trojan.Win64.Shelma.4!c
ZoneAlarm Trojan.Win64.Shelma.dlo
GData Trojan.GenericKD.42933716
ALYac Trojan.GenericKD.42933716
MAX malware (ai score=88)
ESET-NOD32 a variant of Win32/2144FlashPlayer.A potentially unwanted
TrendMicro-HouseCall TROJ_GEN.R011C0RI920
Tencent Win64.Trojan.Shelma.Eehu
Yandex Trojan.Agent!YbI0sMtstrY
Fortinet Adware/Shelma
AVG Win64:Malware-gen
Panda Trj/CI.A
CrowdStrike win/malicious_confidence_60% (W)
Qihoo-360 Win64/Trojan.caf
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.78:443
dead_host 47.240.45.183:60002
The two 172.217.0.0/16 addresses are Google address space on port 443 and, with no DNS lookup preceding them, are consistent with a hard-coded connectivity check. 47.240.45.183:60002 is the only endpoint on a non-standard port and is the address to pivot on as the probable command-and-control channel. None of the three answered during the run, so no C2 traffic was captured and the second stage's behavior beyond the connection attempt is unobserved.
Visual analysis
Binary image: none; the platform did not generate a binary visualization for this sample.
Runtime screenshots: none were captured while the sample ran.


PE Compile Time

1990-07-21 13:22:47

This cannot be a real build date: the x64 PE image format did not exist in 1990. Treat the TimeDateStamp either as forged or as the reproducible-build hash that recent Microsoft toolchains write into that field instead of a date, and do not use it for timeline work.

Imports

Library ADVAPI32.dll:
0x140009118 GetTokenInformation
0x140009120 RegDeleteValueA
0x140009128 RegOpenKeyExA
0x140009130 RegQueryInfoKeyA
0x140009138 FreeSid
0x140009140 OpenProcessToken
0x140009148 RegSetValueExA
0x140009150 RegCreateKeyExA
0x140009158 LookupPrivilegeValueA
0x140009160 AllocateAndInitializeSid
0x140009168 RegQueryValueExA
0x140009170 EqualSid
0x140009178 RegCloseKey
0x140009180 AdjustTokenPrivileges
Library KERNEL32.dll:
0x1400091d8 _lopen
0x1400091e0 _llseek
0x1400091e8 CompareStringA
0x1400091f0 GetLastError
0x1400091f8 GetFileAttributesA
0x140009200 GetSystemDirectoryA
0x140009208 LoadLibraryA
0x140009210 DeleteFileA
0x140009218 GlobalAlloc
0x140009220 GlobalFree
0x140009228 CloseHandle
0x140009238 IsDBCSLeadByte
0x140009240 GetWindowsDirectoryA
0x140009248 SetFileAttributesA
0x140009250 GetProcAddress
0x140009258 GlobalLock
0x140009260 LocalFree
0x140009268 RemoveDirectoryA
0x140009270 FreeLibrary
0x140009278 _lclose
0x140009280 CreateDirectoryA
0x140009288 GetPrivateProfileIntA
0x140009290 GetPrivateProfileStringA
0x140009298 GlobalUnlock
0x1400092a0 ReadFile
0x1400092a8 SizeofResource
0x1400092b0 WriteFile
0x1400092b8 GetDriveTypeA
0x1400092c0 LoadLibraryExA
0x1400092c8 SetFileTime
0x1400092d0 SetFilePointer
0x1400092d8 FindResourceA
0x1400092e0 CreateMutexA
0x1400092e8 GetVolumeInformationA
0x1400092f0 WaitForSingleObject
0x1400092f8 GetCurrentDirectoryA
0x140009300 FreeResource
0x140009308 GetVersion
0x140009310 SetCurrentDirectoryA
0x140009318 GetTempPathA
0x140009320 LocalFileTimeToFileTime
0x140009328 CreateFileA
0x140009330 SetEvent
0x140009338 TerminateThread
0x140009340 GetVersionExA
0x140009348 LockResource
0x140009350 GetSystemInfo
0x140009358 CreateThread
0x140009360 ResetEvent
0x140009368 LoadResource
0x140009370 ExitProcess
0x140009378 GetModuleHandleW
0x140009380 CreateProcessA
0x140009388 FormatMessageA
0x140009390 GetTempFileNameA
0x140009398 DosDateTimeToFileTime
0x1400093a0 CreateEventA
0x1400093a8 GetExitCodeProcess
0x1400093b8 LocalAlloc
0x1400093c0 lstrcmpA
0x1400093c8 FindNextFileA
0x1400093d0 GetCurrentProcess
0x1400093d8 FindFirstFileA
0x1400093e0 GetModuleFileNameA
0x1400093e8 GetShortPathNameA
0x1400093f0 Sleep
0x1400093f8 GetStartupInfoW
0x140009400 RtlCaptureContext
0x140009408 RtlLookupFunctionEntry
0x140009410 RtlVirtualUnwind
0x140009418 UnhandledExceptionFilter
0x140009428 TerminateProcess
0x140009430 QueryPerformanceCounter
0x140009438 GetCurrentProcessId
0x140009440 GetCurrentThreadId
0x140009448 GetSystemTimeAsFileTime
0x140009450 GetTickCount
0x140009458 EnumResourceLanguagesA
0x140009460 GetDiskFreeSpaceA
0x140009468 MulDiv
0x140009470 FindClose
Library GDI32.dll:
0x1400091c8 GetDeviceCaps
Library USER32.dll:
0x140009480 ShowWindow
0x140009490 SetWindowPos
0x140009498 GetDC
0x1400094a0 GetWindowRect
0x1400094a8 DispatchMessageA
0x1400094b0 GetSystemMetrics
0x1400094b8 CallWindowProcA
0x1400094c0 SetWindowTextA
0x1400094c8 MessageBoxA
0x1400094d0 SendDlgItemMessageA
0x1400094d8 SendMessageA
0x1400094e0 GetDlgItem
0x1400094e8 DialogBoxIndirectParamA
0x1400094f0 GetWindowLongPtrA
0x1400094f8 SetWindowLongPtrA
0x140009500 SetForegroundWindow
0x140009508 ReleaseDC
0x140009510 EnableWindow
0x140009518 CharNextA
0x140009520 LoadStringA
0x140009528 CharPrevA
0x140009530 EndDialog
0x140009538 MessageBeep
0x140009540 ExitWindowsEx
0x140009548 SetDlgItemTextA
0x140009550 CharUpperA
0x140009558 GetDesktopWindow
0x140009560 PeekMessageA
0x140009568 GetDlgItemTextA
Library msvcrt.dll:
0x140009598 ?terminate@@YAXXZ
0x1400095a0 _commode
0x1400095a8 _fmode
0x1400095b0 _acmdln
0x1400095b8 __C_specific_handler
0x1400095c0 memset
0x1400095c8 __setusermatherr
0x1400095d0 _ismbblead
0x1400095d8 _cexit
0x1400095e0 _exit
0x1400095e8 exit
0x1400095f0 __set_app_type
0x1400095f8 __getmainargs
0x140009600 _amsg_exit
0x140009608 _XcptFilter
0x140009610 memcpy_s
0x140009618 _vsnprintf
0x140009620 _initterm
0x140009628 memcpy
Library COMCTL32.dll:
0x140009190 (no name: imported by ordinal)
Library Cabinet.dll:
0x1400091a0 (no name: imported by ordinal)
0x1400091a8 (no name: imported by ordinal)
0x1400091b0 (no name: imported by ordinal)
0x1400091b8 (no name: imported by ordinal)
Cabinet.dll hosts the FDI decompression API; together with FindResourceA/LoadResource/LockResource in KERNEL32 it is how the self-extracting stub pulls its CAB out of the resource section and unpacks it.
Library VERSION.dll:
0x140009578 VerQueryValueA
0x140009580 GetFileVersionInfoSizeA
0x140009588 GetFileVersionInfoA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

Read these two together with the dead-host list above: the sample attempted TCP connections to three addresses and none was answered, so no completed connection exists to record here. "No hosts contacted" means no successful exchange, not that the sample stayed offline.

UDP

Source | Source port | Destination | Destination port
192.168.56.101 | 49235 | 114.114.114.114 | 53
192.168.56.101 | 50568 | 114.114.114.114 | 53
192.168.56.101 | 51963 | 114.114.114.114 | 53
192.168.56.101 | 53657 | 114.114.114.114 | 53
192.168.56.101 | 55368 | 114.114.114.114 | 53
192.168.56.101 | 56539 | 114.114.114.114 | 53
192.168.56.101 | 137 | 192.168.56.255 | 137
192.168.56.101 | 138 | 192.168.56.255 | 138
192.168.56.101 | 123 | 20.189.79.72 (time.windows.com) | 123
192.168.56.101 | 50002 | 224.0.0.252 | 5355
192.168.56.101 | 50534 | 224.0.0.252 | 5355
192.168.56.101 | 51808 | 224.0.0.252 | 5355
192.168.56.101 | 53210 | 224.0.0.252 | 5355
192.168.56.101 | 56804 | 224.0.0.252 | 5355
192.168.56.101 | 57756 | 224.0.0.252 | 5355
192.168.56.101 | 57874 | 224.0.0.252 | 5355
192.168.56.101 | 60123 | 224.0.0.252 | 5355
192.168.56.101 | 60384 | 224.0.0.252 | 5355
192.168.56.101 | 62191 | 224.0.0.252 | 5355
192.168.56.101 | 62912 | 224.0.0.252 | 5355
All of this UDP traffic is guest background noise rather than sample activity: six DNS queries to the VM's resolver 114.114.114.114 (the report does not list the names queried), NetBIOS name-service and datagram broadcasts on 137/138, one NTP exchange with time.windows.com, and LLMNR multicast to 224.0.0.252:5355. The guest address 192.168.56.101 sits in VirtualBox's default host-only subnet.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files: none collected.
Dropped buffers: none collected.
The behavior section shows four executables written under %TEMP% (www.exe, FLASHP~1.EXE, python27.dll, MSVCR90.dll), so "none" here means the sandbox did not collect them, not that nothing was written. To examine the second stage, carve the CAB out of the .rsrc section of the original file or re-run the sample with dropped-file collection enabled.