4.8
中危
59 个模型检测该样本为恶意!
重新分析
更多

72ea08f15fdde5c6398acba210d601bfcce69b2a3d5d7208059effa2f2b23e50

89e62fe900363b227cdae5495c549bc1.exe

分析耗时

73s

最近分析

文件大小

571.5KB
静态报毒 动态报毒 AGENTB AI SCORE=85 AIDETECTVM BANKERX BSCOPE CLASSIC COBRA CONFIDENCE ELDORADO ELJF ENCPK GA@8SFC92 GENCIRC GENERICKDZ GENETIC GENKRYPTIK HDJM HKYKUO INJECT3 JM0@AMR2 JXZQ KCLOUD KRYPTIK MALICIOUS PE MALWARE1 MINT PINKSBOT PJXCH QAKBOT QBOT QVM20 R + MAL R336683 REGOTET SCORE STATIC AI SUSGEN UNSAFE WACATAC ZEXAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/Agentb.267143f9 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_80% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:BankerX-gen [Trj] 20201210 21.1.5827.0
Tencent Malware.Win32.Gencirc.10cdcae1 20201211 1.0.0.1
Kingsoft Win32.Troj.Undef.(kcloud) 20201211 2017.9.26.565
McAfee W32/PinkSbot-GS!89E62FE90036 20201211 6.0.6.653
静态指标
Queries for the computername (2 个事件)
Time & API Arguments Status Return Repeated
1619686132.999053
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619692900.636249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
One or more processes crashed (2 个事件)
Time & API Arguments Status Return Repeated
1619692901.308249
__exception__
stacktrace: 
89e62fe900363b227cdae5495c549bc1+0x3f07 @ 0x403f07
89e62fe900363b227cdae5495c549bc1+0x1b25 @ 0x401b25
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637624
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637684
registers.edx: 22104
registers.ebx: 1
registers.esi: 5719064
registers.ecx: 10
exception.instruction_r: ed 89 5d e4 89 4d e0 5a 59 5b 58 83 4d fc ff eb
exception.symbol: 89e62fe900363b227cdae5495c549bc1+0x3449
exception.instruction: in eax, dx
exception.module: 89e62fe900363b227cdae5495c549bc1.exe
exception.exception_code: 0xc0000096
exception.offset: 13385
exception.address: 0x403449
success 0 0
1619692901.308249
__exception__
stacktrace: 
89e62fe900363b227cdae5495c549bc1+0x3f10 @ 0x403f10
89e62fe900363b227cdae5495c549bc1+0x1b25 @ 0x401b25
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637628
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637684
registers.edx: 22104
registers.ebx: 1
registers.esi: 5719064
registers.ecx: 20
exception.instruction_r: ed 89 45 e4 5a 59 5b 58 83 4d fc ff eb 11 33 c0
exception.symbol: 89e62fe900363b227cdae5495c549bc1+0x34e2
exception.instruction: in eax, dx
exception.module: 89e62fe900363b227cdae5495c549bc1.exe
exception.exception_code: 0xc0000096
exception.offset: 13538
exception.address: 0x4034e2
success 0 0
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (6 个事件)
Time & API Arguments Status Return Repeated
1619686132.686053
NtAllocateVirtualMemory
process_identifier: 2120
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e00000
success 0 0
1619686132.702053
NtAllocateVirtualMemory
process_identifier: 2120
region_size: 221184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e40000
success 0 0
1619686132.702053
NtProtectVirtualMemory
process_identifier: 2120
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 237568
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619692900.527249
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004a0000
success 0 0
1619692900.542249
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 221184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004e0000
success 0 0
1619692900.542249
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 237568
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619686133.968053
CreateProcessInternalW
thread_identifier: 3040
thread_handle: 0x0000014c
process_identifier: 2760
current_directory:
filepath:
track: 1
command_line: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\89e62fe900363b227cdae5495c549bc1.exe /C
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000150
inherit_handles: 0
success 1 0
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 个事件)
The binary likely contains encrypted or compressed data indicative of a packer (1 个事件)
entropy 6.923270288131548 section {'size_of_data': '0x00017c00', 'virtual_address': '0x00079000', 'entropy': 6.923270288131548, 'name': '.rsrc', 'virtual_size': '0x00017bdc'} description A section with a high entropy has been found
Expresses interest in specific running processes (1 个事件)
process vboxservice.exe
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Detects VMWare through the in instruction feature (1 个事件)
Time & API Arguments Status Return Repeated
1619692901.308249
__exception__
stacktrace: 
89e62fe900363b227cdae5495c549bc1+0x3f07 @ 0x403f07
89e62fe900363b227cdae5495c549bc1+0x1b25 @ 0x401b25
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637624
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637684
registers.edx: 22104
registers.ebx: 1
registers.esi: 5719064
registers.ecx: 10
exception.instruction_r: ed 89 5d e4 89 4d e0 5a 59 5b 58 83 4d fc ff eb
exception.symbol: 89e62fe900363b227cdae5495c549bc1+0x3449
exception.instruction: in eax, dx
exception.module: 89e62fe900363b227cdae5495c549bc1.exe
exception.exception_code: 0xc0000096
exception.offset: 13385
exception.address: 0x403449
success 0 0
File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 个事件)
Bkav W32.AIDetectVM.malware1
MicroWorld-eScan Gen:Heur.Mint.Regotet.1
FireEye Generic.mg.89e62fe900363b22
ALYac Trojan.Agent.QakBot
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2027703
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/Agentb.267143f9
K7GW Riskware ( 0040eff71 )
CrowdStrike win/malicious_confidence_80% (W)
Arcabit Trojan.Mint.Regotet.1
BitDefenderTheta Gen:NN.ZexaF.34670.Jm0@amR2!pii
Cyren W32/Kryptik.BMW.gen!Eldorado
Symantec Packed.Generic.459
ESET-NOD32 a variant of Win32/Kryptik.HDJM
TrendMicro-HouseCall Backdoor.Win32.QAKBOT.SME
Avast Win32:BankerX-gen [Trj]
ClamAV Win.Trojan.Generickdz-9778899-0
Kaspersky Trojan.Win32.Agentb.jxzq
BitDefender Gen:Heur.Mint.Regotet.1
NANO-Antivirus Trojan.Win32.Inject3.hkykuo
Paloalto generic.ml
Tencent Malware.Win32.Gencirc.10cdcae1
Ad-Aware Gen:Heur.Mint.Regotet.1
Sophos Mal/Generic-R + Mal/EncPk-APV
Comodo TrojWare.Win32.Qbot.GA@8sfc92
F-Secure Trojan.TR/Crypt.Agent.pjxch
DrWeb Trojan.Inject3.39996
VIPRE Trojan.Win32.Generic.pak!cobra
TrendMicro Backdoor.Win32.QAKBOT.SME
McAfee-GW-Edition BehavesLike.Win32.Generic.hm
SentinelOne Static AI - Malicious PE
Emsisoft Gen:Heur.Mint.Regotet.1 (B)
APEX Malicious
Jiangmin Trojan.Banker.Qbot.pe
Avira TR/Crypt.Agent.pjxch
MAX malware (ai score=85)
Antiy-AVL Trojan/Win32.Wacatac
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/QakBot.AG!MTB
AegisLab Trojan.Win32.Malicious.4!c
ZoneAlarm Trojan.Win32.Agentb.jxzq
GData Gen:Heur.Mint.Regotet.1
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Agent.R336683
Acronis suspicious
McAfee W32/PinkSbot-GS!89E62FE90036
VBA32 BScope.Trojan.Inject
Malwarebytes Backdoor.Qbot
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-05-15 01:23:10

Imports

Library KERNEL32.dll:
0x478004 HeapFree
0x478008 GetProcessHeap
0x47800c GetModuleHandleW
0x478010 GetModuleHandleA
0x478014 LoadLibraryW
0x478018 GetProcAddress
0x47801c FreeLibrary
0x478020 OutputDebugStringW
0x478024 GetLocalTime
0x478028 WriteFile
0x47802c SetFilePointer
0x478038 HeapAlloc
0x47803c CreateFileW
0x478040 DeviceIoControl
0x478044 CreateThread
0x478048 WaitForSingleObject
0x47804c GetCurrentProcess
0x478050 GetLastError
0x478054 CloseHandle
0x478058 ExitThread
0x47805c SetLastError
0x478060 lstrlenW
0x478064 GlobalReAlloc
0x478068 GlobalLock
0x47806c lstrcatW
0x478070 GlobalUnlock
0x478074 lstrcpyW
0x478078 AddAtomW
0x47807c IsValidLocale
0x478080 GlobalFree
0x478084 DeleteAtom
0x478088 lstrcmpW
0x47808c LocalAlloc
0x478090 lstrcpynW
0x478094 GetLocaleInfoW
0x478098 GlobalGetAtomNameW
0x47809c LocalFree
0x4780a0 WinExec
0x4780a4 GetStartupInfoW
0x4780a8 GetAtomNameW
0x4780ac ExitProcess
0x4780b0 GlobalAlloc
0x4780b4 lstrcmpiW
0x4780b8 VirtualAlloc
Library USER32.dll:
0x4780c0 LoadIconA
0x4780c4 AnyPopup
0x4780c8 CloseWindow
0x4780cc GetListBoxInfo
0x4780d0 InSendMessage
0x4780d4 GetKeyboardType
0x4780d8 GetSystemMetrics
0x4780dc GetMenu
0x4780e0 IsIconic
0x4780e4 GetParent
0x4780e8 GetTopWindow
0x4780ec DestroyCursor
0x4780f0 CloseClipboard
0x4780f8 IsCharAlphaNumericW
0x4780fc GetActiveWindow
0x478100 IsCharUpperW
0x478104 CopyIcon
0x478108 GetKeyboardLayout
0x47810c GetDoubleClickTime
Library GDI32.dll:
0x478114 GetEnhMetaFileW
0x478118 CreatePatternBrush
0x47811c GetROP2
0x478120 DeleteEnhMetaFile
0x478124 CloseFigure
0x478128 GetTextAlign
0x478130 SetMetaRgn
0x478134 DeleteColorSpace
0x478138 GetStockObject
0x47813c GetObjectType
0x478140 UnrealizeObject
Library ADVAPI32.dll:
0x478148 RegOpenKeyA
0x47814c RegQueryValueExA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62192 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.