4.2
Medium risk

70eae6d411554b0587f9bc3e7e7cc753e81b8086310dc5fa8181c44632fe1ada

929382d455868a6037c3a4ff93e81314.exe

Analysis time

77s

Last analysis

File size

1.3MB
Static detection: flagged. Dynamic detection: flagged. Tags: AI SCORE=99 APUB ARTEMIS BSCOPE CLOUD COBALTSTRIKE DOWNLOAD4 EHLS GENCIRC GENERICKD GRAYWARE HFFW HIGH CONFIDENCE HPJNEG ICVEL@0 IRVD KRYPTIK KZIP PANDA QVM07 R346632 SCORE SUSPICIOUS PE UMAL UNSAFE UQVFT UR1@AEQBQAFI VSNTGT20 WACATAC ZENPAK ZEUS ZEXAE
鹰眼 (Hawkeye) engine
Not detected: no 鹰眼 engine results available for this sample
Static verdict
Antivirus engines
Engine Result Scan date Engine version
CrowdStrike 20190702 1.0
Baidu 20190318 1.0.0.2
Alibaba Backdoor:Win32/KZip.5b1b87ce 20190527 0.3.0.5
Kingsoft 20200812 2013.8.14.323
McAfee Artemis!929382D45586 20200812 6.0.6.653
Tencent Malware.Win32.Gencirc.11aad65c 20200812 1.0.0.1
Avast Win32:Trojan-gen 20200812 18.4.3895.0
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1619686190.109734
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
This executable is signed
The executable uses a known packer (1 event)
packer Armadillo v1.71
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (6 events)
Time & API Arguments Status Return Repeated
1619686134.218734
NtAllocateVirtualMemory
process_identifier: 784
region_size: 376832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00560000
success 0 0
1619686188.796734
NtAllocateVirtualMemory
process_identifier: 784
region_size: 372736
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e10000
success 0 0
1619686188.812734
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 385024
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619686189.875734
NtAllocateVirtualMemory
process_identifier: 784
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01fd0000
success 0 0
1619686189.875734
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02000000
success 0 0
1619686189.875734
NtAllocateVirtualMemory
process_identifier: 784
region_size: 212992
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02001000
success 0 0
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated
1619686190.078734
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 151552
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x02180000
success 0 0
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619686191.687734
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Sets or modifies the WPAD proxy autoconfiguration settings for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619686194.281734
RegSetValueExA
key_handle: 0x000003a0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619686194.281734
RegSetValueExA
key_handle: 0x000003a0
value: €Bý4á<×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619686194.281734
RegSetValueExA
key_handle: 0x000003a0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619686194.281734
RegSetValueExW
key_handle: 0x000003a0
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619686194.296734
RegSetValueExA
key_handle: 0x000003bc
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619686194.296734
RegSetValueExA
key_handle: 0x000003bc
value: €Bý4á<×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619686194.296734
RegSetValueExA
key_handle: 0x000003bc
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619686194.328734
RegSetValueExW
key_handle: 0x0000039c
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events shown)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34253875
CAT-QuickHeal Trojan.Wacatac
ALYac Trojan.Agent.Zenpak
Malwarebytes Spyware.ZeuS.Panda
Zillya Trojan.Zenpak.Win32.2547
BitDefender Trojan.GenericKD.34253875
K7GW Trojan ( 0056b9e91 )
K7AntiVirus Trojan ( 0056b9e91 )
Invincea heuristic
Cyren W32/Trojan.IRVD-8631
Symantec Trojan Horse
APEX Malicious
Paloalto generic.ml
Kaspersky Trojan.Win32.Zenpak.apub
Alibaba Backdoor:Win32/KZip.5b1b87ce
NANO-Antivirus Trojan.Win32.Zenpak.hpjneg
ViRobot Trojan.Win32.Z.Zenpak.1379752
AegisLab Trojan.Win32.Zenpak.4!c
Rising Trojan.Zenpak!8.10372 (CLOUD)
Ad-Aware Trojan.GenericKD.34253875
Comodo TrojWare.Win32.UMal.icvel@0
F-Secure Trojan.TR/AD.CobaltStrike.uqvft
DrWeb Trojan.DownLoad4.13998
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_FRS.VSNTGT20
FireEye Generic.mg.929382d455868a60
Sophos Mal/Generic-S
SentinelOne DFI - Suspicious PE
Webroot W32.Zenpak.apub
Avira TR/AD.CobaltStrike.uqvft
Antiy-AVL GrayWare/Win32.Kryptik.ehls
Microsoft Trojan:Win32/Cobaltstrike.MK!MTB
Arcabit Trojan.Generic.D20AAC33
ZoneAlarm Trojan.Win32.Zenpak.apub
GData Trojan.GenericKD.34253875
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.CobaltStrike.R346632
McAfee Artemis!929382D45586
MAX malware (ai score=99)
VBA32 BScope.Trojan.Zenpak
Cylance Unsafe
Panda Trj/CI.A
ESET-NOD32 a variant of Win32/Kryptik.HFFW
TrendMicro-HouseCall TROJ_FRS.VSNTGT20
Tencent Malware.Win32.Gencirc.11aad65c
Ikarus Malware.Win32.CobaltStrike
Fortinet W32/Generic_PUA_JB.HFFW!tr
BitDefenderTheta Gen:NN.ZexaE.34152.ur1@aeQBqAfi
AVG Win32:Trojan-gen
Visual analysis
Binary image
No binary image: no binary visualization was generated for this sample
Runtime screenshots
No screenshots: none were captured while the sample ran


PE Compile Time

2020-07-25 21:03:25

Imports

Library KERNEL32.dll:
0x54fa40 GetLastError
0x54fa44 LoadLibraryW
0x54fa48 GetProcAddress
0x54fa4c GetModuleHandleW
0x54fa50 VirtualAllocEx
0x54fa54 GetStartupInfoA
0x54fa58 GetModuleHandleA
Library USER32.dll:
0x54fa60 GetDesktopWindow
0x54fa64 CharNextA
0x54fa68 wsprintfA
0x54fa6c DispatchMessageW
0x54fa70 RegisterClassA
0x54fa74 LoadImageA
0x54fa78 GetSystemMetrics
0x54fa7c DispatchMessageA
0x54fa80 PostMessageA
0x54fa84 AppendMenuA
0x54fa88 CreatePopupMenu
0x54fa8c ShowWindow
0x54fa94 GetCursorPos
0x54fa98 DefWindowProcA
0x54fa9c IsWindowUnicode
0x54faa0 PeekMessageA
0x54faa4 LoadIconA
0x54faa8 BeginPaint
0x54faac GetClientRect
0x54fab0 DrawTextA
0x54fab4 EndPaint
0x54fab8 PostQuitMessage
Library GDI32.dll:
0x54fac0 GetStockObject
0x54fac4 GetEnhMetaFileW
Library ADVAPI32.dll:
0x54facc RegOpenKeyA
Library WINMM.dll:
0x54fad4 PlaySoundA
Library MSVCRT.dll:
0x54fadc _except_handler3
0x54fae0 __set_app_type
0x54fae4 __p__fmode
0x54fae8 __p__commode
0x54faec _adjust_fdiv
0x54faf0 __setusermatherr
0x54faf4 _initterm
0x54faf8 __getmainargs
0x54fafc _acmdln
0x54fb00 exit
0x54fb04 _XcptFilter
0x54fb08 _exit
0x54fb0c _onexit
0x54fb10 __dllonexit
0x54fb14 _controlfp
Library IMM32.dll:
0x54fb1c ImmGetContext
0x54fb20 ImmGetOpenStatus
0x54fb24 ImmReleaseContext

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.