7.0
高危
57 个模型检测该样本为恶意!
重新分析
更多

7c5221b4ce4e0daa9ae1fb13678858f1e6bc60ed0df117918053d0bcb35342f7

97b87e59482170df3cb56b199d865345.exe

分析耗时

82s

最近分析

文件大小

165.0KB
静态报毒 动态报毒 100% 3IFMYR6MBOA AI SCORE=87 AIDETECTVM ATTRIBUTE BEAK CLASSIC CONFIDENCE ELDORADO FSJZ FUGRAFA GENCIRC GENKRYPTIK HDVJ HDWC HIGH CONFIDENCE HIGHCONFIDENCE HKYHLY HPGEN INJECT3 KCLOUD KRYPT KRYPTIK KY0@AIYD LNUDG MALWARE1 MALWARE@#K6NS99ASX33S PROXYGATE QVM10 SCORE STATIC AI SUSGEN SUSPICIOUS PE TRICKBOT TROJANX UNSAFE ZEXAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Trickbot-FSJZ!97B87E594821 20201211 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Alibaba Trojan:Win32/Trickbot.a88fc2a4 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:TrojanX-gen [Trj] 20201210 21.1.5827.0
Tencent Malware.Win32.Gencirc.118b2b86 20201211 1.0.0.1
Kingsoft Win32.Troj.Inject.(kcloud) 20201211 2017.9.26.565
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (2 个事件)
Time & API Arguments Status Return Repeated
1619797870.75125
NtProtectVirtualMemory
process_identifier: 3040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0087c000
success 0 0
1619797871.95475
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
Foreign language identified in PE resource (1 个事件)
name RT_VERSION language LANG_CHINESE offset 0x0002b57c filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000002e4
Drops a binary and executes it (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\97b87e59482170df3cb56b199d865345.exe
Drops an executable to the user AppData folder (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\97b87e59482170df3cb56b199d865345.exe
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)
Time & API Arguments Status Return Repeated
1619797872.01675
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x006c0000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.965136910396317 section {'size_of_data': '0x00008a00', 'virtual_address': '0x00023000', 'entropy': 7.965136910396317, 'name': '.rsrc', 'virtual_size': '0x000089dd'} description A section with a high entropy has been found
entropy 0.21036585365853658 description Overall entropy of this PE file is high
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\97b87e59482170df3cb56b199d865345.exe
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 3040 called NtSetContextThread to modify thread in remote process 2344
Time & API Arguments Status Return Repeated
1619797871.58025
NtSetContextThread
thread_handle: 0x000000cc
registers.eip: 2010382788
registers.esp: 1572772
registers.edi: 0
registers.eax: 4260288
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2344
success 0 0
Executed a process and injected code into it, probably while unpacking (4 个事件)
Time & API Arguments Status Return Repeated
1619797871.00125
NtResumeThread
thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 3040
success 0 0
1619797871.47025
CreateProcessInternalW
thread_identifier: 2636
thread_handle: 0x000000cc
process_identifier: 2344
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\97b87e59482170df3cb56b199d865345.exe
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\97b87e59482170df3cb56b199d865345.exe"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\97b87e59482170df3cb56b199d865345.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x000000d0
inherit_handles: 0
success 1 0
1619797871.48625
NtGetContextThread
thread_handle: 0x000000cc
success 0 0
1619797871.58025
NtSetContextThread
thread_handle: 0x000000cc
registers.eip: 2010382788
registers.esp: 1572772
registers.edi: 0
registers.eax: 4260288
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2344
success 0 0
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Fugrafa.47090
FireEye Generic.mg.97b87e59482170df
McAfee Trickbot-FSJZ!97B87E594821
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2039510
Sangfor Malware
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Trojan:Win32/Trickbot.a88fc2a4
K7GW Trojan ( 00567ef11 )
K7AntiVirus Trojan ( 00567ef11 )
Arcabit Trojan.Fugrafa.DB7F2
BitDefenderTheta Gen:NN.ZexaF.34670.ky0@aiyD!Ujj
Cyren W32/S-2985393c!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:TrojanX-gen [Trj]
Kaspersky HEUR:Trojan-Downloader.Win32.Adload.pef
BitDefender Gen:Variant.Fugrafa.47090
NANO-Antivirus Trojan.Win32.Inject3.hkyhly
Paloalto generic.ml
Tencent Malware.Win32.Gencirc.118b2b86
Ad-Aware Gen:Variant.Fugrafa.47090
Sophos Mal/Generic-S
Comodo Malware@#k6ns99asx33s
F-Secure Trojan.TR/Kryptik.lnudg
DrWeb Trojan.Inject3.41013
VIPRE Trojan.Win32.Generic!BT
TrendMicro Mal_HPGen-37b
McAfee-GW-Edition BehavesLike.Win32.Generic.cc
Emsisoft Gen:Variant.Fugrafa.47090 (B)
SentinelOne Static AI - Suspicious PE
Jiangmin Trojan.Inject.beak
Avira TR/Kryptik.lnudg
MAX malware (ai score=87)
Antiy-AVL Trojan/Win32.Inject
Kingsoft Win32.Troj.Inject.(kcloud)
Microsoft Trojan:Win32/Trickbot.PVB!MTB
ZoneAlarm HEUR:Trojan-Downloader.Win32.Adload.pef
GData Gen:Variant.Fugrafa.47090
Cynet Malicious (score: 85)
Acronis suspicious
VBA32 Trojan.Trickbot
ALYac Gen:Variant.Fugrafa.47090
Malwarebytes Adware.ProxyGate
ESET-NOD32 a variant of Win32/Kryptik.HDVJ
TrendMicro-HouseCall Mal_HPGen-37b
Rising Trojan.Kryptik!1.C75C (CLASSIC)
Yandex Trojan.GenKryptik!3iFmyr6MBOA
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-06-02 17:24:00

Imports

Library WININET.dll:
0x41213c FtpOpenFileA
0x412140 InternetReadFile
Library WINMM.dll:
0x412150 waveOutPause
0x412154 tid32Message
0x412158 midiInClose
0x41215c midiOutReset
Library imagehlp.dll:
0x412174 ImageRvaToSection
0x412178 SymInitialize
Library WINSPOOL.DRV:
0x412164
0x412168 EnumPrinterDataExW
Library SHELL32.dll:
0x41212c ExtractIconW
Library ODBC32.dll:
0x412104
0x412108
0x41210c
Library RESUTILS.dll:
0x412118 ClusWorkerCreate
0x412120 ResUtilStopService
Library KERNEL32.dll:
0x412000 TlsSetValue
0x412004 DecodePointer
0x412008 WriteConsoleW
0x41200c CreateFileW
0x412010 SetFilePointerEx
0x412014 CloseHandle
0x412018 HeapReAlloc
0x41201c HeapSize
0x412020 GetConsoleMode
0x412024 GetConsoleCP
0x412028 FlushFileBuffers
0x41202c GetProcessHeap
0x412030 GetStringTypeW
0x412034 SetStdHandle
0x412040 GetCommandLineW
0x412044 GetCommandLineA
0x412048 GetCPInfo
0x41204c GetOEMCP
0x412050 IsValidCodePage
0x412054 FindNextFileA
0x412058 FindFirstFileExA
0x41205c FindClose
0x412060 VirtualProtect
0x41206c GetCurrentProcess
0x412070 TerminateProcess
0x41207c GetCurrentProcessId
0x412080 GetCurrentThreadId
0x412088 InitializeSListHead
0x41208c IsDebuggerPresent
0x412090 GetStartupInfoW
0x412094 GetModuleHandleW
0x412098 RtlUnwind
0x41209c GetLastError
0x4120a0 SetLastError
0x4120b4 TlsAlloc
0x4120b8 TlsGetValue
0x4120bc RaiseException
0x4120c0 TlsFree
0x4120c4 FreeLibrary
0x4120c8 GetProcAddress
0x4120cc LoadLibraryExW
0x4120d0 GetStdHandle
0x4120d4 WriteFile
0x4120d8 GetModuleFileNameA
0x4120dc MultiByteToWideChar
0x4120e0 WideCharToMultiByte
0x4120e4 ExitProcess
0x4120e8 GetModuleHandleExW
0x4120ec GetACP
0x4120f0 HeapFree
0x4120f4 HeapAlloc
0x4120f8 LCMapStringW
0x4120fc GetFileType

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50003 239.255.255.250 3702
192.168.56.101 50005 239.255.255.250 3702
192.168.56.101 51968 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.