4.8
中危
59 个模型检测该样本为恶意!
重新分析
更多

894660e6d861ffa1731da58aeb71ce98e9c5344155479b1c6f7e999aef8c32b1

98c8a48e0b4279c3cbf25bdb52833069.exe

分析耗时

72s

最近分析

文件大小

571.5KB
静态报毒 动态报毒 A + MAL AGENTB AI SCORE=87 AIDETECTVM BANKERX BFSCZ BSCOPE CLASSIC COBRA CONFIDENCE ELDORADO ELJF ENCPK GA@8SFC92 GENCIRC GENERICKDZ GENETIC GENKRYPTIK HDJM HIGH CONFIDENCE HKPGOG INJECT3 JM0@ASZCWYHI JXZO KCLOUD KRYPTIK MALICIOUS PE MALWARE1 MINT PINKSBOT QAKBOT QBOT R336864 REGOTET SCORE STATIC AI UNSAFE WACATAC ZENPAK ZEXAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee W32/PinkSbot-GS!98C8A48E0B42 20201211 6.0.6.653
Alibaba Trojan:Win32/Agentb.2da23981 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:BankerX-gen [Trj] 20201210 21.1.5827.0
Kingsoft Win32.Troj.Banker.(kcloud) 20201211 2017.9.26.565
Tencent Malware.Win32.Gencirc.10cdcae2 20201211 1.0.0.1
CrowdStrike win/malicious_confidence_80% (W) 20190702 1.0
静态指标
Queries for the computername (2 个事件)
Time & API Arguments Status Return Repeated
1619781064.872538
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619781066.541767
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
One or more processes crashed (2 个事件)
Time & API Arguments Status Return Repeated
1619781067.259767
__exception__
stacktrace: 
98c8a48e0b4279c3cbf25bdb52833069+0x3f07 @ 0x403f07
98c8a48e0b4279c3cbf25bdb52833069+0x1b25 @ 0x401b25
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637624
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637684
registers.edx: 22104
registers.ebx: 1
registers.esi: 6110600
registers.ecx: 10
exception.instruction_r: ed 89 5d e4 89 4d e0 5a 59 5b 58 83 4d fc ff eb
exception.symbol: 98c8a48e0b4279c3cbf25bdb52833069+0x3449
exception.instruction: in eax, dx
exception.module: 98c8a48e0b4279c3cbf25bdb52833069.exe
exception.exception_code: 0xc0000096
exception.offset: 13385
exception.address: 0x403449
success 0 0
1619781067.259767
__exception__
stacktrace: 
98c8a48e0b4279c3cbf25bdb52833069+0x3f10 @ 0x403f10
98c8a48e0b4279c3cbf25bdb52833069+0x1b25 @ 0x401b25
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637628
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637684
registers.edx: 22104
registers.ebx: 1
registers.esi: 6110600
registers.ecx: 20
exception.instruction_r: ed 89 45 e4 5a 59 5b 58 83 4d fc ff eb 11 33 c0
exception.symbol: 98c8a48e0b4279c3cbf25bdb52833069+0x34e2
exception.instruction: in eax, dx
exception.module: 98c8a48e0b4279c3cbf25bdb52833069.exe
exception.exception_code: 0xc0000096
exception.offset: 13538
exception.address: 0x4034e2
success 0 0
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (6 个事件)
Time & API Arguments Status Return Repeated
1619781064.622538
NtAllocateVirtualMemory
process_identifier: 884
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004a0000
success 0 0
1619781064.638538
NtAllocateVirtualMemory
process_identifier: 884
region_size: 221184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004e0000
success 0 0
1619781064.638538
NtProtectVirtualMemory
process_identifier: 884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 237568
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619781066.353767
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004f0000
success 0 0
1619781066.369767
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 221184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00530000
success 0 0
1619781066.384767
NtProtectVirtualMemory
process_identifier: 2984
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 237568
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619781065.810538
CreateProcessInternalW
thread_identifier: 2740
thread_handle: 0x0000014c
process_identifier: 2984
current_directory:
filepath:
track: 1
command_line: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\98c8a48e0b4279c3cbf25bdb52833069.exe /C
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000150
inherit_handles: 0
success 1 0
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 个事件)
The binary likely contains encrypted or compressed data indicative of a packer (1 个事件)
entropy 6.922404964217177 section {'size_of_data': '0x00017c00', 'virtual_address': '0x00079000', 'entropy': 6.922404964217177, 'name': '.rsrc', 'virtual_size': '0x00017bdc'} description A section with a high entropy has been found
Expresses interest in specific running processes (1 个事件)
process vboxservice.exe
网络通信
Communicates with host for which no DNS query was performed (2 个事件)
host 172.217.24.14
host 203.208.40.66
Detects VMWare through the in instruction feature (1 个事件)
Time & API Arguments Status Return Repeated
1619781067.259767
__exception__
stacktrace: 
98c8a48e0b4279c3cbf25bdb52833069+0x3f07 @ 0x403f07
98c8a48e0b4279c3cbf25bdb52833069+0x1b25 @ 0x401b25
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637624
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637684
registers.edx: 22104
registers.ebx: 1
registers.esi: 6110600
registers.ecx: 10
exception.instruction_r: ed 89 5d e4 89 4d e0 5a 59 5b 58 83 4d fc ff eb
exception.symbol: 98c8a48e0b4279c3cbf25bdb52833069+0x3449
exception.instruction: in eax, dx
exception.module: 98c8a48e0b4279c3cbf25bdb52833069.exe
exception.exception_code: 0xc0000096
exception.offset: 13385
exception.address: 0x403449
success 0 0
File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 个事件)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Heur.Mint.Regotet.1
FireEye Generic.mg.98c8a48e0b4279c3
McAfee W32/PinkSbot-GS!98C8A48E0B42
Cylance Unsafe
VIPRE Trojan.Win32.Generic.pak!cobra
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/Agentb.2da23981
K7GW Riskware ( 0040eff71 )
Cybereason malicious.7febc8
Arcabit Trojan.Mint.Regotet.1
BitDefenderTheta Gen:NN.ZexaF.34670.Jm0@aSzCWyhi
Cyren W32/Kryptik.BMW.gen!Eldorado
Symantec W32.Qakbot
APEX Malicious
Avast Win32:BankerX-gen [Trj]
ClamAV Win.Trojan.Generickdz-9778899-0
Kaspersky Trojan.Win32.Agentb.jxzo
BitDefender Gen:Heur.Mint.Regotet.1
NANO-Antivirus Trojan.Win32.Inject3.hkpgog
Paloalto generic.ml
Rising Trojan.Kryptik!1.C745 (CLASSIC)
Ad-Aware Gen:Heur.Mint.Regotet.1
Emsisoft Gen:Heur.Mint.Regotet.1 (B)
Comodo TrojWare.Win32.Qbot.GA@8sfc92
F-Secure Trojan.TR/AD.Qbot.bfscz
DrWeb Trojan.Inject3.40031
Zillya Trojan.Qbot.Win32.8206
TrendMicro Backdoor.Win32.QAKBOT.SME
McAfee-GW-Edition BehavesLike.Win32.Generic.hm
Sophos ML/PE-A + Mal/EncPk-APV
Ikarus Backdoor.QBot
Jiangmin Trojan.Zenpak.bss
Webroot W32.Rogue.Gen
Avira TR/AD.Qbot.bfscz
MAX malware (ai score=87)
Antiy-AVL Trojan/Win32.Wacatac
Kingsoft Win32.Troj.Banker.(kcloud)
Microsoft Trojan:Win32/Qakbot.AR!MTB
ViRobot Trojan.Win32.S.QakBot.585216.F
ZoneAlarm Trojan.Win32.Agentb.jxzo
GData Gen:Heur.Mint.Regotet.1
Cynet Malicious (score: 100)
AhnLab-V3 Backdoor/Win32.Qakbot.R336864
Acronis suspicious
VBA32 BScope.Trojan.Inject
ALYac Trojan.Agent.QakBot
Malwarebytes Backdoor.Qbot
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-05-15 16:27:31

Imports

Library KERNEL32.dll:
0x47804c HeapFree
0x478050 GetProcessHeap
0x478054 GetModuleHandleW
0x478058 GetModuleHandleA
0x47805c LoadLibraryW
0x478060 GetProcAddress
0x478064 FreeLibrary
0x478068 OutputDebugStringW
0x47806c GetLocalTime
0x478070 WriteFile
0x478074 SetFilePointer
0x478080 HeapAlloc
0x478084 CreateFileW
0x478088 DeviceIoControl
0x47808c CreateThread
0x478090 WaitForSingleObject
0x478094 GetCurrentProcess
0x478098 GetLastError
0x47809c CloseHandle
0x4780a0 ExitThread
0x4780a4 SetLastError
0x4780a8 lstrlenW
0x4780ac GlobalReAlloc
0x4780b0 GlobalLock
0x4780b4 lstrcatW
0x4780b8 GlobalUnlock
0x4780bc lstrcpyW
0x4780c0 AddAtomW
0x4780c4 IsValidLocale
0x4780c8 GlobalFree
0x4780cc DeleteAtom
0x4780d0 lstrcmpW
0x4780d4 LocalAlloc
0x4780d8 lstrcpynW
0x4780dc GetLocaleInfoW
0x4780e0 GlobalGetAtomNameW
0x4780e4 LocalFree
0x4780e8 WinExec
0x4780ec GetStartupInfoW
0x4780f0 GetAtomNameW
0x4780f4 ExitProcess
0x4780f8 GlobalAlloc
0x4780fc lstrcmpiW
0x478100 VirtualAlloc
Library USER32.dll:
0x478108 LoadIconA
0x47810c AnyPopup
0x478110 CloseWindow
0x478114 GetListBoxInfo
0x478118 InSendMessage
0x47811c GetKeyboardType
0x478120 GetSystemMetrics
0x478124 GetMenu
0x478128 IsIconic
0x47812c GetParent
0x478130 GetTopWindow
0x478134 DestroyCursor
0x478138 CloseClipboard
0x478140 IsCharAlphaNumericW
0x478144 GetActiveWindow
0x478148 IsCharUpperW
0x47814c CopyIcon
0x478150 GetKeyboardLayout
0x478154 GetDoubleClickTime
Library GDI32.dll:
0x47815c GetEnhMetaFileW
0x478160 CreatePatternBrush
0x478164 GetROP2
0x478168 DeleteEnhMetaFile
0x47816c CloseFigure
0x478170 GetTextAlign
0x478178 SetMetaRgn
0x47817c DeleteColorSpace
0x478180 GetStockObject
0x478184 GetObjectType
0x478188 UnrealizeObject
Library ADVAPI32.dll:
0x478190 RegOpenKeyA
0x478194 RegQueryValueExA
Library SHELL32.dll:
0x47819c ShellExecuteW
0x4781a8 SHChangeNotify
0x4781ac SHBrowseForFolderW
0x4781b0

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51379 239.255.255.250 3702
192.168.56.101 51381 239.255.255.250 3702
192.168.56.101 51964 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 63432 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.