8.2
高危
51 个模型检测该样本为恶意!
重新分析
更多

7b8df140852947533df21149c9bcb88be9cf040440dfb8f5eb7140171d67ce52

99996216855c81d9cc40d112468cfc26.exe

分析耗时

76s

最近分析

文件大小

762.0KB
静态报毒 动态报毒 0NA104GV20 AGENTTESLA AI SCORE=83 ATTRIBUTE AVSARHER BUBVUR CONFIDENCE ELDORADO EPID FAREIT FNQHN@0 GDSDA GENERICKD GENKRYPTIK HEAPOVERRIDE HIGH CONFIDENCE HIGHCONFIDENCE HPSUBX HVJD IRRIW KRYPTIK LOKIBOT MALICIOUS PE MALWAREX SCORE SPYBOTNET UMAL UNSAFE VM0@ASJOQ3J ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Fareit-FXU!99996216855C 20200910 6.0.6.653
Alibaba TrojanSpy:MSIL/AgentTesla.8967a816 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:MalwareX-gen [Trj] 20200911 18.4.3895.0
Tencent Msil.Trojan.Crypt.Hvjd 20200911 1.0.0.1
Kingsoft 20200911 2013.8.14.323
CrowdStrike win/malicious_confidence_80% (W) 20190702 1.0
静态指标
Checks if process is being debugged by a debugger (50 out of 98 个事件)
Time & API Arguments Status Return Repeated
1619786219.778501
IsDebuggerPresent
failed 0 0
1619786220.887501
IsDebuggerPresent
failed 0 0
1619786221.387501
IsDebuggerPresent
failed 0 0
1619786221.887501
IsDebuggerPresent
failed 0 0
1619786222.387501
IsDebuggerPresent
failed 0 0
1619786222.887501
IsDebuggerPresent
failed 0 0
1619786223.387501
IsDebuggerPresent
failed 0 0
1619786223.887501
IsDebuggerPresent
failed 0 0
1619786224.387501
IsDebuggerPresent
failed 0 0
1619786224.887501
IsDebuggerPresent
failed 0 0
1619786225.387501
IsDebuggerPresent
failed 0 0
1619786225.887501
IsDebuggerPresent
failed 0 0
1619786226.387501
IsDebuggerPresent
failed 0 0
1619786226.887501
IsDebuggerPresent
failed 0 0
1619786227.387501
IsDebuggerPresent
failed 0 0
1619786227.887501
IsDebuggerPresent
failed 0 0
1619786228.387501
IsDebuggerPresent
failed 0 0
1619786228.887501
IsDebuggerPresent
failed 0 0
1619786229.387501
IsDebuggerPresent
failed 0 0
1619786229.887501
IsDebuggerPresent
failed 0 0
1619786230.387501
IsDebuggerPresent
failed 0 0
1619786230.887501
IsDebuggerPresent
failed 0 0
1619786231.387501
IsDebuggerPresent
failed 0 0
1619786231.887501
IsDebuggerPresent
failed 0 0
1619786232.387501
IsDebuggerPresent
failed 0 0
1619786232.887501
IsDebuggerPresent
failed 0 0
1619786233.387501
IsDebuggerPresent
failed 0 0
1619786233.887501
IsDebuggerPresent
failed 0 0
1619786234.387501
IsDebuggerPresent
failed 0 0
1619786234.887501
IsDebuggerPresent
failed 0 0
1619786235.387501
IsDebuggerPresent
failed 0 0
1619786235.887501
IsDebuggerPresent
failed 0 0
1619786236.387501
IsDebuggerPresent
failed 0 0
1619786236.887501
IsDebuggerPresent
failed 0 0
1619786237.387501
IsDebuggerPresent
failed 0 0
1619786237.887501
IsDebuggerPresent
failed 0 0
1619786238.387501
IsDebuggerPresent
failed 0 0
1619786238.887501
IsDebuggerPresent
failed 0 0
1619786239.387501
IsDebuggerPresent
failed 0 0
1619786239.887501
IsDebuggerPresent
failed 0 0
1619786240.387501
IsDebuggerPresent
failed 0 0
1619786240.887501
IsDebuggerPresent
failed 0 0
1619786241.387501
IsDebuggerPresent
failed 0 0
1619786241.887501
IsDebuggerPresent
failed 0 0
1619786242.387501
IsDebuggerPresent
failed 0 0
1619786242.887501
IsDebuggerPresent
failed 0 0
1619786243.387501
IsDebuggerPresent
failed 0 0
1619786243.887501
IsDebuggerPresent
failed 0 0
1619786244.387501
IsDebuggerPresent
failed 0 0
1619786244.887501
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619786220.387501
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 114 个事件)
Time & API Arguments Status Return Repeated
1619786219.012501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00450000
success 0 0
1619786219.012501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004d0000
success 0 0
1619786219.622501
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619786219.778501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0030a000
success 0 0
1619786219.778501
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619786219.778501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00302000
success 0 0
1619786220.153501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00322000
success 0 0
1619786220.231501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00323000
success 0 0
1619786220.247501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0045b000
success 0 0
1619786220.247501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00457000
success 0 0
1619786220.262501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0032c000
success 0 0
1619786220.340501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00690000
success 0 0
1619786220.372501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00324000
success 0 0
1619786220.372501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00691000
success 0 0
1619786220.372501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00692000
success 0 0
1619786220.387501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00693000
success 0 0
1619786220.403501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00694000
success 0 0
1619786220.575501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00325000
success 0 0
1619786220.606501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00695000
success 0 0
1619786220.622501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0032a000
success 0 0
1619786220.684501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0034a000
success 0 0
1619786220.700501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00342000
success 0 0
1619786220.747501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00455000
success 0 0
1619786220.840501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00696000
success 0 0
1619786220.840501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00697000
success 0 0
1619786220.981501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00698000
success 0 0
1619786221.075501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00326000
success 0 0
1619786221.184501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0033a000
success 0 0
1619786221.184501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00337000
success 0 0
1619786259.309501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0030b000
success 0 0
1619786259.544501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0034c000
success 0 0
1619786259.575501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00336000
success 0 0
1619786259.575501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00327000
success 0 0
1619786259.590501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00699000
success 0 0
1619786259.637501
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 324096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x050b0400
failed 3221225550 0
1619786266.934501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0069a000
success 0 0
1619786266.934501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00328000
success 0 0
1619786266.934501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0069b000
success 0 0
1619786266.981501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0069c000
success 0 0
1619786267.028501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0069d000
success 0 0
1619786267.044501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0069e000
success 0 0
1619786267.169501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0069f000
success 0 0
1619786267.215501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x011d0000
success 0 0
1619786267.215501
NtAllocateVirtualMemory
process_identifier: 784
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x011d1000
success 0 0
1619786267.231501
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x050b0178
failed 3221225550 0
1619786267.231501
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x050b01a0
failed 3221225550 0
1619786267.231501
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x050b01c8
failed 3221225550 0
1619786267.231501
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x050b01f0
failed 3221225550 0
1619786267.231501
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x050b0218
failed 3221225550 0
1619786267.231501
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x050fff8e
failed 3221225550 0
A process attempted to delay the analysis task. (1 个事件)
description 99996216855c81d9cc40d112468cfc26.exe tried to sleep 142 seconds, actually delayed analysis time by 142 seconds
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.556805361450621 section {'size_of_data': '0x000bde00', 'virtual_address': '0x00002000', 'entropy': 7.556805361450621, 'name': '.text', 'virtual_size': '0x000bdc94'} description A section with a high entropy has been found
entropy 0.9973736047275115 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619786220.653501
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619786280.403374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619786267.434501
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000ac4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619786267.450501
WriteProcessMemory
process_identifier: 2964
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL$!ÿ^à TÞr €@ À@…„rW€   H.textäR T `.rsrc€V@@.reloc  Z@B
process_handle: 0x00000ac4
base_address: 0x00400000
success 1 0
1619786267.450501
WriteProcessMemory
process_identifier: 2964
buffer: €0€HX€¤¤4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoà000004b0,FileDescription 0FileVersion0.0.0.0h#InternalNamejNSLqLWEqhptUUuBTdstVFxYmdXbeS.exe(LegalCopyright p#OriginalFilenamejNSLqLWEqhptUUuBTdstVFxYmdXbeS.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x00000ac4
base_address: 0x00448000
success 1 0
1619786267.450501
WriteProcessMemory
process_identifier: 2964
buffer: p à2
process_handle: 0x00000ac4
base_address: 0x0044a000
success 1 0
1619786267.450501
WriteProcessMemory
process_identifier: 2964
buffer: @
process_handle: 0x00000ac4
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619786267.450501
WriteProcessMemory
process_identifier: 2964
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL$!ÿ^à TÞr €@ À@…„rW€   H.textäR T `.rsrc€V@@.reloc  Z@B
process_handle: 0x00000ac4
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 784 called NtSetContextThread to modify thread in remote process 2964
Time & API Arguments Status Return Repeated
1619786267.450501
NtSetContextThread
thread_handle: 0x0000f108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4485854
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2964
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 784 resumed a thread in remote process 2964
Time & API Arguments Status Return Repeated
1619786267.825501
NtResumeThread
thread_handle: 0x0000f108
suspend_count: 1
process_identifier: 2964
success 0 0
Executed a process and injected code into it, probably while unpacking (18 个事件)
Time & API Arguments Status Return Repeated
1619786219.778501
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 784
success 0 0
1619786219.825501
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 784
success 0 0
1619786220.825501
NtResumeThread
thread_handle: 0x00000214
suspend_count: 1
process_identifier: 784
success 0 0
1619786220.856501
NtResumeThread
thread_handle: 0x00000230
suspend_count: 1
process_identifier: 784
success 0 0
1619786267.247501
NtResumeThread
thread_handle: 0x00006064
suspend_count: 1
process_identifier: 784
success 0 0
1619786267.262501
NtResumeThread
thread_handle: 0x00002338
suspend_count: 1
process_identifier: 784
success 0 0
1619786267.434501
CreateProcessInternalW
thread_identifier: 2968
thread_handle: 0x0000f108
process_identifier: 2964
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\99996216855c81d9cc40d112468cfc26.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\99996216855c81d9cc40d112468cfc26.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000ac4
inherit_handles: 0
success 1 0
1619786267.434501
NtGetContextThread
thread_handle: 0x0000f108
success 0 0
1619786267.434501
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000ac4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619786267.450501
WriteProcessMemory
process_identifier: 2964
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL$!ÿ^à TÞr €@ À@…„rW€   H.textäR T `.rsrc€V@@.reloc  Z@B
process_handle: 0x00000ac4
base_address: 0x00400000
success 1 0
1619786267.450501
WriteProcessMemory
process_identifier: 2964
buffer:
process_handle: 0x00000ac4
base_address: 0x00402000
success 1 0
1619786267.450501
WriteProcessMemory
process_identifier: 2964
buffer: €0€HX€¤¤4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoà000004b0,FileDescription 0FileVersion0.0.0.0h#InternalNamejNSLqLWEqhptUUuBTdstVFxYmdXbeS.exe(LegalCopyright p#OriginalFilenamejNSLqLWEqhptUUuBTdstVFxYmdXbeS.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x00000ac4
base_address: 0x00448000
success 1 0
1619786267.450501
WriteProcessMemory
process_identifier: 2964
buffer: p à2
process_handle: 0x00000ac4
base_address: 0x0044a000
success 1 0
1619786267.450501
WriteProcessMemory
process_identifier: 2964
buffer: @
process_handle: 0x00000ac4
base_address: 0x7efde008
success 1 0
1619786267.450501
NtSetContextThread
thread_handle: 0x0000f108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4485854
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2964
success 0 0
1619786267.825501
NtResumeThread
thread_handle: 0x0000f108
suspend_count: 1
process_identifier: 2964
success 0 0
1619786268.184374
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2964
success 0 0
1619786268.247374
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 2964
success 0 0
File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43569728
FireEye Generic.mg.99996216855c81d9
McAfee Fareit-FXU!99996216855C
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
K7AntiVirus Trojan ( 0056ba0b1 )
Alibaba TrojanSpy:MSIL/AgentTesla.8967a816
K7GW Trojan ( 0056ba0b1 )
Cybereason malicious.4c6fc6
Arcabit Trojan.Generic.D298D240
Invincea Mal/Generic-S
BitDefenderTheta Gen:NN.ZemsilF.34216.Vm0@aSjoQ3j
Cyren W32/MSIL_Troj.YA.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:MalwareX-gen [Trj]
Kaspersky HEUR:Trojan.MSIL.Crypt.gen
BitDefender Trojan.GenericKD.43569728
NANO-Antivirus Trojan.Win32.Crypt.hpsubx
Paloalto generic.ml
AegisLab Trojan.MSIL.Crypt.4!c
Tencent Msil.Trojan.Crypt.Hvjd
Ad-Aware Trojan.GenericKD.43569728
Comodo TrojWare.Win32.UMal.fnqhn@0
F-Secure Trojan.TR/Kryptik.irriw
DrWeb BackDoor.SpyBotNET.25
TrendMicro TROJ_FRS.0NA104GV20
Sophos Mal/Generic-S
SentinelOne DFI - Malicious PE
Avira TR/Kryptik.irriw
Antiy-AVL Trojan/MSIL.Crypt
Microsoft TrojanSpy:MSIL/AgentTesla.AQ!MTB
ViRobot Trojan.Win32.S.LokiBot.780288
ZoneAlarm HEUR:Trojan.MSIL.Crypt.gen
GData Trojan.GenericKD.43569728
Cynet Malicious (score: 85)
AhnLab-V3 Trojan/Win32.AgentTesla.C4173388
VBA32 CIL.HeapOverride.Heur
ALYac Trojan.GenericKD.43569728
MAX malware (ai score=83)
Malwarebytes Trojan.MalPack.PNG.Generic
ESET-NOD32 a variant of MSIL/Kryptik.XDK
TrendMicro-HouseCall TROJ_FRS.0NA104GV20
Yandex Trojan.AvsArher.bUbVUr
Ikarus Trojan.Inject
Fortinet MSIL/GenKryptik.EPID!tr
AVG Win32:MalwareX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_80% (W)
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-07-30 18:30:53

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 49714 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 1900
192.168.56.101 53658 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.