11.2
0-day

SHA-256: 3c913eb5c708579a85685ccee10a9ce487c51f9da743f2100c46e3e0e88d2569
File name: 9e88228d3c9f2a1f68d4ee212ee618f5.exe (the name is the sample's MD5; McAfee's PWS-FCSU!9E88228D3C9F and FireEye's Generic.mg.9e88228d3c9f2a1f below are derived from the same hash)
Analysis duration: 90s
Last analysis:
File size: 404.5KB
Static detection · Dynamic detection · 100%
Tags (tokens taken from the engine detection names listed below): AGEN AGENSLA AGENTTESLA AI SCORE=80 ATTRIBUTE BTRIEZ CONFIDENCE EHBT ELDORADO FCSU GDSDA GENERICKD GENKRYPTIK HHFAFY HIGH CONFIDENCE HIGHCONFIDENCE HWWM IGENT KRYPTIK MALWARE@#2KQ161JV5ZU5O MSILKRYPT13 NEGASTEAL OCCAMY OXSV PWSX SCORE SUSGEN TROJANPSW TSCOPE UNSAFE YAKBEEXMSIL ZAPCHAST ZEMSILF ZM0@ASUSTBL
Hawkeye engine
Not detected: no Hawkeye engine result is available for this sample
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
Alibaba | TrojanPSW:MSIL/AgentTesla.6e8ebb07 | 20190527 | 0.3.0.5
Baidu | (no result recorded) | 20190318 | 1.0.0.2
Avast | Win32:PWSX-gen [Trj] | 20201228 | 21.1.5827.0
Kingsoft | (no result recorded) | 20201228 | 2017.9.26.565
McAfee | PWS-FCSU!9E88228D3C9F | 20201228 | 6.0.6.653
Tencent | Msil.Trojan.Zapchast.Hwwm | 20201228 | 1.0.0.1
CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0
Static indicators
Queries for the computername (3 events)
Time | API | Arguments | Status | Return | Repeated
1619804560.449876 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619804563.730876 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619804568.199876 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
Checks if process is being debugged by a debugger (2 events)
Time | API | Arguments | Status | Return | Repeated
1619804548.527626 | IsDebuggerPresent | | failed | 0 | 0
1619804559.605876 | IsDebuggerPresent | | failed | 0 | 0
Note: "failed" is the monitor's convention for a zero return value from a BOOL-returning API. IsDebuggerPresent returned FALSE both times, i.e. no debugger was seen; the call itself did not fail.
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time | API | Arguments | Status | Return | Repeated
1619804559.137626 | GlobalMemoryStatusEx | | success | 1 | 0
One or more processes crashed (1 event)
Time | API | Status | Return | Repeated
1619804568.184876 | __exception__ | success | 0 | 0
Stack trace:
0x459f4fd
0x459e8ea
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73c51b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73c68dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73c76a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73c76a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73c76a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73d16a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73d169ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73d16eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73d170b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73d16fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5
Registers (decimal as logged, hex in parentheses): esp 3862796 (0x3af10c), edi 39288260 (0x2577dc4), eax 0, ebp 3862840 (0x3af138), edx 158 (0x9e), ebx 0, esi 1309946470 (0x4e143266), ecx 0
exception.instruction_r: 8b 01 ff 50 28 89 45 dc 69 c6 66 ef 83 09 35 8b
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x459f89f
Reading the crash: 0xc0000005 is an access violation. The faulting instruction (8b 01) reads through ecx, and ecx is 0, so this is a null object dereference; the bytes that follow (ff 50 28, call dword ptr [eax+0x28]) are a call through a method table loaded from that object, the shape of a JIT-compiled virtual call. The two top frames (0x459f4fd, 0x459e8ea) carry no module symbol, so the fault is in JIT-compiled managed code, and the frames beneath run ntdll -> mscoree -> mscoreei -> mscorwks, i.e. the .NET 4 shim dispatching into the v2.0 runtime: the assembly targets .NET 2.0/3.5. It is a first-chance exception that the runtime handled: the same process keeps calling GetComputerNameW (1619804568.199876) and only exits at 1619804581.480876.
Behavior verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 of 91 events)
All 50 events shown share these values and they are not repeated per row: process_identifier 2560, process_handle 0xffffffff (the caller's own process), protection 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass 0, stack_pivoted 0, status success, return 0, repeated 0. For NtProtectVirtualMemory the size column is the length argument and allocation_type does not apply.
Time | API | Size | heap_dep_bypass | allocation_type | base_address
1619804548.012626 | NtAllocateVirtualMemory | 1179648 | 0 | 8192 (MEM_RESERVE) | 0x00870000
1619804548.012626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x00950000
1619804548.480626 | NtProtectVirtualMemory | 4096 | 0 | - | 0x73c51000
1619804548.527626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x0043a000
1619804548.527626 | NtProtectVirtualMemory | 8192 | 0 | - | 0x73c52000
1619804548.527626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x00432000
1619804548.887626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x00442000
1619804548.949626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x00443000
1619804549.137626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x0047b000
1619804549.137626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x00477000
1619804549.199626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x0044c000
1619804549.762626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x00444000
1619804549.762626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x00445000
1619804549.793626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x00446000
1619804549.809626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x006b0000
1619804550.012626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x0045a000
1619804550.012626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x00457000
1619804550.027626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x0046a000
1619804550.059626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x0043b000
1619804550.199626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x00456000
1619804552.355626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x00462000
1619804552.402626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x00475000
1619804552.746626 | NtAllocateVirtualMemory | 1376256 | 0 | 8192 (MEM_RESERVE) | 0x04be0000
1619804552.746626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x04cf0000
1619804552.746626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x04cf1000
1619804552.777626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x04cf2000
1619804552.793626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x00447000
1619804553.371626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x006b1000
1619804553.668626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x04cf3000
1619804553.715626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x04cf4000
1619804554.746626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x04cf5000
1619804555.090626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x006b2000
1619804555.559626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x0044a000
1619804558.402626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x00448000
1619804558.543626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x02150000
1619804558.715626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x00449000
1619804558.777626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x00951000
1619804558.777626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x021b0000
1619804558.949626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x022d0000
1619804559.059626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x006b3000
1619804559.059626 | NtAllocateVirtualMemory | 16384 | 1 | 4096 (MEM_COMMIT) | 0x04cf6000
1619804559.059626 | NtAllocateVirtualMemory | 69632 | 1 | 4096 (MEM_COMMIT) | 0x04cfa000
1619804559.059626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x04d0b000
1619804559.074626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x04d0c000
1619804559.090626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x04d0d000
1619804559.090626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x04d0e000
1619804559.090626 | NtAllocateVirtualMemory | 12288 | 1 | 4096 (MEM_COMMIT) | 0x04d0f000
1619804559.090626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x022d1000
1619804559.105626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x006b4000
1619804559.105626 | NtAllocateVirtualMemory | 4096 | 1 | 4096 (MEM_COMMIT) | 0x04d12000
Note: in a .NET 2.0 process many small PAGE_EXECUTE_READWRITE commits come from the JIT and runtime start-up, and the two NtProtectVirtualMemory targets, 0x73c51000 and 0x73c52000, lie inside mscorwks.dll itself (its base is 0x73c50000, from mscorwks+0x1b4c @ 0x73c51b4c in the crash stack). On its own this signature is weak evidence for a managed sample; the remote allocation, write and context change against pid 3056 further down are the strong signal. All of these events end within a second before the child process is created at 1619804559.340626.
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.910653530283724 section {'size_of_data': '0x00064800', 'virtual_address': '0x00002000', 'entropy': 7.910653530283724, 'name': '.text', 'virtual_size': '0x00064648'} description A section with a high entropy has been found
entropy 0.995049504950495 description Overall entropy of this PE file is high
Note: the first figure is a Shannon entropy in bits per byte (8.0 is the maximum). 7.91 over a 0x64800-byte .text section is what compressed or encrypted data looks like; unpacked MSIL and metadata are far less uniform. The second figure is not an entropy: in the Cuckoo packer_entropy signature whose wording this report reproduces, it is the share of raw section bytes held in sections above 6.8 bits/byte. 0.995049504950495 is exactly 201/202, i.e. 0x64800 of 0x65000 bytes, so the remaining sections total 0x800 bytes and all sit below the threshold.
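The two numbers above are easy to conflate, so here is the arithmetic behind both as an added example (not code from the report or from the sandbox). It computes per-section Shannon entropy over constructed section contents and reproduces the "overall entropy" ratio from the .text size and entropy given in the report; the .rsrc and .reloc sizes and entropies are assumed, chosen so the section total is 0x65000 bytes, which is the total the report's 0.995049... ratio implies.

```python
"""Section entropy and the Cuckoo-style "overall entropy" ratio.

Added example, not part of the sandbox report or of Cuckoo itself. The
section byte strings are constructed; the .text size and entropy in
REPORT_SECTIONS are taken from the report, the .rsrc/.reloc sizes and
entropies are assumed.
"""
import hashlib
import math

# bits/byte above which Cuckoo's packer_entropy signature calls a section high entropy
HIGH_ENTROPY_THRESHOLD = 6.8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def high_entropy_ratio(sections) -> float:
    """Share of raw section bytes that sit in sections above the threshold.

    `sections` is a list of (name, size_of_data, entropy) tuples. This is the
    quantity the report labels "Overall entropy of this PE file": a fraction
    in [0, 1], not an entropy in bits.
    """
    total = sum(size for _, size, _ in sections)
    high = sum(size for _, size, ent in sections if ent > HIGH_ENTROPY_THRESHOLD)
    return high / total if total else 0.0


def classify_sections(sections):
    """Names of the sections the signature would mark as high entropy."""
    return [name for name, _, ent in sections if ent > HIGH_ENTROPY_THRESHOLD]


# Constructed section contents. Repeated DOS-stub text stands in for
# code/metadata-like content; chained SHA-256 digests stand in for packed
# data (deterministic, so the example needs no randomness to run).
PLAIN_TEXT_SECTION = b"This program cannot be run in DOS mode.\r\n" * 100
PACKED_SECTION = b"".join(
    hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))

# (name, size_of_data, entropy); .text values are from the report.
REPORT_SECTIONS = [
    (".text", 0x00064800, 7.910653530283724),
    (".rsrc", 0x00000600, 3.4),    # assumed
    (".reloc", 0x00000200, 0.1),   # assumed
]

if __name__ == "__main__":
    print(f"plain text : {shannon_entropy(PLAIN_TEXT_SECTION):.3f} bits/byte")
    print(f"packed-like: {shannon_entropy(PACKED_SECTION):.3f} bits/byte")
    print(f"high-entropy sections: {classify_sections(REPORT_SECTIONS)}")
    print(f"'overall entropy' ratio: {high_entropy_ratio(REPORT_SECTIONS):.15f}")
```

Run against a real file, the per-section inputs come from the PE section table (size_of_data and the raw bytes at the section's file offset); the ratio is what makes a single large packed .text dominate the verdict regardless of how many small clean sections follow it.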
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time | API | Arguments | Status | Return | Repeated
1619804568.199876 | LookupPrivilegeValueW | system_name: (empty); privilege_name: SeDebugPrivilege | success | 1 | 0
Note: LookupPrivilegeValueW only resolves the LUID of SeDebugPrivilege; enabling it would need a following AdjustTokenPrivileges call, which this report does not show, so whether the privilege was actually obtained cannot be read from this page.
Terminates another process (2 events)
Time | API | Arguments | Status | Return | Repeated
1619804581.480876 | NtTerminateProcess | status_code: 0xffffffff; process_identifier: 2560; process_handle: 0x00000354 | failed | 0 | 0
1619804581.480876 | NtTerminateProcess | status_code: 0xffffffff; process_identifier: 2560; process_handle: 0x00000354 | failed | 3221225738 | 0
Note: the target is pid 2560, the original loader, addressed through a real handle (0x354) rather than the self-handle 0xffffffff, which is consistent with the hollowed child (pid 3056) shutting down the process that spawned it. 3221225738 is 0xC000010A, STATUS_PROCESS_IS_TERMINATING: the second call arrives after the first has already ended the process.
Network communication
Communicates with host for which no DNS query was performed (3 events)
host 172.217.24.14
host 203.208.40.34
host 203.208.41.65
Allocates execute permission to another process indicative of possible code injection (1 event)
Time | API | Arguments | Status | Return | Repeated
1619804559.340626 | NtAllocateVirtualMemory | process_identifier: 3056; region_size: 327680; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0x0000020c; allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE); base_address: 0x00400000 | success | 0 | 0
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TQBmNUfk
reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\TYlcCjV\JObZX.exe
Note: a per-user Run key needs no elevation. The value name and the folder and file names are random-looking strings, and the path is the same one whose Zone.Identifier stream is deleted below; the dropped-files list at the end of the report is empty, so the copy itself was not captured.
Potential code injection by writing to the memory of another process (4 events)
Time | API | Arguments | Status | Return | Repeated
1619804559.340626 | WriteProcessMemory | process_identifier: 3056; process_handle: 0x0000020c; base_address: 0x00400000; buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELx¢n^à ˆ~¦ À@ @…$¦WÀðà  H.text„† ˆ `.rsrcðÀŠ@@.reloc àŽ@B | success | 1 | 0
1619804559.355626 | WriteProcessMemory | process_identifier: 3056; process_handle: 0x0000020c; base_address: 0x0044c000; buffer: €0€HXÀ””4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0` InternalNameBTQBXnlUvupbFarlFOXmKUemQza.exe(LegalCopyright h OriginalFilenameBTQBXnlUvupbFarlFOXmKUemQza.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 | success | 1 | 0
1619804559.355626 | WriteProcessMemory | process_identifier: 3056; process_handle: 0x0000020c; base_address: 0x0044e000; buffer:   €6 | success | 1 | 0
1619804559.355626 | WriteProcessMemory | process_identifier: 3056; process_handle: 0x0000020c; base_address: 0x7efde008; buffer: @ | success | 1 | 0
Reading the writes: the monitor prints only the printable bytes of each buffer. The first is a complete PE header (MZ stub, PE signature, section table naming .text, .rsrc and .reloc) written at 0x00400000 of the suspended child. The second carries the version resource of the embedded payload, which names itself BTQBXnlUvupbFarlFOXmKUemQza.exe with version 0.0.0.0. The last write goes to 0x7efde008; the NtSetContextThread event below has ebx = 2130567168 = 0x7efde000, the child's PEB, so this 4-byte write targets PEB->ImageBaseAddress (PEB + 8), and its one printable byte '@' (0x40) is the third byte of the new image base 0x00400000 in little-endian order.
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time | API | Arguments | Status | Return | Repeated
1619804559.340626 | WriteProcessMemory | process_identifier: 3056; process_handle: 0x0000020c; base_address: 0x00400000; buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELx¢n^à ˆ~¦ À@ @…$¦WÀðà  H.text„† ˆ `.rsrcðÀŠ@@.reloc àŽ@B | success | 1 | 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection: process 2560 called NtSetContextThread to modify a thread in remote process 3056
Time | API | Arguments | Status | Return | Repeated
1619804559.355626 | NtSetContextThread | thread_handle: 0x00000208; registers.eip: 0; registers.esp: 0; registers.edi: 0; registers.eax: 4499070; registers.ebp: 0; registers.edx: 0; registers.ebx: 2130567168; registers.esi: 0; registers.ecx: 0; process_identifier: 3056 | success | 0 | 0
Decoding the context: on 32-bit Windows the initial thread of a process created with CREATE_SUSPENDED starts with Eax = image entry point and Ebx = PEB address, so a hollowing loader rewrites Eax and leaves Ebx as it found it. Here eax = 4499070 = 0x0044a67e, which lies inside the 327680-byte (0x50000) region written at 0x00400000, and ebx = 2130567168 = 0x7efde000 is the PEB whose ImageBaseAddress field was patched at 0x7efde008 above. Once the thread is resumed, ntdll's start-up path runs the injected image from that entry point.
Attempts to remove evidence of file being downloaded from the Internet (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\TYlcCjV\JObZX.exe:Zone.Identifier
Note: Zone.Identifier is the NTFS alternate data stream that carries the Mark of the Web. Deleting it from the persisted copy (the path registered under the Run key above) keeps SmartScreen and the Attachment Execution Service from treating that file as an Internet download on later launches.
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection: process 2560 resumed a thread in remote process 3056
Time | API | Arguments | Status | Return | Repeated
1619804559.418626 | NtResumeThread | thread_handle: 0x00000208; suspend_count: 1; process_identifier: 3056 | success | 0 | 0
Executed a process and injected code into it, probably while unpacking (16 events)
Time | API | Arguments | Status | Return | Repeated
1619804548.527626 | NtResumeThread | thread_handle: 0x000000d0; suspend_count: 1; process_identifier: 2560 | success | 0 | 0
1619804548.590626 | NtResumeThread | thread_handle: 0x00000158; suspend_count: 1; process_identifier: 2560 | success | 0 | 0
1619804559.340626 | CreateProcessInternalW | thread_identifier: 2448; thread_handle: 0x00000208; process_identifier: 3056; current_directory: (empty); filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9e88228d3c9f2a1f68d4ee212ee618f5.exe; track: 1; command_line: "{path}"; filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9e88228d3c9f2a1f68d4ee212ee618f5.exe; stack_pivoted: 0; creation_flags: 4 (CREATE_SUSPENDED); process_handle: 0x0000020c; inherit_handles: 0 | success | 1 | 0
1619804559.340626 | NtGetContextThread | thread_handle: 0x00000208 | success | 0 | 0
1619804559.340626 | NtAllocateVirtualMemory | process_identifier: 3056; region_size: 327680; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0x0000020c; allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE); base_address: 0x00400000 | success | 0 | 0
1619804559.340626 | WriteProcessMemory | process_identifier: 3056; process_handle: 0x0000020c; base_address: 0x00400000; buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELx¢n^à ˆ~¦ À@ @…$¦WÀðà  H.text„† ˆ `.rsrcðÀŠ@@.reloc àŽ@B | success | 1 | 0
1619804559.340626 | WriteProcessMemory | process_identifier: 3056; process_handle: 0x0000020c; base_address: 0x00402000; buffer: (no printable bytes) | success | 1 | 0
1619804559.355626 | WriteProcessMemory | process_identifier: 3056; process_handle: 0x0000020c; base_address: 0x0044c000; buffer: €0€HXÀ””4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0` InternalNameBTQBXnlUvupbFarlFOXmKUemQza.exe(LegalCopyright h OriginalFilenameBTQBXnlUvupbFarlFOXmKUemQza.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 | success | 1 | 0
1619804559.355626 | WriteProcessMemory | process_identifier: 3056; process_handle: 0x0000020c; base_address: 0x0044e000; buffer:   €6 | success | 1 | 0
1619804559.355626 | WriteProcessMemory | process_identifier: 3056; process_handle: 0x0000020c; base_address: 0x7efde008; buffer: @ | success | 1 | 0
1619804559.355626 | NtSetContextThread | thread_handle: 0x00000208; registers.eip: 0; registers.esp: 0; registers.edi: 0; registers.eax: 4499070; registers.ebp: 0; registers.edx: 0; registers.ebx: 2130567168; registers.esi: 0; registers.ecx: 0; process_identifier: 3056 | success | 0 | 0
1619804559.418626 | NtResumeThread | thread_handle: 0x00000208; suspend_count: 1; process_identifier: 3056 | success | 0 | 0
1619804559.605876 | NtResumeThread | thread_handle: 0x000000d0; suspend_count: 1; process_identifier: 3056 | success | 0 | 0
1619804559.621876 | NtResumeThread | thread_handle: 0x0000015c; suspend_count: 1; process_identifier: 3056 | success | 0 | 0
1619804562.434876 | NtResumeThread | thread_handle: 0x000002c8; suspend_count: 1; process_identifier: 3056 | success | 0 | 0
1619804562.934876 | NtResumeThread | thread_handle: 0x000002f8; suspend_count: 1; process_identifier: 3056 | success | 0 | 0
Reading the sequence: this is textbook process hollowing, all within 80 ms. The loader (pid 2560) re-launches its own file suspended (pid 3056), reads the initial thread context, allocates 0x50000 bytes of RWX at 0x00400000 in the child, writes a PE header there, then three more regions whose order and contents match the header's section table (0x00402000 for .text, whose leading bytes are non-printable and so show as an empty buffer; 0x0044c000 for .rsrc, carrying VS_VERSION_INFO; 0x0044e000 for .reloc), patches PEB->ImageBaseAddress at 0x7efde008, points Eax at the new entry point 0x0044a67e via NtSetContextThread and resumes the thread. The NtResumeThread calls from 1619804559.605876 onward use small handles (0xd0, 0x15c, 0x2c8, 0x2f8) like the ones pid 2560 used on its own threads at 1619804548.5, and carry the child's timestamp suffix (...876 rather than the loader's ...626): they are pid 3056 resuming its own threads during runtime start-up, not further injection.
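The sequence above is the pattern a detection rule should key on: a suspended child, an RWX allocation and an MZ-prefixed write in that child, a context rewrite and a resume, all against the same target pid. The following is an added example (not code from the report or from the sandbox) that runs that correlation over a constructed trace built from the events listed above, decodes Eax and Ebx from the NtSetContextThread context, and checks the PEB->ImageBaseAddress patch. The buffer bytes are assumed, since the report prints only printable characters: a minimal MZ header for the 0x00400000 write and the little-endian image base for the 0x7efde008 write.

```python
"""Correlate Cuckoo-style API events into a process-hollowing finding.

Added example; not part of the sandbox report or of any tool it names.
TRACE is constructed from the report's events for pid 2560 -> pid 3056,
reduced to the fields the correlation needs; buffer contents are assumed
(the monitor shows only printable bytes, e.g. '@' = 0x40 for the PEB write).
"""
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004
PAGE_EXECUTE_READWRITE = 0x40
PEB_IMAGE_BASE_OFFSET = 0x8   # PEB->ImageBaseAddress on 32-bit Windows

TRACE = [
    {"ts": 1619804559.340626, "api": "CreateProcessInternalW", "pid": 3056,
     "creation_flags": CREATE_SUSPENDED},
    {"ts": 1619804559.340626, "api": "NtAllocateVirtualMemory", "pid": 3056,
     "base_address": 0x00400000, "region_size": 327680,
     "protection": PAGE_EXECUTE_READWRITE},
    {"ts": 1619804559.340626, "api": "WriteProcessMemory", "pid": 3056,
     "base_address": 0x00400000, "buffer": b"MZ\x90\x00" + b"\x00" * 60},
    {"ts": 1619804559.355626, "api": "WriteProcessMemory", "pid": 3056,
     "base_address": 0x0044c000, "buffer": b"VS_VERSION_INFO"},
    {"ts": 1619804559.355626, "api": "WriteProcessMemory", "pid": 3056,
     "base_address": 0x7efde008, "buffer": (0x00400000).to_bytes(4, "little")},
    {"ts": 1619804559.355626, "api": "NtSetContextThread", "pid": 3056,
     "eax": 4499070, "ebx": 2130567168},
    {"ts": 1619804559.418626, "api": "NtResumeThread", "pid": 3056,
     "suspend_count": 1},
]

# A parent that starts a child suspended and simply resumes it (a debugger,
# an installer wrapper) must not trigger the rule. Constructed, not from the report.
BENIGN_TRACE = [
    {"ts": 1.0, "api": "CreateProcessInternalW", "pid": 4242,
     "creation_flags": CREATE_SUSPENDED},
    {"ts": 1.1, "api": "NtResumeThread", "pid": 4242, "suspend_count": 1},
]


@dataclass
class HollowingFinding:
    target_pid: int
    image_base: int           # where the MZ header was written
    image_size: int           # size of the RWX region that received it
    entry_point: int          # Eax from the rewritten context
    peb: int                  # Ebx from the rewritten context
    image_base_patched: bool  # PEB->ImageBaseAddress overwritten with image_base

    @property
    def entry_in_image(self) -> bool:
        return self.image_base <= self.entry_point < self.image_base + self.image_size


def detect_hollowing(trace):
    """One HollowingFinding per suspended child that received a PE image.

    Required chain: CREATE_SUSPENDED -> remote PAGE_EXECUTE_READWRITE alloc ->
    WriteProcessMemory of an MZ header at that base -> NtSetContextThread ->
    NtResumeThread. On 32-bit Windows the initial context of a suspended
    process holds the entry point in Eax and the PEB in Ebx, hence the decode.
    """
    children = {}
    for ev in trace:
        if ev["api"] == "CreateProcessInternalW":
            if ev["creation_flags"] & CREATE_SUSPENDED:
                children[ev["pid"]] = []
        elif ev.get("pid") in children:
            children[ev["pid"]].append(ev)

    findings = []
    for pid, evs in children.items():
        rwx = [e for e in evs if e["api"] == "NtAllocateVirtualMemory"
               and e["protection"] & PAGE_EXECUTE_READWRITE]
        writes = [e for e in evs if e["api"] == "WriteProcessMemory"]
        ctx = next((e for e in evs if e["api"] == "NtSetContextThread"), None)
        resumed = any(e["api"] == "NtResumeThread" for e in evs)
        pe_hdr = [w for w in writes if w["buffer"][:2] == b"MZ"]
        if not (rwx and pe_hdr and ctx and resumed):
            continue
        base = pe_hdr[0]["base_address"]
        region = next((a for a in rwx if a["base_address"] == base), None)
        if region is None:
            continue
        peb = ctx["ebx"]
        patched = any(w["base_address"] == peb + PEB_IMAGE_BASE_OFFSET
                      and len(w["buffer"]) == 4
                      and int.from_bytes(w["buffer"], "little") == base
                      for w in writes)
        findings.append(HollowingFinding(pid, base, region["region_size"],
                                         ctx["eax"], peb, patched))
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(TRACE):
        print(f"pid {f.target_pid}: PE at {f.image_base:#010x} ({f.image_size:#x} bytes), "
              f"entry {f.entry_point:#010x} in image: {f.entry_in_image}, "
              f"PEB {f.peb:#010x}, ImageBaseAddress patched: {f.image_base_patched}")
```

Requiring the whole chain against one target pid is what keeps the rule quiet on legitimate CREATE_SUSPENDED users; on the report's trace it yields a single finding for pid 3056 with the entry point inside the written image and the PEB patch confirmed.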
File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 of 53 events)
Engine | Result
Elastic | malicious (high confidence)
MicroWorld-eScan | Trojan.GenericKD.33568654
FireEye | Generic.mg.9e88228d3c9f2a1f
CAT-QuickHeal | Trojan.YakbeexMSIL.ZZ4
ALYac | Trojan.GenericKD.33568654
Cylance | Unsafe
K7AntiVirus | Trojan ( 005635f31 )
Alibaba | TrojanPSW:MSIL/AgentTesla.6e8ebb07
K7GW | Trojan ( 005635f31 )
Cybereason | malicious.d3c9f2
Arcabit | Trojan.Generic.D200378E
BitDefenderTheta | Gen:NN.ZemsilF.34700.zm0@aSUSTbl
Cyren | W32/MSIL_Kryptik.AKH.gen!Eldorado
Symantec | ML.Attribute.HighConfidence
TrendMicro-HouseCall | TrojanSpy.MSIL.NEGASTEAL.VLK
Avast | Win32:PWSX-gen [Trj]
Kaspersky | HEUR:Trojan.MSIL.Zapchast.gen
BitDefender | Trojan.GenericKD.33568654
NANO-Antivirus | Trojan.Win32.Agensla.hhfafy
Paloalto | generic.ml
AegisLab | Trojan.Multi.Generic.4!c
Ad-Aware | Trojan.GenericKD.33568654
Sophos | Mal/Generic-S
Comodo | Malware@#2kq161jv5zu5o
F-Secure | Heuristic.HEUR/AGEN.1134071
VIPRE | Trojan.Win32.Generic!BT
TrendMicro | TrojanSpy.MSIL.NEGASTEAL.VLK
McAfee-GW-Edition | BehavesLike.Win32.Generic.gc
Emsisoft | Trojan.GenericKD.33568654 (B)
APEX | Malicious
Jiangmin | Trojan.MSIL.oxsv
eGambit | Unsafe.AI_Score_91%
Avira | HEUR/AGEN.1134071
Microsoft | Trojan:Win32/Occamy.C3C
ZoneAlarm | HEUR:Trojan-PSW.MSIL.Agensla.gen
GData | Trojan.GenericKD.33568654
Cynet | Malicious (score: 100)
AhnLab-V3 | Trojan/Win32.RL_MSILKrypt13.C4034915
McAfee | PWS-FCSU!9E88228D3C9F
MAX | malware (ai score=80)
VBA32 | TScope.Trojan.MSIL
Malwarebytes | Trojan.Crypt.MSIL
ESET-NOD32 | a variant of MSIL/Kryptik.VFQ
Tencent | Msil.Trojan.Zapchast.Hwwm
Yandex | Trojan.Igent.bTrIez.32
Ikarus | Trojan.MSIL.Inject
MaxSecure | Trojan.Malware.74499699.susgen
Fortinet | MSIL/GenKryptik.EHBT!tr
Webroot | W32.Trojan.Gen
AVG | Win32:PWSX-gen [Trj]
Note: the family-specific names agree. AgentTesla (Alibaba), Negasteal (Trend Micro) and Agensla (Kaspersky/ZoneAlarm, NANO) are three vendors' names for the same .NET credential stealer; the remaining MSIL/Kryptik-style labels describe the obfuscated .NET loader around it, which is what the injection section shows unpacking.
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
Visual analysis
Binary image
No binary image: the sample did not produce a binary visualization.
Runtime screenshots
No screenshots: none were captured while the sample ran.


PE Compile Time

2020-03-26 11:43:43

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Note: a single import, _CorExeMain from mscoree.dll, is the standard stub of a managed (.NET) executable: the native entry point jumps into the CLR, which then loads the MSIL. This matches the MSIL-family labels above and the mscoree/mscoreei/mscorwks frames in the crash stack.

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source | Source port | Destination | Destination port
192.168.56.101 | 49235 | 114.114.114.114 | 53
192.168.56.101 | 50568 | 114.114.114.114 | 53
192.168.56.101 | 53380 | 114.114.114.114 | 53
192.168.56.101 | 53657 | 114.114.114.114 | 53
192.168.56.101 | 55368 | 114.114.114.114 | 53
192.168.56.101 | 56539 | 114.114.114.114 | 53
192.168.56.101 | 63429 | 114.114.114.114 | 53
192.168.56.101 | 137 | 192.168.56.255 | 137
192.168.56.101 | 138 | 192.168.56.255 | 138
192.168.56.101 | 123 | 20.189.79.72 (time.windows.com) | 123
192.168.56.101 | 50002 | 224.0.0.252 | 5355
192.168.56.101 | 50534 | 224.0.0.252 | 5355
192.168.56.101 | 51808 | 224.0.0.252 | 5355
192.168.56.101 | 51963 | 224.0.0.252 | 5355
192.168.56.101 | 56804 | 224.0.0.252 | 5355
192.168.56.101 | 57756 | 224.0.0.252 | 5355
192.168.56.101 | 57874 | 224.0.0.252 | 5355
192.168.56.101 | 60384 | 224.0.0.252 | 5355
192.168.56.101 | 62191 | 224.0.0.252 | 5355
192.168.56.101 | 62912 | 224.0.0.252 | 5355

Note: the NetBIOS broadcasts on 137/138, the NTP request to time.windows.com and the LLMNR queries to 224.0.0.252:5355 are normal Windows background traffic from the guest. The seven DNS queries go to the guest's configured resolver, 114.114.114.114, but the page does not show what names they asked for, so they cannot be attributed to the sample. No TCP session was completed: the attempts to 172.217.24.14:443 and 172.217.160.110:443 listed as dead hosts, and the three hosts contacted without a DNS lookup, never got an answer during the 90-second run, which is why there is no HTTP or TLS data below.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.