9.2
极危
53 个模型检测该样本为恶意!
重新分析
更多

e938ade8d2fa23f38ba4bcbf425863e5966e19a215ee351d83bcb3d70dc5b8ec

a2c11142f02d5ff23a667a6e2d6255c8.exe

分析耗时

100s

最近分析

文件大小

727.5KB
静态报毒 动态报毒 AGENSLA AI SCORE=89 ALI2000016 AUSG BASIC BUH4EE CLOUD ELDORADO EQPB FAREIT FORMBOOK GDSDA GENKRYPTIK HIGH CONFIDENCE HSMLMP IGENT KCLOUD KRYPTIK LMUB MALWARE@#2MX7TWHI5XT3G MXRESICN PSWTROJ QNTUC QQPASS QQROB RATX SCORE SPYBOTNET TQ0@AOPFH8G TSCOPE UNSAFE YAKBEEXMSIL ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Fareit-FVT!A2C11142F02D 20210224 6.0.6.653
Alibaba Trojan:Win32/Kryptik.ali2000016 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:RATX-gen [Trj] 20210224 21.1.5827.0
Tencent Msil.Trojan-qqpass.Qqrob.Lmub 20210224 1.0.0.1
Kingsoft Win32.PSWTroj.Undef.(kcloud) 20210224 2017.9.26.565
CrowdStrike 20210203 1.0
静态指标
Checks if process is being debugged by a debugger (2 个事件)
Time & API Arguments Status Return Repeated
1619794545.890374
IsDebuggerPresent
failed 0 0
1619794610.967999
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619794609.640374
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)
section .sdata
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 73 个事件)
Time & API Arguments Status Return Repeated
1619794544.968374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00870000
success 0 0
1619794544.968374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009c0000
success 0 0
1619794545.859374
NtProtectVirtualMemory
process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c51000
success 0 0
1619794545.890374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ca000
success 0 0
1619794545.890374
NtProtectVirtualMemory
process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c52000
success 0 0
1619794545.890374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c2000
success 0 0
1619794546.218374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d2000
success 0 0
1619794551.499374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d3000
success 0 0
1619794551.609374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0048b000
success 0 0
1619794551.609374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00487000
success 0 0
1619794552.374374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003dc000
success 0 0
1619794552.577374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d4000
success 0 0
1619794552.593374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d5000
success 0 0
1619794552.593374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00870000
success 0 0
1619794552.609374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d6000
success 0 0
1619794552.655374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003fa000
success 0 0
1619794552.655374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ea000
success 0 0
1619794552.655374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e7000
success 0 0
1619794552.780374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003cb000
success 0 0
1619794552.812374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f2000
success 0 0
1619794552.812374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003fc000
success 0 0
1619794552.827374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d7000
success 0 0
1619794552.859374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x7ef50000
success 0 0
1619794552.859374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef50000
success 0 0
1619794552.874374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef50000
success 0 0
1619794552.874374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x7ef40000
success 0 0
1619794552.874374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef40000
success 0 0
1619794552.874374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00871000
success 0 0
1619794553.030374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00485000
success 0 0
1619794553.296374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009c1000
success 0 0
1619794553.452374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e6000
success 0 0
1619794553.468374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00872000
success 0 0
1619794608.593374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d8000
success 0 0
1619794608.593374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d9000
success 0 0
1619794608.593374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04830000
success 0 0
1619794608.593374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04831000
success 0 0
1619794608.593374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04832000
success 0 0
1619794608.593374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003dd000
success 0 0
1619794608.593374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04833000
success 0 0
1619794608.734374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04834000
success 0 0
1619794608.734374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00873000
success 0 0
1619794609.390374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00874000
success 0 0
1619794609.437374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00879000
success 0 0
1619794609.640374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0087a000
success 0 0
1619794609.968374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0087f000
success 0 0
1619794610.030374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c3000
success 0 0
1619794610.030374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003da000
success 0 0
1619794610.030374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x048f0000
success 0 0
1619794610.046374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x048f1000
success 0 0
1619794610.671374
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x048f2000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.827802198045922 section {'size_of_data': '0x000ac200', 'virtual_address': '0x00002000', 'entropy': 7.827802198045922, 'name': '.text', 'virtual_size': '0x000ac044'} description A section with a high entropy has been found
entropy 0.9476944253269098 description Overall entropy of this PE file is high
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619794610.093374
NtAllocateVirtualMemory
process_identifier: 1108
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001e0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619794610.093374
WriteProcessMemory
process_identifier: 1108
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELbO1_à &ÎD `@  @…€DK`ð€  H.textÔ$ & `.rsrcð`(@@.reloc €,@B
process_handle: 0x000001e0
base_address: 0x00400000
success 1 0
1619794610.109374
WriteProcessMemory
process_identifier: 1108
buffer: €0€HX`””4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0`InternalNameFZVFyJtBjpQvcAhKBoeCGhjOOr.exe(LegalCopyright hOriginalFilenameFZVFyJtBjpQvcAhKBoeCGhjOOr.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x000001e0
base_address: 0x00456000
success 1 0
1619794610.109374
WriteProcessMemory
process_identifier: 1108
buffer: @ Ð4
process_handle: 0x000001e0
base_address: 0x00458000
success 1 0
1619794610.109374
WriteProcessMemory
process_identifier: 1108
buffer: @
process_handle: 0x000001e0
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619794610.093374
WriteProcessMemory
process_identifier: 1108
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELbO1_à &ÎD `@  @…€DK`ð€  H.textÔ$ & `.rsrcð`(@@.reloc €,@B
process_handle: 0x000001e0
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2056 called NtSetContextThread to modify thread in remote process 1108
Time & API Arguments Status Return Repeated
1619794610.109374
NtSetContextThread
thread_handle: 0x000001dc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4539598
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1108
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2056 resumed a thread in remote process 1108
Time & API Arguments Status Return Repeated
1619794610.671374
NtResumeThread
thread_handle: 0x000001dc
suspend_count: 1
process_identifier: 1108
success 0 0
Executed a process and injected code into it, probably while unpacking (14 个事件)
Time & API Arguments Status Return Repeated
1619794545.890374
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2056
success 0 0
1619794545.952374
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 2056
success 0 0
1619794610.093374
CreateProcessInternalW
thread_identifier: 2900
thread_handle: 0x000001dc
process_identifier: 1108
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a2c11142f02d5ff23a667a6e2d6255c8.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a2c11142f02d5ff23a667a6e2d6255c8.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x000001e0
inherit_handles: 0
success 1 0
1619794610.093374
NtGetContextThread
thread_handle: 0x000001dc
success 0 0
1619794610.093374
NtAllocateVirtualMemory
process_identifier: 1108
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001e0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619794610.093374
WriteProcessMemory
process_identifier: 1108
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELbO1_à &ÎD `@  @…€DK`ð€  H.textÔ$ & `.rsrcð`(@@.reloc €,@B
process_handle: 0x000001e0
base_address: 0x00400000
success 1 0
1619794610.093374
WriteProcessMemory
process_identifier: 1108
buffer:
process_handle: 0x000001e0
base_address: 0x00402000
success 1 0
1619794610.109374
WriteProcessMemory
process_identifier: 1108
buffer: €0€HX`””4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0`InternalNameFZVFyJtBjpQvcAhKBoeCGhjOOr.exe(LegalCopyright hOriginalFilenameFZVFyJtBjpQvcAhKBoeCGhjOOr.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x000001e0
base_address: 0x00456000
success 1 0
1619794610.109374
WriteProcessMemory
process_identifier: 1108
buffer: @ Ð4
process_handle: 0x000001e0
base_address: 0x00458000
success 1 0
1619794610.109374
WriteProcessMemory
process_identifier: 1108
buffer: @
process_handle: 0x000001e0
base_address: 0x7efde008
success 1 0
1619794610.109374
NtSetContextThread
thread_handle: 0x000001dc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4539598
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1108
success 0 0
1619794610.671374
NtResumeThread
thread_handle: 0x000001dc
suspend_count: 1
process_identifier: 1108
success 0 0
1619794610.967999
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 1108
success 0 0
1619794610.967999
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 1108
success 0 0
File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.MSIL.Basic.6.Gen
FireEye Generic.mg.a2c11142f02d5ff2
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee Fareit-FVT!A2C11142F02D
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2388651
Sangfor Trojan.MSIL.Formbook.MK
K7AntiVirus Trojan ( 0056cbe11 )
Alibaba Trojan:Win32/Kryptik.ali2000016
K7GW Trojan ( 0056cbe11 )
Cybereason malicious.2f02d5
Arcabit Trojan.MSIL.Basic.6.Gen
Cyren W32/MSIL_Kryptik.BKX.gen!Eldorado
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Win32:RATX-gen [Trj]
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.MSIL.Basic.6.Gen
NANO-Antivirus Trojan.Win32.Agensla.hsmlmp
Paloalto generic.ml
Tencent Msil.Trojan-qqpass.Qqrob.Lmub
Ad-Aware Trojan.MSIL.Basic.6.Gen
Emsisoft Trojan.MSIL.Basic.6.Gen (B)
Comodo Malware@#2mx7twhi5xt3g
F-Secure Trojan.TR/Dropper.MSIL.qntuc
DrWeb BackDoor.SpyBotNET.25
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition Fareit-FVT!A2C11142F02D
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.Inject
Jiangmin Trojan.PSW.MSIL.ausg
Webroot W32.Malware.Gen
Avira TR/Dropper.MSIL.qntuc
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Kingsoft Win32.PSWTroj.Undef.(kcloud)
Microsoft Trojan:MSIL/Formbook.MK!MTB
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.MSIL.Basic.6.Gen
Cynet Malicious (score: 90)
BitDefenderTheta Gen:NN.ZemsilF.34590.Tq0@aOpFh8g
ALYac Trojan.MSIL.Basic.6.Gen
MAX malware (ai score=89)
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.MalPack
ESET-NOD32 a variant of MSIL/Kryptik.XJL
Rising Trojan.GenKryptik!8.AA55 (CLOUD)
Yandex Trojan.Igent.bUh4eE.4
eGambit Generic.Malware
Fortinet MSIL/GenKryptik.EQPB!tr
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
dead_host 172.217.160.78:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-18 11:35:59

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.