10.4
0-day

e464f0e7a409ae14400f2a3591019306918fdede6b5564de9f0e91abfd78e83a

a358283045e9c0f0700af70a76216918.exe

Analysis duration: 98s

Last analysis:

File size: 256.0KB
Static scan: flagged malicious. Dynamic scan: flagged malicious. Tags: 100% AI SCORE=81 ATTRIBUTE CHAPAK CLOUD CONFIDENCE ELDORADO EQOI GDSDA GENERICKDZ GENKRYPTIK GINEA HEVK HEXG HIGH CONFIDENCE HIGHCONFIDENCE HNWMYL KPOT KRYPTIK LKNG MALICIOUS PE PROPAGATE QQW@AKC3DDJG R002C0DGG20 SCORE TROJANX UNSAFE URSNIF WACATAC ZEXAF
HawkEye engine (鹰眼引擎)
Not detected: no HawkEye engine results are available for this sample
Static verdict
Antivirus engines
Engine Result Date Version
McAfee Packed-GAO!A358283045E9 20200719 6.0.6.653
Alibaba TrojanSpy:Win32/Chapak.82196e4d 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:TrojanX-gen [Trj] 20200719 18.4.3895.0
Tencent Win32.Trojan.Chapak.Lkng 20200719 1.0.0.1
Kingsoft 20200719 2013.8.14.323
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1620818517.49975
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1620808751.750125
IsDebuggerPresent
failed 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware-related traffic (1 event)
suspicious_features Connection to IP address suspicious_request GET http://45.83.176.82/__utm.gif
Performs some HTTP requests (1 event)
request GET http://45.83.176.82/__utm.gif
Allocates read-write-execute memory (usually to unpack itself) (3 events)
Time & API Arguments Status Return Repeated
1620808751.563125
NtProtectVirtualMemory
process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 163840
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00dd9000
success 0 0
1620808751.563125
NtAllocateVirtualMemory
process_identifier: 2260
region_size: 290816
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00390000
success 0 0
1620818516.49975
NtAllocateVirtualMemory
process_identifier: 192
region_size: 249856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00700000
success 0 0
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated
1620818516.49975
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 208896
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x00680000
success 0 0
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1620818521.39075
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.610231347017685 section {'size_of_data': '0x0002c000', 'virtual_address': '0x00011000', 'entropy': 7.610231347017685, 'name': '.data', 'virtual_size': '0x0086e888'} description A section with a high entropy has been found
entropy 0.6901960784313725 description Overall entropy of this PE file is high
Network communication
Communicates with hosts for which no DNS query was performed (3 events)
host 172.217.24.14
host 45.83.176.82
host 52.218.61.132
Allocates execute permission in another process, indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1620808752.235125
NtAllocateVirtualMemory
process_identifier: 192
region_size: 307200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000080
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Potential code injection by writing to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1620808752.391125
WriteProcessMemory
process_identifier: 192
buffer: @
process_handle: 0x00000080
base_address: 0x7efde008
success 1 0
Sets or modifies the WPAD proxy autoconfiguration settings for traffic interception (15 events)
Time & API Arguments Status Return Repeated
1620818524.32775
RegSetValueExA
key_handle: 0x0000034c
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620818524.32775
RegSetValueExA
key_handle: 0x0000034c
value: 6,G×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620818524.32775
RegSetValueExA
key_handle: 0x0000034c
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620818524.32775
RegSetValueExW
key_handle: 0x0000034c
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620818524.32775
RegSetValueExA
key_handle: 0x00000368
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620818524.32775
RegSetValueExA
key_handle: 0x00000368
value: 6,G×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620818524.32775
RegSetValueExA
key_handle: 0x00000368
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620818525.15575
RegSetValueExW
key_handle: 0x00000348
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
1620818525.70275
RegSetValueExA
key_handle: 0x00000370
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620818525.70275
RegSetValueExA
key_handle: 0x00000370
value: `*÷6,G×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620818525.70275
RegSetValueExA
key_handle: 0x00000370
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620818525.70275
RegSetValueExW
key_handle: 0x00000370
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620818525.70275
RegSetValueExA
key_handle: 0x00000374
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620818525.70275
RegSetValueExA
key_handle: 0x00000374
value: `*÷6,G×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620818525.70275
RegSetValueExA
key_handle: 0x00000374
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection Process 2260 called NtSetContextThread to modify thread in remote process 192
Time & API Arguments Status Return Repeated
1620808752.391125
NtSetContextThread
thread_handle: 0x0000007c
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4199600
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 192
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 2260 resumed a thread in remote process 192
Time & API Arguments Status Return Repeated
1620808754.297125
NtResumeThread
thread_handle: 0x0000007c
suspend_count: 1
process_identifier: 192
success 0 0
Executed a process and injected code into it, probably while unpacking (8 events)
Time & API Arguments Status Return Repeated
1620808752.235125
CreateProcessInternalW
thread_identifier: 708
thread_handle: 0x0000007c
process_identifier: 192
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a358283045e9c0f0700af70a76216918.exe
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a358283045e9c0f0700af70a76216918.exe"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a358283045e9c0f0700af70a76216918.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x00000080
inherit_handles: 0
success 1 0
1620808752.235125
NtGetContextThread
thread_handle: 0x0000007c
success 0 0
1620808752.235125
NtUnmapViewOfSection
process_identifier: 192
region_size: 4096
process_handle: 0x00000080
base_address: 0x00400000
success 0 0
1620808752.235125
NtAllocateVirtualMemory
process_identifier: 192
region_size: 307200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000080
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1620808752.391125
WriteProcessMemory
process_identifier: 192
buffer: @
process_handle: 0x00000080
base_address: 0x7efde008
success 1 0
1620808752.391125
NtSetContextThread
thread_handle: 0x0000007c
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4199600
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 192
success 0 0
1620808754.297125
NtResumeThread
thread_handle: 0x0000007c
suspend_count: 1
process_identifier: 192
success 0 0
1620818518.23375
NtResumeThread
thread_handle: 0x000000f4
suspend_count: 1
process_identifier: 192
success 0 0
File has been identified by 52 antivirus engines on VirusTotal as malicious (50 out of 52 events)
MicroWorld-eScan Trojan.GenericKDZ.68698
FireEye Generic.mg.a358283045e9c0f0
McAfee Packed-GAO!A358283045E9
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 003e58dd1 )
Alibaba TrojanSpy:Win32/Chapak.82196e4d
K7GW Trojan ( 003e58dd1 )
CrowdStrike win/malicious_confidence_100% (W)
TrendMicro TROJ_GEN.R002C0DGG20
Cyren W32/Ursnif.DA.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:TrojanX-gen [Trj]
ClamAV Win.Dropper.KPOT-8865955-0
GData Trojan.GenericKDZ.68698
Kaspersky Trojan.Win32.Chapak.eqoi
BitDefender Trojan.GenericKDZ.68698
NANO-Antivirus Trojan.Win32.Chapak.hnwmyl
Paloalto generic.ml
ViRobot Trojan.Win32.Z.Ursnif.262144.AI
Tencent Win32.Trojan.Chapak.Lkng
Endgame malicious (high confidence)
Sophos Mal/Generic-S
F-Secure Trojan.TR/Crypt.Agent.ginea
Invincea heuristic
Emsisoft Trojan.GenericKDZ.68698 (B)
SentinelOne DFI - Malicious PE
F-Prot W32/Ursnif.DA.gen!Eldorado
Jiangmin Trojan.Propagate.byy
Avira TR/Crypt.Agent.ginea
Arcabit Trojan.Generic.D10C5A
AegisLab Trojan.Win32.Chapak.4!c
ZoneAlarm Trojan.Win32.Chapak.eqoi
Microsoft TrojanSpy:Win32/Ursnif.AR!MTB
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Ursnif.C4159858
VBA32 Trojan.Wacatac
ALYac Trojan.GenericKDZ.68698
MAX malware (ai score=81)
Ad-Aware Trojan.GenericKDZ.68698
Malwarebytes Trojan.Downloader
ESET-NOD32 a variant of Win32/Kryptik.HEVK
TrendMicro-HouseCall TROJ_GEN.R002C0DGG20
Rising Trojan.GenKryptik!8.AA55 (CLOUD)
Ikarus Trojan.Win32.Crypt
Fortinet W32/Kryptik.HEXG!tr
BitDefenderTheta Gen:NN.ZexaF.34136.qqW@aKC3ddjG
AVG Win32:TrojanX-gen [Trj]
Cybereason malicious.8a8eaf
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.78:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while this sample ran


PE Compile Time

2019-04-20 19:50:31

Imports

Library KERNEL32.dll:
0x40e004 ZombifyActCtx
0x40e00c WaitForSingleObject
0x40e010 GetModuleHandleW
0x40e014 GetTickCount
0x40e018 GetConsoleCP
0x40e01c SetFileShortNameW
0x40e020 GetCalendarInfoW
0x40e024 lstrcpynW
0x40e028 GetACP
0x40e02c lstrlenW
0x40e030 GetLastError
0x40e034 GetProcAddress
0x40e038 BuildCommDCBW
0x40e03c ResetEvent
0x40e040 DeleteFileA
0x40e044 GetCommandLineA
0x40e048 GetStartupInfoA
0x40e04c RaiseException
0x40e050 RtlUnwind
0x40e054 TerminateProcess
0x40e058 GetCurrentProcess
0x40e064 IsDebuggerPresent
0x40e068 HeapAlloc
0x40e06c HeapFree
0x40e078 TlsGetValue
0x40e07c TlsAlloc
0x40e080 TlsSetValue
0x40e084 TlsFree
0x40e088 SetLastError
0x40e08c GetCurrentThreadId
0x40e094 Sleep
0x40e098 HeapSize
0x40e09c ExitProcess
0x40e0a0 SetHandleCount
0x40e0a4 GetStdHandle
0x40e0a8 GetFileType
0x40e0b0 SetFilePointer
0x40e0b4 WriteFile
0x40e0b8 GetModuleFileNameA
0x40e0c8 WideCharToMultiByte
0x40e0cc HeapCreate
0x40e0d0 VirtualFree
0x40e0d8 GetCurrentProcessId
0x40e0e0 GetConsoleMode
0x40e0e4 GetCPInfo
0x40e0e8 GetOEMCP
0x40e0ec IsValidCodePage
0x40e0f0 VirtualAlloc
0x40e0f4 HeapReAlloc
0x40e0f8 MultiByteToWideChar
0x40e0fc LoadLibraryA
0x40e104 SetStdHandle
0x40e108 FlushFileBuffers
0x40e10c WriteConsoleA
0x40e110 GetConsoleOutputCP
0x40e114 WriteConsoleW
0x40e118 LCMapStringA
0x40e11c LCMapStringW
0x40e120 GetStringTypeA
0x40e124 GetStringTypeW
0x40e128 GetLocaleInfoA
0x40e12c CreateFileA
0x40e130 CloseHandle
Library WINHTTP.dll:

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49180 45.83.176.82 80
52.218.61.132 80 192.168.56.101 49192

UDP

Source Source Port Destination Destination Port
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 61680 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

URI Data
http://45.83.176.82/__utm.gif
GET /__utm.gif HTTP/1.1
Accept: */*
Cookie: NTvcOx6gYYB/0g11Ufp3xINb0BemXi8y/nHMm6apP68fbe3jiW1zoD1wxNmJEvZesXCWu5S7UuTL/451eWeyw3fC/eoVv8V3gJbyInCRoDnkJ8B5OukhalvWtVyIY4VS0UPMfUdx6Yp8xw3d2gd8BlXxKtz3noHoZl95dqV1Q5Y=
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; BTRS125526)
Host: 45.83.176.82
Connection: Keep-Alive
Cache-Control: no-cache

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.