7.2
高危
54 个模型检测该样本为恶意!
重新分析
更多

4cfbcf63017435ed008e8406fadc555579ba4a5c7b77b648133b6d98e5df49bf

a68d582885e8865dc92a47794c2d53f7.exe

分析耗时

90s

最近分析

文件大小

566.0KB
静态报毒 动态报毒 5BJMNFMPGNP AGENSLA AGENTTESLA AI SCORE=84 BLUTEAL BSCOPE BUK2BF CONFIDENCE EREQ GENERICKD GENKRYPTIK HFUX HIGH CONFIDENCE HTNGIX IGENT IXAEA@0 JY0@AQKMO0EI KRYPTIK LMUN QQPASS QQROB R06CC0WHS20 R349358 SCORE SPYBOTNET SUSGEN SUSPICIOUS PE TROJANPSW TROJANPWS UNSAFE VQKWE WACATAC WOREFLINT ZEXAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba TrojanPSW:MSIL/Agensla.a60c5641 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
Avast Win32:Trojan-gen 20200910 18.4.3895.0
Baidu 20190318 1.0.0.2
Kingsoft 20200910 2013.8.14.323
McAfee RDN/Generic.hra 20200910 6.0.6.653
Tencent Msil.Trojan-qqpass.Qqrob.Lmun 20200910 1.0.0.1
静态指标
Queries for the computername (4 个事件)
Time & API Arguments Status Return Repeated
1619811649.300876
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619811650.925876
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619811652.956876
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619811653.175876
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (2 个事件)
Time & API Arguments Status Return Repeated
1619811636.316876
IsDebuggerPresent
failed 0 0
1619811636.316876
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619781466.172375
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619811652.738876
__exception__
stacktrace: 
0x4842605
0x4841950
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x739821db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x739a4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x739a4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x739a4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x739a4c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73a6ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73a6cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73a6cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73a6d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73a6d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73aeaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745f55ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x746b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x746b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2026680
registers.edi: 2026712
registers.eax: 0
registers.ebp: 2026728
registers.edx: 8
registers.ebx: 0
registers.esi: 36294320
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 d8 b8 91 f2 ff 3c e9
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x4845d62
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 78 个事件)
Time & API Arguments Status Return Repeated
1619781466.172375
NtProtectVirtualMemory
process_identifier: 2668
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00f72000
success 0 0
1619811621.285876
NtProtectVirtualMemory
process_identifier: 1300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00f72000
success 0 0
1619811635.972876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x005d0000
success 0 0
1619811635.972876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00640000
success 0 0
1619811636.191876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 983040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x006e0000
success 0 0
1619811636.191876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00790000
success 0 0
1619811636.222876
NtProtectVirtualMemory
process_identifier: 708
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73981000
success 0 0
1619811636.316876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x006e0000
success 0 0
1619811636.316876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00730000
success 0 0
1619811636.316876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0049a000
success 0 0
1619811636.316876
NtProtectVirtualMemory
process_identifier: 708
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73982000
success 0 0
1619811636.316876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00492000
success 0 0
1619811636.519876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a2000
success 0 0
1619811636.597876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d5000
success 0 0
1619811636.597876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005db000
success 0 0
1619811636.597876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d7000
success 0 0
1619811636.706876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a3000
success 0 0
1619811636.753876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a4000
success 0 0
1619811636.753876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ac000
success 0 0
1619811636.831876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04820000
success 0 0
1619811636.831876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04830000
success 0 0
1619811636.831876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04831000
success 0 0
1619811637.097876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a8000
success 0 0
1619811637.378876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009c0000
success 0 0
1619811637.456876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04841000
success 0 0
1619811637.519876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c6000
success 0 0
1619811637.597876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00791000
success 0 0
1619811637.644876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ca000
success 0 0
1619811637.644876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c7000
success 0 0
1619811637.675876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009c2000
success 0 0
1619811637.800876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009c3000
success 0 0
1619811637.800876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009c4000
success 0 0
1619811637.878876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04842000
success 0 0
1619811649.160876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009c5000
success 0 0
1619811649.910876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009c6000
success 0 0
1619811649.910876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04843000
success 0 0
1619811650.160876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009c7000
success 0 0
1619811650.394876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009c8000
success 0 0
1619811650.394876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ad000
success 0 0
1619811650.394876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04850000
success 0 0
1619811650.394876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04851000
success 0 0
1619811650.394876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004aa000
success 0 0
1619811650.394876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ab000
success 0 0
1619811650.519876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009c9000
success 0 0
1619811650.519876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04844000
success 0 0
1619811650.550876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04845000
success 0 0
1619811650.722876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009ca000
success 0 0
1619811650.722876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009cb000
success 0 0
1619811650.722876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009cc000
success 0 0
1619811650.738876
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009cd000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (3 个事件)
entropy 7.737671580952436 section {'size_of_data': '0x00001a00', 'virtual_address': '0x00002000', 'entropy': 7.737671580952436, 'name': '.data', 'virtual_size': '0x0000185c'} description A section with a high entropy has been found
entropy 6.852433308584436 section {'size_of_data': '0x0008b000', 'virtual_address': '0x00005000', 'entropy': 6.852433308584436, 'name': '.rsrc', 'virtual_size': '0x0008afa0'} description A section with a high entropy has been found
entropy 0.995575221238938 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619811648.956876
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (2 个事件)
Time & API Arguments Status Return Repeated
1619811649.128876
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1316
process_handle: 0x00000234
failed 0 0
1619811649.128876
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1316
process_handle: 0x00000234
success 0 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
A process attempted to delay the analysis task. (1 个事件)
description MSBuild.exe tried to sleep 2728191 seconds, actually delayed analysis time by 2728191 seconds
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 1300 called NtSetContextThread to modify thread in remote process 708
Time & API Arguments Status Return Repeated
1619811635.738876
NtSetContextThread
thread_handle: 0x000000b0
registers.eip: 2010382788
registers.esp: 2029956
registers.edi: 0
registers.eax: 4588686
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 708
success 0 0
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 个事件)
Elastic malicious (high confidence)
DrWeb BackDoor.SpyBotNET.25
MicroWorld-eScan Trojan.GenericKD.43732900
FireEye Generic.mg.a68d582885e8865d
CAT-QuickHeal Trojanpws.Msil
ALYac Trojan.GenericKD.43732900
Cylance Unsafe
K7AntiVirus Trojan ( 0056d5581 )
Alibaba TrojanPSW:MSIL/Agensla.a60c5641
K7GW Trojan ( 0056d5581 )
CrowdStrike win/malicious_confidence_90% (W)
Arcabit Trojan.Generic.D29B4FA4
Invincea Mal/Generic-S
BitDefenderTheta Gen:NN.ZexaF.34216.Jy0@aqkMo0ei
Symantec Trojan Horse
APEX Malicious
Paloalto generic.ml
Kaspersky Trojan-PSW.MSIL.Agensla.sqo
BitDefender Trojan.GenericKD.43732900
NANO-Antivirus Trojan.Win32.Agensla.htngix
AegisLab Trojan.Multi.Generic.4!c
Avast Win32:Trojan-gen
Rising Trojan.Woreflint!8.F5EA (TFE:2:5BJmNfMPgNP)
Ad-Aware Trojan.GenericKD.43732900
Comodo TrojWare.Win32.Agent.ixaea@0
F-Secure Trojan.TR/AD.AgentTesla.vqkwe
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R06CC0WHS20
Sophos Mal/Generic-S
SentinelOne DFI - Suspicious PE
Avira TR/AD.AgentTesla.vqkwe
MAX malware (ai score=84)
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Microsoft Trojan:Win32/Bluteal!rfn
ViRobot Trojan.Win32.Z.Wacatac.579584.D
ZoneAlarm Trojan-PSW.MSIL.Agensla.sqo
GData Trojan.GenericKD.43732900
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Agent.R349358
Acronis suspicious
McAfee RDN/Generic.hra
VBA32 BScope.Trojan.Wacatac
ESET-NOD32 a variant of Win32/Kryptik.HFUX
TrendMicro-HouseCall TROJ_GEN.R06CC0WHS20
Tencent Msil.Trojan-qqpass.Qqrob.Lmun
Yandex Trojan.Igent.bUk2bF.2
Ikarus Trojan.Inject
eGambit Unsafe.AI_Score_72%
Fortinet W32/GenKryptik.EREQ!tr
MaxSecure Trojan.Malware.105981149.susgen
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-26 15:57:18

Imports

Library KERNEL32.dll:
0x490000 WideCharToMultiByte
0x490004 GetAtomNameA
0x49000c SetVolumeLabelA
0x490010 lstrcatA
0x490014 FindResourceA
0x490018 GetProcAddress
0x49001c VirtualProtect
0x490020 LoadLibraryA
Library USER32.dll:
0x490028 SetMessageQueue
0x49002c ScreenToClient
0x490030 MapWindowPoints
0x490034 MoveWindow
0x490038 SendNotifyMessageW
0x49003c CreateDialogParamA
0x490044 EnumThreadWindows
Library GDI32.dll:
0x49004c BitBlt
0x490050 SetICMProfileW
Library WINSPOOL.DRV:
0x490060 EnumPrinterDriversA
Library COMDLG32.dll:
0x490068 FindTextA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.