Score: 6.0
Risk level: High

SHA256: c2d759d5e844e35914f07c0ece1627c824c7a05f0addafbf45a80f595f7b49e4

File name: a6d1b7c8576fcd8fb5a645f2a5369552.exe (the name is the sample's MD5, which also appears in the McAfee and FireEye detection names below)

Analysis duration: 74s

Last analysis:

File size: 1.2MB
Static detection: flagged. Dynamic detection: flagged.
Detection tags: 100% AI SCORE=100 AIDETECTVM AMADEY BSCOPE CERT CLASSIC CONFIDENCE CRIDEX DANGEROUSSIG DEYMA DOWNLOADER34 ENCPK GDSDA GENCIRC HFHM HIGH CONFIDENCE HPRZYF KR1@AWCEDTPI KRYPTIK MALICIOUS PE MALWARE1 OWNOT PASSWORDSTEALER QVM20 R002C0DGU20 RAZY SCORE SUSGEN UNCLASSIFIEDMALWARE@0 UNSAFE XIOQ ZEXAF ZLOB
鹰眼 (Hawk Eye) engine
Not detected: no Hawk Eye engine result is available for this sample.
Static verdict
Antivirus engines
Engine | Result | Engine date | Engine version
McAfee | Packed-GBS!A6D1B7C8576F | 20200902 | 6.0.6.653
Alibaba | TrojanDownloader:Win32/Deyma.bda5f2d3 | 20190527 | 0.3.0.5
Avast | Win32:DangerousSig [Trj] | 20200901 | 18.4.3895.0
Baidu | (no result) | 20190318 | 1.0.0.2
Kingsoft | (no result) | 20200902 | 2013.8.14.323
Tencent | Malware.Win32.Gencirc.10cde7e4 | 20200902 | 1.0.0.1
CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0
Note: the Alibaba, Baidu and CrowdStrike dates (2019) precede the PE compile timestamp reported further down (2020-07-30), so this column is the engine or database build date rather than the time this file was first detected, unless the compile timestamp was forged.
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (6 events)
Time & API Arguments Status Return Repeated
1619826883.620503
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 741376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00530000
success 0 0
1619826885.120503
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 737280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01eb0000
success 0 0
1619826885.136503
NtProtectVirtualMemory
process_identifier: 2988
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 151552
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619848990.329124
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 741376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00530000
success 0 0
1619848991.688124
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 737280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00780000
success 0 0
1619848991.688124
NtProtectVirtualMemory
process_identifier: 2520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 151552
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
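The six events above follow the same pattern in both processes: two large RWX allocations, then NtProtectVirtualMemory turning the region at 0x00400000 RWX so the decrypted payload can be written over the original image. The Python below is an added example, not code from the report or from the sandbox's signature set: it parses the six events (transcribed here, with this example's own blank-line-separated layout) and flags any process that allocates RWX scratch memory and then makes its own image base writable and executable. The image base 0x00400000 is an assumption; it is consistent with the 0x5292xx import addresses listed later in the report.

```python
"""Self-overwriting-unpacker heuristic over sandbox memory-API events.
Added example; the event text is transcribed from the report, the layout
(blank line between events) and the image-base value are assumptions."""
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40
IMAGE_BASE = 0x00400000  # assumed module base of the sample

# Transcribed from the report's "Allocates read-write-execute memory" table,
# keeping only the fields the rule needs.
EVENTS_TEXT = """
1619826883.620503
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 741376
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00530000

1619826885.120503
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 737280
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01eb0000

1619826885.136503
NtProtectVirtualMemory
process_identifier: 2988
length: 151552
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000

1619848990.329124
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 741376
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00530000

1619848991.688124
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 737280
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00780000

1619848991.688124
NtProtectVirtualMemory
process_identifier: 2520
length: 151552
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
"""


def parse_events(text):
    """One dict per blank-line-separated block: timestamp, API name, then key: value fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        ev = {"time": float(lines[0]), "api": lines[1]}
        for line in lines[2:]:
            key, _, value = line.partition(":")
            # drop the symbolic suffix, e.g. "64 (PAGE_EXECUTE_READWRITE)" -> "64"
            ev[key.strip()] = int(value.strip().split(" ")[0], 0)  # base 0: decimal or 0x hex
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def analyze(text, image_base=IMAGE_BASE):
    """Per PID: count RWX allocations and check whether the image base was later made RWX."""
    per_pid = defaultdict(lambda: {"rwx_allocations": 0, "rwx_bytes": 0,
                                   "image_made_rwx": False, "verdict": None})
    for ev in parse_events(text):
        state = per_pid[ev["process_identifier"]]
        if ev["api"] == "NtAllocateVirtualMemory" and ev["protection"] == PAGE_EXECUTE_READWRITE:
            state["rwx_allocations"] += 1
            state["rwx_bytes"] += ev["region_size"]
        elif ev["api"] == "NtProtectVirtualMemory" and ev["protection"] == PAGE_EXECUTE_READWRITE:
            start, end = ev["base_address"], ev["base_address"] + ev["length"]
            if start <= image_base < end:
                # order matters: scratch RWX memory first, then the mapped image unlocked
                state["image_made_rwx"] = state["rwx_allocations"] > 0
    for state in per_pid.values():
        if state["image_made_rwx"]:
            state["verdict"] = "self-overwriting unpacker"
        elif state["rwx_allocations"]:
            state["verdict"] = "rwx allocation only"
    return dict(per_pid)


if __name__ == "__main__":
    for pid, state in analyze(EVENTS_TEXT).items():
        print(pid, state)
```

Both PIDs come out as "self-overwriting unpacker": 2988 is the submitted sample and 2520 is the dropped bdif.exe, which repeats the identical sequence, so the child carries the same packer.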
Creates executable files on the filesystem (2 events)
file c:\programdata\1321ba6d1f\bdif.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\cred.dll
A process created a hidden window (1 event). The child is the dropped c:\programdata\1321ba6d1f\bdif.exe, started with creation flag 134217728 (0x08000000, CREATE_NO_WINDOW); it receives PID 2520, the same PID that repeats the RWX allocation sequence above.
Time & API Arguments Status Return Repeated
1619826885.776503
CreateProcessInternalW
thread_identifier: 912
thread_handle: 0x000000c4
process_identifier: 2520
current_directory:
filepath:
track: 1
command_line: c:\programdata\1321ba6d1f\bdif.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000c0
inherit_handles: 0
success 1 0
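The two artifacts above (an executable in a randomly named directory directly under ProgramData, and cred.dll in the user's Temp folder) are what an incident responder would hunt for on other hosts. The following is an added example, not code from the report: a small host check that takes the ProgramData and Temp roots as parameters so it can run against any tree. The directory-name pattern (10 lowercase hex characters) is generalised from the single name 1321ba6d1f in the report and is an assumption; the fixture tree is constructed for the example and contains no real malware.

```python
"""Hunt for the drop locations listed in the report. Added example; the
10-hex-character directory pattern is an assumption generalised from
"1321ba6d1f", and the fixture tree is constructed."""
import re
import tempfile
from pathlib import Path

DROP_DIR_RE = re.compile(r"[0-9a-f]{10}")  # assumed pattern for the ProgramData drop directory
DROPPED_DLL = "cred.dll"                    # second artifact from the report


def find_drop_artifacts(programdata, temp):
    """Return (exe_paths, dll_paths): .exe files inside hex-named dirs directly under
    programdata, plus cred.dll directly under temp."""
    exes, dlls = [], []
    for d in Path(programdata).iterdir():
        if d.is_dir() and DROP_DIR_RE.fullmatch(d.name.lower()):
            exes.extend(sorted(p for p in d.iterdir()
                               if p.is_file() and p.suffix.lower() == ".exe"))
    candidate = Path(temp) / DROPPED_DLL
    if candidate.is_file():
        dlls.append(candidate)
    return exes, dlls


def build_fixture(root):
    """Constructed tree mirroring the report's two drop paths (placeholder bytes, not malware)."""
    root = Path(root)
    drop = root / "ProgramData" / "1321ba6d1f"
    drop.mkdir(parents=True)
    (drop / "bdif.exe").write_bytes(b"MZ")
    (root / "ProgramData" / "Microsoft").mkdir()      # legitimate dir: must not match
    (root / "ProgramData" / "1321ba6d1f" / "readme.txt").write_text("x")  # non-exe: ignored
    (root / "Temp").mkdir()
    (root / "Temp" / DROPPED_DLL).write_bytes(b"MZ")
    return root / "ProgramData", root / "Temp"


def demo():
    """Run the hunt against the constructed tree and return the file names found."""
    with tempfile.TemporaryDirectory() as tmp:
        programdata, temp = build_fixture(tmp)
        exes, dlls = find_drop_artifacts(programdata, temp)
        return [p.name for p in exes], [p.name for p in dlls]


if __name__ == "__main__":
    # On a live Windows host call find_drop_artifacts(r"C:\ProgramData", os.environ["TEMP"]).
    print(demo())
```

A hit on the directory pattern alone is not proof of infection; confirm by checking the executable's hash against the SHA256 at the top of the report and the child's command line.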
Checks adapter addresses which can be used to detect virtual network interfaces (1 event). Note: the single call failed with 111 (ERROR_BUFFER_OVERFLOW), which is the normal outcome of the first, buffer-sizing call to GetAdaptersAddresses; on its own this event is weak evidence of VM detection.
Time & API Arguments Status Return Repeated
1619848992.438124
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Network
Communicates with host for which no DNS query was performed (2 events). Neither address appears in the Hosts/TCP summary at the end of the report, which only records the sandbox's DNS and local-discovery UDP traffic.
host 172.217.24.14
host 217.8.117.52
Attempts to identify installed AV products by installation directory (7 events)
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events). Caveat: all eight writes go to the per-network Wpad\{...}\WpadDecision* cache values and WpadLastNetwork, which Windows' auto-proxy detection writes on its own whenever a process performs proxy discovery; no AutoConfigURL or PAC file is set, so this signature is low confidence for this sample.
Time & API Arguments Status Return Repeated
1619848995.016124
RegSetValueExA
key_handle: 0x000003cc
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619848995.016124
RegSetValueExA
key_handle: 0x000003cc
value: (REG_BINARY timestamp; the report rendered the raw bytes as unprintable text)
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619848995.016124
RegSetValueExA
key_handle: 0x000003cc
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619848995.016124
RegSetValueExW
key_handle: 0x000003cc
value: 网络 2 ("Network 2", the sandbox VM's network profile name)
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619848995.016124
RegSetValueExA
key_handle: 0x000003e0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619848995.016124
RegSetValueExA
key_handle: 0x000003e0
value: (REG_BINARY timestamp; the report rendered the raw bytes as unprintable text)
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619848995.016124
RegSetValueExA
key_handle: 0x000003e0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619848995.048124
RegSetValueExW
key_handle: 0x000003c8
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
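The AV-directory probes and the Wpad registry writes above call for different treatment: seven distinct vendor directories probed under C:\ProgramData is a strong discovery signal, while Wpad cache writes are only meaningful if a value that actually steers traffic is touched. The Python below is an added example (not the sandbox's signature code) that scores both. The vendor-directory list is exactly the seven names the report shows and is an assumption to be extended per environment; the traffic-steering value names (AutoConfigURL, ProxyServer, ProxyEnable, AutoDetect) are the Internet Settings values a real proxy hijack would write, and the one HIJACK_WRITE entry is constructed to show the contrast, not taken from the report.

```python
"""Score AV-discovery file probes and proxy-related registry writes from a
sandbox report. Added example; inputs are transcribed from the report except
HIJACK_WRITE, which is constructed."""
import re

# Assumed vendor directory names: the seven the report shows being probed.
AV_VENDOR_DIRS = {
    "avast software", "avira", "kaspersky lab", "panda security",
    "bitdefender", "avg", "doctor web",
}

# Values under Internet Settings that actually redirect traffic. The
# Wpad\{network}\WpadDecision* cache entries are deliberately absent: Windows'
# auto-proxy detection writes those itself.
PROXY_CONTROL_VALUES = {"autoconfigurl", "proxyserver", "proxyenable", "autodetect"}

FILE_PROBES = [  # transcribed from the report
    r"C:\ProgramData\AVAST Software",
    r"C:\ProgramData\Avira",
    r"C:\ProgramData\Kaspersky Lab",
    r"C:\ProgramData\Panda Security",
    r"C:\ProgramData\Bitdefender",
    r"C:\ProgramData\AVG",
    r"C:\ProgramData\Doctor Web",
]
INET = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
WPAD = INET + r"\Wpad"
REG_WRITES = [  # (key, type) transcribed from the report
    (WPAD + r"\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason", "REG_DWORD"),
    (WPAD + r"\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime", "REG_BINARY"),
    (WPAD + r"\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision", "REG_DWORD"),
    (WPAD + r"\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName", "REG_SZ"),
    (WPAD + r"\0a-00-27-00-00-00\WpadDecisionReason", "REG_DWORD"),
    (WPAD + r"\0a-00-27-00-00-00\WpadDecisionTime", "REG_BINARY"),
    (WPAD + r"\0a-00-27-00-00-00\WpadDecision", "REG_DWORD"),
    (WPAD + r"\WpadLastNetwork", "REG_SZ"),
]
# Constructed, NOT in the report: what a genuine PAC-based interception would write.
HIJACK_WRITE = (INET + r"\AutoConfigURL", "REG_SZ")


def av_probe_hits(paths):
    """Vendor directories probed directly under <drive>:\\ProgramData (case-insensitive)."""
    hits = set()
    for p in paths:
        m = re.fullmatch(r"[a-z]:\\programdata\\([^\\]+)\\?", p.lower())
        if m and m.group(1) in AV_VENDOR_DIRS:
            hits.add(m.group(1))
    return hits


def classify_proxy_writes(writes):
    """('proxy-redirect', keys) if any write hits a traffic-steering value,
    else ('wpad-cache', keys) for auto-detect bookkeeping like the report's eight writes."""
    control = [k for k, _ in writes if k.rsplit("\\", 1)[-1].lower() in PROXY_CONTROL_VALUES]
    if control:
        return "proxy-redirect", control
    return "wpad-cache", [k for k, _ in writes if "\\wpad\\" in k.lower()]


def score(paths, writes, min_vendors=3):
    """Assumed weighting: >= min_vendors distinct vendor dirs probed is high confidence;
    Wpad cache writes alone are informational."""
    findings = []
    vendors = av_probe_hits(paths)
    if len(vendors) >= min_vendors:
        findings.append(("av-discovery", "high", sorted(vendors)))
    kind, keys = classify_proxy_writes(writes)
    findings.append(("proxy-config", "high" if kind == "proxy-redirect" else "info", keys))
    return findings


if __name__ == "__main__":
    for finding in score(FILE_PROBES, REG_WRITES):
        print(finding)
```

Against the report's own events the result is one high-confidence AV-discovery finding and an informational proxy-config entry; adding the constructed AutoConfigURL write flips the second finding to high, which is the case the signature title actually describes.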
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event). This is why no HTTP request was captured: the download host was unreachable during the run.
dead_host 217.8.117.52:80
File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 of the 53 results shown)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
DrWeb Trojan.DownLoader34.24777
MicroWorld-eScan Gen:Variant.Razy.725518
FireEye Generic.mg.a6d1b7c8576fcd8f
McAfee Packed-GBS!A6D1B7C8576F
Cylance Unsafe
Zillya Downloader.Deyma.Win32.166
Sangfor Malware
K7AntiVirus Trojan ( 005652be1 )
Alibaba TrojanDownloader:Win32/Deyma.bda5f2d3
K7GW Trojan ( 005652be1 )
Cybereason malicious.fc13f9
Arcabit Trojan.Razy.DB120E
Invincea heuristic
BitDefenderTheta Gen:NN.ZexaF.34196.kr1@aWcEDtpi
Cyren W32/Trojan.XIOQ-2324
Symantec Packed.Generic.459
ESET-NOD32 a variant of Win32/Kryptik.HFHM
TrendMicro-HouseCall TROJ_GEN.R002C0DGU20
Avast Win32:DangerousSig [Trj]
Kaspersky Trojan-Downloader.Win32.Deyma.bok
BitDefender Gen:Variant.Razy.725518
NANO-Antivirus Trojan.Win32.Deyma.hprzyf
Paloalto generic.ml
Rising Trojan.Kryptik!1.C974 (CLASSIC)
Ad-Aware Gen:Variant.Razy.725518
Comodo .UnclassifiedMalware@0
F-Secure Trojan.TR/AD.Zlob.ownot
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R002C0DGU20
Sophos Mal/EncPk-APV
Ikarus Trojan-Spy.Agent
Jiangmin TrojanDownloader.Deyma.qq
MaxSecure Trojan.Malware.104387815.susgen
Avira TR/AD.Zlob.ownot
MAX malware (ai score=100)
Antiy-AVL Trojan[Downloader]/Win32.Deyma
Microsoft Trojan:Win32/Cridex.AR!cert
ZoneAlarm Trojan-Downloader.Win32.Deyma.bok
GData Gen:Variant.Razy.725518
Cynet Malicious (score: 85)
ALYac Trojan.Agent.Amadey
VBA32 BScope.Trojan.Inject
Malwarebytes Spyware.PasswordStealer
APEX Malicious
Tencent Malware.Win32.Gencirc.10cde7e4
SentinelOne DFI - Malicious PE
Fortinet W32/Cridex.VHO!tr
AVG Win32:DangerousSig [Trj]
Visual analysis
Binary image
No binary image: no binary visualization was generated for this sample.
Runtime screenshots
No screenshots: nothing was captured while the sample ran.


PE Compile Time

2020-07-30 14:04:16

Imports

Note: next to the loader primitives (VirtualAlloc, VirtualProtect, LoadLibraryW/GetProcAddress, CreateProcessA/W, CreateFileMappingW/MapViewOfFile) the table carries many functions a downloader has no use for (EraseTape, SetTapePosition, PlgBlt, PolyBezier, PrintDlgExW, GdiEntry6/14/15, SetWinEventHook). An import table padded this way is typical of a packer and matches the Packed, Kryptik and EncPk names in the AV results.

Library KERNEL32.dll:
0x52921c DeleteFileW
0x529220 ReleaseMutex
0x529224 SetFilePointer
0x529228 HeapFree
0x52922c GetProcessHeap
0x529230 HeapAlloc
0x529234 CreateMutexW
0x529238 FreeLibrary
0x52923c FreeConsole
0x529244 GetFileAttributesW
0x529248 ReadConsoleOutputW
0x52924c UnmapViewOfFile
0x529250 SetConsoleMode
0x529254 GetConsoleMode
0x529258 GetStdHandle
0x52925c GetProcAddress
0x529260 LoadLibraryW
0x529264 WriteConsoleOutputW
0x529268 WriteConsoleW
0x52926c IsValidLocale
0x529270 lstrcmpW
0x529274 lstrlenW
0x529278 lstrcmpiW
0x52927c GetTempFileNameW
0x529280 FindFirstFileW
0x529284 FindNextFileW
0x529288 FindClose
0x52928c CopyFileW
0x529290 SetFileAttributesW
0x529294 FormatMessageW
0x529298 RaiseException
0x52929c GetFileSize
0x5292a0 CreateFileMappingW
0x5292a8 MapViewOfFile
0x5292ac CreateThread
0x5292b0 Sleep
0x5292bc WriteFile
0x5292c0 CreateFileW
0x5292d0 SetEvent
0x5292d4 CreateEventW
0x5292d8 LocalReAlloc
0x5292dc DeviceIoControl
0x5292e0 GetExitCodeProcess
0x5292e4 VerSetConditionMask
0x5292e8 VerifyVersionInfoW
0x5292ec CreateDirectoryW
0x5292f0 RemoveDirectoryW
0x5292f8 GetShortPathNameW
0x5292fc GetFullPathNameW
0x529304 MoveFileExW
0x529308 SearchPathW
0x529310 LoadLibraryExW
0x529314 CreateFileA
0x529318 GetLocaleInfoW
0x52931c SetEndOfFile
0x529320 GetConsoleOutputCP
0x529324 WriteConsoleA
0x529328 FlushFileBuffers
0x52932c SetStdHandle
0x529330 GetConsoleCP
0x529334 LoadLibraryA
0x529338 GetLocaleInfoA
0x52933c GetStringTypeW
0x529340 ReadFile
0x529344 LCMapStringW
0x529348 LCMapStringA
0x52934c GetOEMCP
0x529350 GetACP
0x529354 GetThreadLocale
0x529358 SetThreadLocale
0x529360 GetVersionExW
0x529364 GetLocalTime
0x529370 GetStringTypeA
0x529374 WaitForSingleObject
0x529378 GetCPInfo
0x529380 TerminateProcess
0x529384 OutputDebugStringA
0x52938c GetCurrentProcessId
0x529390 GetTickCount
0x529398 VirtualFree
0x52939c HeapCreate
0x5293a0 GetCurrentThreadId
0x5293a4 SetLastError
0x5293a8 TlsFree
0x5293ac TlsSetValue
0x5293b0 TlsAlloc
0x5293b4 TlsGetValue
0x5293b8 GetStartupInfoA
0x5293bc GetFileType
0x5293c0 SetHandleCount
0x5293c4 GetCommandLineA
0x5293d8 GetModuleFileNameW
0x5293dc GetModuleFileNameA
0x5293e0 ExitProcess
0x5293e4 GetModuleHandleA
0x5293ec VirtualQuery
0x5293f0 GetSystemInfo
0x5293f4 GetModuleHandleW
0x5293f8 VirtualAlloc
0x5293fc VirtualProtect
0x529400 GetStartupInfoW
0x529408 CompareStringW
0x52940c WideCharToMultiByte
0x529410 InterlockedExchange
0x529414 HeapSize
0x529418 HeapReAlloc
0x52941c HeapDestroy
0x529420 GetVersionExA
0x529434 GetCommandLineW
0x529438 LocalAlloc
0x52943c GlobalFree
0x529440 LocalFree
0x529444 MultiByteToWideChar
0x529448 GetCurrentProcess
0x52944c GetLastError
0x529450 CloseHandle
0x529454 FindResourceExW
0x529458 FindResourceW
0x52945c LoadResource
0x529460 LockResource
0x529464 SizeofResource
0x52946c GetSystemDirectoryW
0x529470 lstrcatA
0x529478 CreateProcessA
0x52947c DisconnectNamedPipe
0x529480 DebugBreak
0x529488 GetComputerNameExW
0x52948c RemoveDirectoryA
0x529490 LocalFlags
0x529498 CreateFileMappingA
0x52949c EraseTape
0x5294a4 SetTapePosition
0x5294a8 LocalShrink
0x5294b0 SuspendThread
0x5294b4 SetFileApisToOEM
0x5294bc CreateSemaphoreA
0x5294c0 LockFileEx
0x5294d0 GetLogicalDrives
0x5294d4 SetFileApisToANSI
0x5294d8 DefineDosDeviceW
0x5294dc CompareFileTime
0x5294e0 MapViewOfFileEx
0x5294ec _lread
0x5294f0 CreateDirectoryA
0x5294f4 lstrcpyW
0x5294f8 CreateProcessW
0x5294fc lstrcatW
0x529500 GetSystemTime
0x529504 GetCurrentThread
0x529508 SetThreadPriority
0x529518 OpenEventW
Library USER32.dll:
0x529528 ShowWindow
0x52952c CreateWindowExW
0x529530 DefWindowProcW
0x529534 PostQuitMessage
0x529540 GetIconInfo
0x529544 DrawIconEx
0x529548 CreateIconIndirect
0x52954c LoadIconW
0x529550 LoadBitmapW
0x529554 DrawTextExW
0x529558 LoadImageW
0x52955c GetSystemMetrics
0x529560 GetSysColor
0x529564 DestroyWindow
0x529568 GetWindowLongW
0x52956c SendDlgItemMessageW
0x529570 InvalidateRect
0x529574 SetWindowTextW
0x52957c GetDC
0x529580 ReleaseDC
0x529584 SetWindowLongW
0x529588 SetDlgItemTextW
0x52958c GetParent
0x529590 PostMessageW
0x529594 IsDlgButtonChecked
0x529598 CheckDlgButton
0x52959c SetFocus
0x5295a0 CallWindowProcW
0x5295a4 DestroyIcon
0x5295a8 DialogBoxParamW
0x5295ac GetDlgItem
0x5295b0 SendMessageW
0x5295b4 MessageBoxW
0x5295b8 RegisterClassExW
0x5295bc UnregisterClassA
0x5295c0 CharLowerW
0x5295c4 CharPrevW
0x5295c8 EndDialog
0x5295cc EnumDesktopWindows
0x5295d0 SetThreadDesktop
0x5295d4 PaintDesktop
0x5295d8 GetInputState
0x5295dc CharNextExA
0x5295e4 SetWinEventHook
0x5295e8 EnumPropsExA
0x5295ec wsprintfW
0x5295f0 GetKeyboardLayout
0x5295f4 GetDesktopWindow
0x5295f8 LoadStringW
0x5295fc ExitWindowsEx
0x529600 CharNextW
0x529604 GetKBCodePage
0x52960c GetMessageTime
0x529610 GetMessageExtraInfo
0x529618 GetDoubleClickTime
0x52961c GetDialogBaseUnits
0x529620 GetMessagePos
0x529624 GetFocus
0x529628 GetForegroundWindow
0x52962c GetActiveWindow
Library GDI32.dll:
0x529634 SetLayout
0x529638 DeleteDC
0x52963c GetObjectW
0x529644 CreateBitmap
0x529648 SelectObject
0x52964c StartPage
0x529650 EndPage
0x529654 StartDocW
0x529658 EndDoc
0x52965c GetTextMetricsW
0x529660 GetDeviceCaps
0x529664 CreateFontIndirectW
0x529668 DeleteObject
0x52966c CreateCompatibleDC
0x529674 OffsetViewportOrgEx
0x529678 LPtoDP
0x52967c SetDIBColorTable
0x529680 GetLogColorSpaceA
0x529690 EngLoadModule
0x529694 GetTextExtentPointA
0x529698 GdiGetCodePage
0x52969c EnumICMProfilesA
0x5296a0 SetBrushOrgEx
0x5296a4 ExtFloodFill
0x5296a8 PolyBezier
0x5296ac GdiEntry14
0x5296b0 SetBoundsRect
0x5296b4 GetEnhMetaFileA
0x5296b8 GdiConvertRegion
0x5296bc SetSystemPaletteUse
0x5296c0 SetPixelV
0x5296c4 GetWorldTransform
0x5296c8 CloseMetaFile
0x5296cc DeleteMetaFile
0x5296d0 GetICMProfileW
0x5296d8 SetFontEnumeration
0x5296dc PlgBlt
0x5296e0 GetViewportOrgEx
0x5296e4 FillPath
0x5296e8 CopyMetaFileW
0x5296ec GdiEntry6
0x5296f0 EqualRgn
0x5296f4 GetKerningPairs
0x5296f8 GdiEntry15
0x5296fc ExtTextOutA
0x529700 GetTextExtentPointW
0x529704 SetRelAbs
0x529708 CreateFontIndirectA
0x52970c AddFontResourceW
0x529710 AbortPath
0x529714 GdiGetBatchLimit
0x529718 AddFontResourceA
0x52971c AbortDoc
0x529720 GdiFlush
0x529724 GetStockObject
Library COMDLG32.dll:
0x52972c GetSaveFileNameW
0x529730 PrintDlgExW
Library ADVAPI32.dll:
0x529738 RegCloseKey
0x52973c RegQueryValueExW
0x529740 RegOpenKeyExW
0x529744 FreeSid
0x529748 EqualSid
0x529750 GetTokenInformation
0x529754 OpenProcessToken
0x529758 IsTextUnicode
0x529764 AddAccessAllowedAce
0x529768 InitializeAcl
0x52976c GetLengthSid
0x529774 SetEntriesInAclW
0x529778 DeleteService
0x52977c StartServiceW
0x529780 ControlService
0x529784 OpenSCManagerW
0x529788 CloseServiceHandle
0x52978c OpenServiceW
0x529790 QueryServiceStatus
0x529794 RegDeleteValueW
0x529798 RegCreateKeyExW
0x52979c RegSetValueExW
0x5297a0 RegDeleteKeyW
0x5297a8 RegOpenKeyExA
0x5297ac ReportEventW
0x5297b8 GetUserNameW
0x5297bc RegQueryInfoKeyW
0x5297c0 RegQueryValueExA
0x5297c4 RegOpenKeyW
Library SHELL32.dll:
0x5297cc SHGetFolderPathW
0x5297d0 ShellExecuteExW
0x5297d4 CommandLineToArgvW
0x5297d8 SHFileOperationA
0x5297dc DragQueryFileAorW
0x5297e0 FindExecutableA
0x5297e4 DragQueryFileW
0x5297e8 SHQueryRecycleBinA
0x5297ec SHGetDesktopFolder
Library ole32.dll:
0x5297f4 CoTaskMemFree
0x5297f8 CoUninitialize
0x5297fc CoInitialize
0x529800 CoCreateInstance
0x529804 StringFromCLSID
Library COMCTL32.dll:
0x529814 ImageList_Create
0x52981c PropertySheetW

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

All recorded UDP traffic is sandbox background: DNS queries to 114.114.114.114 (the queried names are not listed in this report), NetBIOS name service and datagram broadcasts (137/138), LLMNR (5355), SSDP (1900) and WS-Discovery (3702) multicast.

Source | Source Port | Destination | Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

No dropped files were collected (the two executables listed under "Creates executable files on the filesystem" were not captured).
No dropped buffers were collected.