Score: 6.6
Risk level: High

SHA-256: 09a4b8050e81c0d265bb05d6ef4b7155d0ffda7ebe00820aa5a1fd08c3f4a768

Filename: aa0d25108c420b68af8a98d877a10e9a.exe

Analysis duration

74s

Last analysis

File size

64.5KB
Static detection: yes. Dynamic detection: yes. Tags: 100% AI SCORE=87 AXDX BEHAV BTN@4Q3GVQ CLASSIC COBRA CONFIDENCE COQSL DELF DOWNLOADER9 ELDORADO EXTRAT GEN1 GENCIRC GENERICKD GENETIC HIGH CONFIDENCE KRYPTIK MALICIOUS PE NOT MALICIOUS PATCHER PROCESSPATCHER REMTASU RISKTOOL SCORE SMUJ UNSAFE XTRAT XTREME XTREMERAT
Hawkeye engine
Not detected: no Hawkeye engine results are available for this sample.
Static verdict
Antivirus engines
Engine       Result                               Scan date  Engine version
Alibaba      Backdoor:Win32/Xtreme.fbc33d09       20190527   0.3.0.5
CrowdStrike  win/malicious_confidence_100% (W)    20190702   1.0
Baidu        Win32.Backdoor.Agent.ag              20190318   1.0.0.2
Avast        Win32:AutoRun-CCW [Wrm]              20200910   18.4.3895.0
Kingsoft     -                                    20200910   2013.8.14.323
McAfee       BackDoor-FAJ                         20200910   6.0.6.653
Tencent      Malware.Win32.Gencirc.10b3c85f       20200910   1.0.0.1
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Creates a suspicious process (1 event)
cmdline svchost.exe
The binary likely contains encrypted or compressed data indicative of a packer (1 event)
entropy 7.74241572905101 section {'size_of_data': '0x00001600', 'virtual_address': '0x00048000', 'entropy': 7.74241572905101, 'name': '.rsrc', 'virtual_size': '0x00001530'} description A section with a high entropy has been found
Network communication
One or more of the buffers contains an embedded PE file (2 events)
buffer Buffer with sha1: 145900a23e6aeec70015cf1992da0047cc1850e1
buffer Buffer with sha1: cc9c74995061bcb140a9592a3b30891dfb0be12d
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (2 events)
Time & API Arguments Status Return Repeated
1619826881.917343
NtAllocateVirtualMemory
process_identifier: 648
region_size: 303104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000f4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10000000
success 0 0
1619826882.120343
NtAllocateVirtualMemory
process_identifier: 2272
region_size: 303104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000017c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10000000
success 0 0
Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (4 events)
Process injection Process 2056 created a remote thread in non-child process 648
Process injection Process 2056 created a remote thread in non-child process 2272
Time & API Arguments Status Return Repeated
1619826881.917343
CreateRemoteThread
thread_identifier: 580
process_identifier: 648
function_address: 0x1000c998
flags: 0
process_handle: 0x000000f4
parameter: 0x1000f81c
stack_size: 0
success 368 0
1619826882.120343
CreateRemoteThread
thread_identifier: 0
process_identifier: 2272
function_address: 0x1000bf18
flags: 0
process_handle: 0x0000017c
parameter: 0x10010bac
stack_size: 0
failed 0 0
Manipulates memory of a non-child process indicative of process injection (4 events)
Process injection Process 2056 manipulating memory of non-child process 648
Process injection Process 2056 manipulating memory of non-child process 2272
Time & API Arguments Status Return Repeated
1619826881.917343
NtAllocateVirtualMemory
process_identifier: 648
region_size: 303104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000f4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10000000
success 0 0
1619826882.120343
NtAllocateVirtualMemory
process_identifier: 2272
region_size: 303104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000017c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10000000
success 0 0
Creates known XtremeRAT files, registry keys or mutexes (1 event)
regkey HKEY_CURRENT_USER\SOFTWARE\XtremeRAT
File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 of 61 events shown)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43558938
CAT-QuickHeal Backdoor.Xtrat.AA8
ALYac Trojan.GenericKD.43558938
Cylance Unsafe
Zillya Backdoor.Xtreme.Win32.19044
SUPERAntiSpyware Trojan.Agent/Gen-Patcher
Sangfor Malware
K7AntiVirus Backdoor ( 00265a041 )
Alibaba Backdoor:Win32/Xtreme.fbc33d09
K7GW Backdoor ( 00265a041 )
CrowdStrike win/malicious_confidence_100% (W)
BitDefenderTheta AI:Packer.6796565A17
Cyren W32/Xtrat.A.gen!Eldorado
Symantec W32.Extrat!gen1
ESET-NOD32 a variant of Win32/AutoRun.Remtasu.E
Baidu Win32.Backdoor.Agent.ag
APEX Malicious
Paloalto generic.ml
ClamAV Win.Trojan.Keylogger-192
Kaspersky Backdoor.Win32.Xtreme.axdx
BitDefender Trojan.GenericKD.43558938
NANO-Antivirus Trojan.Win32.MLW.coqsl
ViRobot Trojan.Win32.A.KeyLogger.66048
Avast Win32:AutoRun-CCW [Wrm]
Rising Backdoor.Xtrat!1.6A25 (CLASSIC)
Ad-Aware Trojan.GenericKD.43558938
Comodo TrojWare.Win32.Kryptik.BTN@4q3gvq
F-Secure Trojan.TR/Spy.59904216
DrWeb Trojan.DownLoader9.43701
VIPRE RiskTool.Win32.ProcessPatcher.Nor!cobra (v) (not malicious)
TrendMicro BKDR_XTREME.SMUJ
FireEye Generic.mg.aa0d25108c420b68
Sophos Mal/Behav-328
Ikarus Trojan.SuspectCRC
GData Win32.Backdoor.Xtrat.L
Jiangmin Backdoor/Xtreme.j
Webroot W32.Trojan.Keylogger.Gen
Avira TR/Spy.59904216
Antiy-AVL Trojan[Backdoor]/Win32.Xtreme
Arcabit Trojan.Generic.D298A81A
ZoneAlarm Backdoor.Win32.Xtreme.axdx
Microsoft Backdoor:Win32/Xtrat.A
Cynet Malicious (score: 100)
AhnLab-V3 Spyware/Win32.KeyLogger.C77144
Acronis suspicious
McAfee BackDoor-FAJ
MAX malware (ai score=87)
VBA32 Backdoor.Xtrat
Malwarebytes Backdoor.XTRat.Gen
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran.

PE Compile Time

1992-06-20 06:22:17

Imports

Library KERNEL32.DLL:
0x100441e8 TlsSetValue
0x100441ec TlsGetValue
0x100441f0 LocalAlloc
0x100441f4 GetModuleHandleA
Library KERNEL32.DLL:
0x10044214 lstrlenW
0x10044218 WriteProcessMemory
0x1004421c WriteFile
0x10044220 WaitForSingleObject
0x10044224 VirtualProtectEx
0x10044228 VirtualFreeEx
0x1004422c VirtualFree
0x10044230 VirtualAllocEx
0x10044234 VirtualAlloc
0x10044238 TerminateThread
0x1004423c TerminateProcess
0x10044240 Sleep
0x10044244 SizeofResource
0x10044248 SetThreadPriority
0x1004424c SetThreadContext
0x10044250 SetFilePointer
0x10044254 SetFileAttributesW
0x10044258 SetEvent
0x1004425c SetErrorMode
0x10044260 SetEndOfFile
0x10044264 ResumeThread
0x10044268 ReadProcessMemory
0x1004426c ReadFile
0x10044270 LockResource
0x10044274 LoadResource
0x10044278 LoadLibraryA
0x10044280 GlobalUnlock
0x10044284 GlobalSize
0x10044288 GlobalLock
0x1004428c GetWindowsDirectoryW
0x10044290 GetThreadContext
0x10044294 GetTempPathW
0x10044298 GetSystemDirectoryW
0x1004429c GetModuleHandleA
0x100442a0 GetModuleFileNameW
0x100442a4 GetLocalTime
0x100442a8 GetLastError
0x100442ac GetFileSize
0x100442b0 GetFileAttributesW
0x100442b4 GetCommandLineW
0x100442b8 FreeResource
0x100442bc InterlockedIncrement
0x100442c0 InterlockedDecrement
0x100442c4 FindResourceW
0x100442c8 FindFirstFileW
0x100442cc FindClose
0x100442d0 ExitProcess
0x100442d4 DeleteFileW
0x100442d8 DeleteCriticalSection
0x100442dc CreateThread
0x100442e0 CreateRemoteThread
0x100442e4 CreateProcessW
0x100442e8 CreateMutexW
0x100442ec CreateFileW
0x100442f0 CreateEventA
0x100442f4 CreateDirectoryW
0x100442f8 CopyFileW
0x100442fc CloseHandle
Library KERNEL32.DLL:
0x10044154 DeleteCriticalSection
0x10044158 LeaveCriticalSection
0x1004415c EnterCriticalSection
0x10044164 VirtualFree
0x10044168 VirtualAlloc
0x1004416c LocalFree
0x10044170 LocalAlloc
0x10044174 GetVersion
0x10044178 GetCurrentThreadId
0x1004417c WideCharToMultiByte
0x10044180 MultiByteToWideChar
0x10044184 GetThreadLocale
0x10044188 GetStartupInfoA
0x1004418c GetLocaleInfoA
0x10044190 GetCommandLineA
0x10044194 FreeLibrary
0x10044198 ExitProcess
0x1004419c ExitThread
0x100441a0 CreateThread
0x100441a4 WriteFile
0x100441ac RtlUnwind
0x100441b0 RaiseException
0x100441b4 GetStdHandle
Library advapi32.dll:
0x100441c8 RegQueryValueExA
0x100441cc RegOpenKeyExA
0x100441d0 RegCloseKey
Library advapi32.dll:
0x100441fc RegSetValueExW
0x10044200 RegQueryValueExW
0x10044204 RegOpenKeyExW
0x10044208 RegCreateKeyW
0x1004420c RegCloseKey
Library ntdll.dll:
0x100443e4 NtUnmapViewOfSection
Library oleaut32.dll:
0x100441d8 SysFreeString
0x100441dc SysReAllocStringLen
0x100441e0 SysAllocStringLen
Library shell32.dll:
0x100443a4 SHGetPathFromIDListW
0x100443ac SHGetMalloc
0x100443b0 FindExecutableW
Library shell32.dll:
0x100443f8 ShellExecuteW
Library shlwapi.dll:
0x1004439c SHDeleteKeyW
Library shlwapi.dll:
0x100443ec SHDeleteValueW
0x100443f0 SHDeleteKeyW
Library URLMON.DLL:
Library user32.dll:
0x10044304 CreateWindowExW
0x10044308 CreateWindowExA
0x1004430c UnregisterClassW
0x10044310 UnregisterClassA
0x10044314 UnhookWindowsHookEx
0x10044318 TranslateMessage
0x1004431c ShowWindow
0x10044320 SetWindowsHookExW
0x10044324 SetWindowLongA
0x10044328 SetClipboardViewer
0x1004432c SendMessageA
0x10044330 RegisterWindowMessageW
0x10044334 RegisterClassW
0x10044338 RegisterClassA
0x1004433c PostMessageA
0x10044340 PeekMessageA
0x10044344 OpenClipboard
0x10044348 MapVirtualKeyW
0x10044350 GetWindowTextW
0x10044354 GetWindowRect
0x10044358 GetWindowLongA
0x1004435c GetMessageA
0x10044360 GetKeyboardLayout
0x10044364 GetKeyState
0x10044368 GetForegroundWindow
0x1004436c GetDesktopWindow
0x10044370 GetClipboardData
0x10044374 GetClassInfoA
0x10044378 DispatchMessageA
0x1004437c DestroyWindow
0x10044380 DefWindowProcA
0x10044384 CloseClipboard
0x10044388 CharUpperW
0x1004438c CharNextW
0x10044390 CharLowerW
0x10044394 CallNextHookEx
Library user32.dll:
0x100441bc GetKeyboardType
0x100441c0 MessageBoxA
Library user32.dll:
0x100443d8 GetKeyboardState
0x100443dc ToUnicodeEx
Library wininet.dll:
0x100443c0 InternetCloseHandle
0x100443c4 FtpPutFileW
0x100443cc InternetOpenW
0x100443d0 InternetConnectW

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source port  Destination                     Destination port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51809 239.255.255.250 3702
192.168.56.101 51811 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.