3.0
中危
54 个模型检测该样本为恶意!
重新分析
更多

9059531fbff89a14fc3761330cac92437bee44349e6b62e7e807422b4c57e2fe

aca370cb867228cb76446a8c1caa9de3.exe

分析耗时

19s

最近分析

文件大小

96.0KB
静态报毒 动态报毒 100% AIDETECTVM ANDROM ATTRIBUTE AUTO AVAP CLASSIC CONFIDENCE ELDORADO ELTA FAREIT FAREITVB GDSDA GM0@A0T8PZMB GM0@B0T8PZMB GULOADER HIGH CONFIDENCE HIGHCONFIDENCE MALWARE1 MALWARE@#38FQI7KVKRGNO PNEWY6S+DUO PONYSTEALER POSSIBLE R + MAL R335093 SCORE SIGGEN9 SMHPFAREITTH SUSGEN THKFC TZQZ UNSAFE VBGENERIC VBKRYPT VHII WACATAC ZEVBACO 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Backdoor:Win32/VBKrypt.b017b98a 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Malware-gen 20201229 21.1.5827.0
McAfee Fareit-FST!ACA370CB8672 20201229 6.0.6.653
Tencent Win32.Backdoor.Fareit.Auto 20201229 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (3 个事件)
Time & API Arguments Status Return Repeated
1619826881.366269
NtAllocateVirtualMemory
process_identifier: 784
region_size: 53248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00480000
success 0 0
1619826883.600269
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 876544
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d40000
success 0 0
1619836216.74825
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 876544
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d40000
success 0 0
Foreign language identified in PE resource (1 个事件)
name RT_VERSION language LANG_CHINESE offset 0x00017150 filetype data sublanguage SUBLANG_CHINESE_TRADITIONAL size 0x00000210
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)
Time & API Arguments Status Return Repeated
1619826881.006269
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x00430000
success 0 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 个事件)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
DrWeb Trojan.Siggen9.44213
MicroWorld-eScan Gen:Heur.PonyStealer.gm0@B0T8pzmb
FireEye Generic.mg.aca370cb867228cb
ALYac Gen:Heur.PonyStealer.gm0@B0T8pzmb
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 005660ee1 )
Alibaba Backdoor:Win32/VBKrypt.b017b98a
K7GW Trojan ( 005660ee1 )
Cybereason malicious.b86722
Arcabit Trojan.PonyStealer.EFD267
Cyren W32/Trojan.DPE.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:Malware-gen
ClamAV Win.Trojan.VBGeneric-7750994-0
Kaspersky Backdoor.Win32.Androm.tzqz
BitDefender Gen:Heur.PonyStealer.gm0@B0T8pzmb
Paloalto generic.ml
Rising Downloader.Guloader!1.C601 (CLASSIC)
Ad-Aware Gen:Heur.PonyStealer.gm0@B0T8pzmb
Sophos Mal/Generic-R + Mal/FareitVB-AB
Comodo Malware@#38fqi7kvkrgno
F-Secure Trojan.TR/Injector.thkfc
BitDefenderTheta Gen:NN.ZevbaCO.34700.gm0@a0T8pzmb
VIPRE Trojan.Win32.Generic!BT
TrendMicro Possible_SMHPFAREITTH
McAfee-GW-Edition BehavesLike.Win32.Fareit.nt
Emsisoft Trojan.Injector (A)
Jiangmin Backdoor.Androm.avap
Avira TR/Injector.thkfc
Antiy-AVL Trojan/Win32.Wacatac
Microsoft Trojan:Win32/VBKrypt.AJ!MTB
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm Backdoor.Win32.Androm.tzqz
GData Gen:Heur.PonyStealer.gm0@B0T8pzmb
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.VBKrypt.R335093
McAfee Fareit-FST!ACA370CB8672
Malwarebytes Trojan.Injector
ESET-NOD32 a variant of Win32/Injector.ELTA
TrendMicro-HouseCall Possible_SMHPFAREITTH
Tencent Win32.Backdoor.Fareit.Auto
Yandex Trojan.Injector!pneWy6s+DUo
Ikarus Trojan.VB.Crypt
eGambit Unsafe.AI_Score_99%
Fortinet W32/GuLoader.VHII!tr
MaxSecure Trojan.Malware.7679664.susgen
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2009-01-21 13:01:14

Imports

Library MSVBVM60.DLL:
0x401000 _CIcos
0x401004 _adj_fptan
0x401008 __vbaVarMove
0x40100c __vbaFreeVar
0x401010 __vbaFreeVarList
0x401014 _adj_fdiv_m64
0x401018 _adj_fprem1
0x40101c __vbaStrCat
0x401024 __vbaLenBstrB
0x401028
0x40102c
0x401030 _adj_fdiv_m32
0x401034
0x401038 __vbaAryDestruct
0x40103c
0x401040
0x401044 __vbaLateMemSt
0x401048 __vbaObjSet
0x40104c _adj_fdiv_m16i
0x401050 __vbaObjSetAddref
0x401054 _adj_fdivr_m16i
0x401058
0x40105c
0x401060 _CIsin
0x401064 __vbaErase
0x401068
0x40106c __vbaChkstk
0x401070 EVENT_SINK_AddRef
0x401078 __vbaStrCmp
0x40107c __vbaAryConstruct2
0x401080 __vbaVarTstEq
0x401084 __vbaR4Str
0x401088
0x40108c __vbaObjVar
0x401090 __vbaI2I4
0x401094 _adj_fpatan
0x401098
0x40109c
0x4010a0 __vbaRedim
0x4010a4
0x4010a8 EVENT_SINK_Release
0x4010ac _CIsqrt
0x4010b4
0x4010b8 __vbaExceptHandler
0x4010bc
0x4010c0 _adj_fprem
0x4010c4 _adj_fdivr_m64
0x4010c8 __vbaFPException
0x4010cc
0x4010d0
0x4010d4 _CIlog
0x4010d8
0x4010dc __vbaFileOpen
0x4010e0 __vbaNew2
0x4010e4 __vbaR8Str
0x4010e8 _adj_fdiv_m32i
0x4010ec _adj_fdivr_m32i
0x4010f0
0x4010f4 __vbaStrCopy
0x4010f8
0x4010fc __vbaFreeStrList
0x401100 __vbaDerefAry1
0x401104 _adj_fdivr_m32
0x401108
0x40110c _adj_fdiv_r
0x401110
0x401114
0x401118 __vbaVarTstNe
0x40111c __vbaLateMemCall
0x401120 __vbaVarDup
0x401124
0x401128 __vbaVarCopy
0x40112c __vbaLateMemCallLd
0x401130
0x401134 _CIatan
0x401138 __vbaStrMove
0x40113c __vbaUI1Str
0x401140 _allmul
0x401144 _CItan
0x401148 _CIexp
0x40114c __vbaFreeStr
0x401150 __vbaFreeObj

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.