3.4
Medium risk

09489e108c5b049847f98b97af75418db20af15d9cd727b240b922954b626845

ad8c735d94137108fc606c9e92fa067a.exe

Analysis duration

82s

Last analyzed

File size

400.0KB
Static detection / dynamic detection tags: AI SCORE=80 ARTEMIS ATTRIBUTE AVSJ CONFIDENCE DRYFV EMOTETCRYPT GENERICKD GENERICKDZ HGCC HIGH CONFIDENCE HIGHCONFIDENCE HWFLZA KRYPTIK KZIP MALWARE@#2T8W2YUG91HRG PDSNCVREEAR R03BC0WID20 SCORE SUSGEN SUSPICIOUS PE TRICKBOT UNSAFE WACATAC WNWU YMACCO ZENPAK
Eagle Eye engine
Not detected: no Eagle Eye engine results available
Static verdict
Antivirus engines
Engine Result Scan time Engine version
McAfee Artemis!AD8C735D9413 20201010 6.0.6.653
CrowdStrike win/malicious_confidence_60% (W) 20190702 1.0
Alibaba Backdoor:Win32/KZip.64ee269c 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Kingsoft 20201011 2013.8.14.323
Static indicators
Checks if process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1620897716.131429
IsDebuggerPresent
failed 0 0
The file contains an unknown PE resource name possibly indicative of a packer (1 event)
resource name None
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (9 events)
Time & API Arguments Status Return Repeated
1620897737.131429
NtAllocateVirtualMemory
process_identifier: 1436
region_size: 217088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00470000
success 0 0
1620897737.318429
NtProtectVirtualMemory
process_identifier: 1436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 204800
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00611000
success 0 0
1620897738.396429
NtAllocateVirtualMemory
process_identifier: 1436
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004b0000
success 0 0
1620897738.396429
NtAllocateVirtualMemory
process_identifier: 1436
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x10000000
success 0 0
1620897738.396429
NtAllocateVirtualMemory
process_identifier: 1436
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x10001000
success 0 0
1620897738.662429
NtAllocateVirtualMemory
process_identifier: 1436
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004c0000
success 0 0
1620897738.662429
NtAllocateVirtualMemory
process_identifier: 1436
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x006a0000
success 0 0
1620897738.662429
NtAllocateVirtualMemory
process_identifier: 1436
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02440000
success 0 0
1620908754.882626
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000000390000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.705992750148467 section {'size_of_data': '0x00044000', 'virtual_address': '0x00022000', 'entropy': 7.705992750148467, 'name': '.rsrc', 'virtual_size': '0x00043328'} description A section with a high entropy has been found
entropy 0.6868686868686869 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
Time & API Arguments Status Return Repeated
1620908770.116626
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620908790.663626
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
Communicates with host for which no DNS query was performed (4 events)
host 151.139.128.14
host 172.217.24.14
host 203.208.40.34
host 52.218.97.124
File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43811822
FireEye Generic.mg.ad8c735d94137108
CAT-QuickHeal Trojan.Wacatac
McAfee Artemis!AD8C735D9413
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2526395
Sangfor Malware
CrowdStrike win/malicious_confidence_60% (W)
Alibaba Backdoor:Win32/KZip.64ee269c
K7GW Trojan ( 0056e2be1 )
K7AntiVirus Trojan ( 0056e2be1 )
Arcabit Trojan.Generic.D29C83EE
TrendMicro TROJ_GEN.R03BC0WID20
Cyren W32/Trojan.WNWU-3687
Symantec ML.Attribute.HighConfidence
APEX Malicious
Kaspersky Trojan.Win32.Zenpak.avsj
BitDefender Trojan.GenericKD.43811822
NANO-Antivirus Trojan.Win32.Zenpak.hwflza
Ad-Aware Trojan.GenericKD.43811822
Emsisoft Trojan.GenericKD.43811822 (B)
Comodo Malware@#2t8w2yug91hrg
F-Secure Trojan.TR/AD.TrickBot.dryfv
VIPRE Trojan.Win32.Generic!BT
Invincea Mal/Generic-S
McAfee-GW-Edition BehavesLike.Win32.Dropper.gc
Sophos Mal/Generic-S
SentinelOne DFI - Suspicious PE
Avira TR/AD.TrickBot.dryfv
MAX malware (ai score=80)
Microsoft Trojan:Win32/Ymacco.AA09
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm Trojan.Win32.Zenpak.avsj
GData Trojan.GenericKD.43811822
Cynet Malicious (score: 90)
AhnLab-V3 Trojan/Win32.Trickbot.C4202162
ALYac Trojan.Agent.Wacatac
Malwarebytes Trojan.MalPack
ESET-NOD32 a variant of Win32/Kryptik.HGCC
TrendMicro-HouseCall TROJ_GEN.R03BC0WID20
Rising Trojan.EmotetCrypt!8.120EC (TFE:6:pdsnCVreEAR)
Ikarus Trojan.Win32.Crypt
Fortinet W32/GenericKDZ.7014!tr
MaxSecure Trojan.Malware.106440295.susgen
AVG Win32:Trojan-gen
Panda Trj/CI.A
Qihoo-360 Generic/Trojan.BO.be8
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran.


PE Compile Time

2020-09-09 22:05:35

Imports

Library KERNEL32.dll:
0x41d020 CreateThread
0x41d024 TerminateThread
0x41d028 GetExitCodeThread
0x41d02c CreateDirectoryW
0x41d030 ReadFile
0x41d034 SetFilePointerEx
0x41d038 WriteFile
0x41d03c GetCurrentProcessId
0x41d040 GetCurrentThreadId
0x41d044 GetTickCount
0x41d04c HeapSize
0x41d050 LCMapStringW
0x41d054 LCMapStringA
0x41d058 GetSystemInfo
0x41d05c VirtualProtect
0x41d060 GetLocaleInfoA
0x41d064 VirtualQuery
0x41d068 InterlockedExchange
0x41d06c LoadLibraryA
0x41d070 IsBadCodePtr
0x41d074 IsBadReadPtr
0x41d078 ExitProcess
0x41d07c GetCPInfo
0x41d080 GetOEMCP
0x41d084 GetACP
0x41d088 GetStringTypeW
0x41d08c MultiByteToWideChar
0x41d090 GetStringTypeA
0x41d094 GetFileType
0x41d098 SetHandleCount
0x41d0a0 GetLastError
0x41d0a4 WideCharToMultiByte
0x41d0b8 GetModuleFileNameA
0x41d0bc GetStdHandle
0x41d0c0 GetCurrentProcess
0x41d0c4 TerminateProcess
0x41d0c8 IsBadWritePtr
0x41d0cc HeapReAlloc
0x41d0d0 VirtualAlloc
0x41d0d4 VirtualFree
0x41d0d8 HeapCreate
0x41d0dc GetProcAddress
0x41d0e0 CreateFileW
0x41d0e4 GlobalFree
0x41d0e8 CloseHandle
0x41d0ec GlobalAlloc
0x41d0f0 GetModuleHandleW
0x41d0f4 lstrcpynW
0x41d0fc HeapDestroy
0x41d100 GetVersionExA
0x41d104 GetCommandLineA
0x41d108 GetStartupInfoA
0x41d10c HeapAlloc
0x41d110 HeapFree
0x41d114 RtlUnwind
0x41d118 GetModuleHandleA
Library USER32.dll:
0x41d12c CallWindowProcW
0x41d130 SendDlgItemMessageW
0x41d134 SetDlgItemTextW
0x41d138 EndDialog
0x41d13c GetDlgItemTextW
0x41d140 MessageBoxW
0x41d144 EnableWindow
0x41d148 ShowWindow
0x41d14c LoadIconW
0x41d150 DialogBoxParamW
0x41d154 wsprintfW
0x41d158 GetParent
0x41d15c GetDlgItem
0x41d160 SetWindowTextW
0x41d164 IsWindow
0x41d168 CreateCursor
0x41d16c SetWindowLongW
0x41d170 DestroyCursor
0x41d174 BeginPaint
0x41d178 DrawTextW
0x41d17c EndPaint
0x41d180 LoadCursorW
0x41d184 SetCursor
0x41d188 SetFocus
0x41d18c SetCapture
0x41d190 ReleaseCapture
0x41d194 ClientToScreen
0x41d198 GetWindowRect
0x41d19c PtInRect
0x41d1a0 InvalidateRect
0x41d1a4 UpdateWindow
0x41d1a8 GetDC
0x41d1ac ReleaseDC
0x41d1b0 SetWindowPos
0x41d1b4 GetWindowLongW
0x41d1b8 SendMessageW
0x41d1bc GetClientRect
0x41d1c0 FillRect
0x41d1c4 GetFocus
0x41d1c8 DrawFocusRect
Library GDI32.dll:
0x41d000 SetTextColor
0x41d004 DeleteObject
0x41d008 GetStockObject
0x41d00c GetObjectW
0x41d010 CreateFontIndirectW
0x41d014 SetBkMode
0x41d018 SelectObject
Library comdlg32.dll:
0x41d1d0 GetOpenFileNameW
Library SHELL32.dll:
0x41d124 ShellExecuteW

Exports

Ordinal Address Name
1 0x402000 ERWQSDASQWAFASASWW

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
52.218.97.124 80 192.168.56.101 49180

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 55369 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 65005 239.255.255.250 3702
192.168.56.101 65007 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.