Score: 8.0 (High risk)

SHA-256: dfeb4e7e2a1a0fd599e6196bd91b89ec266e34f92ecb18f4700abcffad014bbe

Sample: ae7ba206e16396ee1367922616c5d2f5.exe

Analysis duration: 94s

Last analysed: -

File size: 567.0KB
Static detection: malicious. Dynamic detection: malicious. Detection tags: 100% AGENTTESLA AI SCORE=83 ATTRIBUTE BUAERV CONFIDENCE ELDORADO ENCODED EPNV FAREIT GDSDA GENERICKDZ GENKRYPTIK HIGH CONFIDENCE HIGHCONFIDENCE HPCZOQ IGENT KCLOUD KRYPTIK LOKIBOT LPLJ MALICIOUS PE MALWARE@#2RUQ6NYG2JGBL MSILKRYPT NEGASTEAL NVWCA PZSV QVM03 R346182 RATX SCORE SIGGEN2 SMAUJ STATIC AI TSCOPE UNSAFE YAKBEEXMSIL
Hawkeye engine (鹰眼引擎): not detected (no Hawkeye engine result is available for this sample)
Static verdict

Antivirus engines
Engine       Result                             Scan date  Engine version
McAfee       Fareit-FXU!AE7BA206E163            20201211   6.0.6.653
Avast        Win32:RATX-gen [Trj]               20201210   21.1.5827.0
Alibaba      Trojan:MSIL/AgentTesla.0f74b76a    20190527   0.3.0.5
Baidu        -                                  20190318   1.0.0.2
Kingsoft     Win32.Troj.Undef.(kcloud)          20201211   2017.9.26.565
Tencent      Msil.Trojan.Crypt.Lplj             20201211   1.0.0.1
CrowdStrike  win/malicious_confidence_100% (W)  20190702   1.0
Static indicators

Queries for the computername (1 event)
Time               API               Arguments                Status (return)  Repeated
1619843791.76125   GetComputerNameW  computer_name: OSKAR-PC  success (1)      0
Checks if process is being debugged by a debugger (36 events)
Note: the monitor logs IsDebuggerPresent as "failed" with return 0 whenever the call returns FALSE, i.e. no debugger was seen. After two calls at start-up and one at 1619843762.60, the sample calls it roughly every 0.5 s from 1619843763.12 to 1619843778.12, the cadence of a sleep-and-recheck loop rather than a single check.
Time               API                Status  Return  Repeated
1619843714.526125  IsDebuggerPresent  failed  0       0
1619843714.526125  IsDebuggerPresent  failed  0       0
1619843762.604125  IsDebuggerPresent  failed  0       0
1619843763.120125  IsDebuggerPresent  failed  0       0
1619843763.620125  IsDebuggerPresent  failed  0       0
1619843764.120125  IsDebuggerPresent  failed  0       0
1619843764.620125  IsDebuggerPresent  failed  0       0
1619843765.120125  IsDebuggerPresent  failed  0       0
1619843765.620125  IsDebuggerPresent  failed  0       0
1619843766.120125  IsDebuggerPresent  failed  0       0
1619843766.620125  IsDebuggerPresent  failed  0       0
1619843767.120125  IsDebuggerPresent  failed  0       0
1619843767.620125  IsDebuggerPresent  failed  0       0
1619843768.120125  IsDebuggerPresent  failed  0       0
1619843768.620125  IsDebuggerPresent  failed  0       0
1619843769.120125  IsDebuggerPresent  failed  0       0
1619843769.620125  IsDebuggerPresent  failed  0       0
1619843770.120125  IsDebuggerPresent  failed  0       0
1619843770.620125  IsDebuggerPresent  failed  0       0
1619843771.120125  IsDebuggerPresent  failed  0       0
1619843771.620125  IsDebuggerPresent  failed  0       0
1619843772.120125  IsDebuggerPresent  failed  0       0
1619843772.620125  IsDebuggerPresent  failed  0       0
1619843773.120125  IsDebuggerPresent  failed  0       0
1619843773.620125  IsDebuggerPresent  failed  0       0
1619843774.120125  IsDebuggerPresent  failed  0       0
1619843774.636125  IsDebuggerPresent  failed  0       0
1619843775.120125  IsDebuggerPresent  failed  0       0
1619843775.636125  IsDebuggerPresent  failed  0       0
1619843776.120125  IsDebuggerPresent  failed  0       0
1619843776.636125  IsDebuggerPresent  failed  0       0
1619843777.120125  IsDebuggerPresent  failed  0       0
1619843777.636125  IsDebuggerPresent  failed  0       0
1619843778.120125  IsDebuggerPresent  failed  0       0
1619843778.72925   IsDebuggerPresent  failed  0       0
1619843778.72925   IsDebuggerPresent  failed  0       0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time               API                   Status (return)  Repeated
1619843714.573125  GlobalMemoryStatusEx  success (1)      0
Behavioral verdict

Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 127 events)
Fields identical in every row are omitted: process_identifier 152, process_handle 0xffffffff (the current-process pseudo-handle), protection 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass 0, stack_pivoted 0. "Size" is region_size for NtAllocateVirtualMemory and length for NtProtectVirtualMemory. The failed NtProtectVirtualMemory calls return 3221225550 = 0xC000004E (STATUS_SECTION_PROTECTION): the pages at 0x04f3xxxx belong to a mapped section whose maximum protection does not permit RWX. The two successful NtProtectVirtualMemory calls at 0x73e71000/0x73e72000 make pages in a loaded-module range writable and executable, outside the sample's own image at 0x00400000. Because the sample is a .NET executable (see Imports), many small RWX commits are also what the CLR JIT produces on its own, so this indicator is corroborating rather than conclusive on its own.
Time               API                      Size     heap_dep_bypass  Allocation type     Base address  Status (return)  Repeated
1619843714.151125  NtAllocateVirtualMemory  1114112  0                8192 (MEM_RESERVE)  0x00750000    success (0)      0
1619843714.151125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00820000    success (0)      0
1619843714.354125  NtAllocateVirtualMemory  262144   0                8192 (MEM_RESERVE)  0x003a0000    success (0)      0
1619843714.354125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x003a0000    success (0)      0
1619843714.432125  NtProtectVirtualMemory   4096     0                -                   0x73e71000    success (0)      0
1619843714.526125  NtAllocateVirtualMemory  1572864  0                8192 (MEM_RESERVE)  0x00b80000    success (0)      0
1619843714.526125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00cc0000    success (0)      0
1619843714.542125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x0042a000    success (0)      0
1619843714.542125  NtProtectVirtualMemory   8192     0                -                   0x73e72000    success (0)      0
1619843714.542125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00422000    success (0)      0
1619843714.776125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00442000    success (0)      0
1619843714.870125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00465000    success (0)      0
1619843714.870125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x0046b000    success (0)      0
1619843714.870125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00467000    success (0)      0
1619843714.979125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00443000    success (0)      0
1619843715.026125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x0044c000    success (0)      0
1619843715.417125  NtAllocateVirtualMemory  8192     1                4096 (MEM_COMMIT)   0x00444000    success (0)      0
1619843715.432125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00446000    success (0)      0
1619843715.526125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00447000    success (0)      0
1619843715.542125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00770000    success (0)      0
1619843715.698125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x0045a000    success (0)      0
1619843715.698125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00457000    success (0)      0
1619843715.839125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00456000    success (0)      0
1619843715.917125  NtAllocateVirtualMemory  8192     1                4096 (MEM_COMMIT)   0x00771000    success (0)      0
1619843716.417125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x0044a000    success (0)      0
1619843716.620125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00448000    success (0)      0
1619843716.823125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00449000    success (0)      0
1619843716.901125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00dc0000    success (0)      0
1619843716.901125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00773000    success (0)      0
1619843716.964125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00dc1000    success (0)      0
1619843716.995125  NtAllocateVirtualMemory  12288    1                4096 (MEM_COMMIT)   0x00774000    success (0)      0
1619843717.011125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00777000    success (0)      0
1619843755.042125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x003a1000    success (0)      0
1619843755.261125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x0042c000    success (0)      0
1619843755.354125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00dc2000    success (0)      0
1619843755.354125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x0044d000    success (0)      0
1619843755.370125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00778000    success (0)      0
1619843755.495125  NtProtectVirtualMemory   335872   0                -                   0x04f30400    failed (3221225550)  0
1619843761.886125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00779000    success (0)      0
1619843761.886125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00dc3000    success (0)      0
1619843761.886125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x0077a000    success (0)      0
1619843761.901125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x0077b000    success (0)      0
1619843761.917125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x0077c000    success (0)      0
1619843762.011125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x0077d000    success (0)      0
1619843762.292125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x0077e000    success (0)      0
1619843762.401125  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00610000    success (0)      0
1619843762.401125  NtAllocateVirtualMemory  8192     1                4096 (MEM_COMMIT)   0x00611000    success (0)      0
1619843762.401125  NtProtectVirtualMemory   8        0                -                   0x04f30178    failed (3221225550)  0
1619843762.417125  NtProtectVirtualMemory   8        0                -                   0x04f301a0    failed (3221225550)  0
1619843762.417125  NtProtectVirtualMemory   8        0                -                   0x04f301c8    failed (3221225550)  0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
Section entropy 7.717827853369296: section .text (virtual_address 0x00002000, virtual_size 0x0008d0a0, size_of_data 0x0008d200) has a high entropy. The value is Shannon entropy in bits per byte (maximum 8.0); 7.72 over a 578,048-byte .text that makes up nearly the whole 567 KB file means the managed code is almost entirely encrypted or compressed payload.
Overall entropy 0.9964695498676082: "Overall entropy of this PE file is high". Note that this second figure is not an entropy at all but the share of section data that sits in high-entropy sections (here 99.6%, essentially the .text section alone), which is how the packer_entropy signature reports it.
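As an added example (not the sandbox's own code), the following Python reproduces the two figures above from a PE image: per-section Shannon entropy in bits per byte, and the "overall" ratio of section bytes held in sections above the 6.8-bit cut-off that Cuckoo's packer_entropy signature uses. It parses the section table itself rather than depending on a third-party module, and runs on a constructed minimal PE32 image built in memory (a random-filled .text and a zero-filled .data section), so it needs no sample; the image layout and the 6.8 threshold are assumptions, not values from this report.

```python
"""Per-section entropy and the "compressed data ratio" behind the packer indicator.

Added example, not code from the sandbox. Instead of reading the sample it
builds a constructed minimal PE32 image in memory. The 6.8-bit cut-off is the
one Cuckoo's packer_entropy signature uses (an assumption as far as this page
is concerned); the "overall" figure is the share of section bytes that live in
sections above that cut-off.
"""
import math
import random
import struct
from collections import Counter

HIGH_ENTROPY_BITS = 6.8   # packer_entropy threshold, bits per byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section header; PE32 and PE32+ alike."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                      # section table follows the optional header
    for i in range(num_sections):
        hdr = image[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)   # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr: raw_ptr + raw_size]


def entropy_report(image: bytes, threshold: float = HIGH_ENTROPY_BITS) -> dict:
    """Section entropies plus the ratio of section bytes that are high-entropy."""
    total = packed = 0
    sections = {}
    for name, raw in pe_sections(image):
        ent = shannon_entropy(raw)
        sections[name] = round(ent, 3)
        total += len(raw)
        if ent > threshold:
            packed += len(raw)
    return {
        "sections": sections,
        "high_entropy_sections": [n for n, e in sections.items() if e > threshold],
        "compressed_ratio": round(packed / total, 4) if total else 0.0,
    }


def build_test_image() -> bytes:
    """Constructed PE32: 512-byte header block, random .text, zero-filled .data."""
    rng = random.Random(1)                                              # deterministic "packed" data
    text = bytes(rng.getrandbits(8) for _ in range(0x10000))
    data = b"\0" * 0x1000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                        # PE32 optional header, Magic only
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)  # i386, two sections
    raw_base = 0x200                                                    # file offset of first section

    def section(name, vaddr, raw, rptr):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), rptr,
                           0, 0, 0, 0, 0x60000020)                      # CODE|EXECUTE|READ

    table = (section(b".text", 0x1000, text, raw_base)
             + section(b".data", 0x12000, data, raw_base + len(text)))
    headers = dos + b"PE\0\0" + coff + opt + table
    if len(headers) > raw_base:
        raise ValueError("headers overflow the first section offset")
    return headers.ljust(raw_base, b"\0") + text + data


if __name__ == "__main__":
    print(entropy_report(build_test_image()))
```

Against the constructed image the report flags only .text; against the real sample the same code would flag .text at about 7.72 bits and return a ratio close to the 0.9965 shown above, because .text holds nearly all section bytes.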
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
Looking up SeDebugPrivilege is the usual prelude to enabling it with AdjustTokenPrivileges before opening another process; the first lookup (1619843755.46) comes shortly before the CreateProcess/WriteProcessMemory sequence below.
Time               API                   Arguments                                         Status (return)  Repeated
1619843755.464125  LookupPrivilegeValueW  system_name: (empty), privilege_name: SeDebugPrivilege  success (1)      0
1619843791.26125   LookupPrivilegeValueW  system_name: (empty), privilege_name: SeDebugPrivilege  success (1)      0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14 (no connection to this address appears in the TCP or HTTP tables at the end of the report, so only the attempt is evidenced)
Allocates execute permission to another process indicative of possible code injection (1 event)
The allocation is 311296 bytes (0x4c000) at 0x00400000, the default image base of the child, which is a second copy of the sample itself: the parent is carving out room for a replacement image rather than a small shellcode stub.
Time               API                      PID   Arguments                                                                                                                                                                        Status (return)  Repeated
1619843777.901125  NtAllocateVirtualMemory  1664  base_address 0x00400000, region_size 311296, protection 64 (PAGE_EXECUTE_READWRITE), allocation_type 12288 (MEM_COMMIT|MEM_RESERVE), process_handle 0x0000e6cc, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0  success (0)      0
Potential code injection by writing to the memory of another process (4 events)
The first write places PE headers for a three-section image (.text, .rsrc, .reloc) at the child's image base; the third carries the payload's VS_VERSION_INFO resource, whose InternalName/OriginalFilename BXHvLEuvRzUddWnqWCBodkcWAIecsSUmSj.exe is the injected executable's own name and a usable artefact for hunting. The last write goes to 0x7efde008, which is PEB+0x08 (ImageBaseAddress) given the PEB address 0x7efde000 seen in ebx under NtSetContextThread below; the visible "@" is the 0x40 byte of 0x00400000 written little-endian.
Time               API                 PID   Arguments                                                                                                                                                                              Status (return)  Repeated
1619843777.901125  WriteProcessMemory  1664  base_address 0x00400000, process_handle 0x0000e6cc, buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõˆæ^à Po €@ À@…ÈnS€   H.text$O P `.rsrc€R@@.reloc  V@B  success (1)      0
1619843777.917125  WriteProcessMemory  1664  base_address 0x00448000, process_handle 0x0000e6cc, buffer: €0€HX€´´4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoð000004b0,FileDescription 0FileVersion0.0.0.0p'InternalNameBXHvLEuvRzUddWnqWCBodkcWAIecsSUmSj.exe(LegalCopyright x'OriginalFilenameBXHvLEuvRzUddWnqWCBodkcWAIecsSUmSj.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0  success (1)      0
1619843777.917125  WriteProcessMemory  1664  base_address 0x0044a000, process_handle 0x0000e6cc, buffer: ` ?                                                                                                                        success (1)      0
1619843777.917125  WriteProcessMemory  1664  base_address 0x7efde008, process_handle 0x0000e6cc, buffer: @                                                                                                                          success (1)      0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time               API                 PID   Arguments                                                                                                                                                                              Status (return)  Repeated
1619843777.901125  WriteProcessMemory  1664  base_address 0x00400000, process_handle 0x0000e6cc, buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõˆæ^à Po €@ À@…ÈnS€   H.text$O P `.rsrc€R@@.reloc  V@B  success (1)      0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection: process 152 called NtSetContextThread to modify a thread in remote process 1664
eax 4484894 is 0x00446f1e, an address inside the 0x00400000-0x0044c000 image written above: for a process created suspended, the primary thread's initial context carries the entry point in eax, so this is the injector redirecting execution to the new image's entry point. ebx 2130567168 is 0x7efde000, the child's PEB. eip is logged as 0; the injector did not need to change it.
Time               API                 PID   Arguments                                                                                                                                   Status (return)  Repeated
1619843777.917125  NtSetContextThread  1664  thread_handle 0x00000e40, registers: eax 4484894, ebx 2130567168, eip 0, esp 0, ebp 0, edi 0, esi 0, edx 0, ecx 0                                   success (0)      0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection: process 152 resumed a thread in remote process 1664
Time               API             PID   Arguments                                  Status (return)  Repeated
1619843778.339125  NtResumeThread  1664  thread_handle 0x00000e40, suspend_count 1  success (0)      0
Executed a process and injected code into it, probably while unpacking (19 events)
Read together, the rows from 1619843777.901125 onward are a textbook process-hollowing sequence: spawn a second copy of the sample suspended (CREATE_SUSPENDED), read its primary thread's context, allocate RWX memory at the child's image base 0x00400000, write a fresh PE image there together with its version resource, patch the new image base into the child's PEB (PEB+0x08 at 0x7efde008), set the thread context so that eax points at the new entry point, and resume the thread. The "PID" column is the process_identifier argument the monitor logged (the process that owns the target thread or memory); the calling process is not recorded in this view, so the final NtResumeThread rows with low-numbered handles in process 1664 may equally be the hollowed child starting its own threads. stack_pivoted is 0 throughout.
Time               API                     PID   Arguments                                                                                                                                                                              Status (return)  Repeated
1619843714.526125  NtResumeThread          152   thread_handle 0x000000d8, suspend_count 1                                                                                                                                              success (0)      0
1619843714.542125  NtResumeThread          152   thread_handle 0x00000124, suspend_count 1                                                                                                                                              success (0)      0
1619843714.667125  NtResumeThread          152   thread_handle 0x00000174, suspend_count 1                                                                                                                                              success (0)      0
1619843762.573125  NtResumeThread          152   thread_handle 0x00007cd4, suspend_count 1                                                                                                                                              success (0)      0
1619843762.589125  NtResumeThread          152   thread_handle 0x0000f324, suspend_count 1                                                                                                                                              success (0)      0
1619843777.901125  CreateProcessInternalW  1664  filepath C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ae7ba206e16396ee1367922616c5d2f5.exe (filepath_r identical), command_line "{path}", current_directory (empty), creation_flags 4 (CREATE_SUSPENDED), inherit_handles 0, track 1, process_handle 0x0000e6cc, thread_handle 0x00000e40, thread_identifier 176  success (1)      0
1619843777.901125  NtGetContextThread      -     thread_handle 0x00000e40                                                                                                                                                               success (0)      0
1619843777.901125  NtAllocateVirtualMemory 1664  base_address 0x00400000, region_size 311296, protection 64 (PAGE_EXECUTE_READWRITE), allocation_type 12288 (MEM_COMMIT|MEM_RESERVE), process_handle 0x0000e6cc, stack_dep_bypass 0, heap_dep_bypass 0  success (0)      0
1619843777.901125  WriteProcessMemory      1664  base_address 0x00400000, process_handle 0x0000e6cc, buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõˆæ^à Po €@ À@…ÈnS€   H.text$O P `.rsrc€R@@.reloc  V@B  success (1)      0
1619843777.901125  WriteProcessMemory      1664  base_address 0x00402000, process_handle 0x0000e6cc, buffer: (not displayed)                                                                                                            success (1)      0
1619843777.917125  WriteProcessMemory      1664  base_address 0x00448000, process_handle 0x0000e6cc, buffer: €0€HX€´´4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoð000004b0,FileDescription 0FileVersion0.0.0.0p'InternalNameBXHvLEuvRzUddWnqWCBodkcWAIecsSUmSj.exe(LegalCopyright x'OriginalFilenameBXHvLEuvRzUddWnqWCBodkcWAIecsSUmSj.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0  success (1)      0
1619843777.917125  WriteProcessMemory      1664  base_address 0x0044a000, process_handle 0x0000e6cc, buffer: ` ?                                                                                                                        success (1)      0
1619843777.917125  WriteProcessMemory      1664  base_address 0x7efde008, process_handle 0x0000e6cc, buffer: @ (PEB+0x08, ImageBaseAddress = 0x00400000)                                                                                 success (1)      0
1619843777.917125  NtSetContextThread      1664  thread_handle 0x00000e40, registers: eax 4484894 (0x00446f1e, entry point of the written image), ebx 2130567168 (0x7efde000, the child's PEB), eip 0, esp 0, ebp 0, edi 0, esi 0, edx 0, ecx 0  success (0)      0
1619843778.339125  NtResumeThread          1664  thread_handle 0x00000e40, suspend_count 1                                                                                                                                              success (0)      0
1619843778.354125  NtResumeThread          152   thread_handle 0x0000e838, suspend_count 1                                                                                                                                              success (0)      0
1619843778.72925   NtResumeThread          1664  thread_handle 0x000000d8, suspend_count 1                                                                                                                                              success (0)      0
1619843778.72925   NtResumeThread          1664  thread_handle 0x00000120, suspend_count 1                                                                                                                                              success (0)      0
1619843778.80725   NtResumeThread          1664  thread_handle 0x0000019c, suspend_count 1                                                                                                                                              success (0)      0
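The call chain above is what a detection rule should key on, not any single API. The Python below is an added example rather than the sandbox's own code. It walks a constructed trace modelled on this report (timestamps, pids, handles and addresses are taken from the rows above; the caller "pid" field and the abbreviated buffers are assumptions, because the report does not log the calling process) and reports (a) every suspended child that receives, from another process and in this order, an RWX allocation, an MZ-prefixed write, NtSetContextThread and NtResumeThread, and (b) any process calling IsDebuggerPresent on a steady timer, which covers the static indicator earlier on the page as well. The thresholds (four calls, 0.1 s jitter) are assumptions.

```python
"""Process-hollowing and anti-debug polling detection over a Cuckoo-style API trace.

Added example; not the sandbox's code. TRACE is constructed to mirror the call
sequence in this report (pid 152 creates pid 1664 suspended, maps a PE into
it, sets the thread context and resumes it). Field names follow the report's
argument names; the caller "pid", the abbreviated buffers and the thresholds
are assumptions, since the report does not record the calling process.
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004
PAGE_EXECUTE_READWRITE = 0x40
HOLLOWING_STAGES = ("suspended_create", "remote_rwx_alloc",
                    "pe_image_write", "set_thread_context", "resume")

# Constructed trace: timestamps, pids and handles from the report, buffers abbreviated.
TRACE = [
    {"time": 1619843714.526125, "pid": 152, "api": "IsDebuggerPresent"},
    {"time": 1619843763.120125, "pid": 152, "api": "IsDebuggerPresent"},
    {"time": 1619843763.620125, "pid": 152, "api": "IsDebuggerPresent"},
    {"time": 1619843764.120125, "pid": 152, "api": "IsDebuggerPresent"},
    {"time": 1619843764.620125, "pid": 152, "api": "IsDebuggerPresent"},
    {"time": 1619843777.901125, "pid": 152, "api": "CreateProcessInternalW",
     "process_identifier": 1664, "creation_flags": 0x4,
     "process_handle": 0xE6CC, "thread_handle": 0xE40},
    {"time": 1619843777.901125, "pid": 152, "api": "NtGetContextThread",
     "thread_handle": 0xE40},
    {"time": 1619843777.901125, "pid": 152, "api": "NtAllocateVirtualMemory",
     "process_identifier": 1664, "protection": 0x40,
     "base_address": 0x400000, "region_size": 311296},
    {"time": 1619843777.901125, "pid": 152, "api": "WriteProcessMemory",
     "process_identifier": 1664, "base_address": 0x400000,
     "buffer": b"MZ\x90\x00\x03\x00\x00\x00"},          # start of the PE header
    {"time": 1619843777.917125, "pid": 152, "api": "WriteProcessMemory",
     "process_identifier": 1664, "base_address": 0x7EFDE008,
     "buffer": (0x400000).to_bytes(4, "little")},        # PEB.ImageBaseAddress
    {"time": 1619843777.917125, "pid": 152, "api": "NtSetContextThread",
     "process_identifier": 1664, "thread_handle": 0xE40},
    {"time": 1619843778.339125, "pid": 152, "api": "NtResumeThread",
     "process_identifier": 1664, "thread_handle": 0xE40},
]


def detect_hollowing(trace):
    """Return one finding per child pid that completes every stage, in order."""
    state = defaultdict(dict)            # child pid -> {"parent_pid": ..., stage: time}
    for ev in trace:
        api, child = ev["api"], ev.get("process_identifier")
        if api == "CreateProcessInternalW" and ev.get("creation_flags", 0) & CREATE_SUSPENDED:
            state[child] = {"parent_pid": ev["pid"], "suspended_create": ev["time"]}
            continue
        if child not in state or child == ev["pid"]:
            continue                     # only cross-process calls into a suspended child count
        st = state[child]
        if api == "NtAllocateVirtualMemory" and ev.get("protection") == PAGE_EXECUTE_READWRITE:
            st["remote_rwx_alloc"] = ev["time"]
        elif api == "WriteProcessMemory" and ev.get("buffer", b"").startswith(b"MZ"):
            st["pe_image_write"] = ev["time"]
        elif api == "NtSetContextThread":
            st["set_thread_context"] = ev["time"]
        elif api == "NtResumeThread" and "set_thread_context" in st:
            st["resume"] = ev["time"]
    findings = []
    for child, st in state.items():
        if all(stage in st for stage in HOLLOWING_STAGES):
            times = [st[stage] for stage in HOLLOWING_STAGES]
            if times == sorted(times):   # stages must occur in hollowing order
                findings.append({"parent_pid": st["parent_pid"], "child_pid": child,
                                 "stages": dict(zip(HOLLOWING_STAGES, times))})
    return findings


def detect_debugger_polling(trace, min_calls=4, max_jitter=0.1):
    """Map pid -> period in seconds for pids calling IsDebuggerPresent on a steady timer."""
    calls = defaultdict(list)
    for ev in trace:
        if ev["api"] == "IsDebuggerPresent":
            calls[ev["pid"]].append(ev["time"])
    findings = {}
    for pid, times in calls.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        best_len, best_gap, run_len = 1, None, 1
        for prev, cur in zip(gaps, gaps[1:]):
            run_len = run_len + 1 if abs(cur - prev) <= max_jitter else 1
            if run_len > best_len:
                best_len, best_gap = run_len, cur
        if best_len + 1 >= min_calls:    # a run of k equal gaps spans k + 1 calls
            findings[pid] = round(best_gap, 3)
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(TRACE):
        print(f"hollowing: pid {f['parent_pid']} -> pid {f['child_pid']}: {f['stages']}")
    print("debugger polling:", detect_debugger_polling(TRACE))
```

The order check matters: a legitimate debugger or installer may also call NtSetContextThread on a suspended child, but it will not first map an MZ image over the child's image base with RWX protection; requiring all five stages in sequence, from a different process, keeps the rule specific while still matching this report's trace.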
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 of 56 results shown)
Elastic malicious (high confidence)
DrWeb Trojan.PWS.Siggen2.52692
MicroWorld-eScan Trojan.GenericKDZ.69068
FireEye Generic.mg.ae7ba206e16396ee
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee Fareit-FXU!AE7BA206E163
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
AegisLab Trojan.MSIL.Crypt.4!c
Sangfor Malware
K7AntiVirus Trojan ( 0056b5be1 )
BitDefender Trojan.GenericKDZ.69068
K7GW Trojan ( 0056b5be1 )
Cybereason malicious.6326fb
Cyren W32/MSIL_Kryptik.BFY.gen!Eldorado
Symantec ML.Attribute.HighConfidence
TrendMicro-HouseCall TrojanSpy.MSIL.NEGASTEAL.SMAUJ
Avast Win32:RATX-gen [Trj]
ClamAV Win.Dropper.LokiBot-9157380-0
Kaspersky HEUR:Trojan.MSIL.Crypt.gen
Alibaba Trojan:MSIL/AgentTesla.0f74b76a
NANO-Antivirus Trojan.Win32.Crypt.hpczoq
Ad-Aware Trojan.GenericKDZ.69068
Sophos Mal/Generic-S
Comodo Malware@#2ruq6nyg2jgbl
F-Secure Trojan.TR/Kryptik.nvwca
Zillya Trojan.Kryptik.Win32.2317427
TrendMicro TrojanSpy.MSIL.NEGASTEAL.SMAUJ
McAfee-GW-Edition BehavesLike.Win32.Generic.hc
Emsisoft Trojan.GenericKDZ.69068 (B)
SentinelOne Static AI - Malicious PE
GData Trojan.GenericKDZ.69068
Jiangmin Trojan.MSIL.pzsv
Webroot W32.Trojan.Gen
Avira TR/Kryptik.nvwca
MAX malware (ai score=83)
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft SUSP.Encoded_EXE.bot!yf
Arcabit Trojan.Generic.D10DCC
ZoneAlarm HEUR:Trojan.MSIL.Crypt.gen
Microsoft Trojan:MSIL/AgentTesla.VN!MTB
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.MSILKrypt.R346182
VBA32 TScope.Trojan.MSIL
Malwarebytes Spyware.AgentTesla
Panda Trj/GdSda.A
APEX Malicious
ESET-NOD32 a variant of MSIL/Kryptik.XCV
Tencent Msil.Trojan.Crypt.Lplj
Yandex Trojan.Igent.bUaERV.5
Visual analysis
Binary image: none (no binary visualisation was generated for this sample)
Runtime screenshots: none (no screenshots were captured while the sample ran)


PE Compile Time

2020-07-28 14:23:52

Imports

Library mscoree.dll:
0x402000 _CorExeMain

The single import, _CorExeMain from mscoree.dll, is the standard entry stub of a .NET (MSIL) executable and matches the MSIL-based names in the antivirus results; the managed code itself is not visible through the import table, which is why the RWX and process-hollowing behaviour above carries most of the weight.

Hosts

No hosts contacted. (The dynamic indicator above lists 172.217.24.14 as a host reached without a prior DNS query, but no connection to it appears in the TCP or HTTP tables.)

TCP

No TCP connections recorded.

UDP

Source          Source Port  Destination      Destination Port
192.168.56.101  50534        114.114.114.114  53
192.168.56.101  51963        114.114.114.114  53
192.168.56.101  53657        114.114.114.114  53
192.168.56.101  56539        114.114.114.114  53
192.168.56.101  65004        114.114.114.114  53
192.168.56.101  137          192.168.56.255   137
192.168.56.101  138          192.168.56.255   138
192.168.56.101  49235        224.0.0.252      5355
192.168.56.101  51808        224.0.0.252      5355
192.168.56.101  56804        224.0.0.252      5355
192.168.56.101  60123        224.0.0.252      5355
192.168.56.101  62191        224.0.0.252      5355
192.168.56.101  1900         239.255.255.250  1900
192.168.56.101  50535        239.255.255.250  3702
192.168.56.101  50537        239.255.255.250  3702
192.168.56.101  56540        239.255.255.250  3702
192.168.56.101  56807        239.255.255.250  1900
192.168.56.101  58707        239.255.255.250  3702

All recorded UDP traffic is five DNS queries to 114.114.114.114 (the queried names are not shown in this report) plus NetBIOS (137/138), LLMNR (5355), SSDP (1900) and WS-Discovery (3702) broadcast and multicast chatter; no command-and-control exchange was captured during the 94 s run.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files: none.
Dropped buffers: none (despite the dynamic-indicator note about extracted buffers, none is attached to this report).