6.2
High risk

d164a96bef7f5762ed9e75ddb21cfd312cad76d5116a125e4d8790118375846b

aef0256c176fab55d972c41e659a1bbb.exe

Analysis duration

22s

Last analyzed

File size

650.5KB
Static detections Dynamic detections
Eagle Eye engine
Not detected: no Eagle Eye engine results available
Static verdict
Antivirus engines
Engine Result Scan date Engine version
McAfee Fareit-FTB!AEF0256C176F 20200921 6.0.6.653
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Alibaba Trojan:Win32/Lokibot.c44f7d06 20190527 0.3.0.5
Kingsoft 20200922 2013.8.14.323
Tencent Win32.Trojan.Inject.Auto 20200922 1.0.0.1
Avast Win32:Trojan-gen 20200921 18.4.3895.0
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1619826879.717008
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 49610296
registers.edi: 0
registers.eax: 0
registers.ebp: 49610632
registers.edx: 36
registers.ebx: 0
registers.esi: 0
registers.ecx: 853
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 e5 62 00 00 e9
exception.symbol: aef0256c176fab55d972c41e659a1bbb+0x57e17
exception.instruction: div eax
exception.module: aef0256c176fab55d972c41e659a1bbb.exe
exception.exception_code: 0xc0000094
exception.offset: 359959
exception.address: 0x457e17
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (4 events)
Time & API Arguments Status Return Repeated
1619826879.498008
NtAllocateVirtualMemory
process_identifier: 2120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00350000
success 0 0
1619826879.717008
NtProtectVirtualMemory
process_identifier: 2120
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00457000
success 0 0
1619826879.748008
NtAllocateVirtualMemory
process_identifier: 2120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00660000
success 0 0
1619828186.728
NtAllocateVirtualMemory
process_identifier: 2536
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00970000
success 0 0
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.21141632721132 section {'size_of_data': '0x0003b000', 'virtual_address': '0x0006e000', 'entropy': 7.21141632721132, 'name': '.rsrc', 'virtual_size': '0x0003af84'} description A section with a high entropy has been found
entropy 0.36363636363636365 description Overall entropy of this PE file is high
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 2120 called NtSetContextThread to modify thread in remote process 2536
Time & API Arguments Status Return Repeated
1619826880.030008
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4306560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2536
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 2120 resumed a thread in remote process 2536
Time & API Arguments Status Return Repeated
1619826880.326008
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 2536
success 0 0
Executed a process and injected code into it, probably while unpacking (6 events)
Time & API Arguments Status Return Repeated
1619826880.014008
CreateProcessInternalW
thread_identifier: 2404
thread_handle: 0x000000ec
process_identifier: 2536
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\aef0256c176fab55d972c41e659a1bbb.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000f0
inherit_handles: 0
success 1 0
1619826880.014008
NtUnmapViewOfSection
process_identifier: 2536
region_size: 4096
process_handle: 0x000000f0
base_address: 0x00400000
success 0 0
1619826880.030008
NtMapViewOfSection
section_handle: 0x000000f8
process_identifier: 2536
commit_size: 172032
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000f0
allocation_type: 0 ()
section_offset: 0
view_size: 172032
base_address: 0x00400000
success 0 0
1619826880.030008
NtGetContextThread
thread_handle: 0x000000ec
success 0 0
1619826880.030008
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4306560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2536
success 0 0
1619826880.326008
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 2536
success 0 0
File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Agent.EQXY
CAT-QuickHeal Trojan.Kryptik
McAfee Fareit-FTB!AEF0256C176F
Malwarebytes Trojan.MalPack.DLF
VIPRE Trojan.Win32.Generic!BT
K7AntiVirus Trojan ( 00566bd51 )
BitDefender Trojan.Agent.EQXY
K7GW Trojan ( 00566bd51 )
CrowdStrike win/malicious_confidence_90% (W)
TrendMicro TrojanSpy.Win32.LOKI.SMAD1.hp
Cyren W32/Injector.BDQK-0964
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
Alibaba Trojan:Win32/Lokibot.c44f7d06
NANO-Antivirus Trojan.Win32.SpyBotNET.hkewsq
Rising Trojan.Injector!8.C4 (TFE:5:NEXdeUuVKQR)
Ad-Aware Trojan.Agent.EQXY
Emsisoft Trojan.Agent.EQXY (B)
Comodo Malware@#lw2t1rseqhhr
F-Secure Trojan.TR/Injector.qmtoo
DrWeb BackDoor.SpyBotNET.17
Zillya Trojan.Injector.Win32.737678
Invincea ML/PE-A + Mal/Fareit-AA
FireEye Generic.mg.aef0256c176fab55
Sophos Mal/Fareit-AA
Ikarus Trojan.Inject
GData Win32.Trojan.Injector.PA
Jiangmin Trojan.Kryptik.bho
Webroot W32.Adware.Gen
Avira TR/Injector.qmtoo
Antiy-AVL Trojan/Win32.Kryptik
Arcabit Trojan.Agent.EQXY
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
Microsoft Trojan:Win32/Lokibot.V!MTB
AhnLab-V3 Suspicious/Win.Delphiless.X2066
VBA32 TScope.Trojan.Delf
ALYac Trojan.Agent.EQXY
MAX malware (ai score=87)
Cylance Unsafe
Panda Trj/GdSda.A
Zoner Trojan.Win32.91887
ESET-NOD32 a variant of Win32/Injector.ELYL
TrendMicro-HouseCall TrojanSpy.Win32.LOKI.SMAD1.hp
Tencent Win32.Trojan.Inject.Auto
Yandex Trojan.Injector!bItIaOkwxes
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran


PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x462128 VirtualFree
0x46212c VirtualAlloc
0x462130 LocalFree
0x462134 LocalAlloc
0x462138 GetVersion
0x46213c GetCurrentThreadId
0x462148 VirtualQuery
0x46214c WideCharToMultiByte
0x462154 MultiByteToWideChar
0x462158 lstrlenA
0x46215c lstrcpynA
0x462160 LoadLibraryExA
0x462164 GetThreadLocale
0x462168 GetStartupInfoA
0x46216c GetProcAddress
0x462170 GetModuleHandleA
0x462174 GetModuleFileNameA
0x462178 GetLocaleInfoA
0x46217c GetLastError
0x462184 GetCommandLineA
0x462188 FreeLibrary
0x46218c FindFirstFileA
0x462190 FindClose
0x462194 ExitProcess
0x462198 WriteFile
0x4621a0 RtlUnwind
0x4621a4 RaiseException
0x4621a8 GetStdHandle
Library user32.dll:
0x4621b0 GetKeyboardType
0x4621b4 LoadStringA
0x4621b8 MessageBoxA
0x4621bc CharNextA
Library advapi32.dll:
0x4621c4 RegQueryValueExA
0x4621c8 RegOpenKeyExA
0x4621cc RegCloseKey
Library oleaut32.dll:
0x4621d4 SysFreeString
0x4621d8 SysReAllocStringLen
0x4621dc SysAllocStringLen
Library kernel32.dll:
0x4621e4 TlsSetValue
0x4621e8 TlsGetValue
0x4621ec LocalAlloc
0x4621f0 GetModuleHandleA
Library advapi32.dll:
0x4621f8 RegQueryValueExA
0x4621fc RegOpenKeyExA
0x462200 RegCloseKey
Library kernel32.dll:
0x462208 lstrcpyA
0x46220c WriteFile
0x462210 WaitForSingleObject
0x462214 VirtualQuery
0x462218 VirtualProtect
0x46221c VirtualAlloc
0x462220 Sleep
0x462224 SizeofResource
0x462228 SetThreadLocale
0x46222c SetFilePointer
0x462230 SetEvent
0x462234 SetErrorMode
0x462238 SetEndOfFile
0x46223c ResetEvent
0x462240 ReadFile
0x462244 MulDiv
0x462248 LockResource
0x46224c LoadResource
0x462250 LoadLibraryA
0x46225c GlobalUnlock
0x462260 GlobalReAlloc
0x462264 GlobalHandle
0x462268 GlobalLock
0x46226c GlobalFree
0x462270 GlobalFindAtomA
0x462274 GlobalDeleteAtom
0x462278 GlobalAlloc
0x46227c GlobalAddAtomA
0x462280 GetVersionExA
0x462284 GetVersion
0x462288 GetTickCount
0x46228c GetThreadLocale
0x462294 GetSystemTime
0x462298 GetSystemInfo
0x46229c GetStringTypeExA
0x4622a0 GetStdHandle
0x4622a4 GetProcAddress
0x4622a8 GetModuleHandleA
0x4622ac GetModuleFileNameA
0x4622b0 GetLocaleInfoA
0x4622b4 GetLocalTime
0x4622b8 GetLastError
0x4622bc GetFullPathNameA
0x4622c0 GetFileAttributesA
0x4622c4 GetDiskFreeSpaceA
0x4622c8 GetDateFormatA
0x4622cc GetCurrentThreadId
0x4622d0 GetCurrentProcessId
0x4622d4 GetCPInfo
0x4622d8 GetACP
0x4622dc FreeResource
0x4622e0 InterlockedExchange
0x4622e4 FreeLibrary
0x4622e8 FormatMessageA
0x4622ec FindResourceA
0x4622f0 FindNextFileA
0x4622f4 FindFirstFileA
0x4622f8 FindClose
0x462308 ExitThread
0x46230c EnumCalendarInfoA
0x462318 CreateThread
0x46231c CreateFileA
0x462320 CreateEventA
0x462324 CompareStringA
0x462328 CloseHandle
Library version.dll:
0x462330 VerQueryValueA
0x462338 GetFileVersionInfoA
Library gdi32.dll:
0x462340 UnrealizeObject
0x462344 StretchBlt
0x462348 SetWindowOrgEx
0x46234c SetViewportOrgEx
0x462350 SetTextColor
0x462354 SetStretchBltMode
0x462358 SetROP2
0x46235c SetPixel
0x462360 SetDIBColorTable
0x462364 SetBrushOrgEx
0x462368 SetBkMode
0x46236c SetBkColor
0x462370 SelectPalette
0x462374 SelectObject
0x462378 SaveDC
0x46237c RestoreDC
0x462380 Rectangle
0x462384 RectVisible
0x462388 RealizePalette
0x46238c PatBlt
0x462390 MoveToEx
0x462394 MaskBlt
0x462398 LineTo
0x46239c IntersectClipRect
0x4623a0 GetWindowOrgEx
0x4623a4 GetTextMetricsA
0x4623b0 GetStockObject
0x4623b4 GetPixel
0x4623b8 GetPaletteEntries
0x4623bc GetObjectA
0x4623c0 GetDeviceCaps
0x4623c4 GetDIBits
0x4623c8 GetDIBColorTable
0x4623cc GetDCOrgEx
0x4623d4 GetClipBox
0x4623d8 GetBrushOrgEx
0x4623dc GetBitmapBits
0x4623e0 ExtTextOutA
0x4623e4 ExcludeClipRect
0x4623e8 DeleteObject
0x4623ec DeleteDC
0x4623f0 CreateSolidBrush
0x4623f4 CreatePenIndirect
0x4623f8 CreatePen
0x4623fc CreatePalette
0x462404 CreateFontIndirectA
0x462408 CreateDIBitmap
0x46240c CreateDIBSection
0x462410 CreateCompatibleDC
0x462418 CreateBrushIndirect
0x46241c CreateBitmap
0x462420 BitBlt
Library user32.dll:
0x462428 CreateWindowExA
0x46242c WindowFromPoint
0x462430 WinHelpA
0x462434 WaitMessage
0x462438 ValidateRect
0x46243c UpdateWindow
0x462440 UnregisterClassA
0x462444 UnhookWindowsHookEx
0x462448 TranslateMessage
0x462450 TrackPopupMenu
0x462458 ShowWindow
0x46245c ShowScrollBar
0x462460 ShowOwnedPopups
0x462464 ShowCursor
0x462468 SetWindowsHookExA
0x46246c SetWindowTextA
0x462470 SetWindowPos
0x462474 SetWindowPlacement
0x462478 SetWindowLongA
0x46247c SetTimer
0x462480 SetScrollRange
0x462484 SetScrollPos
0x462488 SetScrollInfo
0x46248c SetRect
0x462490 SetPropA
0x462494 SetParent
0x462498 SetMenuItemInfoA
0x46249c SetMenu
0x4624a0 SetForegroundWindow
0x4624a4 SetFocus
0x4624a8 SetCursor
0x4624ac SetClassLongA
0x4624b0 SetCapture
0x4624b4 SetActiveWindow
0x4624b8 SendMessageA
0x4624bc ScrollWindow
0x4624c0 ScreenToClient
0x4624c4 RemovePropA
0x4624c8 RemoveMenu
0x4624cc ReleaseDC
0x4624d0 ReleaseCapture
0x4624dc RegisterClassA
0x4624e0 RedrawWindow
0x4624e4 PtInRect
0x4624e8 PostQuitMessage
0x4624ec PostMessageA
0x4624f0 PeekMessageA
0x4624f4 OffsetRect
0x4624f8 OemToCharA
0x4624fc MessageBoxA
0x462500 MapWindowPoints
0x462504 MapVirtualKeyA
0x462508 LoadStringA
0x46250c LoadKeyboardLayoutA
0x462510 LoadIconA
0x462514 LoadCursorA
0x462518 LoadBitmapA
0x46251c KillTimer
0x462520 IsZoomed
0x462524 IsWindowVisible
0x462528 IsWindowEnabled
0x46252c IsWindow
0x462530 IsRectEmpty
0x462534 IsIconic
0x462538 IsDialogMessageA
0x46253c IsChild
0x462540 InvalidateRect
0x462544 IntersectRect
0x462548 InsertMenuItemA
0x46254c InsertMenuA
0x462550 InflateRect
0x462558 GetWindowTextA
0x46255c GetWindowRect
0x462560 GetWindowPlacement
0x462564 GetWindowLongA
0x462568 GetWindowDC
0x46256c GetTopWindow
0x462570 GetSystemMetrics
0x462574 GetSystemMenu
0x462578 GetSysColorBrush
0x46257c GetSysColor
0x462580 GetSubMenu
0x462584 GetScrollRange
0x462588 GetScrollPos
0x46258c GetScrollInfo
0x462590 GetPropA
0x462594 GetParent
0x462598 GetWindow
0x46259c GetMenuStringA
0x4625a0 GetMenuState
0x4625a4 GetMenuItemInfoA
0x4625a8 GetMenuItemID
0x4625ac GetMenuItemCount
0x4625b0 GetMenu
0x4625b4 GetLastActivePopup
0x4625b8 GetKeyboardState
0x4625c0 GetKeyboardLayout
0x4625c4 GetKeyState
0x4625c8 GetKeyNameTextA
0x4625cc GetIconInfo
0x4625d0 GetForegroundWindow
0x4625d4 GetFocus
0x4625d8 GetDesktopWindow
0x4625dc GetDCEx
0x4625e0 GetDC
0x4625e4 GetCursorPos
0x4625e8 GetCursor
0x4625ec GetClientRect
0x4625f0 GetClassNameA
0x4625f4 GetClassInfoA
0x4625f8 GetCapture
0x4625fc GetActiveWindow
0x462600 FrameRect
0x462604 FindWindowA
0x462608 FillRect
0x46260c EqualRect
0x462610 EnumWindows
0x462614 EnumThreadWindows
0x462618 EndPaint
0x46261c EnableWindow
0x462620 EnableScrollBar
0x462624 EnableMenuItem
0x462628 DrawTextA
0x46262c DrawMenuBar
0x462630 DrawIconEx
0x462634 DrawIcon
0x462638 DrawFrameControl
0x46263c DrawFocusRect
0x462640 DrawEdge
0x462644 DispatchMessageA
0x462648 DestroyWindow
0x46264c DestroyMenu
0x462650 DestroyIcon
0x462654 DestroyCursor
0x462658 DeleteMenu
0x46265c DefWindowProcA
0x462660 DefMDIChildProcA
0x462664 DefFrameProcA
0x462668 CreatePopupMenu
0x46266c CreateMenu
0x462670 CreateIcon
0x462674 ClientToScreen
0x462678 CheckMenuItem
0x46267c CallWindowProcA
0x462680 CallNextHookEx
0x462684 BeginPaint
0x462688 CharNextA
0x46268c CharLowerBuffA
0x462690 CharLowerA
0x462694 CharToOemA
0x462698 AdjustWindowRectEx
Library kernel32.dll:
0x4626a4 Sleep
Library oleaut32.dll:
0x4626ac SafeArrayPtrOfIndex
0x4626b0 SafeArrayGetUBound
0x4626b4 SafeArrayGetLBound
0x4626b8 SafeArrayCreate
0x4626bc VariantChangeType
0x4626c0 VariantCopy
0x4626c4 VariantClear
0x4626c8 VariantInit
Library comctl32.dll:
0x4626d8 ImageList_Write
0x4626dc ImageList_Read
0x4626ec ImageList_DragMove
0x4626f0 ImageList_DragLeave
0x4626f4 ImageList_DragEnter
0x4626f8 ImageList_EndDrag
0x4626fc ImageList_BeginDrag
0x462700 ImageList_Remove
0x462704 ImageList_DrawEx
0x462708 ImageList_Draw
0x462718 ImageList_Add
0x462720 ImageList_Destroy
0x462724 ImageList_Create
0x462728 InitCommonControls

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.