11.8
0-day
47 个模型检测该样本为恶意!
重新分析
更多

6d833bd671f179c8dfdf89aac0bc77cd7bb49f82a98cbf5d8122a9d47fa98e9f

af0dcc7be12b7d64330063fd54f51626.exe

分析耗时

79s

最近分析

文件大小

906.5KB
静态报毒 动态报毒 AI SCORE=82 AKNC ALI1000123 ARTEMIS BUHK8Q CONFIDENCE F3PM7UN0A4KGYX86FXMBXG FORMBOOK GENERIC@ML GENERICKD HIGH CONFIDENCE HTFSHG IGENT JQTBG LNEJ MALWARE@#161B7EU4TMA9G ODRX PROBABLY HEUR R350523 RARAUTORUN RDML RUNNER SCORE SUSPICIOUSTROJAN TIGGRE UNSAFE VASAL WACATAC 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Artemis!AF0DCC7BE12B 20201023 6.0.6.653
Alibaba Trojan:Win32/runner.ali1000123 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20201023 18.4.3895.0
Tencent Win32.Trojan.Crypt.Lnej 20201023 1.0.0.1
Kingsoft 20201023 2013.8.14.323
CrowdStrike win/malicious_confidence_70% (W) 20190702 1.0
静态指标
Checks if process is being debugged by a debugger (2 个事件)
Time & API Arguments Status Return Repeated
1619846547.066
IsDebuggerPresent
failed 0 0
1619846547.082
IsDebuggerPresent
failed 0 0
This executable has a PDB path (1 个事件)
pdb_path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619846547.16
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)
section .gfids
The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)
resource name PNG
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619846552.941
__exception__
stacktrace: 
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x77d5e003
GlobalFree+0x27 GlobalAlloc-0x11f kernelbase+0x13e88 @ 0x778f3e88
efmtxu+0x10ccd @ 0x3d0ccd
efmtxu+0x7536e @ 0x43536e
efmtxu+0x7557a @ 0x43557a
efmtxu+0x3fa6 @ 0x3c3fa6
efmtxu+0x8f8d @ 0x3c8f8d
efmtxu+0x96f5 @ 0x3c96f5
efmtxu+0xa2f7 @ 0x3ca2f7
efmtxu+0x962c @ 0x3c962c
efmtxu+0xa2f7 @ 0x3ca2f7
efmtxu+0x962c @ 0x3c962c
efmtxu+0xa2f7 @ 0x3ca2f7
efmtxu+0x962c @ 0x3c962c
efmtxu+0xa2f7 @ 0x3ca2f7
efmtxu+0x962c @ 0x3c962c
efmtxu+0xd87e @ 0x3cd87e
efmtxu+0xd967 @ 0x3cd967
efmtxu+0x1648e @ 0x3d648e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 8972752
registers.edi: 68600256
registers.eax: 1334676920
registers.ebp: 8972804
registers.edx: 68600264
registers.ebx: 68600264
registers.esi: 37728496
registers.ecx: 9175040
exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e
exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e
exception.instruction: mov eax, dword ptr [esi + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189342
exception.address: 0x77d5e39e
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Connects to a Dynamic DNS Domain (1 个事件)
domain alhabib4rec.ddns.net
A process attempted to delay the analysis task. (1 个事件)
description RegSvcs.exe tried to sleep 206 seconds, actually delayed analysis time by 206 seconds
Creates (office) documents on the filesystem (12 个事件)
file C:\99168878\rvwldwxv.ppt
file C:\99168878\obkrdsv.xls
file C:\Users\Administrator.Oskar-PC\temp\hhddb.docx
file C:\99168878\lmngdras.docx
file C:\99168878\sgww.xls
file C:\99168878\antinbtvn.xls
file C:\99168878\igjxxvtch.docx
file C:\99168878\gbuenbv.docx
file C:\99168878\xsvsnhsd.ppt
file C:\99168878\nnxrk.pdf
file C:\99168878\hhddb.docx
file C:\99168878\ghehlgrsm.xls
Creates executable files on the filesystem (8 个事件)
file C:\99168878\wtbtpcvopt.cpl
file C:\99168878\rvnudbluvd.dll
file C:\99168878\qjigvekmf.dll
file C:\99168878\avhlvofkk.dll
file C:\99168878\xoam.dll
file C:\99168878\lixuxtvq.dll
file C:\99168878\efmtxu.pif
file C:\99168878\xvkqgfwviw.exe
Drops a binary and executes it (1 个事件)
file C:\99168878\efmtxu.pif
Expresses interest in specific running processes (1 个事件)
process regsvcs.exe
网络通信
One or more of the buffers contains an embedded PE file (2 个事件)
buffer Buffer with sha1: 28960a3b556c267bb1aab14eb18259acf765349e
buffer Buffer with sha1: 2ed1a153b27e22b8f70f97beec38fe99253901de
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619846552.941
NtAllocateVirtualMemory
process_identifier: 3056
region_size: 6373376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000190
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00330000
success 0 0
Installs itself for autorun at Windows startup (1 个事件)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate reg_value c:\99168878\efmtxu.pif c:\99168878\dbahroos.tin
Potential code injection by writing to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619846555.379
WriteProcessMemory
process_identifier: 3056
buffer: ÿÿÿÿ3ú~ú~(ý~€›mèÿÿ jHâý~±
process_handle: 0x00000190
base_address: 0x7efde000
success 1 0
Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)
Time & API Arguments Status Return Repeated
1619846556.066125
SetWindowsHookExA
thread_identifier: 0
callback_function: 0x0033519b
module_address: 0x00000000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 131511 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2344 called NtSetContextThread to modify thread in remote process 3056
Time & API Arguments Status Return Repeated
1619846555.394
NtSetContextThread
thread_handle: 0x0000018c
registers.eip: 2010382788
registers.esp: 3341688
registers.edi: 0
registers.eax: 3423092
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3056
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2344 resumed a thread in remote process 3056
Time & API Arguments Status Return Repeated
1619846555.754
NtResumeThread
thread_handle: 0x0000018c
suspend_count: 1
process_identifier: 3056
success 0 0
Generates some ICMP traffic
Executed a process and injected code into it, probably while unpacking (9 个事件)
Time & API Arguments Status Return Repeated
1619826885.837671
CreateProcessInternalW
thread_identifier: 2292
thread_handle: 0x000001c8
process_identifier: 2344
current_directory: C:\99168878
filepath: C:\99168878\efmtxu.pif
track: 1
command_line: "C:\99168878\efmtxu.pif" dbahroos.tin
filepath_r: C:\99168878\efmtxu.pif
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000001e0
inherit_handles: 0
success 1 0
1619846551.582
NtResumeThread
thread_handle: 0x00000180
suspend_count: 1
process_identifier: 2344
success 0 0
1619846552.926
CreateProcessInternalW
thread_identifier: 2852
thread_handle: 0x0000018c
process_identifier: 3056
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RegSvcs.exe
track: 1
command_line:
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\RegSvcs.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000190
inherit_handles: 0
success 1 0
1619846552.941
NtGetContextThread
thread_handle: 0x0000018c
success 0 0
1619846552.941
NtAllocateVirtualMemory
process_identifier: 3056
region_size: 6373376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000190
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00330000
success 0 0
1619846555.254
WriteProcessMemory
process_identifier: 3056
buffer:
process_handle: 0x00000190
base_address: 0x00330000
success 1 0
1619846555.379
WriteProcessMemory
process_identifier: 3056
buffer: ÿÿÿÿ3ú~ú~(ý~€›mèÿÿ jHâý~±
process_handle: 0x00000190
base_address: 0x7efde000
success 1 0
1619846555.394
NtSetContextThread
thread_handle: 0x0000018c
registers.eip: 2010382788
registers.esp: 3341688
registers.edi: 0
registers.eax: 3423092
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3056
success 0 0
1619846555.754
NtResumeThread
thread_handle: 0x0000018c
suspend_count: 1
process_identifier: 3056
success 0 0
File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43679310
FireEye Generic.mg.af0dcc7be12b7d64
CAT-QuickHeal Trojan.Multi
McAfee Artemis!AF0DCC7BE12B
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 0056c32d1 )
Alibaba Trojan:Win32/runner.ali1000123
K7GW Trojan ( 0056c32d1 )
Cybereason malicious.00c008
Arcabit Trojan.Generic.D29A7E4E
Cyren W32/Trojan.ODRX-0142
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Win32:Trojan-gen
ClamAV Win.Malware.Vasal-9406011-0
Kaspersky Trojan.Win32.Crypt.aknc
BitDefender Trojan.GenericKD.43679310
NANO-Antivirus Trojan.Win32.Crypt.htfshg
Paloalto generic.ml
Tencent Win32.Trojan.Crypt.Lnej
Ad-Aware Trojan.GenericKD.43679310
Comodo Malware@#161b7eu4tma9g
VIPRE Trojan.Win32.Generic!BT
Invincea Mal/Generic-S
McAfee-GW-Edition BehavesLike.Win32.Suspicioustrojan.dc
Sophos Mal/Generic-S
Avira TR/Agent.jqtbg
Microsoft Trojan:Win32/Tiggre!rfn
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm Trojan.Win32.Crypt.aknc
GData Trojan.GenericKD.43679310
AhnLab-V3 Malware/Win32.RL_Generic.R350523
ALYac Trojan.GenericKD.43679310
MAX malware (ai score=82)
VBA32 Trojan.Wacatac
Zoner Probably Heur.RARAutorun
ESET-NOD32 RAR/Agent.DF
Rising Trojan.Generic@ML.99 (RDML:f3pM7un0A4kgyx86FXMBxg)
Yandex Trojan.Igent.bUhK8q.2
Ikarus Trojan-Spy.FormBook
eGambit Unsafe.AI_Score_93%
Webroot W32.Trojan.Gen
AVG Win32:Trojan-gen
CrowdStrike win/malicious_confidence_70% (W)
Qihoo-360 Win32/Trojan.f1b
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-03-26 18:02:47

Imports

Library KERNEL32.dll:
0x432000 GetLastError
0x432004 SetLastError
0x432008 FormatMessageW
0x43200c GetCurrentProcess
0x432010 DeviceIoControl
0x432014 SetFileTime
0x432018 CloseHandle
0x43201c CreateDirectoryW
0x432020 RemoveDirectoryW
0x432024 CreateFileW
0x432028 DeleteFileW
0x43202c CreateHardLinkW
0x432030 GetShortPathNameW
0x432034 GetLongPathNameW
0x432038 MoveFileW
0x43203c GetFileType
0x432040 GetStdHandle
0x432044 WriteFile
0x432048 ReadFile
0x43204c FlushFileBuffers
0x432050 SetEndOfFile
0x432054 SetFilePointer
0x432058 SetFileAttributesW
0x43205c GetFileAttributesW
0x432060 FindClose
0x432064 FindFirstFileW
0x432068 FindNextFileW
0x43206c GetVersionExW
0x432074 GetFullPathNameW
0x432078 FoldStringW
0x43207c GetModuleFileNameW
0x432080 GetModuleHandleW
0x432084 FindResourceW
0x432088 FreeLibrary
0x43208c GetProcAddress
0x432090 GetCurrentProcessId
0x432094 ExitProcess
0x43209c Sleep
0x4320a0 LoadLibraryW
0x4320a4 GetSystemDirectoryW
0x4320a8 CompareStringW
0x4320ac AllocConsole
0x4320b0 FreeConsole
0x4320b4 AttachConsole
0x4320b8 WriteConsoleW
0x4320c0 CreateThread
0x4320c4 SetThreadPriority
0x4320d8 SetEvent
0x4320dc ResetEvent
0x4320e0 ReleaseSemaphore
0x4320e4 WaitForSingleObject
0x4320e8 CreateEventW
0x4320ec CreateSemaphoreW
0x4320f0 GetSystemTime
0x43210c GetCPInfo
0x432110 IsDBCSLeadByte
0x432114 MultiByteToWideChar
0x432118 WideCharToMultiByte
0x43211c GlobalAlloc
0x432120 LockResource
0x432124 GlobalLock
0x432128 GlobalUnlock
0x43212c GlobalFree
0x432130 LoadResource
0x432134 SizeofResource
0x43213c GetExitCodeProcess
0x432140 GetLocalTime
0x432144 GetTickCount
0x432148 MapViewOfFile
0x43214c UnmapViewOfFile
0x432150 CreateFileMappingW
0x432154 OpenFileMappingW
0x432158 GetCommandLineW
0x432164 GetTempPathW
0x432168 MoveFileExW
0x43216c GetLocaleInfoW
0x432170 GetTimeFormatW
0x432174 GetDateFormatW
0x432178 GetNumberFormatW
0x43217c SetFilePointerEx
0x432180 GetConsoleMode
0x432184 GetConsoleCP
0x432188 HeapSize
0x43218c SetStdHandle
0x432190 GetProcessHeap
0x432194 RaiseException
0x432198 GetSystemInfo
0x43219c VirtualProtect
0x4321a0 VirtualQuery
0x4321a4 LoadLibraryExA
0x4321ac IsDebuggerPresent
0x4321b8 GetStartupInfoW
0x4321c0 GetCurrentThreadId
0x4321c8 InitializeSListHead
0x4321cc TerminateProcess
0x4321d0 RtlUnwind
0x4321d4 EncodePointer
0x4321dc TlsAlloc
0x4321e0 TlsGetValue
0x4321e4 TlsSetValue
0x4321e8 TlsFree
0x4321ec LoadLibraryExW
0x4321f4 GetModuleHandleExW
0x4321f8 GetModuleFileNameA
0x4321fc GetACP
0x432200 HeapFree
0x432204 HeapAlloc
0x432208 HeapReAlloc
0x43220c GetStringTypeW
0x432210 LCMapStringW
0x432214 FindFirstFileExA
0x432218 FindNextFileA
0x43221c IsValidCodePage
0x432220 GetOEMCP
0x432224 GetCommandLineA
0x432230 DecodePointer
Library gdiplus.dll:
0x432238 GdiplusShutdown
0x43223c GdiplusStartup
0x43224c GdipDisposeImage
0x432250 GdipCloneImage
0x432254 GdipFree
0x432258 GdipAlloc

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 51808 8.8.8.8 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.