Score: 5.6
Severity: High risk

SHA256: 8b013f7d0015d773fb1bd83c18bfd34180dbc1e10beb848fd699420f9f7278ca

Filename: af14656fa99bb12bbfc5d35f43e3dfe6.exe

Analysis duration: 21s

Last analysis:

File size: 801.0KB
Static scan: detected. Dynamic scan: detected.
Detection tags: 8R1IYS, AGENTTESLA, AI SCORE=86, AIDETECTVM, CLASSIC, CONFIDENCE, DELF, DELPHI, DELPHILESS, EMZL, ENAI, FAREIT, GENERICKDZ, HIGH CONFIDENCE, HRMDCV, KRYPTIK, LNNW, LOKIBOT, MALWARE2, NAFEA, ORWQ, R002C0DHI20, SCORE, SUSPICIOUS PE, TSCOPE, UNCLASSIFIEDMALWARE@0, UNSAFE, X2091, YGX@AQLFM9FI, ZELPHIF
(These tags are tokens cut out of the engine verdicts listed further down. The ones that carry meaning are the family names FAREIT, LOKIBOT and AGENTTESLA, three commodity credential stealers, and DELF/DELPHI, the language the outer loader is written in; the rest are vendor-internal variant suffixes.)
HawkEye engine
Not detected: no HawkEye engine result is available for this sample.

Static verdict

Antivirus engines

Engine       Result                             Scan date  Engine version
Alibaba      Trojan:Win32/Kryptik.7144b0a1      20190527   0.3.0.5
Avast        Win32:Trojan-gen                   20200908   18.4.3895.0
Baidu        (none)                             20190318   1.0.0.2
Kingsoft     (none)                             20200908   2013.8.14.323
McAfee       Fareit-FPQ!AF14656FA99B            20200908   6.0.6.653
Tencent      Win32.Trojan.Kryptik.Lnnw          20200908   1.0.0.1
CrowdStrike  win/malicious_confidence_90% (W)   20190702   1.0
Behavior verdict

Dynamic indicators

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
(The end of this report lists no dropped buffers, so whatever the monitor extracted is not available for download from this page.)

Allocates read-write-execute memory (usually to unpack itself) (4 events)
Time & API, arguments, status, return value, repeat count:

1619826884.797886  NtAllocateVirtualMemory  (success, return 0, repeated 0)
  process_identifier: 420; process_handle: 0xffffffff (the NtCurrentProcess pseudo-handle, i.e. the sample's own process)
  base_address: 0x003e0000; region_size: 4096
  allocation_type: 4096 (MEM_COMMIT); protection: 64 (PAGE_EXECUTE_READWRITE)
  stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0

1619826884.969886  NtProtectVirtualMemory  (success, return 0, repeated 0)
  process_identifier: 420; process_handle: 0xffffffff (self)
  base_address: 0x00472000; length: 77824 (0x13000)
  protection: 64 (PAGE_EXECUTE_READWRITE)
  stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0
  The range 0x00472000-0x00485000 lies inside the sample's own image (ImageBase 0x00400000; the import table sits at 0x00488xxx and .rsrc at 0x00496000), so the loader is making part of its own mapped image writable and executable, which is what an in-place unpacking stub needs.

1619826884.969886  NtAllocateVirtualMemory  (success, return 0, repeated 0)
  process_identifier: 420; process_handle: 0xffffffff (self)
  base_address: 0x004f0000; region_size: 4096
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE); protection: 64 (PAGE_EXECUTE_READWRITE)
  stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0

1619855729.361249  NtAllocateVirtualMemory  (success, return 0, repeated 0)
  process_identifier: 2256; process_handle: 0xffffffff (self)
  base_address: 0x00870000; region_size: 3158016 (about 3 MB)
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE); protection: 64 (PAGE_EXECUTE_READWRITE)
  stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0
  This call comes from the hollowed child (PID 2256, created at 1619826885 by the chain below), which allocates its own large RWX region, i.e. the injected stage unpacks once more. Its timestamp is 28,845 s after the parent's calls, an 8-hour gap plus 45 s; the 8-hour component matches a UTC+8 offset between the two monitors' clocks, so it most likely happened about 45 s after injection, not 8 hours later.
The binary likely contains encrypted or compressed data indicative of a packer (2 events)

entropy 7.640203347112213  section {'size_of_data': '0x00037e00', 'virtual_address': '0x00096000', 'entropy': 7.640203347112213, 'name': '.rsrc', 'virtual_size': '0x00037d2c'}  description: A section with a high entropy has been found
entropy 0.2795497185741088  description: Overall entropy of this PE file is high

Read the second number as a fraction, not as bits of entropy: the heuristic first flags every section whose entropy exceeds roughly 6.8 bits, then reports the share of all section data that sits in flagged sections, and the verdict fires when that share exceeds 0.2. Here the share is 0x37e00 / 0xc7e00 = 228864 / 818688 = 0.2795, the .rsrc bytes over the total section data, which is consistent with the 801.0KB file size. A 224 KB resource section at 7.64 bits in a Delphi GUI binary that also imports FindResourceA, LoadResource, LockResource and SizeofResource is consistent with a payload stored in resources, and the 188416-byte image mapped into the child process below would fit in it.
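How the two entropy figures above are produced, as an added example (this is not the sandbox's own code): per-section Shannon entropy, a 6.8-bit cut-off, and then the fraction of section bytes that fall in flagged sections, which is the 0.2795 value. The sections are constructed stand-ins; only .rsrc's size 0x37e00 comes from the report, and the .text and .data sizes are chosen so the total equals the 0xc7e00 bytes that the reported ratio implies. The thresholds 6.8 and 0.2 are the values this heuristic is normally run with and are assumptions here.

```python
import math
import random
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_entropy_verdict(sections: List[Tuple[str, bytes]],
                           high_entropy: float = 6.8,
                           ratio_threshold: float = 0.2):
    """Two-step packer heuristic of the kind the report applies.

    Step 1 flags every section whose entropy exceeds `high_entropy`.
    Step 2 divides the bytes of flagged sections by the bytes of all sections;
    that quotient (a fraction in [0, 1], not an entropy) is what the report
    prints as "Overall entropy of this PE file", and the verdict fires when it
    exceeds `ratio_threshold`.  Returns (flagged_sections, ratio, overall_hit).
    """
    total = compressed = 0
    flagged = []
    for name, raw in sections:
        entropy = shannon_entropy(raw)
        total += len(raw)
        if entropy > high_entropy:
            flagged.append((name, round(entropy, 3)))
            compressed += len(raw)
    ratio = compressed / total if total else 0.0
    return flagged, ratio, ratio > ratio_threshold


def implied_total_section_bytes(high_entropy_bytes: int, reported_ratio: float) -> int:
    """Invert step 2: from the flagged bytes and the reported ratio, recover the
    total size_of_data across all sections, which the report does not print."""
    return round(high_entropy_bytes / reported_ratio)


def build_constructed_sections() -> List[Tuple[str, bytes]]:
    """Constructed sections (not the real sample's bytes). Only .rsrc's size
    0x37e00 is from the report; .text and .data are sized so the total is 0xc7e00."""
    rng = random.Random(0x1337)
    # Repetitive code-like bytes: low entropy, like a normal .text section.
    text = (b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x45\x08" * 0x10000)[:0x8a000]
    # Zero-filled data section.
    data = b"\x00" * 0x6000
    # Uniformly random bytes stand in for an encrypted/compressed payload.
    rsrc = bytes(rng.getrandbits(8) for _ in range(0x37e00))
    return [(".text", text), (".data", data), (".rsrc", rsrc)]


if __name__ == "__main__":
    flagged, ratio, hit = packer_entropy_verdict(build_constructed_sections())
    print("flagged sections:", flagged)
    print("high-entropy fraction: %.4f -> packer verdict: %s" % (ratio, hit))
    print("total section bytes implied by the report: 0x%x"
          % implied_total_section_bytes(0x37e00, 0.2795497185741088))
```

Run stand-alone, the constructed layout reproduces the report's 0.2795 exactly, and the inversion shows the real sample's sections total 0xc7e00 bytes, 1,536 bytes short of the 801.0KB file, which is the room the PE headers take.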
Network communication

Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14

Caveat: this indicator rests on an API-level observation alone. The packet capture at the end of this report records no TCP connection and lists no contacted hosts, and 172.217.24.14 is in Google's 172.217.0.0/16 range, which is more typical of a connectivity check than of a C2 endpoint. Do not use the address as an indicator on its own.
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Process injection: process 420 called NtSetContextThread to modify a thread in remote process 2256

1619826885.125886  NtSetContextThread  (success, return 0, repeated 0)
  process_identifier: 2256; thread_handle: 0x000000f8
  registers.eax: 4320464 (0x0041ecd0); registers.ebx: 2130567168 (0x7efde000)
  registers.eip: 0; registers.esp: 0; registers.ebp: 0; registers.edi: 0; registers.esi: 0; registers.edx: 0; registers.ecx: 0
  Only EAX and EBX carry values. For a process created with CREATE_SUSPENDED on x86, the initial thread starts with EAX = image entry point and EBX = PEB address, so setting EAX is enough to redirect execution: 0x0041ecd0 lies inside the 188416-byte (0x2e000) image that the parent maps at 0x00400000 in the child (see the injection chain below), and 0x7efde000 is where Windows 7 x86 places the PEB.

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Process injection: process 420 resumed a thread in remote process 2256

1619826886.032886  NtResumeThread  (success, return 0, repeated 0)
  process_identifier: 2256; thread_handle: 0x000000f8; suspend_count: 1
Executed a process and injected code into it, probably while unpacking (6 events)

The six calls below are the complete process-hollowing (RunPE) chain from PID 420 into PID 2256: start a copy of itself suspended, evict the original image, map a new executable image at the same base, point the initial thread at the new entry point, resume.

1. 1619826885.110886  CreateProcessInternalW  (success, return 1, repeated 0)
   command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\af14656fa99bb12bbfc5d35f43e3dfe6.exe"
   creation_flags: 4 (CREATE_SUSPENDED); inherit_handles: 0; track: 1; stack_pivoted: 0
   process_identifier: 2256; process_handle: 0x000000fc; thread_identifier: 2996; thread_handle: 0x000000f8
   current_directory: (empty); filepath: (empty); filepath_r: (empty)
   The host is a second copy of the sample itself, so the hollowed process keeps the sample's own path and image name.

2. 1619826885.110886  NtUnmapViewOfSection  (success, return 0, repeated 0)
   process_identifier: 2256; process_handle: 0x000000fc
   base_address: 0x00400000; region_size: 4096
   Evicts the child's original image at its ImageBase 0x00400000 (the same base the import addresses 0x00488xxx listed below belong to).

3. 1619826885.110886  NtMapViewOfSection  (success, return 0, repeated 0)
   section_handle: 0x00000104; process_identifier: 2256; process_handle: 0x000000fc
   base_address: 0x00400000; view_size: 188416; commit_size: 188416; section_offset: 0
   win32_protect: 64 (PAGE_EXECUTE_READWRITE); allocation_type: 0 (); buffer: (empty)
   Maps a 188416-byte (0x2e000) section prepared in the parent over the freed base as a single RWX view. This replaces the per-section WriteProcessMemory loop of classic RunPE, and because the bytes never pass through a write call the monitor captured no buffer for it.

4. 1619826885.125886  NtGetContextThread  (success, return 0, repeated 0)
   thread_handle: 0x000000f8

5. 1619826885.125886  NtSetContextThread  (success, return 0, repeated 0)
   process_identifier: 2256; thread_handle: 0x000000f8
   registers.eax: 4320464 (0x0041ecd0); registers.ebx: 2130567168 (0x7efde000)
   registers.eip: 0; registers.esp: 0; registers.ebp: 0; registers.edi: 0; registers.esi: 0; registers.edx: 0; registers.ecx: 0
   EAX is the entry point of the new image (0x00400000 + 0x1ecd0, inside the mapped view); EBX is the PEB, which the x86 start-up thunk reads together with EAX. The sample leaves EIP untouched and relies on that convention.

6. 1619826886.032886  NtResumeThread  (success, return 0, repeated 0)
   process_identifier: 2256; thread_handle: 0x000000f8; suspend_count: 1
   The previous suspend count of 1 is the creation-time suspension being released; from here on PID 2256 executes the injected image rather than the Delphi loader.
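The same chain expressed as detection logic, as an added example that is not the sandbox's own code: it pairs every CREATE_SUSPENDED child with the later calls its parent aims at that PID and reports which stages of the hollowing sequence were seen, whether the new entry point falls inside the mapped image, and a verdict. The event records are constructed from the six calls above (same PIDs, handles, sizes and register values); the field names are an assumed simplification of the report's layout, not a real sandbox export format.

```python
from typing import Any, Dict, List

CREATE_SUSPENDED = 0x00000004
PAGE_EXECUTE_READWRITE = 0x40

# Constructed from the six events above. Keys mirror the report's field names.
EVENTS: List[Dict[str, Any]] = [
    {"ts": 1619826885.110886, "pid": 420, "api": "CreateProcessInternalW",
     "args": {"process_identifier": 2256, "thread_handle": 0xf8, "creation_flags": 4,
              "command_line": r"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\af14656fa99bb12bbfc5d35f43e3dfe6.exe"}},
    {"ts": 1619826885.110886, "pid": 420, "api": "NtUnmapViewOfSection",
     "args": {"process_identifier": 2256, "base_address": 0x00400000, "region_size": 4096}},
    {"ts": 1619826885.110886, "pid": 420, "api": "NtMapViewOfSection",
     "args": {"process_identifier": 2256, "base_address": 0x00400000, "view_size": 188416,
              "win32_protect": 0x40, "section_handle": 0x104}},
    {"ts": 1619826885.125886, "pid": 420, "api": "NtGetContextThread",
     "args": {"thread_handle": 0xf8}},
    {"ts": 1619826885.125886, "pid": 420, "api": "NtSetContextThread",
     "args": {"process_identifier": 2256, "thread_handle": 0xf8,
              "registers.eax": 4320464, "registers.ebx": 2130567168, "registers.eip": 0}},
    {"ts": 1619826886.032886, "pid": 420, "api": "NtResumeThread",
     "args": {"process_identifier": 2256, "thread_handle": 0xf8, "suspend_count": 1}},
]

# Calls that deliver a new image into the suspended child. A mapped view only
# counts when it is executable and writable; explicit writes always count.
IMAGE_WRITE_APIS = {"NtWriteVirtualMemory", "WriteProcessMemory"}
STAGES = ("create_suspended", "unmap_image", "write_image", "set_context", "resume")


def detect_hollowing(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Walk each parent's calls in time order; for every CREATE_SUSPENDED child,
    collect the later calls aimed at it and grade the hollowing chain."""
    findings = []
    by_parent: Dict[int, List[Dict[str, Any]]] = {}
    for ev in events:
        by_parent.setdefault(ev["pid"], []).append(ev)
    for parent, calls in by_parent.items():
        calls.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(calls):
            a = ev["args"]
            flags = a.get("creation_flags", 0)
            if ev["api"] != "CreateProcessInternalW" or not (flags & CREATE_SUSPENDED):
                continue
            child = a["process_identifier"]
            f: Dict[str, Any] = {"parent": parent, "child": child,
                                 "stages": {s: False for s in STAGES},
                                 "mapped": None, "entry_point": None}
            f["stages"]["create_suspended"] = True
            for later in calls[i + 1:]:
                la = later["args"]
                if la.get("process_identifier") != child:
                    continue
                api = later["api"]
                if api == "NtUnmapViewOfSection":
                    f["stages"]["unmap_image"] = True
                elif api == "NtMapViewOfSection" and la.get("win32_protect") == PAGE_EXECUTE_READWRITE:
                    f["stages"]["write_image"] = True
                    f["mapped"] = (la["base_address"], la["base_address"] + la["view_size"])
                elif api in IMAGE_WRITE_APIS:
                    f["stages"]["write_image"] = True
                elif api == "NtSetContextThread":
                    f["stages"]["set_context"] = True
                    # x86 start-up convention: EAX = entry point, EBX = PEB. A zero EIP
                    # means the injector relied on that convention instead of moving EIP.
                    f["entry_point"] = la.get("registers.eip") or la.get("registers.eax")
                elif api == "NtResumeThread":
                    f["stages"]["resume"] = True
                    break  # the chain is complete once the thread runs
            ep, m = f["entry_point"], f["mapped"]
            f["entry_in_new_image"] = bool(ep and m and m[0] <= ep < m[1])
            f["verdict"] = "process hollowing" if all(f["stages"].values()) else "partial chain"
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(EVENTS):
        print("%d -> %d: %s" % (f["parent"], f["child"], f["verdict"]))
        print("  stages seen:", ", ".join(s for s, hit in f["stages"].items() if hit))
        print("  entry point 0x%08x inside mapped image: %s" % (f["entry_point"], f["entry_in_new_image"]))
```

Keying on the target PID rather than on handle values is deliberate: handles are reused across runs, while a suspended child that is unmapped, rewritten, re-pointed and resumed by the same parent is the signature regardless of which write primitive (section mapping here, WriteProcessMemory in older RunPE code) delivers the image.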
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 of 56 events shown)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
DrWeb Trojan.PWS.Stealer.29093
MicroWorld-eScan Trojan.GenericKDZ.69509
FireEye Generic.mg.af14656fa99bb12b
CAT-QuickHeal Trojan.Kryptik
ALYac Trojan.GenericKDZ.69509
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
K7AntiVirus Trojan ( 0056c99c1 )
Alibaba Trojan:Win32/Kryptik.7144b0a1
K7GW Trojan ( 0056c99c1 )
Cybereason malicious.24bd91
Arcabit Trojan.Generic.D10F85
TrendMicro TROJ_GEN.R002C0DHI20
BitDefenderTheta Gen:NN.ZelphiF.34216.YGX@aqLfm9fi
Cyren W32/Injector.ORWQ-3620
Symantec Infostealer.Lokibot!43
ESET-NOD32 a variant of Win32/Injector.ENAI
TrendMicro-HouseCall TROJ_GEN.R002C0DHI20
Avast Win32:Trojan-gen
ClamAV Win.Keylogger.AgentTesla-9372622-1
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Trojan.GenericKDZ.69509
NANO-Antivirus Trojan.Win32.Kryptik.hrmdcv
Paloalto generic.ml
Rising Trojan.Kryptik!1.CAC0 (CLASSIC)
Ad-Aware Trojan.GenericKDZ.69509
Emsisoft Trojan.GenericKDZ.69509 (B)
Comodo .UnclassifiedMalware@0
F-Secure Dropper.DR/Delphi.nafea
Zillya Trojan.Injector.Win32.762513
Invincea Mal/Generic-S
Sophos Mal/Generic-S
SentinelOne DFI - Suspicious PE
Jiangmin Trojan.Kryptik.cbz
Avira DR/Delphi.nafea
Antiy-AVL Trojan/Win32.Kryptik
Microsoft Trojan:Win32/Fareit.VD!MTB
AegisLab Trojan.Win32.Kryptik.4!c
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Win32.Trojan.PSE.8R1IYS
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2091
McAfee Fareit-FPQ!AF14656FA99B
MAX malware (ai score=86)
VBA32 TScope.Trojan.Delf
Malwarebytes Trojan.MalPack
APEX Malicious
Tencent Win32.Trojan.Kryptik.Lnnw
Visual analysis

Binary image

No binary image: no binary visualization was generated for this sample.

Runtime screenshots

No screenshots: none were captured while the sample ran.


PE Compile Time

1992-06-20 06:22:17

This is not a real build date. It is the fixed TimeDateStamp 0x2A425E19 (1992-06-19 22:22:17 UTC, displayed here in UTC+8) that Delphi linkers write into every executable; it confirms the loader is Delphi-built and makes the timestamp useless for dating the sample.

Imports

Library kernel32.dll:
0x488164 VirtualFree
0x488168 VirtualAlloc
0x48816c LocalFree
0x488170 LocalAlloc
0x488174 GetVersion
0x488178 GetCurrentThreadId
0x488184 VirtualQuery
0x488188 WideCharToMultiByte
0x488190 MultiByteToWideChar
0x488194 lstrlenA
0x488198 lstrcpynA
0x48819c LoadLibraryExA
0x4881a0 GetThreadLocale
0x4881a4 GetStartupInfoA
0x4881a8 GetProcAddress
0x4881ac GetModuleHandleA
0x4881b0 GetModuleFileNameA
0x4881b4 GetLocaleInfoA
0x4881b8 GetLastError
0x4881c0 GetCommandLineA
0x4881c4 FreeLibrary
0x4881c8 FindFirstFileA
0x4881cc FindClose
0x4881d0 ExitProcess
0x4881d4 WriteFile
0x4881dc RtlUnwind
0x4881e0 RaiseException
0x4881e4 GetStdHandle
Library user32.dll:
0x4881ec GetKeyboardType
0x4881f0 LoadStringA
0x4881f4 MessageBoxA
0x4881f8 CharNextA
Library advapi32.dll:
0x488200 RegQueryValueExA
0x488204 RegOpenKeyExA
0x488208 RegCloseKey
Library oleaut32.dll:
0x488210 SysFreeString
0x488214 SysReAllocStringLen
0x488218 SysAllocStringLen
Library kernel32.dll:
0x488220 TlsSetValue
0x488224 TlsGetValue
0x488228 LocalAlloc
0x48822c GetModuleHandleA
Library advapi32.dll:
0x488234 RegQueryValueExA
0x488238 RegOpenKeyExA
0x48823c RegCloseKey
Library kernel32.dll:
0x488244 lstrcpyA
0x488248 WriteFile
0x48824c WaitForSingleObject
0x488250 VirtualQuery
0x488254 VirtualProtect
0x488258 VirtualAlloc
0x48825c Sleep
0x488260 SizeofResource
0x488264 SetThreadLocale
0x488268 SetFilePointer
0x48826c SetEvent
0x488270 SetErrorMode
0x488274 SetEndOfFile
0x488278 ResetEvent
0x48827c ReadFile
0x488280 MultiByteToWideChar
0x488284 MulDiv
0x488288 LockResource
0x48828c LoadResource
0x488290 LoadLibraryA
0x48829c GlobalUnlock
0x4882a0 GlobalReAlloc
0x4882a4 GlobalHandle
0x4882a8 GlobalLock
0x4882ac GlobalFree
0x4882b0 GlobalFindAtomA
0x4882b4 GlobalDeleteAtom
0x4882b8 GlobalAlloc
0x4882bc GlobalAddAtomA
0x4882c0 GetVersionExA
0x4882c4 GetVersion
0x4882c8 GetTickCount
0x4882cc GetThreadLocale
0x4882d4 GetSystemInfo
0x4882d8 GetStringTypeExA
0x4882dc GetStdHandle
0x4882e0 GetProcAddress
0x4882e4 GetModuleHandleA
0x4882e8 GetModuleFileNameA
0x4882ec GetLocaleInfoA
0x4882f0 GetLocalTime
0x4882f4 GetLastError
0x4882f8 GetFullPathNameA
0x4882fc GetFileAttributesA
0x488300 GetDiskFreeSpaceA
0x488304 GetDateFormatA
0x488308 GetCurrentThreadId
0x48830c GetCurrentProcessId
0x488310 GetCPInfo
0x488314 GetACP
0x488318 FreeResource
0x488320 InterlockedExchange
0x488328 FreeLibrary
0x48832c FormatMessageA
0x488330 FindResourceA
0x488334 FindNextFileA
0x488338 FindFirstFileA
0x48833c FindClose
0x48834c EnumCalendarInfoA
0x488358 CreateThread
0x48835c CreateFileA
0x488360 CreateEventA
0x488364 CompareStringA
0x488368 CloseHandle
Library version.dll:
0x488370 VerQueryValueA
0x488378 GetFileVersionInfoA
Library gdi32.dll:
0x488380 UnrealizeObject
0x488384 StretchBlt
0x488388 SetWindowOrgEx
0x48838c SetViewportOrgEx
0x488390 SetTextColor
0x488394 SetStretchBltMode
0x488398 SetROP2
0x48839c SetPixel
0x4883a0 SetDIBColorTable
0x4883a4 SetBrushOrgEx
0x4883a8 SetBkMode
0x4883ac SetBkColor
0x4883b0 SelectPalette
0x4883b4 SelectObject
0x4883b8 SaveDC
0x4883bc RestoreDC
0x4883c0 RectVisible
0x4883c4 RealizePalette
0x4883c8 PatBlt
0x4883cc MoveToEx
0x4883d0 MaskBlt
0x4883d4 LineTo
0x4883d8 IntersectClipRect
0x4883dc GetWindowOrgEx
0x4883e0 GetTextMetricsA
0x4883ec GetStockObject
0x4883f0 GetPixel
0x4883f4 GetPaletteEntries
0x4883f8 GetObjectA
0x4883fc GetDeviceCaps
0x488400 GetDIBits
0x488404 GetDIBColorTable
0x488408 GetDCOrgEx
0x488410 GetClipBox
0x488414 GetBrushOrgEx
0x488418 GetBitmapBits
0x48841c ExtTextOutA
0x488420 ExcludeClipRect
0x488424 DeleteObject
0x488428 DeleteDC
0x48842c CreateSolidBrush
0x488430 CreatePenIndirect
0x488434 CreatePalette
0x48843c CreateFontIndirectA
0x488440 CreateDIBitmap
0x488444 CreateDIBSection
0x488448 CreateCompatibleDC
0x488450 CreateBrushIndirect
0x488454 CreateBitmap
0x488458 BitBlt
Library user32.dll:
0x488460 CreateWindowExA
0x488464 WindowFromPoint
0x488468 WinHelpA
0x48846c WaitMessage
0x488470 UpdateWindow
0x488474 UnregisterClassA
0x488478 UnhookWindowsHookEx
0x48847c TranslateMessage
0x488484 TrackPopupMenu
0x48848c ShowWindow
0x488490 ShowScrollBar
0x488494 ShowOwnedPopups
0x488498 ShowCursor
0x48849c SetWindowsHookExA
0x4884a0 SetWindowTextA
0x4884a4 SetWindowPos
0x4884a8 SetWindowPlacement
0x4884ac SetWindowLongA
0x4884b0 SetTimer
0x4884b4 SetScrollRange
0x4884b8 SetScrollPos
0x4884bc SetScrollInfo
0x4884c0 SetRect
0x4884c4 SetPropA
0x4884c8 SetParent
0x4884cc SetMenuItemInfoA
0x4884d0 SetMenu
0x4884d4 SetForegroundWindow
0x4884d8 SetFocus
0x4884dc SetCursor
0x4884e0 SetClassLongA
0x4884e4 SetCapture
0x4884e8 SetActiveWindow
0x4884ec SendMessageA
0x4884f0 ScrollWindow
0x4884f4 ScreenToClient
0x4884f8 RemovePropA
0x4884fc RemoveMenu
0x488500 ReleaseDC
0x488504 ReleaseCapture
0x488510 RegisterClassA
0x488514 RedrawWindow
0x488518 PtInRect
0x48851c PostQuitMessage
0x488520 PostMessageA
0x488524 PeekMessageA
0x488528 OffsetRect
0x48852c OemToCharA
0x488530 MessageBoxA
0x488534 MapWindowPoints
0x488538 MapVirtualKeyA
0x48853c LoadStringA
0x488540 LoadKeyboardLayoutA
0x488544 LoadIconA
0x488548 LoadCursorA
0x48854c LoadBitmapA
0x488550 KillTimer
0x488554 IsZoomed
0x488558 IsWindowVisible
0x48855c IsWindowEnabled
0x488560 IsWindow
0x488564 IsRectEmpty
0x488568 IsIconic
0x48856c IsDialogMessageA
0x488570 IsChild
0x488574 InvalidateRect
0x488578 IntersectRect
0x48857c InsertMenuItemA
0x488580 InsertMenuA
0x488584 InflateRect
0x48858c GetWindowTextA
0x488590 GetWindowRect
0x488594 GetWindowPlacement
0x488598 GetWindowLongA
0x48859c GetWindowDC
0x4885a0 GetTopWindow
0x4885a4 GetSystemMetrics
0x4885a8 GetSystemMenu
0x4885ac GetSysColorBrush
0x4885b0 GetSysColor
0x4885b4 GetSubMenu
0x4885b8 GetScrollRange
0x4885bc GetScrollPos
0x4885c0 GetScrollInfo
0x4885c4 GetPropA
0x4885c8 GetParent
0x4885cc GetWindow
0x4885d0 GetMenuStringA
0x4885d4 GetMenuState
0x4885d8 GetMenuItemInfoA
0x4885dc GetMenuItemID
0x4885e0 GetMenuItemCount
0x4885e4 GetMenu
0x4885e8 GetLastActivePopup
0x4885ec GetKeyboardState
0x4885f4 GetKeyboardLayout
0x4885f8 GetKeyState
0x4885fc GetKeyNameTextA
0x488600 GetInputState
0x488604 GetIconInfo
0x488608 GetForegroundWindow
0x48860c GetFocus
0x488610 GetDlgItem
0x488614 GetDesktopWindow
0x488618 GetDCEx
0x48861c GetDC
0x488620 GetCursorPos
0x488624 GetCursor
0x488628 GetClientRect
0x48862c GetClassNameA
0x488630 GetClassInfoA
0x488634 GetCapture
0x488638 GetActiveWindow
0x48863c FrameRect
0x488640 FindWindowA
0x488644 FillRect
0x488648 EqualRect
0x48864c EnumWindows
0x488650 EnumThreadWindows
0x488654 EndPaint
0x488658 EnableWindow
0x48865c EnableScrollBar
0x488660 EnableMenuItem
0x488664 DrawTextA
0x488668 DrawMenuBar
0x48866c DrawIconEx
0x488670 DrawIcon
0x488674 DrawFrameControl
0x488678 DrawFocusRect
0x48867c DrawEdge
0x488680 DispatchMessageA
0x488684 DestroyWindow
0x488688 DestroyMenu
0x48868c DestroyIcon
0x488690 DestroyCursor
0x488694 DeleteMenu
0x488698 DefWindowProcA
0x48869c DefMDIChildProcA
0x4886a0 DefFrameProcA
0x4886a4 CreatePopupMenu
0x4886a8 CreateMenu
0x4886ac CreateIcon
0x4886b0 ClientToScreen
0x4886b4 CheckMenuItem
0x4886b8 CallWindowProcA
0x4886bc CallNextHookEx
0x4886c0 BeginPaint
0x4886c4 CharNextA
0x4886c8 CharLowerBuffA
0x4886cc CharLowerA
0x4886d0 CharToOemA
0x4886d4 AdjustWindowRectEx
Library kernel32.dll:
0x4886e0 Sleep
Library oleaut32.dll:
0x4886e8 SafeArrayPtrOfIndex
0x4886ec SafeArrayGetUBound
0x4886f0 SafeArrayGetLBound
0x4886f4 SafeArrayCreate
0x4886f8 VariantChangeType
0x4886fc VariantCopy
0x488700 VariantClear
0x488704 VariantInit
Library ole32.dll:
0x48870c CoCreateInstance
0x488710 CoUninitialize
0x488714 CoInitialize
Library oleaut32.dll:
0x48871c CreateErrorInfo
0x488720 GetErrorInfo
0x488724 SetErrorInfo
0x488728 SysFreeString
Library comctl32.dll:
0x488738 ImageList_Write
0x48873c ImageList_Read
0x48874c ImageList_DragMove
0x488750 ImageList_DragLeave
0x488754 ImageList_DragEnter
0x488758 ImageList_EndDrag
0x48875c ImageList_BeginDrag
0x488760 ImageList_Remove
0x488764 ImageList_DrawEx
0x488768 ImageList_Replace
0x48876c ImageList_Draw
0x48877c ImageList_Add
0x488784 ImageList_Destroy
0x488788 ImageList_Create
Library comdlg32.dll:
0x488790 GetOpenFileNameA
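Two static checks that follow from the compile time and the import listing above, as an added example that is not the sandbox's or any vendor's code: the first recognises the Delphi timestamp constant, the second parses the "Library x.dll:" / "0xADDR Name" listing and reports whether the hollowing APIs seen in the dynamic trace are imported statically. The excerpt of the listing is copied from the page; the Delphi RTL marker set and the API groups are the author's own triage heuristics, and UTC+8 is assumed as the report's display timezone (it is the offset that makes the shown time equal the constant).

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Fixed TimeDateStamp written by classic Delphi linkers (1992-06-19 22:22:17 UTC).
DELPHI_TIMESTAMP = 0x2A425E19

# Heuristic (assumption): imports the Delphi RTL's System/SysInit units always pull in,
# which is why they head the import table of a Delphi executable.
DELPHI_RTL_MARKERS = {
    "user32.dll": {"GetKeyboardType", "MessageBoxA", "CharNextA", "LoadStringA"},
    "oleaut32.dll": {"SysFreeString", "SysReAllocStringLen", "SysAllocStringLen"},
    "advapi32.dll": {"RegQueryValueExA", "RegOpenKeyExA", "RegCloseKey"},
}

# The calls the dynamic trace shows being used for the hollowing chain, plus their
# documented Win32 wrappers and Zw aliases.
HOLLOWING_APIS = {"CreateProcessInternalW", "CreateProcessA", "CreateProcessW",
                  "NtUnmapViewOfSection", "ZwUnmapViewOfSection", "NtMapViewOfSection",
                  "NtWriteVirtualMemory", "WriteProcessMemory", "NtGetContextThread",
                  "GetThreadContext", "NtSetContextThread", "SetThreadContext",
                  "NtResumeThread", "ResumeThread"}
DYNAMIC_RESOLUTION = {"GetProcAddress", "LoadLibraryA", "LoadLibraryExA", "LoadLibraryW"}


def parse_import_listing(text: str) -> Dict[str, List[str]]:
    """Parse the listing format used above into {dll: [names]}. Repeated
    'Library' headers (one per Delphi unit) are merged into one entry."""
    imports: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Library ") and line.endswith(":"):
            current = line[len("Library "):-1].lower()
            imports.setdefault(current, [])
        elif current and line.startswith("0x"):
            _, name = line.split(None, 1)
            imports[current].append(name)
    return imports


def timestamp_is_delphi_constant(reported: str, utc_offset_hours: int) -> bool:
    """True if a 'YYYY-MM-DD HH:MM:SS' compile time, shown in UTC+offset,
    is the Delphi constant rather than a real build date."""
    local = datetime.strptime(reported, "%Y-%m-%d %H:%M:%S")
    as_utc = (local - timedelta(hours=utc_offset_hours)).replace(tzinfo=timezone.utc)
    return int(as_utc.timestamp()) == DELPHI_TIMESTAMP


def triage_imports(imports: Dict[str, List[str]]) -> Dict[str, object]:
    """Answer the questions a triager asks of this import table."""
    names = {n for lst in imports.values() for n in lst}
    rtl_hits = sum(1 for dll, req in DELPHI_RTL_MARKERS.items()
                   if req <= set(imports.get(dll, [])))
    return {
        "delphi_rtl": rtl_hits == len(DELPHI_RTL_MARKERS),
        "hollowing_apis_static": sorted(names & HOLLOWING_APIS),
        # Empty static set plus GetProcAddress/LoadLibrary means the injection
        # APIs are resolved at run time and will not show up in import-based rules.
        "dynamic_resolution": bool(names & DYNAMIC_RESOLUTION),
        "rwx_capable": {"VirtualAlloc", "VirtualProtect"} <= names,
    }


# Excerpt of the listing above (addresses and names copied from it, order kept).
IMPORT_LISTING = """
Library kernel32.dll:
0x488164 VirtualFree
0x488168 VirtualAlloc
0x48819c LoadLibraryExA
0x4881a8 GetProcAddress
Library user32.dll:
0x4881ec GetKeyboardType
0x4881f0 LoadStringA
0x4881f4 MessageBoxA
0x4881f8 CharNextA
Library advapi32.dll:
0x488200 RegQueryValueExA
0x488204 RegOpenKeyExA
0x488208 RegCloseKey
Library oleaut32.dll:
0x488210 SysFreeString
0x488214 SysReAllocStringLen
0x488218 SysAllocStringLen
Library kernel32.dll:
0x488254 VirtualProtect
0x488290 LoadLibraryA
0x488358 CreateThread
"""

if __name__ == "__main__":
    print("Delphi timestamp constant:", timestamp_is_delphi_constant("1992-06-20 06:22:17", 8))
    print(triage_imports(parse_import_listing(IMPORT_LISTING)))
```

The point of the second check is the negative result: none of the APIs that perform the hollowing appears in the import table, while GetProcAddress, LoadLibraryA and LoadLibraryExA do, so an import-hash or import-string rule written from the dynamic trace would miss this loader; VirtualAlloc and VirtualProtect are the only statically visible hints of the RWX behaviour.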

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source port  Destination                      Destination port
192.168.56.101  50534        114.114.114.114                  53
192.168.56.101  51808        114.114.114.114                  53
192.168.56.101  51963        114.114.114.114                  53
192.168.56.101  56539        114.114.114.114                  53
192.168.56.101  58367        114.114.114.114                  53
192.168.56.101  63429        114.114.114.114                  53
192.168.56.101  137          192.168.56.255                   137
192.168.56.101  138          192.168.56.255                   138
192.168.56.101  123          20.189.79.72 (time.windows.com)  123
192.168.56.101  55368        224.0.0.252                      5355
192.168.56.101  56804        224.0.0.252                      5355
192.168.56.101  62191        224.0.0.252                      5355
192.168.56.101  65004        224.0.0.252                      5355
192.168.56.101  1900         239.255.255.250                  1900
192.168.56.101  51809        239.255.255.250                  3702
192.168.56.101  51811        239.255.255.250                  3702
192.168.56.101  56540        239.255.255.250                  3702
192.168.56.101  56807        239.255.255.250                  1900
192.168.56.101  58707        239.255.255.250                  3702

Apart from the DNS queries, this table reads as the guest's normal Windows background traffic: NetBIOS name and datagram service broadcasts (137/138), NTP to time.windows.com, LLMNR (224.0.0.252:5355), SSDP (239.255.255.250:1900) and WS-Discovery (239.255.255.250:3702). The six DNS queries to 114.114.114.114 are the only flows that could belong to the sample, and the names they looked up are not reported. Nothing in the capture goes to 172.217.24.14, the host named under the dynamic indicators, so this run yields no usable network indicator.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files: none.
Dropped buffers: none.