SmartHawk

6.0

高危

43 个模型检测该样本为恶意！

重新分析

下载样本

f847c4abf2105e997260161da48567968b7be870ae8e92e2ec6e5959e556bb5e

aff3a4ce7643f274aaa725c69982b39a.exe

分析耗时

83s

最近分析

文件大小

1.5MB

静态报毒动态报毒 AGENTTESLA AI SCORE=86 AVSARHER BSIDR7 CONFIDENCE ELDORADO EN0@AWEMYOK EQGF FAREIT GDSDA GENERICKD GENKRYPTIK HSCGAD INJECT3 KRYPTIK LSVR MALWARE@#1S25QGCSQGT8V MALWAREX MXRESICN NJECT R348104 TASKUN TSCOPE UCITJ ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Trojan:Win32/Agenttesla.1df9948e	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_80% (W)	20190702	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:MalwareX-gen [Trj]	20201023	18.4.3895.0
Kingsoft		20201023	2013.8.14.323
McAfee	Fareit-FYI!AFF3A4CE7643	20201023	6.0.6.653
Tencent	Msil.Trojan.Taskun.Lsvr	20201023	1.0.0.1

Checks if process is being debugged by a debugger (8 个事件)

Time & API	Arguments	Status	Return	Repeated
1619826882.349279 IsDebuggerPresent		failed	0	0
1619826882.365279 IsDebuggerPresent		failed	0	0
1619826949.427279 IsDebuggerPresent		failed	0	0
1619826949.927279 IsDebuggerPresent		failed	0	0
1619826950.443279 IsDebuggerPresent		failed	0	0
1619826950.990279 IsDebuggerPresent		failed	0	0
1619826951.458279 IsDebuggerPresent		failed	0	0
1619826952.068279 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619826882.411279 GlobalMemoryStatusEx		success	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 92 个事件)

Time & API	Arguments	Status	Return
1619826881.552279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x004b0000	success	0
1619826881.552279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00500000	success	0
1619826881.865279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x005c0000	success	0
1619826881.865279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00660000	success	0
1619826882.052279 NtProtectVirtualMemory	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success	0
1619826882.349279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02290000	success	0
1619826882.349279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02480000	success	0
1619826882.365279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ea000	success	0
1619826882.365279 NtProtectVirtualMemory	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success	0
1619826882.365279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e2000	success	0
1619826882.880279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005f2000	success	0
1619826882.974279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00615000	success	0
1619826882.974279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0061b000	success	0
1619826882.974279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00617000	success	0
1619826883.068279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005f3000	success	0
1619826883.099279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005fc000	success	0
1619826883.443279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005f4000	success	0
1619826883.458279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005f6000	success	0
1619826883.568279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00920000	success	0
1619826883.693279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005f7000	success	0
1619826883.708279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00606000	success	0
1619826883.708279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0060a000	success	0
1619826883.708279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00607000	success	0
1619826883.771279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005f8000	success	0
1619826884.161279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00921000	success	0
1619826884.318279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00924000	success	0
1619826884.318279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00925000	success	0
1619826884.380279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005f9000	success	0
1619826884.411279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009c0000	success	0
1619826925.974279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00926000	success	0
1619826926.005279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00661000	success	0
1619826926.083279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00927000	success	0
1619826926.365279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009c1000	success	0
1619826926.365279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ec000	success	0
1619826926.583279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00928000	success	0
1619826926.583279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009c2000	success	0
1619826926.599279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00929000	success	0
1619826926.693279 NtProtectVirtualMemory	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1155072 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05c10400	failed	3221225550
1619826948.786279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0092a000	success	0
1619826948.974279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0092b000	success	0
1619826948.974279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0092c000	success	0
1619826949.005279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0092d000	success	0
1619826949.005279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0092e000	success	0
1619826949.161279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009c3000	success	0
1619826949.161279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0092f000	success	0
1619826949.208279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008a0000	success	0
1619826949.208279 NtAllocateVirtualMemory	process_identifier: 2404 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008a1000	success	0
1619826949.208279 NtProtectVirtualMemory	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05c10178	failed	3221225550
1619826949.208279 NtProtectVirtualMemory	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05c101a0	failed	3221225550
1619826949.208279 NtProtectVirtualMemory	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05c101c8	failed	3221225550

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.975635198337871

section

{'size_of_data': '0x0015e000', 'virtual_address': '0x00002000', 'entropy': 7.975635198337871, 'name': '.text', 'virtual_size': '0x0015defc'}

description

A section with a high entropy has been found

entropy

0.9299236134174693

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619826926.677279 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (6 个事件)

Time & API	Arguments	Status
1619826949.865279 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2576 process_handle: 0x000081c0	failed
1619826949.865279 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2576 process_handle: 0x000081c0	success
1619826950.505279 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1416 process_handle: 0x0000f374	failed
1619826950.505279 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1416 process_handle: 0x0000f374	success
1619826951.661279 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1056 process_handle: 0x0000e2cc	failed
1619826951.661279 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1056 process_handle: 0x0000e2cc	success

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (4 个事件)

Time & API	Arguments	Status	Return
1619826949.552279 NtAllocateVirtualMemory	process_identifier: 2576 region_size: 1122304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00008acc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619826949.974279 NtAllocateVirtualMemory	process_identifier: 1416 region_size: 1122304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000840c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619826951.099279 NtAllocateVirtualMemory	process_identifier: 1056 region_size: 1122304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000e64 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619826952.208279 NtAllocateVirtualMemory	process_identifier: 1652 region_size: 1122304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000d640 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496

Manipulates memory of a non-child process indicative of process injection (8 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2404 manipulating memory of non-child process 2576
Process injection	Process 2404 manipulating memory of non-child process 1416
Process injection	Process 2404 manipulating memory of non-child process 1056
Process injection	Process 2404 manipulating memory of non-child process 1652
1619826949.552279 NtAllocateVirtualMemory	process_identifier: 2576 region_size: 1122304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00008acc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619826949.974279 NtAllocateVirtualMemory	process_identifier: 1416 region_size: 1122304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000840c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619826951.099279 NtAllocateVirtualMemory	process_identifier: 1056 region_size: 1122304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000e64 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619826952.208279 NtAllocateVirtualMemory	process_identifier: 1652 region_size: 1122304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000d640 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Executed a process and injected code into it, probably while unpacking (17 个事件)

Time & API	Arguments	Status	Return
1619826882.365279 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2404	success	0
1619826882.396279 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 2404	success	0
1619826882.521279 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 2404	success	0
1619826949.271279 NtResumeThread	thread_handle: 0x0000dfe4 suspend_count: 1 process_identifier: 2404	success	0
1619826949.380279 NtResumeThread	thread_handle: 0x0000b184 suspend_count: 1 process_identifier: 2404	success	0
1619826949.536279 CreateProcessInternalW	thread_identifier: 2840 thread_handle: 0x00007fb4 process_identifier: 2576 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\aff3a4ce7643f274aaa725c69982b39a.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\aff3a4ce7643f274aaa725c69982b39a.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00008acc inherit_handles: 0	success	1
1619826949.536279 NtGetContextThread	thread_handle: 0x00007fb4	success	0
1619826949.552279 NtAllocateVirtualMemory	process_identifier: 2576 region_size: 1122304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00008acc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619826949.974279 CreateProcessInternalW	thread_identifier: 2560 thread_handle: 0x000081c0 process_identifier: 1416 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\aff3a4ce7643f274aaa725c69982b39a.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\aff3a4ce7643f274aaa725c69982b39a.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000840c inherit_handles: 0	success	1
1619826949.974279 NtGetContextThread	thread_handle: 0x000081c0	success	0
1619826949.974279 NtAllocateVirtualMemory	process_identifier: 1416 region_size: 1122304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000840c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619826951.068279 CreateProcessInternalW	thread_identifier: 624 thread_handle: 0x0000f374 process_identifier: 1056 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\aff3a4ce7643f274aaa725c69982b39a.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\aff3a4ce7643f274aaa725c69982b39a.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000e64 inherit_handles: 0	success	1
1619826951.099279 NtGetContextThread	thread_handle: 0x0000f374	success	0
1619826951.099279 NtAllocateVirtualMemory	process_identifier: 1056 region_size: 1122304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000e64 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619826952.208279 CreateProcessInternalW	thread_identifier: 2844 thread_handle: 0x0000e2cc process_identifier: 1652 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\aff3a4ce7643f274aaa725c69982b39a.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\aff3a4ce7643f274aaa725c69982b39a.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000d640 inherit_handles: 0	success	1
1619826952.208279 NtGetContextThread	thread_handle: 0x0000e2cc	success	0
1619826952.208279 NtAllocateVirtualMemory	process_identifier: 1652 region_size: 1122304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000d640 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 个事件)

MicroWorld-eScan	Trojan.GenericKD.34364518
FireEye	Generic.mg.aff3a4ce7643f274
ALYac	Trojan.GenericKD.34364518
Sangfor	Malware
K7AntiVirus	Trojan ( 0056c91f1 )
Alibaba	Trojan:Win32/Agenttesla.1df9948e
K7GW	Trojan ( 0056c91f1 )
CrowdStrike	win/malicious_confidence_80% (W)
Arcabit	Trojan.Generic.D20C5C66
Cyren	W32/MSIL_Kryptik.BKT.gen!Eldorado
Symantec	Trojan Horse
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	HEUR:Trojan.MSIL.Taskun.gen
BitDefender	Trojan.GenericKD.34364518
NANO-Antivirus	Trojan.Win32.Taskun.hscgad
Paloalto	generic.ml
AegisLab	Trojan.MSIL.Taskun.4!c
Ad-Aware	Trojan.GenericKD.34364518
Comodo	Malware@#1s25qgcsqgt8v
DrWeb	Trojan.Inject3.50805
VIPRE	Trojan.Win32.Generic!BT
Invincea	Mal/Generic-S
McAfee-GW-Edition	Fareit-FYI!AFF3A4CE7643
Sophos	Mal/Generic-S
Avira	TR/Kryptik.ucitj
MAX	malware (ai score=86)
Microsoft	Trojan:MSIL/AgentTesla.VN!MTB
ZoneAlarm	HEUR:Trojan.MSIL.Taskun.gen
GData	Trojan.GenericKD.34364518
AhnLab-V3	Trojan/Win32.AgentTesla.R348104
McAfee	Fareit-FYI!AFF3A4CE7643
VBA32	TScope.Trojan.MSIL
ESET-NOD32	a variant of MSIL/Kryptik.XIR
Tencent	Msil.Trojan.Taskun.Lsvr
Yandex	Trojan.AvsArher.bSIdr7
Ikarus	Trojan.MSIL.nject
MaxSecure	Win.MxResIcn.Heur.Gen
Fortinet	MSIL/GenKryptik.EQGF!tr
BitDefenderTheta	Gen:NN.ZemsilF.34570.En0@aWEmyOk
AVG	Win32:MalwareX-gen [Trj]
Panda	Trj/GdSda.A
Qihoo-360	Generic/Trojan.477

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2050-01-10 12:15:48

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.