5.0
中危
57 个模型检测该样本为恶意!
重新分析
更多

a3f763c730e23fab3523b4a501f4590abcc4fd20306cba116c3b726a0d198367

b1253684096a6ab41d9017d3d02b265a.exe

分析耗时

79s

最近分析

文件大小

500.4KB
静态报毒 动态报毒 AI SCORE=80 ATTRIBUTE CLASSIC CONFIDENCE DSSDYI9 EMOTET FSTZ FYX@AMSCDHGI GENCIRC GENERICKD GENETIC HEPK HIGH CONFIDENCE HIGHCONFIDENCE HMKRSR KCLOUD KRYPTIK MALICIOUS PE MALWARE@#RSW0DNZO1XEW MALWAREX R342615 SCORE STATIC AI SUSGEN TRICKBOT UNSAFE WACATAC YGCWF ZENPAK ZEXAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/TrickBot.098729b8 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:MalwareX-gen [Trj] 20201210 21.1.5827.0
Tencent Malware.Win32.Gencirc.10cddb68 20201211 1.0.0.1
Kingsoft Win32.Troj.Undef.(kcloud) 20201211 2017.9.26.565
McAfee Trickbot-FSTZ!B1253684096A 20201211 6.0.6.653
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619890901.28175
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
The executable uses a known packer (1 个事件)
packer Armadillo v1.71
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619890902.49975
__exception__
stacktrace: 
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
hook_in_monitor+0x45 lde-0x133 @ 0x756142ea
New_ntdll_LdrGetProcedureAddress+0x43 New_ntdll_LdrLoadDll-0x156 @ 0x7562f7f3
GetProcAddress+0x60 GetModuleHandleA-0x80 kernelbase+0x4190 @ 0x7fefdc54190
SvchostPushServiceGlobals+0x471 WinHttpQueryOption-0x1a7b winhttp+0x1eb99 @ 0x7fef9efeb99
SvchostPushServiceGlobals+0x4fb WinHttpQueryOption-0x19f1 winhttp+0x1ec23 @ 0x7fef9efec23
WinHttpConnect+0x1ab WinHttpGetDefaultProxyConfiguration-0x1615 winhttp+0x13fe7 @ 0x7fef9ef3fe7

registers.r14: 0
registers.r9: 1970001920
registers.rcx: 0
registers.rsi: 3597456
registers.r10: 0
registers.rbx: 0
registers.rdi: 0
registers.r11: 0
registers.r8: 5
registers.rdx: 2
registers.rbp: 0
registers.r15: 2007313264
registers.r12: 3436816
registers.rsp: 2287792
registers.rax: 1
registers.r13: 443
exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c
exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a
exception.instruction: mov rax, qword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 105050
exception.address: 0x77b69a5a
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (8 个事件)
Time & API Arguments Status Return Repeated
1619861122.86156
NtAllocateVirtualMemory
process_identifier: 784
region_size: 204800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00480000
success 0 0
1619861128.86156
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 204800
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e11000
success 0 0
1619861155.00156
NtAllocateVirtualMemory
process_identifier: 784
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01eb0000
success 0 0
1619861155.00156
NtAllocateVirtualMemory
process_identifier: 784
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x10000000
success 0 0
1619861155.00156
NtAllocateVirtualMemory
process_identifier: 784
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x10001000
success 0 0
1619861155.17356
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ec0000
success 0 0
1619861155.17356
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ed0000
success 0 0
1619861155.17356
NtAllocateVirtualMemory
process_identifier: 784
region_size: 147456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ee0000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.997417095359395 section {'size_of_data': '0x00032000', 'virtual_address': '0x00045000', 'entropy': 7.997417095359395, 'name': '.rsrc', 'virtual_size': '0x00031da8'} description A section with a high entropy has been found
entropy 0.4032258064516129 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 个事件)
Time & API Arguments Status Return Repeated
1619890887.92175
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619890890.99975
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619890896.03175
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
网络通信
Communicates with host for which no DNS query was performed (2 个事件)
host 172.217.24.14
host 181.129.134.18
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 181.129.134.18:449
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43417789
CAT-QuickHeal Trojan.Zenpak
Qihoo-360 Win32/Trojan.ffa
ALYac Trojan.GenericKD.43417789
Cylance Unsafe
Zillya Trojan.Zenpak.Win32.2318
Sangfor Malware
K7AntiVirus Trojan ( 00569d211 )
Alibaba Trojan:Win32/TrickBot.098729b8
K7GW Trojan ( 00569d211 )
Cybereason malicious.a0a4dd
Arcabit Trojan.Generic.D29680BD
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Zenpak.pef
BitDefender Trojan.GenericKD.43417789
NANO-Antivirus Trojan.Win32.Kryptik.hmkrsr
Avast Win32:MalwareX-gen [Trj]
Tencent Malware.Win32.Gencirc.10cddb68
Ad-Aware Trojan.GenericKD.43417789
Sophos Mal/Generic-S
Comodo Malware@#rsw0dnzo1xew
F-Secure Trojan.TR/AD.TrickBot.ygcwf
DrWeb Trojan.Packed.140
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.EMOTET.SMV.hp
McAfee-GW-Edition BehavesLike.Win32.Generic.hh
FireEye Generic.mg.b1253684096a6ab4
Emsisoft Trojan.GenericKD.43417789 (B)
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.Zenpak.cly
Avira TR/AD.TrickBot.ygcwf
Antiy-AVL Trojan/Win32.Zenpak
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/TrickBot.ARJ!MTB
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm HEUR:Trojan.Win32.Zenpak.pef
GData Trojan.GenericKD.43417789
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Trickbot.R342615
McAfee Trickbot-FSTZ!B1253684096A
MAX malware (ai score=80)
VBA32 Trojan.Wacatac
Malwarebytes Trojan.MalPack.TRE
ESET-NOD32 a variant of Win32/Kryptik.HEPK
TrendMicro-HouseCall TrojanSpy.Win32.EMOTET.SMV.hp
Rising Trojan.Kryptik!1.C89F (CLASSIC)
Yandex Trojan.Kryptik!DssdyI9/mjM
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-06-30 18:52:43

Imports

Library KERNEL32.dll:
0x44416c LoadLibraryExW
0x444170 GetProcAddress
0x444174 LoadLibraryExA
0x444178 ExitProcess
0x44417c FreeConsole
0x44418c GetStdHandle
0x444190 LCMapStringW
0x444194 LCMapStringA
0x444198 GetStringTypeW
0x44419c GetStringTypeA
0x4441a0 SetStdHandle
0x4441a4 ReadFile
0x4441a8 LoadLibraryA
0x4441ac IsBadCodePtr
0x4441b0 IsBadReadPtr
0x4441b8 WideCharToMultiByte
0x4441bc FlushFileBuffers
0x4441c0 SetFilePointer
0x4441c4 MultiByteToWideChar
0x4441c8 RtlUnwind
0x4441cc TerminateProcess
0x4441d0 GetCurrentProcess
0x4441d4 HeapFree
0x4441d8 ReadConsoleInputA
0x4441dc SetConsoleMode
0x4441e0 GetConsoleMode
0x4441e4 HeapAlloc
0x4441e8 GetVersion
0x4441ec RaiseException
0x4441f0 HeapReAlloc
0x4441f4 HeapSize
0x4441f8 GetModuleHandleA
0x4441fc SetHandleCount
0x444200 GetFileType
0x444204 GetStartupInfoA
0x444208 HeapDestroy
0x44420c HeapCreate
0x444210 VirtualFree
0x444214 VirtualAlloc
0x444218 IsBadWritePtr
0x44421c CreateFileA
0x444220 CloseHandle
0x444228 GetModuleFileNameW
0x44423c GetCommandLineW
0x444240 GetCommandLineA
0x444244 WriteFile
0x444248 GetModuleFileNameA
0x44424c GetLastError
Library USER32.dll:
0x444280 GetDesktopWindow
Library ODBC32.dll:
0x444254
0x444258
0x44425c
0x444260
0x444264
0x444268
0x44426c
0x444270
0x444274
0x444278

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.