3.8
Medium risk

308307a97d51128d0ab44c3cf4bcab7025669f7c86b78acf527dceb3cc142a50

b1f945adec2ada064e28641c8e4008fb.exe

Analysis duration

34s

Latest analysis

File size

186.5KB
Static detection Dynamic detection AI SCORE=100 ATTRIBUTE BOBIK CONFIDENCE FOMTHU GENERICRXHN HIGH CONFIDENCE HIGHCONFIDENCE LQ0@AAJWYFOI MALICIOUS PE MALWARE@#23B73R33C0VZ0 PASSWORDSTEALER RAZY SIGGEN2 TIGGRE UNSAFE YAKBEEXMSIL ZEMSILF
Hawkeye Engine
Not detected. No Hawkeye Engine detection results yet.
Static verdict
Antivirus engines
Engine Result Scan time Engine version
McAfee GenericRXHN-RY!B1F945ADEC2A 20191113 6.0.6.653
Alibaba TrojanSpy:MSIL/Bobik.9f98f332 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20191116 18.4.3895.0
Tencent 20191116 1.0.0.1
Kingsoft 20191116 2013.8.14.323
CrowdStrike win/malicious_confidence_80% (D) 20190702 1.0
Static indicators
Checks if process is being debugged by a debugger (2 events)
Time & API Arguments Status Return Repeated
1620985085.952446
IsDebuggerPresent
failed 0 0
1620985085.968446
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
This executable has a PDB path (1 event)
pdb_path file.pdb
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1620985086.031446
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .sdata
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1620985104.140446
__exception__
exception.instruction_r: 80 7a 0f 05 75 0b 0f b6 42 0e 48 c1 e0 04 48 2b
exception.symbol: RtlLogStackBackTrace+0x890 RtlTraceDatabaseCreate-0xa0 ntdll+0xc7a40
exception.instruction: cmp byte ptr [rdx + 0xf], 5
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 817728
exception.address: 0x77c17a40
success 0 0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (50 out of 99 events)
Time & API Arguments Status Return Repeated
1620985084.359446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 2490368
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00000000009d0000
success 0 0
1620985084.359446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000000bb0000
success 0 0
1620985085.031446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x0000000000680000
success 0 0
1620985085.031446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000000690000
success 0 0
1620985085.202446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a91000
success 0 0
1620985085.202446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a91000
success 0 0
1620985085.249446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef2110000
success 0 0
1620985085.952446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00000000008d0000
success 0 0
1620985085.952446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000000900000
success 0 0
1620985085.984446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a92000
success 0 0
1620985085.984446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a92000
success 0 0
1620985085.984446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a92000
success 0 0
1620985085.984446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a92000
success 0 0
1620985085.984446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a92000
success 0 0
1620985085.984446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a93000
success 0 0
1620985085.984446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a93000
success 0 0
1620985085.984446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a93000
success 0 0
1620985085.984446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a93000
success 0 0
1620985085.984446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a93000
success 0 0
1620985085.999446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a93000
success 0 0
1620985085.999446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a93000
success 0 0
1620985085.999446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a91000
success 0 0
1620985085.999446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a92000
success 0 0
1620985085.999446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a92000
success 0 0
1620985085.999446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a92000
success 0 0
1620985085.999446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a92000
success 0 0
1620985085.999446
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a92000
success 0 0
1620985086.484446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00022000
success 0 0
1620985086.531446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00012000
success 0 0
1620985086.781446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x000007fffff00000
success 0 0
1620985086.781446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007fffff00000
success 0 0
1620985086.781446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007fffff00000
success 0 0
1620985086.781446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007fffff10000
success 0 0
1620985086.781446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x000007ffffef0000
success 0 0
1620985086.781446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ffffef0000
success 0 0
1620985086.781446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0001a000
success 0 0
1620985086.827446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00023000
success 0 0
1620985086.827446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000cc000
success 0 0
1620985086.843446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000f6000
success 0 0
1620985086.843446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000d0000
success 0 0
1620985087.093446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00024000
success 0 0
1620985087.140446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0002c000
success 0 0
1620985087.343446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00025000
success 0 0
1620985087.374446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00140000
success 0 0
1620985088.781446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0001b000
success 0 0
1620985091.749446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00026000
success 0 0
1620985092.702446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00141000
success 0 0
1620985093.999446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00027000
success 0 0
1620985094.202446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0014c000
success 0 0
1620985094.265446
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0002a000
success 0 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1620985094.593446
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 13.227.250.143
host 172.217.24.14
File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)
MicroWorld-eScan Gen:Variant.Razy.506926
FireEye Generic.mg.b1f945adec2ada06
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee GenericRXHN-RY!B1F945ADEC2A
Cylance Unsafe
K7AntiVirus Spyware ( 005489ea1 )
Alibaba TrojanSpy:MSIL/Bobik.9f98f332
K7GW Spyware ( 005489ea1 )
Cybereason malicious.dec2ad
Invincea heuristic
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:Trojan-gen
Kaspersky HEUR:Trojan-Spy.MSIL.Bobik.gen
BitDefender Gen:Variant.Razy.506926
NANO-Antivirus Trojan.Win32.Bobik.fomthu
AegisLab Trojan.MSIL.Bobik.4!c
Endgame malicious (high confidence)
Emsisoft Gen:Variant.Razy.506926 (B)
Comodo Malware@#23b73r33c0vz0
F-Secure Trojan.TR/Dropper.Gen
DrWeb Trojan.PWS.Siggen2.10779
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.Generic.ch
Sophos Mal/Generic-S
SentinelOne DFI - Malicious PE
Avira TR/Dropper.Gen
Antiy-AVL Trojan[Spy]/MSIL.Bobik
Microsoft Trojan:Win32/Tiggre!rfn
Arcabit Trojan.Razy.D7BC2E
ZoneAlarm HEUR:Trojan-Spy.MSIL.Bobik.gen
GData Gen:Variant.Razy.506926
AhnLab-V3 Trojan/Win32.Agent.C2926564
ALYac Gen:Variant.Razy.506926
MAX malware (ai score=100)
Ad-Aware Gen:Variant.Razy.506926
Malwarebytes Spyware.PasswordStealer
ESET-NOD32 a variant of MSIL/Spy.Agent.CEI
Ikarus Trojan.MSIL.Spy
Fortinet MSIL/Agent.RCD!tr.pws
BitDefenderTheta Gen:NN.ZemsilF.32250.lq0@aaJWyFoi
AVG Win32:Trojan-gen
CrowdStrike win/malicious_confidence_80% (D)
Qihoo-360 Win32/Trojan.2a7
Visual analysis
Binary image
No binary image. No binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots. No screenshots were generated while this sample ran.

PE Compile Time

2019-03-22 23:17:44

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.