5.8
高危
59 个模型检测该样本为恶意!
重新分析
更多

32ef6a3c172b8ab59ed668b0fbad8c05dda82428fb2d1ec8e47d9e6db076043f

b30a21f2b58357e6fe9b409693072179.exe

分析耗时

34s

最近分析

文件大小

2.3MB
静态报毒 动态报毒 6S6VOWXAHYK AGEN AI SCORE=80 AIDETECTVM CLASSIC CONFIDENCE CRIDEX DELF DELPHILESS ELWH ELZG FAREIT GENERICKDZ HIGH CONFIDENCE HKBSJN HPLOKI KRYPTIK LOKIBOT MALWARE1 MALWARE@#O0KZ4M2N4U2C R + MAL SCORE SMBD SPYBOTNET SUSGEN TSCOPE TSPY UIW@AUZJ5MMI UNSAFE WACATAC X2066 ZELPHIF ZPUP 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/Cridex.b96cce6d 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Malware-gen 20201210 21.1.5827.0
Kingsoft 20201211 2017.9.26.565
McAfee Fareit-FTB!B30A21F2B583 20201211 6.0.6.653
Tencent 20201211 1.0.0.1
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
静态指标
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)
section CODE
section DATA
section BSS
The executable uses a known packer (1 个事件)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (4 个事件)
Time & API Arguments Status Return Repeated
1619861120.996176
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 36109880
registers.edi: 0
registers.eax: 0
registers.ebp: 36110216
registers.edx: 2130553844
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 9e 92 00 00 e9
exception.symbol: b30a21f2b58357e6fe9b409693072179+0x58eeb
exception.instruction: div eax
exception.module: b30a21f2b58357e6fe9b409693072179.exe
exception.exception_code: 0xc0000094
exception.offset: 364267
exception.address: 0x458eeb
success 0 0
1619890936.110375
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 50724676
registers.edi: 0
registers.eax: 0
registers.ebp: 50724744
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 4e 6e 00 00 e9
exception.symbol: b30a21f2b58357e6fe9b409693072179+0x54809
exception.instruction: div eax
exception.module: b30a21f2b58357e6fe9b409693072179.exe
exception.exception_code: 0xc0000094
exception.offset: 346121
exception.address: 0x454809
success 0 0
1619890938.016625
__exception__
stacktrace: 
b30a21f2b58357e6fe9b409693072179+0x4364 @ 0x404364
b30a21f2b58357e6fe9b409693072179+0x43cb @ 0x4043cb
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1638176
registers.edi: 4894440
registers.eax: 0
registers.ebp: 1638212
registers.edx: 44
registers.ebx: 0
registers.esi: 103
registers.ecx: 0
exception.instruction_r: f7 f0 90 90 90 90 90 33 c0 5a 59 59 64 89 10 eb
exception.symbol: b30a21f2b58357e6fe9b409693072179+0xaad41
exception.instruction: div eax
exception.module: b30a21f2b58357e6fe9b409693072179.exe
exception.exception_code: 0xc0000094
exception.offset: 699713
exception.address: 0x4aad41
success 0 0
1619890946.578375
__exception__
stacktrace: 
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75157f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75154de3
b30a21f2b58357e6fe9b409693072179+0x62a4d @ 0x462a4d
b30a21f2b58357e6fe9b409693072179+0x5b254 @ 0x45b254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff3e14ad
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (35 个事件)
Time & API Arguments Status Return Repeated
1619861120.809176
NtAllocateVirtualMemory
process_identifier: 2620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00360000
success 0 0
1619861120.996176
NtProtectVirtualMemory
process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 45056
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00458000
success 0 0
1619861121.012176
NtAllocateVirtualMemory
process_identifier: 2620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00a20000
success 0 0
1619890936.094375
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d0000
success 0 0
1619890936.125375
NtProtectVirtualMemory
process_identifier: 2988
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00454000
success 0 0
1619890936.125375
NtAllocateVirtualMemory
process_identifier: 2988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02040000
success 0 0
1619890937.453625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00350000
success 0 0
1619890939.563625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00630000
success 0 0
1619890942.188375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619890942.344375
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01dc0000
success 0 0
1619890942.344375
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01dc0000
success 0 0
1619890942.360375
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e00000
success 0 0
1619890942.360375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 339968
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e02000
success 0 0
1619890943.157375
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 917504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01f30000
success 0 0
1619890943.157375
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fd0000
success 0 0
1619890946.500375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e82000
success 0 0
1619890946.500375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619890946.500375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e82000
success 0 0
1619890946.500375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619890946.500375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e82000
success 0 0
1619890946.500375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619890946.500375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e82000
success 0 0
1619890946.500375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619890946.500375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e82000
success 0 0
1619890946.500375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619890946.500375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e82000
success 0 0
1619890946.500375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619890946.516375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e82000
success 0 0
1619890946.516375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619890946.516375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e82000
success 0 0
1619890946.516375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619890946.516375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e82000
success 0 0
1619890946.516375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619890946.516375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e82000
success 0 0
1619890946.516375
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.385507929111727 section {'size_of_data': '0x001e4e00', 'virtual_address': '0x00072000', 'entropy': 7.385507929111727, 'name': '.rsrc', 'virtual_size': '0x001e4cb0'} description A section with a high entropy has been found
entropy 0.8185271154251952 description Overall entropy of this PE file is high
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 个事件)
Process injection Process 2620 called NtSetContextThread to modify thread in remote process 2988
Process injection Process 2988 called NtSetContextThread to modify thread in remote process 732
Process injection Process 732 called NtSetContextThread to modify thread in remote process 2420
Time & API Arguments Status Return Repeated
1619861121.371176
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4569440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2988
success 0 0
1619890936.594375
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4895264
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 732
success 0 0
1619890940.438625
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4973232
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2420
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (6 个事件)
Process injection Process 2620 resumed a thread in remote process 2988
Process injection Process 2988 resumed a thread in remote process 732
Process injection Process 732 resumed a thread in remote process 2420
Time & API Arguments Status Return Repeated
1619861122.090176
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2988
success 0 0
1619890937.063375
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 732
success 0 0
1619890941.578625
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 2420
success 0 0
Executed a process and injected code into it, probably while unpacking (19 个事件)
Time & API Arguments Status Return Repeated
1619861121.293176
CreateProcessInternalW
thread_identifier: 2764
thread_handle: 0x000000fc
process_identifier: 2988
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b30a21f2b58357e6fe9b409693072179.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619861121.293176
NtUnmapViewOfSection
process_identifier: 2988
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619861121.293176
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 2988
commit_size: 1679360
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 1679360
base_address: 0x00400000
success 0 0
1619861121.371176
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619861121.371176
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4569440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2988
success 0 0
1619861122.090176
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2988
success 0 0
1619890936.438375
CreateProcessInternalW
thread_identifier: 2636
thread_handle: 0x000000fc
process_identifier: 732
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b30a21f2b58357e6fe9b409693072179.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619890936.438375
NtUnmapViewOfSection
process_identifier: 732
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619890936.453375
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 732
commit_size: 1150976
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 1150976
base_address: 0x00400000
success 0 0
1619890936.594375
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619890936.594375
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4895264
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 732
success 0 0
1619890937.063375
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 732
success 0 0
1619890940.313625
CreateProcessInternalW
thread_identifier: 2272
thread_handle: 0x000000ec
process_identifier: 2420
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b30a21f2b58357e6fe9b409693072179.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000f0
inherit_handles: 0
success 1 0
1619890940.313625
NtGetContextThread
thread_handle: 0x000000ec
success 0 0
1619890940.313625
NtUnmapViewOfSection
process_identifier: 2420
region_size: 4096
process_handle: 0x000000f0
base_address: 0x00400000
success 0 0
1619890940.313625
NtMapViewOfSection
section_handle: 0x000000f8
process_identifier: 2420
commit_size: 786432
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000f0
allocation_type: 0 ()
section_offset: 0
view_size: 786432
base_address: 0x00400000
success 0 0
1619890940.391625
NtMapViewOfSection
section_handle: 0x000000f4
process_identifier: 2420
commit_size: 4096
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000f0
allocation_type: 0 ()
section_offset: 0
view_size: 4096
base_address: 0x001e0000
success 0 0
1619890940.438625
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4973232
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2420
success 0 0
1619890941.578625
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 2420
success 0 0
File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 个事件)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.67077
FireEye Generic.mg.b30a21f2b58357e6
ALYac Trojan.GenericKDZ.67077
Cylance Unsafe
Zillya Trojan.Injector.Win32.731991
Sangfor Malware
K7AntiVirus Trojan ( 005667651 )
Alibaba Trojan:Win32/Cridex.b96cce6d
K7GW Trojan ( 005667651 )
Cybereason malicious.e1c182
Arcabit Trojan.Generic.D10605
Cyren W32/Injector.ZPUP-1501
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Win32:Malware-gen
ClamAV Win.Dropper.LokiBot-7787977-0
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Trojan.GenericKDZ.67077
NANO-Antivirus Trojan.Win32.SpyBotNET.hkbsjn
Paloalto generic.ml
Rising Trojan.Injector!1.C65C (CLASSIC)
Ad-Aware Trojan.GenericKDZ.67077
Emsisoft Trojan.GenericKDZ.67077 (B)
Comodo Malware@#o0kz4m2n4u2c
F-Secure Heuristic.HEUR/AGEN.1133569
DrWeb BackDoor.SpyBotNET.17
VIPRE Trojan.Win32.Generic!BT
TrendMicro TSPY_HPLOKI.SMBD
McAfee-GW-Edition BehavesLike.Win32.Fareit.vc
Sophos Mal/Generic-R + Mal/Fareit-AA
Ikarus Trojan.Inject
Jiangmin Trojan.Kryptik.bfi
Avira HEUR/AGEN.1133569
eGambit Unsafe.AI_Score_99%
Antiy-AVL Trojan/Win32.Wacatac
Gridinsoft Trojan.Win32.Kryptik.ba!s1
Microsoft Trojan:Win32/Cridex.VD!MTB
AegisLab Trojan.Win32.Kryptik.4!c
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Win32.Trojan.Injector.PA
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2066
McAfee Fareit-FTB!B30A21F2B583
MAX malware (ai score=80)
VBA32 TScope.Trojan.Delf
Malwarebytes Trojan.MalPack.DLF
Zoner Trojan.Win32.89664
ESET-NOD32 a variant of Win32/Injector.ELWH
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x466150 VirtualFree
0x466154 VirtualAlloc
0x466158 LocalFree
0x46615c LocalAlloc
0x466160 GetVersion
0x466164 GetCurrentThreadId
0x466170 VirtualQuery
0x466174 WideCharToMultiByte
0x466178 MultiByteToWideChar
0x46617c lstrlenA
0x466180 lstrcpynA
0x466184 LoadLibraryExA
0x466188 GetThreadLocale
0x46618c GetStartupInfoA
0x466190 GetProcAddress
0x466194 GetModuleHandleA
0x466198 GetModuleFileNameA
0x46619c GetLocaleInfoA
0x4661a0 GetCommandLineA
0x4661a4 FreeLibrary
0x4661a8 FindFirstFileA
0x4661ac FindClose
0x4661b0 ExitProcess
0x4661b4 WriteFile
0x4661bc RtlUnwind
0x4661c0 RaiseException
0x4661c4 GetStdHandle
Library user32.dll:
0x4661cc GetKeyboardType
0x4661d0 LoadStringA
0x4661d4 MessageBoxA
0x4661d8 CharNextA
Library advapi32.dll:
0x4661e0 RegQueryValueExA
0x4661e4 RegOpenKeyExA
0x4661e8 RegCloseKey
Library oleaut32.dll:
0x4661f0 SysFreeString
0x4661f4 SysReAllocStringLen
0x4661f8 SysAllocStringLen
Library kernel32.dll:
0x466200 TlsSetValue
0x466204 TlsGetValue
0x466208 LocalAlloc
0x46620c GetModuleHandleA
Library advapi32.dll:
0x466214 RegQueryValueExA
0x466218 RegOpenKeyExA
0x46621c RegCloseKey
Library kernel32.dll:
0x466224 lstrcpyA
0x466228 lstrcmpA
0x46622c WriteFile
0x466230 WaitForSingleObject
0x466234 VirtualQuery
0x466238 VirtualProtect
0x46623c VirtualAlloc
0x466240 Sleep
0x466244 SizeofResource
0x466248 SetThreadLocale
0x46624c SetFilePointer
0x466250 SetEvent
0x466254 SetErrorMode
0x466258 SetEndOfFile
0x46625c ResetEvent
0x466260 ReadFile
0x466264 MulDiv
0x466268 LockResource
0x46626c LoadResource
0x466270 LoadLibraryA
0x46627c GlobalUnlock
0x466280 GlobalReAlloc
0x466284 GlobalHandle
0x466288 GlobalLock
0x46628c GlobalFree
0x466290 GlobalFindAtomA
0x466294 GlobalDeleteAtom
0x466298 GlobalAlloc
0x46629c GlobalAddAtomA
0x4662a0 GetVersionExA
0x4662a4 GetVersion
0x4662a8 GetTickCount
0x4662ac GetThreadLocale
0x4662b4 GetSystemTime
0x4662b8 GetSystemInfo
0x4662bc GetStringTypeExA
0x4662c0 GetStdHandle
0x4662c4 GetProcAddress
0x4662c8 GetModuleHandleA
0x4662cc GetModuleFileNameA
0x4662d0 GetLocaleInfoA
0x4662d4 GetLocalTime
0x4662d8 GetLastError
0x4662dc GetFullPathNameA
0x4662e0 GetDiskFreeSpaceA
0x4662e4 GetDateFormatA
0x4662e8 GetCurrentThreadId
0x4662ec GetCurrentProcessId
0x4662f0 GetCPInfo
0x4662f4 GetACP
0x4662f8 FreeResource
0x4662fc InterlockedExchange
0x466300 FreeLibrary
0x466304 FormatMessageA
0x466308 FindResourceA
0x466310 ExitThread
0x466314 EnumCalendarInfoA
0x466320 CreateThread
0x466324 CreateFileA
0x466328 CreateEventA
0x46632c CompareStringA
0x466330 CloseHandle
Library version.dll:
0x466338 VerQueryValueA
0x466340 GetFileVersionInfoA
Library gdi32.dll:
0x466348 UnrealizeObject
0x46634c StretchBlt
0x466350 SetWindowOrgEx
0x466354 SetViewportOrgEx
0x466358 SetTextColor
0x46635c SetStretchBltMode
0x466360 SetROP2
0x466364 SetPixel
0x466368 SetDIBColorTable
0x46636c SetBrushOrgEx
0x466370 SetBkMode
0x466374 SetBkColor
0x466378 SelectPalette
0x46637c SelectObject
0x466380 SaveDC
0x466384 RestoreDC
0x466388 RectVisible
0x46638c RealizePalette
0x466390 PatBlt
0x466394 MoveToEx
0x466398 MaskBlt
0x46639c LineTo
0x4663a0 IntersectClipRect
0x4663a4 GetWindowOrgEx
0x4663a8 GetTextMetricsA
0x4663b4 GetStockObject
0x4663b8 GetPixel
0x4663bc GetPaletteEntries
0x4663c0 GetObjectA
0x4663c4 GetDeviceCaps
0x4663c8 GetDIBits
0x4663cc GetDIBColorTable
0x4663d0 GetDCOrgEx
0x4663d8 GetClipBox
0x4663dc GetBrushOrgEx
0x4663e0 GetBitmapBits
0x4663e4 ExcludeClipRect
0x4663e8 DeleteObject
0x4663ec DeleteDC
0x4663f0 CreateSolidBrush
0x4663f4 CreatePenIndirect
0x4663f8 CreatePalette
0x466400 CreateFontIndirectA
0x466404 CreateDIBitmap
0x466408 CreateDIBSection
0x46640c CreateCompatibleDC
0x466414 CreateBrushIndirect
0x466418 CreateBitmap
0x46641c BitBlt
Library user32.dll:
0x466424 CreateWindowExA
0x466428 WindowFromPoint
0x46642c WinHelpA
0x466430 WaitMessage
0x466434 UpdateWindow
0x466438 UnregisterClassA
0x46643c UnhookWindowsHookEx
0x466440 TranslateMessage
0x466448 TrackPopupMenu
0x466450 ShowWindow
0x466454 ShowScrollBar
0x466458 ShowOwnedPopups
0x46645c ShowCursor
0x466460 SetWindowsHookExA
0x466464 SetWindowTextA
0x466468 SetWindowPos
0x46646c SetWindowPlacement
0x466470 SetWindowLongA
0x466474 SetTimer
0x466478 SetScrollRange
0x46647c SetScrollPos
0x466480 SetScrollInfo
0x466484 SetRect
0x466488 SetPropA
0x46648c SetParent
0x466490 SetMenuItemInfoA
0x466494 SetMenu
0x466498 SetForegroundWindow
0x46649c SetFocus
0x4664a0 SetCursor
0x4664a4 SetClassLongA
0x4664a8 SetCapture
0x4664ac SetActiveWindow
0x4664b0 SendMessageA
0x4664b4 ScrollWindow
0x4664b8 ScreenToClient
0x4664bc RemovePropA
0x4664c0 RemoveMenu
0x4664c4 ReleaseDC
0x4664c8 ReleaseCapture
0x4664d4 RegisterClassA
0x4664d8 RedrawWindow
0x4664dc PtInRect
0x4664e0 PostQuitMessage
0x4664e4 PostMessageA
0x4664e8 PeekMessageA
0x4664ec OffsetRect
0x4664f0 OemToCharA
0x4664f4 MessageBoxA
0x4664f8 MapWindowPoints
0x4664fc MapVirtualKeyA
0x466500 LoadStringA
0x466504 LoadKeyboardLayoutA
0x466508 LoadIconA
0x46650c LoadCursorA
0x466510 LoadBitmapA
0x466514 KillTimer
0x466518 IsZoomed
0x46651c IsWindowVisible
0x466520 IsWindowEnabled
0x466524 IsWindow
0x466528 IsRectEmpty
0x46652c IsIconic
0x466530 IsDialogMessageA
0x466534 IsChild
0x466538 InvalidateRect
0x46653c IntersectRect
0x466540 InsertMenuItemA
0x466544 InsertMenuA
0x466548 InflateRect
0x466550 GetWindowTextA
0x466554 GetWindowRect
0x466558 GetWindowPlacement
0x46655c GetWindowLongA
0x466560 GetWindowDC
0x466564 GetTopWindow
0x466568 GetSystemMetrics
0x46656c GetSystemMenu
0x466570 GetSysColorBrush
0x466574 GetSysColor
0x466578 GetSubMenu
0x46657c GetScrollRange
0x466580 GetScrollPos
0x466584 GetScrollInfo
0x466588 GetPropA
0x46658c GetParent
0x466590 GetWindow
0x466594 GetMenuStringA
0x466598 GetMenuState
0x46659c GetMenuItemInfoA
0x4665a0 GetMenuItemID
0x4665a4 GetMenuItemCount
0x4665a8 GetMenu
0x4665ac GetLastActivePopup
0x4665b0 GetKeyboardState
0x4665b8 GetKeyboardLayout
0x4665bc GetKeyState
0x4665c0 GetKeyNameTextA
0x4665c4 GetIconInfo
0x4665c8 GetForegroundWindow
0x4665cc GetFocus
0x4665d0 GetDlgItem
0x4665d4 GetDesktopWindow
0x4665d8 GetDCEx
0x4665dc GetDC
0x4665e0 GetCursorPos
0x4665e4 GetCursor
0x4665e8 GetClientRect
0x4665ec GetClassNameA
0x4665f0 GetClassInfoA
0x4665f4 GetCapture
0x4665f8 GetActiveWindow
0x4665fc FrameRect
0x466600 FindWindowA
0x466604 FillRect
0x466608 EqualRect
0x46660c EnumWindows
0x466610 EnumThreadWindows
0x466614 EndPaint
0x466618 EnableWindow
0x46661c EnableScrollBar
0x466620 EnableMenuItem
0x466624 DrawTextA
0x466628 DrawMenuBar
0x46662c DrawIconEx
0x466630 DrawIcon
0x466634 DrawFrameControl
0x466638 DrawEdge
0x46663c DispatchMessageA
0x466640 DestroyWindow
0x466644 DestroyMenu
0x466648 DestroyIcon
0x46664c DestroyCursor
0x466650 DeleteMenu
0x466654 DefWindowProcA
0x466658 DefMDIChildProcA
0x46665c DefFrameProcA
0x466660 CreatePopupMenu
0x466664 CreateMenu
0x466668 CreateIcon
0x46666c ClientToScreen
0x466670 CheckMenuItem
0x466674 CallWindowProcA
0x466678 CallNextHookEx
0x46667c BeginPaint
0x466680 CharNextA
0x466684 CharLowerA
0x466688 CharToOemA
0x46668c AdjustWindowRectEx
Library kernel32.dll:
0x466698 Sleep
Library oleaut32.dll:
0x4666a0 SafeArrayPtrOfIndex
0x4666a4 SafeArrayGetUBound
0x4666a8 SafeArrayGetLBound
0x4666ac SafeArrayCreate
0x4666b0 VariantChangeType
0x4666b4 VariantCopy
0x4666b8 VariantClear
0x4666bc VariantInit
Library ole32.dll:
0x4666c4 CoTaskMemAlloc
0x4666c8 CoCreateInstance
0x4666cc CoUninitialize
0x4666d0 CoInitialize
Library comctl32.dll:
0x4666e0 ImageList_Write
0x4666e4 ImageList_Read
0x4666f4 ImageList_DragMove
0x4666f8 ImageList_DragLeave
0x4666fc ImageList_DragEnter
0x466700 ImageList_EndDrag
0x466704 ImageList_BeginDrag
0x466708 ImageList_Remove
0x46670c ImageList_DrawEx
0x466710 ImageList_Draw
0x466720 ImageList_Add
0x466728 ImageList_Destroy
0x46672c ImageList_Create
0x466730 InitCommonControls
Library comdlg32.dll:
0x466738 GetSaveFileNameA
0x46673c GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58370 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.