5.8
High risk

278593e60722d691fe1b23b22cab15294662bbd2ef8ca1ba8e80ca78e872a813

b3c71fca1351df0d352fe022db1a38dc.exe

Analysis time

74s

Last analysis

File size

376.5KB
Static detection  Dynamic detection 100%  83NZWJ7BJZC AI SCORE=84 AIDETECTVM ATTRIBUTE CONFIDENCE DRIDEX EIPH EMOTET GENERICRXKF GENKRYPTIK HFIV HIGH CONFIDENCE HIGHCONFIDENCE JAIK KRYPTIK LIGOOC MALWARE1 MZZDT NAPOLAR PGCT QVM20 R066C0DHL20 R335133 SCORE SMTHD STRICTOR SUSGEN TRICKBOT TROJANX UNSAFE X80@AYWMCBMO ZENPAK ZEXAF
Hawkeye engine
Not detected: no Hawkeye engine results are available yet
Static verdict
Antivirus engines
Engine       Result                               Date      Version
Alibaba      Trojan:Win32/Trickbot.ec9014c8       20190527  0.3.0.5
Baidu        -                                    20190318  1.0.0.2
Avast        Win32:TrojanX-gen [Trj]              20201228  21.1.5827.0
Tencent      Win32.Trojan.Ligooc.Pgct             20201228  1.0.0.1
Kingsoft     -                                    20201228  2017.9.26.565
McAfee       GenericRXKF-WA!B3C71FCA1351          20201228  6.0.6.653
CrowdStrike  win/malicious_confidence_100% (W)    20190702  1.0
Static indicators
Checks if process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1619861122.025822
IsDebuggerPresent
failed 0 0
The file contains an unknown PE resource name possibly indicative of a packer (1 event)
resource name CXDMIO
Behavior verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Performs some HTTP requests (3 events)
request GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
request GET https://support.microsoft.com/
request GET https://support.microsoft.com/socbundles/jsll
Allocates read-write-execute memory (usually to unpack itself) (3 events)
Time & API Arguments Status Return Repeated
1619861117.744822
NtProtectVirtualMemory
process_identifier: 2868
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 114688
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00401000
success 0 0
1619861117.744822
NtProtectVirtualMemory
process_identifier: 2868
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 114688
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00401000
success 0 0
1619861122.103822
NtAllocateVirtualMemory
process_identifier: 2868
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01d90000
success 0 0
Creates hidden or system file (8 events)
Time & API Arguments Status Return Repeated
1619861122.212822
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1619861122.212822
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1619861122.212822
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1619861122.212822
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3154413779-3303930873-3537499701-500
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3154413779-3303930873-3537499701-500
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1619861122.259822
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1619861122.259822
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1619861122.259822
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1619861122.259822
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3154413779-3303930873-3537499701-500
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3154413779-3303930873-3537499701-500
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619861130.103822
GetAdaptersAddresses
flags: 15
family: 0
failed 111 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Creates known Napolar files, registry keys and/or mutexes (3 events)
mutex gcc-shmem-tdm2-use_fc_key
mutex gcc-shmem-tdm2-sjlj_once
mutex gcc-shmem-tdm2-fc_key
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 198.27.124.186:443
File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 of 55 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Strictor.243884
Qihoo-360 Generic/HEUR/QVM20.1.9BEB.Malware.Gen
ALYac Gen:Variant.Strictor.243884
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 00564c1d1 )
Alibaba Trojan:Win32/Trickbot.ec9014c8
K7GW Trojan ( 00564c1d1 )
Cybereason malicious.a1351d
Arcabit Trojan.Strictor.D3B8AC
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:TrojanX-gen [Trj]
ClamAV Win.Packed.Jaik-9752331-0
Kaspersky HEUR:Trojan.Win32.Zenpak.vho
BitDefender Gen:Variant.Strictor.243884
Paloalto generic.ml
AegisLab Trojan.Win32.Ligooc.4!c
Tencent Win32.Trojan.Ligooc.Pgct
Ad-Aware Gen:Variant.Strictor.243884
TACHYON Trojan/W32.Ligooc.385536
Sophos Mal/Generic-S
F-Secure Trojan.TR/Dropper.mzzdt
DrWeb Trojan.Dridex.681
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R066C0DHL20
McAfee-GW-Edition GenericRXKF-WA!B3C71FCA1351
FireEye Generic.mg.b3c71fca1351df0d
Emsisoft Gen:Variant.Strictor.243884 (B)
Jiangmin Trojan.Ligooc.b
Webroot W32.Trojan.Emotet
Avira TR/Dropper.mzzdt
Gridinsoft Trojan.Win32.Kryptik.ba
Microsoft Trojan:Win32/Trickbot!MSR
ZoneAlarm HEUR:Trojan.Win32.Zenpak.vho
GData Gen:Variant.Strictor.243884
Cynet Malicious (score: 85)
AhnLab-V3 Malware/Win32.RL_Generic.R335133
McAfee GenericRXKF-WA!B3C71FCA1351
MAX malware (ai score=84)
VBA32 Trojan.Ligooc
Malwarebytes Trojan.Crypt
ESET-NOD32 a variant of Win32/Kryptik.HFIV
TrendMicro-HouseCall TrojanSpy.Win32.EMOTET.SMTHD.hp
Yandex Trojan.Agent!83nZwJ7bJzc
Ikarus Trojan.SuspectCRC
eGambit Unsafe.AI_Score_70%
Fortinet W32/GenKryptik.EIPH!tr
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while this sample ran


PE Compile Time

2020-04-16 19:33:00

Imports

Library GDI32.dll:
0x427278 GetStockObject
Library KERNEL32.dll:
0x427280 AddAtomA
0x427284 CloseHandle
0x427288 CreateEventA
0x42728c CreateMutexA
0x427290 CreateSemaphoreA
0x427298 DuplicateHandle
0x4272a0 FindAtomA
0x4272a4 FindResourceA
0x4272a8 GetAtomNameA
0x4272ac GetCurrentProcess
0x4272b0 GetCurrentProcessId
0x4272b4 GetCurrentThread
0x4272b8 GetCurrentThreadId
0x4272c0 GetLastError
0x4272c4 GetProcAddress
0x4272cc GetStartupInfoA
0x4272d4 GetThreadContext
0x4272d8 GetThreadPriority
0x4272dc GetTickCount
0x4272ec InterlockedExchange
0x4272fc LoadLibraryW
0x427300 LoadResource
0x427304 LocalFree
0x427308 LockResource
0x427314 ReleaseMutex
0x427318 ReleaseSemaphore
0x42731c ResetEvent
0x427320 ResumeThread
0x427324 SetEvent
0x427328 SetLastError
0x427334 SetThreadContext
0x427338 SetThreadPriority
0x427340 SizeofResource
0x427344 Sleep
0x427348 SuspendThread
0x42734c TerminateProcess
0x427350 TlsAlloc
0x427354 TlsGetValue
0x427358 TlsSetValue
0x427364 VirtualProtect
0x427368 VirtualQuery
0x427370 WaitForSingleObject
Library msvcrt.dll:
0x427378 __dllonexit
0x42737c __getmainargs
0x427380 __initenv
0x427384 __lconv_init
0x427388 __set_app_type
0x42738c __setusermatherr
0x427390 _acmdln
0x427394 _amsg_exit
0x427398 _beginthreadex
0x42739c _cexit
0x4273a0 _endthreadex
0x4273a4 _fmode
0x4273a8 _ftime
0x4273ac _initterm
0x4273b0 _iob
0x4273b4 _lock
0x4273b8 _onexit
0x4273bc _setjmp3
0x4273c0 _unlock
0x4273c4 _vsnwprintf
0x4273c8 _write
0x4273cc abort
0x4273d0 calloc
0x4273d4 exit
0x4273d8 fprintf
0x4273dc fputc
0x4273e0 fputs
0x4273e4 free
0x4273e8 fwrite
0x4273ec longjmp
0x4273f0 malloc
0x4273f4 memchr
0x4273f8 memcmp
0x4273fc memcpy
0x427400 memmove
0x427404 memset
0x427408 printf
0x42740c rand
0x427410 realloc
0x427414 signal
0x427418 sprintf
0x42741c srand
0x427420 strcmp
0x427424 strerror
0x427428 strlen
0x42742c strncmp
0x427430 time
0x427434 vfprintf
Library USER32.dll:
0x42743c BeginPaint
0x427440 CreateWindowExW
0x427444 DefWindowProcW
0x427448 DispatchMessageW
0x42744c DrawTextW
0x427450 EndPaint
0x427454 FillRect
0x427458 GetDesktopWindow
0x42745c GetMessageW
0x427460 InvalidateRect
0x427464 KillTimer
0x427468 LoadCursorW
0x42746c LoadIconW
0x427470 PostQuitMessage
0x427474 RegisterClassExW
0x427478 SetTimer
0x42747c ShowWindow
0x427480 TranslateMessage
0x427484 UpdateWindow

Hosts

No hosts contacted.

TCP

Source          Source Port  Destination     Host                            Destination Port
192.168.56.101 49172 104.84.227.66 support.microsoft.com 443
192.168.56.101 49173 113.16.209.193 support.apple.com 443
192.168.56.101 49176 114.80.30.35 www.download.windowsupdate.com 80
192.168.56.101 49177 23.219.212.6 www.intel.com 443
192.168.56.101 49178 23.219.212.6 www.intel.com 443
192.168.56.101 49179 23.74.35.78 support.oracle.com 443
192.168.56.101 49180 23.74.35.78 support.oracle.com 443

UDP

Source          Source Port  Destination      Host                Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 53380 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.