4.8
Medium risk

fa2a05a0ed211b5d4187515358800556626b73c28a50706448ec1a3da329f917

b7d7f131260a315550863f175fb4fff0.exe

Analysis duration

72s

Last analyzed

File size

620.0KB
Static detection Dynamic detection AI SCORE=80 AIDETECTVM BANKERX BSCOPE BUNITU CLASSIC CONFIDENCE ELDORADO ELJF ENCPK GA@8SFC92 GENETIC GENKRYPTIK HEZT HIGH CONFIDENCE HKIFET INJECT3 KRYPTIK MALICIOUS PE MALWARE1 MINT MM0@A4VBDNLP PFQFU PINKSBOT QAKBOT QBOT QVM20 R + MAL R337768 REGOTET SCORE SMTHA STATIC AI TROJANBANKER UNSAFE ZENPAK ZEXAF
HawkEye engine
Not detected: no HawkEye engine detection results available
Static verdict
Antivirus engines
Engine Result Time Version
Alibaba TrojanBanker:Win32/Bunitu.92d97794 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:BankerX-gen [Trj] 20201215 21.1.5827.0
Kingsoft 20201215 2017.9.26.565
McAfee W32/PinkSbot-GS!B7D7F131260A 20201215 6.0.6.653
Static indicators
Queries for the computername (2 events)
Time & API Arguments Status Return Repeated
1619861116.033089
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619861116.988703
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
One or more processes crashed (2 events)
Time & API Arguments Status Return Repeated
1619861117.659703
__exception__
stacktrace:
b7d7f131260a315550863f175fb4fff0+0x3f07 @ 0x403f07
b7d7f131260a315550863f175fb4fff0+0x1b25 @ 0x401b25
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637624
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637684
registers.edx: 22104
registers.ebx: 1
registers.esi: 5658576
registers.ecx: 10
exception.instruction_r: ed 89 5d e4 89 4d e0 5a 59 5b 58 83 4d fc ff eb
exception.symbol: b7d7f131260a315550863f175fb4fff0+0x3449
exception.instruction: in eax, dx
exception.module: b7d7f131260a315550863f175fb4fff0.exe
exception.exception_code: 0xc0000096
exception.offset: 13385
exception.address: 0x403449
success 0 0
1619861117.659703
__exception__
stacktrace:
b7d7f131260a315550863f175fb4fff0+0x3f10 @ 0x403f10
b7d7f131260a315550863f175fb4fff0+0x1b25 @ 0x401b25
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637628
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637684
registers.edx: 22104
registers.ebx: 1
registers.esi: 5658576
registers.ecx: 20
exception.instruction_r: ed 89 45 e4 5a 59 5b 58 83 4d fc ff eb 11 33 c0
exception.symbol: b7d7f131260a315550863f175fb4fff0+0x34e2
exception.instruction: in eax, dx
exception.module: b7d7f131260a315550863f175fb4fff0.exe
exception.exception_code: 0xc0000096
exception.offset: 13538
exception.address: 0x4034e2
success 0 0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (6 events)
Time & API Arguments Status Return Repeated
1619861115.924089
NtAllocateVirtualMemory
process_identifier: 196
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ed0000
success 0 0
1619861115.924089
NtAllocateVirtualMemory
process_identifier: 196
region_size: 221184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f10000
success 0 0
1619861115.940089
NtProtectVirtualMemory
process_identifier: 196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 237568
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619861116.941703
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004a0000
success 0 0
1619861116.941703
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 221184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004e0000
success 0 0
1619861116.941703
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 237568
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
Foreign language identified in PE resource (15 events)
name RT_ICON language LANG_CHINESE offset 0x0009aa48 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0009aa48 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0009aa48 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0009aa48 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0009aa48 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_DIALOG language LANG_CHINESE offset 0x0009af88 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000042
name RT_DIALOG language LANG_CHINESE offset 0x0009af88 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000042
name RT_DIALOG language LANG_CHINESE offset 0x0009af88 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000042
name RT_DIALOG language LANG_CHINESE offset 0x0009af88 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000042
name RT_GROUP_ICON language LANG_CHINESE offset 0x0009b24c filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000004c
name RT_VERSION language LANG_CHINESE offset 0x0009bd68 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000002b4
name RT_VERSION language LANG_CHINESE offset 0x0009bd68 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000002b4
name RT_VERSION language LANG_CHINESE offset 0x0009bd68 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000002b4
name RT_VERSION language LANG_CHINESE offset 0x0009bd68 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000002b4
name RT_VERSION language LANG_CHINESE offset 0x0009bd68 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000002b4
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619861116.893089
CreateProcessInternalW
thread_identifier: 2732
thread_handle: 0x00000164
process_identifier: 1068
current_directory:
filepath:
track: 1
command_line: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b7d7f131260a315550863f175fb4fff0.exe /C
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000168
inherit_handles: 0
success 1 0
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)
Expresses interest in specific running processes (1 event)
process vboxservice.exe
Network communication
Communicates with host for which no DNS query was performed (3 events)
host 172.217.24.14
host 203.208.40.34
host 203.208.41.65
Detects VMWare through the in instruction feature (1 event)
Time & API Arguments Status Return Repeated
1619861117.659703
__exception__
stacktrace:
b7d7f131260a315550863f175fb4fff0+0x3f07 @ 0x403f07
b7d7f131260a315550863f175fb4fff0+0x1b25 @ 0x401b25
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637624
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637684
registers.edx: 22104
registers.ebx: 1
registers.esi: 5658576
registers.ecx: 10
exception.instruction_r: ed 89 5d e4 89 4d e0 5a 59 5b 58 83 4d fc ff eb
exception.symbol: b7d7f131260a315550863f175fb4fff0+0x3449
exception.instruction: in eax, dx
exception.module: b7d7f131260a315550863f175fb4fff0.exe
exception.exception_code: 0xc0000096
exception.offset: 13385
exception.address: 0x403449
success 0 0
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Heur.Mint.Regotet.1
ALYac Gen:Heur.Mint.Regotet.1
Cylance Unsafe
Zillya Trojan.Qbot.Win32.8212
Sangfor Malware
K7AntiVirus Trojan ( 0056715d1 )
Alibaba TrojanBanker:Win32/Bunitu.92d97794
K7GW Trojan ( 005670121 )
CrowdStrike win/malicious_confidence_90% (W)
Arcabit Trojan.Mint.Regotet.1
BitDefenderTheta Gen:NN.ZexaF.34700.Mm0@a4VBDnlP
Cyren W32/Kryptik.BVL.gen!Eldorado
Symantec Packed.Generic.459
APEX Malicious
Avast Win32:BankerX-gen [Trj]
Kaspersky HEUR:Trojan-Banker.Win32.Qbot.pef
BitDefender Gen:Heur.Mint.Regotet.1
NANO-Antivirus Trojan.Win32.Inject3.hkifet
Paloalto generic.ml
AegisLab Trojan.Win32.Malicious.4!c
Ad-Aware Gen:Heur.Mint.Regotet.1
Sophos Mal/Generic-R + Mal/EncPk-APV
Comodo TrojWare.Win32.Qbot.GA@8sfc92
F-Secure Trojan.TR/Crypt.Agent.pfqfu
DrWeb Trojan.Inject3.40169
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.QAKBOT.SMTHA.hp
McAfee-GW-Edition BehavesLike.Win32.Generic.jm
FireEye Generic.mg.b7d7f131260a3155
Emsisoft Gen:Heur.Mint.Regotet.1 (B)
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.Zenpak.bsq
Avira TR/Crypt.Agent.pfqfu
MAX malware (ai score=80)
Antiy-AVL Trojan/Win32.Qakbot
Gridinsoft Trojan.Win32.Kryptik.ba
Microsoft Trojan:Win32/Bunitu.PVI!MTB
ZoneAlarm HEUR:Trojan-Banker.Win32.Qbot.pef
GData Gen:Heur.Mint.Regotet.1
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Kryptik.R337768
McAfee W32/PinkSbot-GS!B7D7F131260A
VBA32 BScope.Trojan.Inject
Malwarebytes Trojan.Qbot
ESET-NOD32 a variant of Win32/Kryptik.HEZT
TrendMicro-HouseCall TrojanSpy.Win32.QAKBOT.SMTHA.hp
Rising Trojan.Kryptik!1.C697 (CLASSIC)
Ikarus Backdoor.QBot
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran


PE Compile Time

2020-05-19 16:06:05

Imports

Library KERNEL32.dll:
0x490b60 GetModuleHandleA
0x490b64 GetStartupInfoA
0x490b68 GetCommandLineA
0x490b6c GetVersionExA
0x490b70 ExitProcess
0x490b74 GetProcAddress
0x490b78 WriteFile
0x490b7c GetStdHandle
0x490b80 GetModuleFileNameA
0x490b94 WideCharToMultiByte
0x490b98 GetLastError
0x490ba0 SetHandleCount
0x490ba4 GetFileType
0x490bac TlsFree
0x490bb0 SetLastError
0x490bb4 GetCurrentThreadId
0x490bb8 TlsSetValue
0x490bbc TlsGetValue
0x490bc0 TlsAlloc
0x490bc4 HeapDestroy
0x490bc8 HeapCreate
0x490bcc VirtualFree
0x490bd0 HeapFree
0x490bdc LoadLibraryA
0x490be0 GetACP
0x490be4 GetOEMCP
0x490be8 GetCPInfo
0x490bec HeapAlloc
0x490bf4 VirtualAlloc
0x490bf8 HeapReAlloc
0x490bfc LCMapStringA
0x490c00 MultiByteToWideChar
0x490c04 LCMapStringW
0x490c08 GetStringTypeA
0x490c0c GetStringTypeW
0x490c10 GetLocaleInfoA
0x490c14 RtlUnwind
0x490c18 VirtualProtect
0x490c1c GetSystemInfo
0x490c20 VirtualQuery
0x490c24 GetModuleHandleW
Library USER32.dll:
0x490c2c GetDC
0x490c30 SetDeskWallpaper
0x490c40 CharToOemBuffW
0x490c44 InsertMenuA
0x490c48 SetShellWindow
0x490c4c DefFrameProcW
0x490c50 DefMDIChildProcW
0x490c54 LoadCursorFromFileA
0x490c60 CreateMDIWindowA
0x490c64 LoadCursorA
0x490c68 SendMessageA
0x490c6c LoadImageW
0x490c70 ReleaseDC
0x490c74 SetMenuItemInfoW
0x490c78 DrawTextA
0x490c7c GetKeyboardState
0x490c80 ShowCursor
0x490c8c DefDlgProcW
0x490c90 ToUnicodeEx
0x490c94 mouse_event
0x490c98 GetDlgItemTextA
0x490c9c RemoveMenu
0x490ca0 GetClipboardData
0x490ca4 IMPGetIMEA
0x490ca8 CreateMDIWindowW
0x490cac CreatePopupMenu
0x490cb0 CallWindowProcA
0x490cb4 OemKeyScan
0x490cb8 SetWinEventHook
0x490cbc IsCharLowerW
0x490cc0 LoadMenuA
0x490cc4 DefDlgProcA
0x490cc8 EnumWindowStationsW
0x490ccc DrawIcon
0x490cd0 DdeAddData
0x490cd4 GetDoubleClickTime
0x490cd8 LoadIconA
0x490cdc GetCapture
0x490ce0 GetShellWindow
0x490ce4 GetMenuItemCount
0x490ce8 IsCharAlphaNumericW
0x490cec GetAsyncKeyState
0x490cf0 CharUpperW
0x490cf4 GetMenu
0x490cf8 DestroyIcon
0x490cfc GetTopWindow
0x490d00 GetSystemMetrics
0x490d0c GetSysColor
0x490d10 GetInputState
0x490d18 VkKeyScanW
0x490d1c GetDlgCtrlID
0x490d20 CharNextA
Library GDI32.dll:
0x490d28 SelectPalette
0x490d2c GetStringBitmapA
0x490d34 GdiResetDCEMF
0x490d38 DeleteObject
0x490d3c IntersectClipRect
0x490d44 GetCharWidthA
0x490d48 GetCharWidthW
0x490d4c GdiSetPixelFormat
0x490d50 GetWinMetaFileBits
0x490d54 EngFindResource
0x490d5c GetTextFaceW
0x490d64 CreateEnhMetaFileW
0x490d68 CLIPOBJ_cEnumStart
0x490d70 EngQueryEMFInfo
0x490d74 GetGlyphIndicesA
0x490d78 GetCharABCWidthsA
0x490d7c GdiAlphaBlend
0x490d80 EnumObjects
0x490d84 GetGlyphOutline
0x490d88 ScaleViewportExtEx
0x490d90 EndDoc
0x490d94 CreateICA
0x490da0 ExtEscape
0x490da8 GdiPrinterThunk
0x490dac SetGraphicsMode
0x490db4 GdiGetSpoolMessage
0x490dc4 EnableEUDC
0x490dc8 CreateEllipticRgn
0x490dcc RealizePalette
0x490dd0 BitBlt
0x490dd4 FONTOBJ_pfdg
0x490dd8 UpdateColors
0x490ddc GetStockObject
0x490de0 CreateMetaFileA
0x490de4 SetMetaRgn
0x490de8 UnrealizeObject
0x490dec SwapBuffers
0x490df0 StrokePath
0x490df4 CancelDC
0x490df8 EndPage
0x490dfc CreatePatternBrush
0x490e00 WidenPath
0x490e04 GetPolyFillMode
0x490e08 GetEnhMetaFileW
Library COMDLG32.dll:
0x490e10 GetFileTitleW
Library ADVAPI32.dll:
0x490e18 RegCloseKey
0x490e1c RegOpenKeyA
0x490e20 RegQueryValueExA
Library SHELL32.dll:
0x490e28 DragFinish
0x490e2c ShellExecuteExW
0x490e30 CheckEscapesW
0x490e34 DoEnvironmentSubstW
0x490e3c FindExecutableW
0x490e40 SHBindToParent
0x490e48 Shell_NotifyIcon
0x490e50 SHGetMalloc
0x490e58 SHGetFileInfo
0x490e5c DuplicateIcon
0x490e64 SHFileOperation
0x490e68 SHGetFileInfoA
0x490e74 SHFormatDrive
0x490e78 SHGetFolderLocation
0x490e7c SHBrowseForFolderA
0x490e80 ShellHookProc
0x490e84 SHBrowseForFolderW
0x490e88 DragQueryFile
0x490e8c SHAppBarMessage
0x490e90 SHFreeNameMappings
Library ole32.dll:
0x490e9c OleRun
0x490ea0 CoUninitialize
0x490ea4 CoInitializeEx
0x490ea8 CoCreateInstance
Library SHLWAPI.dll:
0x490eb0 PathIsUNCW
0x490eb4 StrChrA
0x490eb8 StrChrIA
0x490ebc StrStrA
Library COMCTL32.dll:
Library IMM32.dll:
0x490ecc ImmGetContext

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62192 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.