SmartHawk

10.0

0-day

53 个模型检测该样本为恶意！

重新分析

下载样本

e3f68e3679fc2ab587e712ce137e107318ebaa6bd5e724a76200bb10c945312b

b9c6aad2753d835eefeeae486fac18ba.exe

分析耗时

41s

最近分析

文件大小

395.5KB

静态报毒动态报毒 100% AGENTESLA AI SCORE=81 ATTRIBUTE AUTO AVSARHER BTHTOV CONFIDENCE ELDORADO FORMBOOK GDSDA HEAPOVERRIDE HIGH CONFIDENCE HIGHCONFIDENCE IZPIE KRYPTIK MALICIOUS PE MALWARE@#DVOL26D9LEA1 NOON PWSX QVM03 R002C0PE720 RAZY SIGGEN9 SUSGEN TROJANPSW UNSAFE YU0@AKOQ9AE ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Packed-FJS!B9C6AAD2753D	20200520	6.0.6.653
Alibaba	TrojanPSW:MSIL/Agentesla.4f36e042	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:PWSX-gen [Trj]	20200520	18.4.3895.0
Kingsoft		20200520	2013.8.14.323
Tencent	Win32.Trojan.Inject.Auto	20200520	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Checks if process is being debugged by a debugger (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861122.066915 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861126.159915 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 个事件)

section	~+S5fg!O
section

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 63 个事件)

Time & API	Arguments	Status
1619861121.081915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00650000	success
1619861121.081915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x007f0000	success
1619861121.988915 NtProtectVirtualMemory	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f31000	success
1619861122.066915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0058a000	success
1619861122.066915 NtProtectVirtualMemory	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f32000	success
1619861122.066915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00582000	success
1619861122.488915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00592000	success
1619861122.800915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00593000	success
1619861122.831915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005cb000	success
1619861122.831915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c7000	success
1619861122.863915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0059c000	success
1619861123.081915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01f60000	success
1619861123.300915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01f61000	success
1619861123.331915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0059a000	success
1619861123.394915 NtProtectVirtualMemory	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 294912 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00a32000	success
1619861130.909915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00594000	success
1619861130.925915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01f62000	success
1619861131.019915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01f63000	success
1619861131.034915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01f64000	success
1619861131.097915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01f65000	success
1619861131.488915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00595000	success
1619861131.519915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00596000	success
1619861131.581915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00597000	success
1619861131.581915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01f66000	success
1619861131.691915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005aa000	success
1619861131.691915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005a7000	success
1619861131.691915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ba000	success
1619861131.706915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0058b000	success
1619861131.847915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01f67000	success
1619861131.894915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005a6000	success
1619861132.253915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x007f1000	success
1619861132.253915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x007f2000	success
1619861132.269915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04730000	success
1619861132.534915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x007f3000	success
1619861132.550915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x007f4000	success
1619861132.566915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04731000	success
1619861134.550915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01f68000	success
1619861134.566915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00598000	success
1619861134.613915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005b2000	success
1619861134.659915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c5000	success
1619861134.800915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x007f5000	success
1619861134.800915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x007f9000	success
1619861134.894915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00599000	success
1619861135.034915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01f69000	success
1619861135.050915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x06940000	success
1619861135.050915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x06a90000	success
1619861135.050915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x06a91000	success
1619861135.081915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x06a92000	success
1619861135.097915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x06a93000	success
1619861135.097915 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x06a94000	success

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861134.503915 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.9992500634062065

section

{'size_of_data': '0x00047200', 'virtual_address': '0x00002000', 'entropy': 7.9992500634062065, 'name': '~+S5fg!O', 'virtual_size': '0x000470cc'}

description

A section with a high entropy has been found

entropy

0.7211660329531052

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861123.378915 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861135.863915 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3064 process_handle: 0x00007cdc	failed	0	0
1619861135.863915 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3064 process_handle: 0x00007cdc	success	0	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861135.488915 NtAllocateVirtualMemory	process_identifier: 3064 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00001d80 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619861135.956915 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000115e0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Disables proxy possibly for traffic interception (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861133.909915 RegSetValueExA	key_handle: 0x0000d0a8 value: 0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	success	0	0

Manipulates memory of a non-child process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2128 manipulating memory of non-child process 3064
1619861135.488915 NtAllocateVirtualMemory	process_identifier: 3064 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00001d80 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Potential code injection by writing to the memory of another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861135.956915 WriteProcessMemory	process_identifier: 2668 buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $ßªCÂË-Ë-Ë-VÙË-V³Ë-V°Ë-RichË-PELi²{Ià ¶ @ @.text$ ` process_handle: 0x000115e0 base_address: 0x00400000	success	1	0
1619861135.972915 WriteProcessMemory	process_identifier: 2668 buffer: @ process_handle: 0x000115e0 base_address: 0x7efde008	success	1	0

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861135.956915 WriteProcessMemory	process_identifier: 2668 buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $ßªCÂË-Ë-Ë-VÙË-V³Ë-V°Ë-RichË-PELi²{Ià ¶ @ @.text$ ` process_handle: 0x000115e0 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2128 called NtSetContextThread to modify thread in remote process 2668
1619861135.972915 NtSetContextThread	thread_handle: 0x00007cdc registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4306560 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2668	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2128 resumed a thread in remote process 2668
1619861136.191915 NtResumeThread	thread_handle: 0x00007cdc suspend_count: 1 process_identifier: 2668	success	0	0

Executed a process and injected code into it, probably while unpacking (14 个事件)

Time & API	Arguments	Status	Return
1619861122.066915 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 2128	success	0
1619861122.128915 NtResumeThread	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2128	success	0
1619861133.988915 NtResumeThread	thread_handle: 0x00011538 suspend_count: 1 process_identifier: 2128	success	0
1619861135.472915 CreateProcessInternalW	thread_identifier: 2996 thread_handle: 0x000115dc process_identifier: 3064 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b9c6aad2753d835eefeeae486fac18ba.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b9c6aad2753d835eefeeae486fac18ba.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00001d80 inherit_handles: 0	success	1
1619861135.488915 NtGetContextThread	thread_handle: 0x000115dc	success	0
1619861135.488915 NtAllocateVirtualMemory	process_identifier: 3064 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00001d80 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619861135.956915 CreateProcessInternalW	thread_identifier: 2732 thread_handle: 0x00007cdc process_identifier: 2668 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b9c6aad2753d835eefeeae486fac18ba.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b9c6aad2753d835eefeeae486fac18ba.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000115e0 inherit_handles: 0	success	1
1619861135.956915 NtGetContextThread	thread_handle: 0x00007cdc	success	0
1619861135.956915 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000115e0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619861135.956915 WriteProcessMemory	process_identifier: 2668 buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $ßªCÂË-Ë-Ë-VÙË-V³Ë-V°Ë-RichË-PELi²{Ià ¶ @ @.text$ ` process_handle: 0x000115e0 base_address: 0x00400000	success	1
1619861135.956915 WriteProcessMemory	process_identifier: 2668 buffer: process_handle: 0x000115e0 base_address: 0x00401000	success	1
1619861135.972915 WriteProcessMemory	process_identifier: 2668 buffer: @ process_handle: 0x000115e0 base_address: 0x7efde008	success	1
1619861135.972915 NtSetContextThread	thread_handle: 0x00007cdc registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4306560 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2668	success	0
1619861136.191915 NtResumeThread	thread_handle: 0x00007cdc suspend_count: 1 process_identifier: 2668	success	0

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 个事件)

MicroWorld-eScan	Gen:Variant.Razy.552185
FireEye	Generic.mg.b9c6aad2753d835e
CAT-QuickHeal	Trojan.Multi
McAfee	Packed-FJS!B9C6AAD2753D
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.2014439
Sangfor	Malware
K7AntiVirus	Trojan ( 0056635c1 )
Alibaba	TrojanPSW:MSIL/Agentesla.4f36e042
K7GW	Trojan ( 0056635c1 )
Cybereason	malicious.5e692c
TrendMicro	TROJ_GEN.R002C0PE720
F-Prot	W32/MSIL_Kryptik.ARI.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender	Gen:Variant.Razy.552185
Paloalto	generic.ml
AegisLab	Trojan.Multi.Generic.4!c
Endgame	malicious (high confidence)
Emsisoft	Trojan.Crypt (A)
Comodo	Malware@#dvol26d9lea1
F-Secure	Trojan.TR/Kryptik.izpie
DrWeb	Trojan.Siggen9.44821
VIPRE	Trojan.Win32.Generic!BT
Invincea	heuristic
McAfee-GW-Edition	BehavesLike.Win32.Backdoor.fc
Sophos	Mal/Generic-S
SentinelOne	DFI - Malicious PE
Cyren	W32/MSIL_Kryptik.ARI.gen!Eldorado
Avira	TR/Kryptik.izpie
Antiy-AVL	Trojan[Spy]/MSIL.Noon
Microsoft	PWS:MSIL/Agentesla!MTB
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Noon.gen
GData	Gen:Variant.Razy.552185
Acronis	suspicious
VBA32	CIL.HeapOverride.Heur
ALYac	Trojan.Agent.FormBook
Ad-Aware	Gen:Variant.Razy.552185
Malwarebytes	Trojan.MalPack.DFD.Generic
ESET-NOD32	a variant of MSIL/Kryptik.VUD
TrendMicro-HouseCall	TROJ_GEN.R002C0PE720
Tencent	Win32.Trojan.Inject.Auto
Yandex	Trojan.AvsArher.bTHtOv
MAX	malware (ai score=81)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.3A7D!tr
BitDefenderTheta	Gen:NN.ZemsilF.34110.yu0@aKoq9Ae
AVG	Win32:PWSX-gen [Trj]

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-05-07 08:31:54

Imports

Library mscoree.dll:

• 0x46a000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	62192	239.255.255.250	3702
192.168.56.101	65005	239.255.255.250	3702
192.168.56.101	65007	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.