SmartHawk

9.2

极危

45 个模型检测该样本为恶意！

重新分析

下载样本

7662b95c8a34a134787fc3242b8b82059416f582103965a8da7457769e2739f1

be225ec01cc3c8f2d7b840a9c20a6a56.exe

分析耗时

92s

最近分析

文件大小

476.5KB

静态报毒动态报毒 AI SCORE=89 ATTRIBUTE CONFIDENCE ELDORADO EPVU FAREIT FVTN GDSDA GENERICKD GENKRYPTIK HIGH CONFIDENCE HIGHCONFIDENCE HRLLVH KRYPTIK MALICIOUS PE MASSLOGGER PACKEDNET PWSX QEXC R002C0DH820 R347089 SCORE UNSAFE 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FXH!BE225EC01CC3	20200828	6.0.6.653
Alibaba	TrojanSpy:MSIL/Masslogger.dcea0b22	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:PWSX-gen [Trj]	20200828	18.4.3895.0
Kingsoft		20200829	2013.8.14.323
Tencent		20200829	1.0.0.1
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0

Checks if process is being debugged by a debugger (3 个事件)

Time & API	Arguments	Status	Return	Repeated
1619863515.65425 IsDebuggerPresent		failed	0	0
1619863568.06025 IsDebuggerPresent		failed	0	0
1619863568.420125 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619863564.23225 GlobalMemoryStatusEx		success	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 113 个事件)

Time & API	Arguments	Status	Return
1619863514.67025 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00780000	success	0
1619863514.67025 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00860000	success	0
1619863515.59225 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73c51000	success	0
1619863515.65425 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005aa000	success	0
1619863515.65425 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73c52000	success	0
1619863515.65425 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005a2000	success	0
1619863515.95125 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c2000	success	0
1619863516.02925 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c3000	success	0
1619863516.04525 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0060b000	success	0
1619863516.04525 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00607000	success	0
1619863516.07625 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005cc000	success	0
1619863520.88825 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c4000	success	0
1619863520.88825 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c5000	success	0
1619863520.95125 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c6000	success	0
1619863520.96725 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00730000	success	0
1619863521.10725 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ea000	success	0
1619863521.10725 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e7000	success	0
1619863521.10725 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005fa000	success	0
1619863521.17025 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ab000	success	0
1619863521.27925 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00731000	success	0
1619863521.54525 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e6000	success	0
1619863521.81025 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00850000	success	0
1619863521.82625 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ca000	success	0
1619863521.92025 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00861000	success	0
1619863522.21725 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005f2000	success	0
1619863522.27925 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00605000	success	0
1619863522.52925 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00735000	success	0
1619863522.84225 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c7000	success	0
1619863522.92025 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00736000	success	0
1619863563.93525 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00737000	success	0
1619863564.10725 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00738000	success	0
1619863564.27925 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005fc000	success	0
1619863564.37325 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00739000	success	0
1619863564.40425 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c8000	success	0
1619863564.43525 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0073a000	success	0
1619863564.60725 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00851000	success	0
1619863564.62325 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 291328 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05550400	failed	3221225550
1619863567.59225 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0073b000	success	0
1619863567.62325 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c9000	success	0
1619863567.62325 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0073c000	success	0
1619863567.63825 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0073d000	success	0
1619863567.68525 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0073e000	success	0
1619863567.68525 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0073f000	success	0
1619863567.81025 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04ac0000	success	0
1619863567.82625 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04ac1000	success	0
1619863567.82625 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05550178	failed	3221225550
1619863567.82625 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x055501a0	failed	3221225550
1619863567.82625 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x055501c8	failed	3221225550
1619863567.82625 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x055501f0	failed	3221225550
1619863567.82625 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05550218	failed	3221225550

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.808892035826932

section

{'size_of_data': '0x00076800', 'virtual_address': '0x00002000', 'entropy': 7.808892035826932, 'name': '.text', 'virtual_size': '0x0007664c'}

description

A section with a high entropy has been found

entropy

0.9957983193277311

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619863564.62325 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	203.208.41.98

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619863568.17025 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000021c8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619863568.17025 WriteProcessMemory	process_identifier: 1880 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¦'_àP.o @ À@ÜnO H.text4O P `.rsrcR@@.reloc V@B process_handle: 0x000021c8 base_address: 0x00400000	success	1
1619863568.18525 WriteProcessMemory	process_identifier: 1880 buffer: 0HX¼¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNametoHSvdoBrhEAteBmjhfWzDqRDUHwoCoIxxTA.exe(LegalCopyright \|)OriginalFilenametoHSvdoBrhEAteBmjhfWzDqRDUHwoCoIxxTA.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x000021c8 base_address: 0x00448000	success	1
1619863568.18525 WriteProcessMemory	process_identifier: 1880 buffer: `0? process_handle: 0x000021c8 base_address: 0x0044a000	success	1
1619863568.18525 WriteProcessMemory	process_identifier: 1880 buffer: @ process_handle: 0x000021c8 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619863568.17025 WriteProcessMemory	process_identifier: 1880 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¦'_àP.o @ À@ÜnO H.text4O P `.rsrcR@@.reloc V@B process_handle: 0x000021c8 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1948 called NtSetContextThread to modify thread in remote process 1880
1619863568.18525 NtSetContextThread	thread_handle: 0x0000afac registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4484910 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1880	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1948 resumed a thread in remote process 1880
1619863568.24825 NtResumeThread	thread_handle: 0x0000afac suspend_count: 1 process_identifier: 1880	success	0	0

Executed a process and injected code into it, probably while unpacking (16 个事件)

Time & API	Arguments	Status	Return
1619863515.65425 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 1948	success	0
1619863515.71725 NtResumeThread	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 1948	success	0
1619863567.99825 NtResumeThread	thread_handle: 0x0000c470 suspend_count: 1 process_identifier: 1948	success	0
1619863568.02925 NtResumeThread	thread_handle: 0x0000a310 suspend_count: 1 process_identifier: 1948	success	0
1619863568.17025 CreateProcessInternalW	thread_identifier: 912 thread_handle: 0x0000afac process_identifier: 1880 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\be225ec01cc3c8f2d7b840a9c20a6a56.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\be225ec01cc3c8f2d7b840a9c20a6a56.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000021c8 inherit_handles: 0	success	1
1619863568.17025 NtGetContextThread	thread_handle: 0x0000afac	success	0
1619863568.17025 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000021c8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619863568.17025 WriteProcessMemory	process_identifier: 1880 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¦'_àP.o @ À@ÜnO H.text4O P `.rsrcR@@.reloc V@B process_handle: 0x000021c8 base_address: 0x00400000	success	1
1619863568.17025 WriteProcessMemory	process_identifier: 1880 buffer: process_handle: 0x000021c8 base_address: 0x00402000	success	1
1619863568.18525 WriteProcessMemory	process_identifier: 1880 buffer: 0HX¼¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNametoHSvdoBrhEAteBmjhfWzDqRDUHwoCoIxxTA.exe(LegalCopyright \|)OriginalFilenametoHSvdoBrhEAteBmjhfWzDqRDUHwoCoIxxTA.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x000021c8 base_address: 0x00448000	success	1
1619863568.18525 WriteProcessMemory	process_identifier: 1880 buffer: `0? process_handle: 0x000021c8 base_address: 0x0044a000	success	1
1619863568.18525 WriteProcessMemory	process_identifier: 1880 buffer: @ process_handle: 0x000021c8 base_address: 0x7efde008	success	1
1619863568.18525 NtSetContextThread	thread_handle: 0x0000afac registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4484910 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1880	success	0
1619863568.24825 NtResumeThread	thread_handle: 0x0000afac suspend_count: 1 process_identifier: 1880	success	0
1619863568.420125 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 1880	success	0
1619863568.435125 NtResumeThread	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 1880	success	0

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.34303208
FireEye	Generic.mg.be225ec01cc3c8f2
CAT-QuickHeal	Trojan.MSIL
McAfee	Fareit-FXH!BE225EC01CC3
Malwarebytes	Trojan.MalPack.FVTN
Zillya	Trojan.Agent.Win32.1364985
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	TrojanSpy:MSIL/Masslogger.dcea0b22
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.fdd53f
TrendMicro	TROJ_GEN.R002C0DH820
Cyren	W32/MSIL_Kryptik.BIY.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan.MSIL.Agent.gen
BitDefender	Trojan.GenericKD.34303208
NANO-Antivirus	Trojan.Win32.PackedNET.hrllvh
Paloalto	generic.ml
AegisLab	Trojan.Win32.Malicious.4!c
Ad-Aware	Trojan.GenericKD.34303208
Emsisoft	Trojan.GenericKD.34303208 (B)
DrWeb	Trojan.PackedNET.405
VIPRE	Trojan.Win32.Generic!BT
Invincea	heuristic
Sophos	Mal/Generic-S
SentinelOne	DFI - Malicious PE
Jiangmin	Trojan.MSIL.qexc
MAX	malware (ai score=89)
Antiy-AVL	Trojan/MSIL.Kryptik
Microsoft	TrojanSpy:MSIL/Masslogger.AR!MTB
Arcabit	Trojan.Generic.D20B6CE8
ViRobot	Trojan.Win32.Z.Masslogger.487936.B
ZoneAlarm	HEUR:Trojan.MSIL.Agent.gen
GData	Trojan.GenericKD.34303208
AhnLab-V3	Trojan/Win32.Agent.R347089
ESET-NOD32	a variant of MSIL/Kryptik.XGR
TrendMicro-HouseCall	TROJ_GEN.R002C0DH820
Ikarus	Trojan-Spy.MassLogger
eGambit	Unsafe.AI_Score_68%
Fortinet	MSIL/GenKryptik.EPVU!tr
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_90% (W)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.27.142:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-06 21:48:40

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	CNAME clients.l.google.com A 172.217.27.142	172.217.160.78
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51379	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.