6.8
High risk

3beb95c4f83e5f7d1af897311a6cd1d8abfb04c656ca73d7f4c8db6ad6e5d150

be7ee52206a42e631960e3b64deda005.exe

Analysis duration

41s

Latest analysis

File size

674.0KB
Static detection Dynamic detection 100% AGEN AI SCORE=86 AIDETECTVM AUTO AUTOG AVSARHER BTOMTW CLASSIC CONFIDENCE DELF DELPHILESS EMHC FAREIT GENERICKD HIGH CONFIDENCE HLAMTA KRYPT MALWARE2 MALWARE@#12R54GR6SO2BJ ODRK QGX@AU1IWSOI R011C0DF420 S + TROJ SCORE SIGGEN2 STRICTOR SUSGEN SUSPICIOUS PE TROJANX TSCOPE UNSAFE X2066 ZELPHIF
Hawkeye engine
Not detected: no Hawkeye engine detection results are available
Static verdict
Anti-virus engines
Engine Result Scan time Engine version
McAfee Fareit-FTB!BE7EE52206A4 20201018 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Alibaba Trojan:Win32/Obfuscator.28a4bd42 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:TrojanX-gen [Trj] 20201018 18.4.3895.0
Kingsoft 20201018 2013.8.14.323
Tencent Win32.Trojan.Inject.Auto 20201018 1.0.0.1
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1619875597.606999
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34143796
registers.edi: 0
registers.eax: 0
registers.ebp: 34144136
registers.edx: 6
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 2e 6d 00 00 e9
exception.symbol: be7ee52206a42e631960e3b64deda005+0x5c46a
exception.instruction: div eax
exception.module: be7ee52206a42e631960e3b64deda005.exe
exception.exception_code: 0xc0000094
exception.offset: 377962
exception.address: 0x45c46a
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (4 events)
Time & API Arguments Status Return Repeated
1619875597.372999
NtAllocateVirtualMemory
process_identifier: 192
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01ea0000
success 0 0
1619875597.606999
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 28672
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045c000
success 0 0
1619875597.606999
NtAllocateVirtualMemory
process_identifier: 192
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x020a0000
success 0 0
1619875598.387874
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x008b0000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.369961281432709 section {'size_of_data': '0x0003b800', 'virtual_address': '0x00073000', 'entropy': 7.369961281432709, 'name': '.rsrc', 'virtual_size': '0x0003b770'} description A section with a high entropy has been found
entropy 0.35390334572490706 description Overall entropy of this PE file is high
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 192 called NtSetContextThread to modify thread in remote process 1916
Time & API Arguments Status Return Repeated
1619875597.934999
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4317856
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1916
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 192 resumed a thread in remote process 1916
Time & API Arguments Status Return Repeated
1619875598.153999
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 1916
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)
dead_host 172.217.24.14:443
Executed a process and injected code into it, probably while unpacking (6 events)
Time & API Arguments Status Return Repeated
1619875597.934999
CreateProcessInternalW
thread_identifier: 1940
thread_handle: 0x000000fc
process_identifier: 1916
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\be7ee52206a42e631960e3b64deda005.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619875597.934999
NtUnmapViewOfSection
process_identifier: 1916
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619875597.934999
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 1916
commit_size: 184320
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 184320
base_address: 0x00400000
success 0 0
1619875597.934999
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619875597.934999
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4317856
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1916
success 0 0
1619875598.153999
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 1916
success 0 0
File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43278623
FireEye Generic.mg.be7ee52206a42e63
McAfee Fareit-FTB!BE7EE52206A4
Zillya Trojan.Crypt.Win32.62526
SUPERAntiSpyware Trojan.Agent/Gen-Injector
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Trojan:Win32/Obfuscator.28a4bd42
K7GW Trojan ( 005680341 )
K7AntiVirus Trojan ( 005680341 )
Arcabit Trojan.Generic.D294611F
Invincea Mal/Generic-S + Troj/AutoG-IC
Cyren W32/Injector.ODRK-1096
Symantec Trojan.Gen.2
APEX Malicious
Avast Win32:TrojanX-gen [Trj]
ClamAV Win.Dropper.Fareit-7997346-0
Kaspersky HEUR:Trojan.Win32.Crypt.gen
BitDefender Trojan.GenericKD.43278623
NANO-Antivirus Riskware.Win32.Strictor.hlamta
Paloalto generic.ml
Rising Trojan.Injector!1.C77F (CLASSIC)
Ad-Aware Trojan.GenericKD.43278623
Sophos Troj/AutoG-IC
Comodo Malware@#12r54gr6so2bj
F-Secure Heuristic.HEUR/AGEN.1137421
DrWeb Trojan.PWS.Siggen2.49782
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R011C0DF420
McAfee-GW-Edition BehavesLike.Win32.Fareit.jc
Emsisoft Trojan.GenericKD.43278623 (B)
SentinelOne DFI - Suspicious PE
Jiangmin Trojan.Crypt.dhu
Avira HEUR/AGEN.1137421
eGambit Unsafe.AI_Score_100%
MAX malware (ai score=86)
Antiy-AVL Trojan/Win32.Crypt
Microsoft PWS:Win32/Fareit.SM!MTB
ZoneAlarm HEUR:Trojan.Win32.Crypt.gen
GData Trojan.GenericKD.43278623
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2066
Acronis suspicious
VBA32 TScope.Trojan.Delf
ALYac Trojan.GenericKD.43278623
TACHYON Trojan/W32.DP-Agent.690176.I
Malwarebytes Trojan.MalPack.DLF
ESET-NOD32 a variant of Win32/Injector.EMHC
TrendMicro-HouseCall TROJ_GEN.R011C0DF420
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x46713c VirtualFree
0x467140 VirtualAlloc
0x467144 LocalFree
0x467148 LocalAlloc
0x46714c GetVersion
0x467150 GetCurrentThreadId
0x46715c VirtualQuery
0x467160 WideCharToMultiByte
0x467164 MultiByteToWideChar
0x467168 lstrlenA
0x46716c lstrcpynA
0x467170 LoadLibraryExA
0x467174 GetThreadLocale
0x467178 GetStartupInfoA
0x46717c GetProcAddress
0x467180 GetModuleHandleA
0x467184 GetModuleFileNameA
0x467188 GetLocaleInfoA
0x46718c GetCommandLineA
0x467190 FreeLibrary
0x467194 FindFirstFileA
0x467198 FindClose
0x46719c ExitProcess
0x4671a0 WriteFile
0x4671a8 RtlUnwind
0x4671ac RaiseException
0x4671b0 GetStdHandle
Library user32.dll:
0x4671b8 GetKeyboardType
0x4671bc LoadStringA
0x4671c0 MessageBoxA
0x4671c4 CharNextA
Library advapi32.dll:
0x4671cc RegQueryValueExA
0x4671d0 RegOpenKeyExA
0x4671d4 RegCloseKey
Library oleaut32.dll:
0x4671dc SysFreeString
0x4671e0 SysReAllocStringLen
0x4671e4 SysAllocStringLen
Library kernel32.dll:
0x4671ec TlsSetValue
0x4671f0 TlsGetValue
0x4671f4 LocalAlloc
0x4671f8 GetModuleHandleA
Library advapi32.dll:
0x467200 RegQueryValueExA
0x467204 RegOpenKeyExA
0x467208 RegCloseKey
Library kernel32.dll:
0x467210 lstrcpyA
0x467214 WriteFile
0x46721c WaitForSingleObject
0x467220 VirtualQuery
0x467224 VirtualAlloc
0x467228 Sleep
0x46722c SizeofResource
0x467230 SetThreadLocale
0x467234 SetFilePointer
0x467238 SetEvent
0x46723c SetErrorMode
0x467240 SetEndOfFile
0x467244 ResetEvent
0x467248 ReadFile
0x46724c MulDiv
0x467250 LockResource
0x467254 LoadResource
0x467258 LoadLibraryA
0x467264 GlobalUnlock
0x467268 GlobalReAlloc
0x46726c GlobalHandle
0x467270 GlobalLock
0x467274 GlobalFree
0x467278 GlobalFindAtomA
0x46727c GlobalDeleteAtom
0x467280 GlobalAlloc
0x467284 GlobalAddAtomA
0x467288 GetVersionExA
0x46728c GetVersion
0x467290 GetTickCount
0x467294 GetThreadLocale
0x46729c GetSystemTime
0x4672a0 GetSystemInfo
0x4672a4 GetStringTypeExA
0x4672a8 GetStdHandle
0x4672ac GetProcAddress
0x4672b0 GetModuleHandleA
0x4672b4 GetModuleFileNameA
0x4672b8 GetLocaleInfoA
0x4672bc GetLocalTime
0x4672c0 GetLastError
0x4672c4 GetFullPathNameA
0x4672c8 GetFileAttributesA
0x4672cc GetDiskFreeSpaceA
0x4672d0 GetDateFormatA
0x4672d4 GetCurrentThreadId
0x4672d8 GetCurrentProcessId
0x4672dc GetCPInfo
0x4672e0 GetACP
0x4672e4 FreeResource
0x4672e8 InterlockedExchange
0x4672ec FreeLibrary
0x4672f0 FormatMessageA
0x4672f4 FindResourceA
0x4672f8 FindFirstFileA
0x4672fc FindClose
0x467308 ExitThread
0x46730c EnumCalendarInfoA
0x467318 CreateThread
0x46731c CreateFileA
0x467320 CreateEventA
0x467324 CompareStringA
0x467328 CloseHandle
Library version.dll:
0x467330 VerQueryValueA
0x467338 GetFileVersionInfoA
Library gdi32.dll:
0x467340 UnrealizeObject
0x467344 StretchBlt
0x467348 SetWindowOrgEx
0x46734c SetWinMetaFileBits
0x467350 SetViewportOrgEx
0x467354 SetTextColor
0x467358 SetStretchBltMode
0x46735c SetROP2
0x467360 SetPixel
0x467364 SetEnhMetaFileBits
0x467368 SetDIBColorTable
0x46736c SetBrushOrgEx
0x467370 SetBkMode
0x467374 SetBkColor
0x467378 SelectPalette
0x46737c SelectObject
0x467380 SaveDC
0x467384 RestoreDC
0x467388 Rectangle
0x46738c RectVisible
0x467390 RealizePalette
0x467394 Polyline
0x467398 PlayEnhMetaFile
0x46739c PatBlt
0x4673a0 MoveToEx
0x4673a4 MaskBlt
0x4673a8 LineTo
0x4673ac IntersectClipRect
0x4673b0 GetWindowOrgEx
0x4673b4 GetWinMetaFileBits
0x4673b8 GetTextMetricsA
0x4673c4 GetStockObject
0x4673c8 GetPixel
0x4673cc GetPaletteEntries
0x4673d0 GetObjectA
0x4673dc GetEnhMetaFileBits
0x4673e0 GetDeviceCaps
0x4673e4 GetDIBits
0x4673e8 GetDIBColorTable
0x4673ec GetDCOrgEx
0x4673f4 GetClipBox
0x4673f8 GetBrushOrgEx
0x4673fc GetBitmapBits
0x467400 ExtTextOutA
0x467404 ExcludeClipRect
0x467408 DeleteObject
0x46740c DeleteEnhMetaFile
0x467410 DeleteDC
0x467414 CreateSolidBrush
0x467418 CreatePenIndirect
0x46741c CreatePalette
0x467424 CreateFontIndirectA
0x467428 CreateDIBitmap
0x46742c CreateDIBSection
0x467430 CreateCompatibleDC
0x467438 CreateBrushIndirect
0x46743c CreateBitmap
0x467440 CopyEnhMetaFileA
0x467444 BitBlt
Library user32.dll:
0x46744c CreateWindowExA
0x467450 WindowFromPoint
0x467454 WinHelpA
0x467458 WaitMessage
0x46745c UpdateWindow
0x467460 UnregisterClassA
0x467464 UnhookWindowsHookEx
0x467468 TranslateMessage
0x467470 TrackPopupMenu
0x467478 ShowWindow
0x46747c ShowScrollBar
0x467480 ShowOwnedPopups
0x467484 ShowCursor
0x467488 SetWindowsHookExA
0x46748c SetWindowTextA
0x467490 SetWindowPos
0x467494 SetWindowPlacement
0x467498 SetWindowLongA
0x46749c SetTimer
0x4674a0 SetScrollRange
0x4674a4 SetScrollPos
0x4674a8 SetScrollInfo
0x4674ac SetRect
0x4674b0 SetPropA
0x4674b4 SetParent
0x4674b8 SetMenuItemInfoA
0x4674bc SetMenu
0x4674c0 SetForegroundWindow
0x4674c4 SetFocus
0x4674c8 SetCursor
0x4674cc SetClassLongA
0x4674d0 SetCapture
0x4674d4 SetActiveWindow
0x4674d8 SendMessageA
0x4674dc ScrollWindow
0x4674e0 ScreenToClient
0x4674e4 RemovePropA
0x4674e8 RemoveMenu
0x4674ec ReleaseDC
0x4674f0 ReleaseCapture
0x4674fc RegisterClassA
0x467500 RedrawWindow
0x467504 PtInRect
0x467508 PostQuitMessage
0x46750c PostMessageA
0x467510 PeekMessageA
0x467514 OffsetRect
0x467518 OemToCharA
0x46751c MessageBoxA
0x467520 MapWindowPoints
0x467524 MapVirtualKeyA
0x467528 LoadStringA
0x46752c LoadKeyboardLayoutA
0x467530 LoadIconA
0x467534 LoadCursorA
0x467538 LoadBitmapA
0x46753c KillTimer
0x467540 IsZoomed
0x467544 IsWindowVisible
0x467548 IsWindowEnabled
0x46754c IsWindow
0x467550 IsRectEmpty
0x467554 IsIconic
0x467558 IsDialogMessageA
0x46755c IsChild
0x467560 InvalidateRect
0x467564 IntersectRect
0x467568 InsertMenuItemA
0x46756c InsertMenuA
0x467570 InflateRect
0x467578 GetWindowTextA
0x46757c GetWindowRect
0x467580 GetWindowPlacement
0x467584 GetWindowLongA
0x467588 GetWindowDC
0x46758c GetTopWindow
0x467590 GetSystemMetrics
0x467594 GetSystemMenu
0x467598 GetSysColorBrush
0x46759c GetSysColor
0x4675a0 GetSubMenu
0x4675a4 GetScrollRange
0x4675a8 GetScrollPos
0x4675ac GetScrollInfo
0x4675b0 GetPropA
0x4675b4 GetParent
0x4675b8 GetWindow
0x4675bc GetMenuStringA
0x4675c0 GetMenuState
0x4675c4 GetMenuItemInfoA
0x4675c8 GetMenuItemID
0x4675cc GetMenuItemCount
0x4675d0 GetMenu
0x4675d4 GetLastActivePopup
0x4675d8 GetKeyboardState
0x4675e0 GetKeyboardLayout
0x4675e4 GetKeyState
0x4675e8 GetKeyNameTextA
0x4675ec GetIconInfo
0x4675f0 GetForegroundWindow
0x4675f4 GetFocus
0x4675f8 GetDlgItem
0x4675fc GetDesktopWindow
0x467600 GetDCEx
0x467604 GetDC
0x467608 GetCursorPos
0x46760c GetCursor
0x467610 GetClipboardData
0x467614 GetClientRect
0x467618 GetClassNameA
0x46761c GetClassInfoA
0x467620 GetCapture
0x467624 GetActiveWindow
0x467628 FrameRect
0x46762c FindWindowA
0x467630 FillRect
0x467634 EqualRect
0x467638 EnumWindows
0x46763c EnumThreadWindows
0x467640 EndPaint
0x467644 EnableWindow
0x467648 EnableScrollBar
0x46764c EnableMenuItem
0x467650 DrawTextA
0x467654 DrawMenuBar
0x467658 DrawIconEx
0x46765c DrawIcon
0x467660 DrawFrameControl
0x467664 DrawFocusRect
0x467668 DrawEdge
0x46766c DispatchMessageA
0x467670 DestroyWindow
0x467674 DestroyMenu
0x467678 DestroyIcon
0x46767c DestroyCursor
0x467680 DeleteMenu
0x467684 DefWindowProcA
0x467688 DefMDIChildProcA
0x46768c DefFrameProcA
0x467690 CreatePopupMenu
0x467694 CreateMenu
0x467698 CreateIcon
0x46769c ClientToScreen
0x4676a0 CheckMenuItem
0x4676a4 CallWindowProcA
0x4676a8 CallNextHookEx
0x4676ac BeginPaint
0x4676b0 CharNextA
0x4676b4 CharLowerBuffA
0x4676b8 CharLowerA
0x4676bc CharToOemA
0x4676c0 AdjustWindowRectEx
Library kernel32.dll:
0x4676cc Sleep
Library oleaut32.dll:
0x4676d4 SafeArrayPtrOfIndex
0x4676d8 SafeArrayGetUBound
0x4676dc SafeArrayGetLBound
0x4676e0 SafeArrayCreate
0x4676e4 VariantChangeType
0x4676e8 VariantCopy
0x4676ec VariantClear
0x4676f0 VariantInit
Library comctl32.dll:
0x467700 ImageList_Write
0x467704 ImageList_Read
0x467714 ImageList_DragMove
0x467718 ImageList_DragLeave
0x46771c ImageList_DragEnter
0x467720 ImageList_EndDrag
0x467724 ImageList_BeginDrag
0x467728 ImageList_Remove
0x46772c ImageList_DrawEx
0x467730 ImageList_Replace
0x467734 ImageList_Draw
0x467744 ImageList_Add
0x46774c ImageList_Destroy
0x467750 ImageList_Create
0x467754 InitCommonControls
Library comdlg32.dll:
0x46775c GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 53658 239.255.255.250 3702
192.168.56.101 55369 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.