SmartHawk

11.0

0-day

53 个模型检测该样本为恶意！

重新分析

下载样本

9712dff3b6fa45fc67392d63381d89f975fa09cf553d8ed69bad81cd61b8ff65

cb11ecf7241a48ebe88b231b933255b0.exe

分析耗时

106s

最近分析

文件大小

720.5KB

静态报毒动态报毒 AGENTTESLA AI SCORE=86 ATTRIBUTE CONFIDENCE ELDORADO FAREIT FORMBOOK GDSDA GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE KRYPTIK MALICIOUS PE MALWARE@#2DGPEEQWR001K NQYPS PACKEDNET QFRR R002C0DHA20 RATX SCORE SUSGEN SXXP TM0@AGUV9K UNSAFE ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FXH!CB11ECF7241A	20201023	6.0.6.653
Alibaba	Trojan:MSIL/AgentTesla.5f482da2	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:RATX-gen [Trj]	20201023	18.4.3895.0
Tencent	Msil.Trojan.Crypt.Sxxp	20201023	1.0.0.1
Kingsoft		20201023	2013.8.14.323
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0

Queries for the computername (4 个事件)

Time & API	Arguments	Status	Return
1619932495.20825 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619932496.30225 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619932498.02125 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619932498.19225 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (50 out of 96 个事件)

Time & API	Arguments	Status	Return	Repeated
1619906612.406625 IsDebuggerPresent		failed	0	0
1619906613.765625 IsDebuggerPresent		failed	0	0
1619906614.265625 IsDebuggerPresent		failed	0	0
1619906614.765625 IsDebuggerPresent		failed	0	0
1619906615.265625 IsDebuggerPresent		failed	0	0
1619906615.765625 IsDebuggerPresent		failed	0	0
1619906616.265625 IsDebuggerPresent		failed	0	0
1619906616.765625 IsDebuggerPresent		failed	0	0
1619906617.265625 IsDebuggerPresent		failed	0	0
1619906617.765625 IsDebuggerPresent		failed	0	0
1619906618.265625 IsDebuggerPresent		failed	0	0
1619906618.765625 IsDebuggerPresent		failed	0	0
1619906619.265625 IsDebuggerPresent		failed	0	0
1619906619.765625 IsDebuggerPresent		failed	0	0
1619906620.265625 IsDebuggerPresent		failed	0	0
1619906620.765625 IsDebuggerPresent		failed	0	0
1619906621.265625 IsDebuggerPresent		failed	0	0
1619906621.765625 IsDebuggerPresent		failed	0	0
1619906622.265625 IsDebuggerPresent		failed	0	0
1619906622.765625 IsDebuggerPresent		failed	0	0
1619906623.265625 IsDebuggerPresent		failed	0	0
1619906623.765625 IsDebuggerPresent		failed	0	0
1619906624.265625 IsDebuggerPresent		failed	0	0
1619906624.765625 IsDebuggerPresent		failed	0	0
1619906625.265625 IsDebuggerPresent		failed	0	0
1619906625.765625 IsDebuggerPresent		failed	0	0
1619906626.265625 IsDebuggerPresent		failed	0	0
1619906626.765625 IsDebuggerPresent		failed	0	0
1619906627.265625 IsDebuggerPresent		failed	0	0
1619906627.765625 IsDebuggerPresent		failed	0	0
1619906628.265625 IsDebuggerPresent		failed	0	0
1619906628.765625 IsDebuggerPresent		failed	0	0
1619906629.265625 IsDebuggerPresent		failed	0	0
1619906629.765625 IsDebuggerPresent		failed	0	0
1619906630.265625 IsDebuggerPresent		failed	0	0
1619906630.765625 IsDebuggerPresent		failed	0	0
1619906631.265625 IsDebuggerPresent		failed	0	0
1619906631.765625 IsDebuggerPresent		failed	0	0
1619906632.265625 IsDebuggerPresent		failed	0	0
1619906632.765625 IsDebuggerPresent		failed	0	0
1619906633.265625 IsDebuggerPresent		failed	0	0
1619906633.765625 IsDebuggerPresent		failed	0	0
1619906634.265625 IsDebuggerPresent		failed	0	0
1619906634.765625 IsDebuggerPresent		failed	0	0
1619906635.265625 IsDebuggerPresent		failed	0	0
1619906635.765625 IsDebuggerPresent		failed	0	0
1619906636.265625 IsDebuggerPresent		failed	0	0
1619906636.765625 IsDebuggerPresent		failed	0	0
1619906637.265625 IsDebuggerPresent		failed	0	0
1619906637.765625 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619906656.812625 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619932497.98925 __exception__	stacktrace: 0x46ee6fd 0x46eda77 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73c51b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73c68dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73c76a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73c76a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73c76a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73d16a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73d169ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73d16eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73d170b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73d16fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 2224980 registers.edi: 2225008 registers.eax: 0 registers.ebp: 2225024 registers.edx: 158 registers.ebx: 0 registers.esi: 39830308 registers.ecx: 0 exception.instruction_r: 8b 01 ff 50 28 89 45 dc b8 97 52 ac 20 eb 86 8b exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x46eead1	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619932497.98925
__exception__

stacktrace:

0x46ee6fd
0x46eda77
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73c51b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73c68dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73c76a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73c76a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73c76a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73d16a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73d169ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73d16eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73d170b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73d16fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2224980
registers.edi: 2225008
registers.eax: 0
registers.ebp: 2225024
registers.edx: 158
registers.ebx: 0
registers.esi: 39830308
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 dc b8 97 52 ac 20 eb 86 8b
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x46eead1

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 128 个事件)

Time & API	Arguments	Status	Return
1619906611.453625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x009e0000	success	0
1619906611.453625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b60000	success	0
1619906612.390625 NtProtectVirtualMemory	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73c51000	success	0
1619906612.406625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0042a000	success	0
1619906612.406625 NtProtectVirtualMemory	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73c52000	success	0
1619906612.406625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00422000	success	0
1619906612.687625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00432000	success	0
1619906612.781625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00433000	success	0
1619906612.797625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0056b000	success	0
1619906612.797625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00567000	success	0
1619906612.812625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0043c000	success	0
1619906612.875625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00650000	success	0
1619906613.140625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0043a000	success	0
1619906613.234625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0055a000	success	0
1619906613.312625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00552000	success	0
1619906613.375625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00434000	success	0
1619906613.453625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00565000	success	0
1619906614.015625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00435000	success	0
1619906614.140625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0044a000	success	0
1619906614.140625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00447000	success	0
1619906614.140625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0042b000	success	0
1619906614.172625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00446000	success	0
1619906614.203625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00651000	success	0
1619906614.453625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x023b0000	success	0
1619906614.515625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00437000	success	0
1619906614.609625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00654000	success	0
1619906655.687625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b61000	success	0
1619906655.797625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00655000	success	0
1619906655.797625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00656000	success	0
1619906655.969625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0055c000	success	0
1619906656.125625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00657000	success	0
1619906656.187625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00438000	success	0
1619906656.219625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00658000	success	0
1619906656.515625 NtProtectVirtualMemory	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 299008 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05470400	failed	3221225550
1619906659.422625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00659000	success	0
1619906659.422625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00439000	success	0
1619906659.422625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0065a000	success	0
1619906659.437625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0065b000	success	0
1619906659.453625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0065c000	success	0
1619906659.469625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0065d000	success	0
1619906659.594625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0065e000	success	0
1619906659.640625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x056f0000	success	0
1619906659.640625 NtAllocateVirtualMemory	process_identifier: 2440 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x056f1000	success	0
1619906659.640625 NtProtectVirtualMemory	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05470178	failed	3221225550
1619906659.640625 NtProtectVirtualMemory	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x054701a0	failed	3221225550
1619906659.640625 NtProtectVirtualMemory	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x054701c8	failed	3221225550
1619906659.640625 NtProtectVirtualMemory	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x054701f0	failed	3221225550
1619906659.640625 NtProtectVirtualMemory	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05470218	failed	3221225550
1619906659.640625 NtProtectVirtualMemory	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x054b9cee	failed	3221225550
1619906659.640625 NtProtectVirtualMemory	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x054b9ce2	failed	3221225550

A process attempted to delay the analysis task. (1 个事件)

description

cb11ecf7241a48ebe88b231b933255b0.exe tried to sleep 148 seconds, actually delayed analysis time by 148 seconds

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.632706178868967

section

{'size_of_data': '0x0008a400', 'virtual_address': '0x00002000', 'entropy': 7.632706178868967, 'name': '.text', 'virtual_size': '0x0008a394'}

description

A section with a high entropy has been found

entropy

0.7680555555555556

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619906613.172625 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619932481.50525 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (4 个事件)

Time & API	Arguments	Status
1619906659.890625 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2448 process_handle: 0x0000fcc8	failed
1619906659.890625 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2448 process_handle: 0x0000fcc8	success
1619932491.94225 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2440 process_handle: 0x0000021c	failed
1619932491.94225 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2440 process_handle: 0x0000021c	success

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619906659.828625 NtAllocateVirtualMemory	process_identifier: 2448 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000052fc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619906659.906625 NtAllocateVirtualMemory	process_identifier: 1760 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000b638 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Manipulates memory of a non-child process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2440 manipulating memory of non-child process 2448
1619906659.828625 NtAllocateVirtualMemory	process_identifier: 2448 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000052fc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619906659.906625 WriteProcessMemory	process_identifier: 1760 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELó^àTþq @ À@¬qOð H.textR T `.rsrcðV@@.reloc Z@B process_handle: 0x0000b638 base_address: 0x00400000	success	1
1619906659.906625 WriteProcessMemory	process_identifier: 1760 buffer: 0HX4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0` InternalNamegYVUTLMslTodKxUxPUIUqMMHfnP.exe(LegalCopyright h OriginalFilenamegYVUTLMslTodKxUxPUIUqMMHfnP.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x0000b638 base_address: 0x00448000	success	1
1619906659.906625 WriteProcessMemory	process_identifier: 1760 buffer: p2 process_handle: 0x0000b638 base_address: 0x0044a000	success	1
1619906659.906625 WriteProcessMemory	process_identifier: 1760 buffer: @ process_handle: 0x0000b638 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619906659.906625 WriteProcessMemory	process_identifier: 1760 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELó^àTþq @ À@¬qOð H.textR T `.rsrcðV@@.reloc Z@B process_handle: 0x0000b638 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2440 called NtSetContextThread to modify thread in remote process 1760
1619906659.906625 NtSetContextThread	thread_handle: 0x0000fcc8 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4485630 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1760	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2440 resumed a thread in remote process 1760
1619906659.937625 NtResumeThread	thread_handle: 0x0000fcc8 suspend_count: 1 process_identifier: 1760	success	0	0

Executed a process and injected code into it, probably while unpacking (25 个事件)

Time & API	Arguments	Status	Return
1619906612.406625 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 2440	success	0
1619906612.469625 NtResumeThread	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2440	success	0
1619906613.640625 NtResumeThread	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 2440	success	0
1619906613.672625 NtResumeThread	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 2440	success	0
1619906659.640625 NtResumeThread	thread_handle: 0x00003b5c suspend_count: 1 process_identifier: 2440	success	0
1619906659.656625 NtResumeThread	thread_handle: 0x00011524 suspend_count: 1 process_identifier: 2440	success	0
1619906659.828625 CreateProcessInternalW	thread_identifier: 1036 thread_handle: 0x000016c4 process_identifier: 2448 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\cb11ecf7241a48ebe88b231b933255b0.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\cb11ecf7241a48ebe88b231b933255b0.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000052fc inherit_handles: 0	success	1
1619906659.828625 NtGetContextThread	thread_handle: 0x000016c4	success	0
1619906659.828625 NtAllocateVirtualMemory	process_identifier: 2448 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000052fc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619906659.906625 CreateProcessInternalW	thread_identifier: 2292 thread_handle: 0x0000fcc8 process_identifier: 1760 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\cb11ecf7241a48ebe88b231b933255b0.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\cb11ecf7241a48ebe88b231b933255b0.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000b638 inherit_handles: 0	success	1
1619906659.906625 NtGetContextThread	thread_handle: 0x0000fcc8	success	0
1619906659.906625 NtAllocateVirtualMemory	process_identifier: 1760 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000b638 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619906659.906625 WriteProcessMemory	process_identifier: 1760 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELó^àTþq @ À@¬qOð H.textR T `.rsrcðV@@.reloc Z@B process_handle: 0x0000b638 base_address: 0x00400000	success	1
1619906659.906625 WriteProcessMemory	process_identifier: 1760 buffer: process_handle: 0x0000b638 base_address: 0x00402000	success	1
1619906659.906625 WriteProcessMemory	process_identifier: 1760 buffer: 0HX4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0` InternalNamegYVUTLMslTodKxUxPUIUqMMHfnP.exe(LegalCopyright h OriginalFilenamegYVUTLMslTodKxUxPUIUqMMHfnP.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x0000b638 base_address: 0x00448000	success	1
1619906659.906625 WriteProcessMemory	process_identifier: 1760 buffer: p2 process_handle: 0x0000b638 base_address: 0x0044a000	success	1
1619906659.906625 WriteProcessMemory	process_identifier: 1760 buffer: @ process_handle: 0x0000b638 base_address: 0x7efde008	success	1
1619906659.906625 NtSetContextThread	thread_handle: 0x0000fcc8 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4485630 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1760	success	0
1619906659.937625 NtResumeThread	thread_handle: 0x0000fcc8 suspend_count: 1 process_identifier: 1760	success	0
1619906659.937625 NtResumeThread	thread_handle: 0x000077d4 suspend_count: 1 process_identifier: 2440	success	0
1619932470.16125 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 1760	success	0
1619932470.17725 NtResumeThread	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 1760	success	0
1619932496.23925 NtResumeThread	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 1760	success	0
1619932496.25525 NtResumeThread	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 1760	success	0
1619932498.00525 NtResumeThread	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 1760	success	0

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.34330129
FireEye	Generic.mg.cb11ecf7241a48eb
Qihoo-360	Generic/Trojan.21a
McAfee	Fareit-FXH!CB11ECF7241A
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.2361913
K7AntiVirus	Trojan ( 0056c2781 )
Alibaba	Trojan:MSIL/AgentTesla.5f482da2
K7GW	Trojan ( 0056c2781 )
Cybereason	malicious.a22d48
Arcabit	Trojan.Generic.D20BD611
Invincea	Mal/Generic-S
BitDefenderTheta	Gen:NN.ZemsilF.34570.Tm0@aGUV9k
Cyren	W32/MSIL_Kryptik.BEY.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
Kaspersky	HEUR:Trojan.MSIL.Crypt.gen
BitDefender	Trojan.GenericKD.34330129
Paloalto	generic.ml
AegisLab	Trojan.MSIL.Crypt.4!c
Tencent	Msil.Trojan.Crypt.Sxxp
Ad-Aware	Trojan.GenericKD.34330129
Sophos	Mal/Generic-S
Comodo	Malware@#2dgpeeqwr001k
F-Secure	Trojan.TR/Kryptik.nqyps
DrWeb	Trojan.PackedNET.406
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0DHA20
McAfee-GW-Edition	BehavesLike.Win32.Generic.bh
Emsisoft	Trojan.GenericKD.34330129 (B)
SentinelOne	DFI - Malicious PE
Jiangmin	Trojan.MSIL.qfrr
Avira	TR/Kryptik.nqyps
Antiy-AVL	Trojan/MSIL.Kryptik
Microsoft	Trojan:MSIL/AgentTesla.VN!MTB
ZoneAlarm	HEUR:Trojan.MSIL.Crypt.gen
GData	Trojan.GenericKD.34330129
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.RL_Formbook.C4178861
ALYac	Trojan.GenericKD.34330129
MAX	malware (ai score=86)
Malwarebytes	Trojan.Crypt.MSIL.Generic
ESET-NOD32	a variant of MSIL/Kryptik.XHJ
TrendMicro-HouseCall	TROJ_GEN.R002C0DHA20
Ikarus	Trojan.MSIL.Inject
eGambit	Unsafe.AI_Score_83%
Fortinet	MSIL/Kryptik.XTP!tr
AVG	Win32:RATX-gen [Trj]

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-10 10:19:51

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
teredo.ipv6.microsoft.com		127.0.0.1
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.160.78

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.