5.8
High risk

3bd940aa8cce3f10808d20494f3f10b34502a14321ea9bb50123016d82c2203f

cbe93297db6a6936d5f4a599d65d35ef.exe

Analysis duration

101s

Last analysis

File size

312.9KB
Static detection Dynamic detection 100% AI SCORE=87 ATBH BAKB BZKEM CLASSIC CONFIDENCE FILEINFECTOR GEN2 HIGH CONFIDENCE HLLP KASHU KUKU MALICIOUS PE MALWARE@#8Q8VBUCD8EIZ POLY2 R + MAL SALICODE SALITY SCORE SECTOR STATIC AI UNSAFE
Eagle Eye engine
Not detected: no Eagle Eye engine result available
Static verdict
Antivirus engines
Engine Result Date Version
Alibaba Virus:Win32/Sality.f76f3ee4 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Baidu Win32.Virus.Sality.gen 20190318 1.0.0.2
Avast Win32:SaliCode [Inf] 20201210 21.1.5827.0
Kingsoft 20201211 2017.9.26.565
McAfee W32/Sality.gen.z 20201211 6.0.6.653
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1619906578.841249
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
This executable has a PDB path (1 event)
pdb_path C:\HUDSON\workspace\Autoupdate2.0-update\obj\jusched\Release\jusched.pdb
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1619906578.466249
__exception__
stacktrace:
cbe93297db6a6936d5f4a599d65d35ef+0x423cc @ 0x4423cc

registers.esp: 5898032
registers.edi: 2178940951
registers.eax: 2178940951
registers.ebp: 5898072
registers.edx: 2178940952
registers.ebx: 32211348
registers.esi: 4464589
registers.ecx: 2010527866
exception.instruction_r: 8a 08 40 84 c9 75 f9 2b c2 c7 45 fc fe ff ff ff
exception.symbol: lstrlen+0x1a lstrcmpW-0x3f kernelbase+0xa34a
exception.instruction: mov cl, byte ptr [eax]
exception.module: KERNELBASE.dll
exception.exception_code: 0xc0000005
exception.offset: 41802
exception.address: 0x778ea34a
success 0 0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Time & API Arguments Status Return Repeated
1619906578.356249
NtAllocateVirtualMemory
process_identifier: 2516
region_size: 17539072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e00000
success 0 0
1619906578.481249
NtProtectVirtualMemory
process_identifier: 2516
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e00000
success 0 0
Foreign language identified in PE resource (22 events)
name RT_STRING language LANG_CHINESE offset 0x000400fc filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000070
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.788338452641863 section {'size_of_data': '0x00012800', 'virtual_address': '0x0003e000', 'entropy': 7.788338452641863, 'name': '.rsrc', 'virtual_size': '0x00013000'} description A section with a high entropy has been found
entropy 0.24183006535947713 description Overall entropy of this PE file is high
Network communication
Operates on local firewall's policies and settings (1 event)
registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Modifies security center warnings (12 events)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UacDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify
Attempts to modify Explorer settings to prevent hidden files from being displayed (1 event)
registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
Disables Windows Security features (10 events)
description attempts to disable user access control registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
description attempts to disable windows update notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
description disables user access control notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify
description attempts to disable windows firewall registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
description attempts to disable firewall exceptions registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 of 60 events)
Bkav W32.Sality.PE
Elastic malicious (high confidence)
MicroWorld-eScan Win32.Sality.3
FireEye Generic.mg.cbe93297db6a6936
CAT-QuickHeal W32.Sality.U
Cylance Unsafe
Zillya Virus.Sality.Win32.25
Sangfor Malware
K7AntiVirus Virus ( f10001071 )
Alibaba Virus:Win32/Sality.f76f3ee4
K7GW Virus ( f10001071 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Win32.Sality.3
Baidu Win32.Virus.Sality.gen
Cyren W32/Sality.gen2
Symantec W32.Sality.AE
TotalDefense Win32/Sality.AA
APEX Malicious
Avast Win32:SaliCode [Inf]
Kaspersky Virus.Win32.Sality.gen
BitDefender Win32.Sality.3
NANO-Antivirus Virus.Win32.Sality.bzkem
Paloalto generic.ml
AegisLab Virus.Win32.Sality.v!c
Ad-Aware Win32.Sality.3
TACHYON Virus/W32.Sality.D
Sophos Mal/Generic-R + Mal/Sality-D
Comodo Malware@#8q8vbucd8eiz
F-Secure Malware.W32/Sality.AT
DrWeb Win32.Sector.30
VIPRE Virus.Win32.Sality.atbh (v)
TrendMicro PE_SALITY.ER
McAfee-GW-Edition BehavesLike.Win32.Dropper.fc
Emsisoft Win32.Sality.3 (B)
SentinelOne Static AI - Malicious PE
Jiangmin Win32/HLLP.Kuku.poly2
Avira W32/Sality.AT
Antiy-AVL Virus/Win32.Sality.gen
Microsoft Virus:Win32/Sality.AT
ViRobot Win32.Sality.Gen.A
ZoneAlarm Virus.Win32.Sality.gen
GData Win32.Sality.3
Cynet Malicious (score: 100)
AhnLab-V3 Win32/Kashu.E
Acronis suspicious
McAfee W32/Sality.gen.z
MAX malware (ai score=87)
VBA32 Virus.Win32.Sality.bakb
Zoner Trojan.Win32.Sality.22009
ESET-NOD32 Win32/Sality.NBA
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran.

PE Compile Time

2012-09-18 03:41:47

Imports

Library ADVAPI32.dll:
0x42d000 RegCloseKey
0x42d004 RegOpenKeyExA
0x42d008 RegQueryValueExA
0x42d010 RegDeleteValueA
0x42d014 RegDeleteKeyA
0x42d018 RegCreateKeyExA
0x42d01c RegSetValueExA
0x42d020 RegQueryInfoKeyA
0x42d024 RegEnumKeyExA
0x42d030 CryptDestroyHash
0x42d034 CryptGetHashParam
0x42d038 CryptHashData
0x42d03c CryptReleaseContext
0x42d040 CryptCreateHash
0x42d048 RegEnumKeyA
Library GDI32.dll:
0x42d050 GetStockObject
Library WININET.dll:
0x42d2cc InternetCloseHandle
0x42d2d0 HttpSendRequestA
0x42d2d4 HttpOpenRequestA
0x42d2d8 InternetReadFile
0x42d2e0 HttpQueryInfoA
0x42d2e4 InternetConnectA
0x42d2e8 InternetOpenA
0x42d2ec InternetCrackUrlA
0x42d2f0 InternetErrorDlg
Library KERNEL32.dll:
0x42d058 SetEndOfFile
0x42d05c CreateFileW
0x42d064 CompareStringW
0x42d068 CompareStringA
0x42d06c GetLocaleInfoW
0x42d070 SetStdHandle
0x42d074 WriteConsoleW
0x42d078 GetConsoleOutputCP
0x42d07c WriteConsoleA
0x42d080 IsValidLocale
0x42d084 EnumSystemLocalesA
0x42d088 GetLocaleInfoA
0x42d08c GetUserDefaultLCID
0x42d090 CloseHandle
0x42d094 WriteFile
0x42d098 lstrlenA
0x42d09c SetFilePointer
0x42d0a0 CreateFileA
0x42d0a4 GetTempPathA
0x42d0a8 lstrcatA
0x42d0b0 LoadLibraryA
0x42d0b4 GetLastError
0x42d0b8 GetSystemDirectoryA
0x42d0bc FreeLibrary
0x42d0c0 GetProcAddress
0x42d0c4 RaiseException
0x42d0d0 lstrcmpA
0x42d0d4 CreateProcessA
0x42d0d8 CreateMutexA
0x42d0dc CreateEventA
0x42d0e0 WaitForSingleObject
0x42d0e4 GetModuleFileNameA
0x42d0e8 MultiByteToWideChar
0x42d0ec WideCharToMultiByte
0x42d0f0 lstrlenW
0x42d0fc lstrcmpiA
0x42d104 GetCommandLineA
0x42d108 IsDBCSLeadByte
0x42d10c SizeofResource
0x42d110 LoadResource
0x42d114 FindResourceA
0x42d118 LoadLibraryExA
0x42d11c GetModuleHandleA
0x42d120 GetThreadLocale
0x42d124 lstrcpyA
0x42d128 SetEvent
0x42d12c ResetEvent
0x42d130 CreateThread
0x42d134 lstrcpynA
0x42d138 ReadFile
0x42d140 CreatePipe
0x42d144 Sleep
0x42d148 OpenEventA
0x42d14c GetSystemTime
0x42d150 DeleteFileA
0x42d154 GetVersionExA
0x42d158 GetCurrentProcess
0x42d15c GetSystemInfo
0x42d160 LocalFree
0x42d168 CompareFileTime
0x42d170 GetTickCount
0x42d174 GetCurrentProcessId
0x42d180 GetStringTypeW
0x42d184 GetStringTypeA
0x42d188 LCMapStringW
0x42d18c LCMapStringA
0x42d19c GetProcessHeap
0x42d1ac InterlockedExchange
0x42d1b0 FlushFileBuffers
0x42d1b4 GetConsoleMode
0x42d1b8 GetConsoleCP
0x42d1bc GetFileType
0x42d1c0 SetHandleCount
0x42d1c4 HeapSize
0x42d1c8 GetStdHandle
0x42d1cc HeapCreate
0x42d1d0 HeapReAlloc
0x42d1d4 VirtualFree
0x42d1d8 IsValidCodePage
0x42d1dc GetOEMCP
0x42d1e0 GetACP
0x42d1e4 GetCPInfo
0x42d1e8 GetCurrentThreadId
0x42d1ec SetLastError
0x42d1f0 TlsFree
0x42d1f4 TlsSetValue
0x42d1f8 TlsAlloc
0x42d1fc TlsGetValue
0x42d204 GetStartupInfoA
0x42d208 ExitProcess
0x42d20c IsDebuggerPresent
0x42d218 TerminateProcess
0x42d21c VirtualQuery
0x42d220 GetModuleHandleW
0x42d224 VirtualAlloc
0x42d228 VirtualProtect
0x42d230 RtlUnwind
0x42d234 HeapAlloc
0x42d238 HeapFree
Library USER32.dll:
0x42d254 wsprintfA
0x42d258 CharNextA
0x42d25c PeekMessageA
0x42d260 DispatchMessageA
0x42d264 DispatchMessageW
0x42d268 TranslateMessage
0x42d26c GetMessageA
0x42d270 IsWindowUnicode
0x42d278 LoadStringA
0x42d27c GetDesktopWindow
0x42d280 MessageBoxA
0x42d284 RegisterClassA
0x42d288 CreateWindowExA
0x42d28c ShowWindow
0x42d290 SetWindowLongA
0x42d294 DestroyWindow
0x42d298 GetWindowLongA
0x42d29c DefWindowProcA
0x42d2a0 PostQuitMessage
0x42d2a4 CreatePopupMenu
0x42d2a8 AppendMenuA
0x42d2ac GetCursorPos
0x42d2b0 SetForegroundWindow
0x42d2b4 TrackPopupMenu
0x42d2b8 PostMessageA
0x42d2bc GetSystemMetrics
0x42d2c0 LoadImageA
0x42d2c4 GetMessageW
Library ole32.dll:
0x42d300 CoTaskMemRealloc
0x42d304 CoCreateInstance
0x42d308 CLSIDFromString
0x42d30c CoInitialize
0x42d310 CoUninitialize
0x42d314 CoTaskMemFree
0x42d318 CoTaskMemAlloc
Library SHELL32.dll:
0x42d248 Shell_NotifyIconA
0x42d24c ShellExecuteA
Library OLEAUT32.dll:
0x42d240 VarUI4FromStr

Hosts

No hosts contacted.

DNS

No domains contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.