5.4
中危
55 个模型检测该样本为恶意!
重新分析
更多

c73cdd4d62376205223c596603881734d6ea412ae79bb733f26b89816a54bfcf

ce3af7ffcb13c7ce845932a8a8489df6.exe

分析耗时

77s

最近分析

文件大小

674.0KB
静态报毒 动态报毒 100% 6S+BCE79KAI AI SCORE=84 ATTRIBUTE BACKDOORX BSCOPE CONFIDENCE DOWNLOADER34 ELDORADO FARFLI GENCIRC GENERICRXAA GRAFTOR HCVP HIGH CONFIDENCE HIGHCONFIDENCE HQAHQY KCLOUD KRYPTIK LOTOK LVYMS MALICIOUS PE MALWARE@#AMSOD80XVU3 Q074AD0G7QB QQ3@AAYRICCB QVM07 SCORE STATIC AI THIBABO UNSAFE ZEGOST ZEXAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee GenericRXAA-FA!CE3AF7FFCB13 20201211 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast 20201210 21.1.5827.0
Alibaba Backdoor:Win32/Lotok.0fb646d3 20190527 0.3.0.5
Kingsoft Win32.Hack.Lotok.c.(kcloud) 20201211 2017.9.26.565
Tencent Malware.Win32.Gencirc.11adf3a1 20201211 1.0.0.1
静态指标
The executable uses a known packer (1 个事件)
packer Armadillo v1.71
行为判定
动态指标
Foreign language identified in PE resource (6 个事件)
name RT_ICON language LANG_CHINESE offset 0x000151b0 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000008a8
name RT_DIALOG language LANG_CHINESE offset 0x00015b60 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000136
name RT_DIALOG language LANG_CHINESE offset 0x00015b60 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000136
name RT_STRING language LANG_CHINESE offset 0x00015fa8 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000004c
name RT_GROUP_ICON language LANG_CHINESE offset 0x00015a58 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000014
name RT_VERSION language LANG_CHINESE offset 0x00015c98 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000030c
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)
Time & API Arguments Status Return Repeated
1619910854.079046
NtProtectVirtualMemory
process_identifier: 284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 36864
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x10001000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.035475654211971 section {'size_of_data': '0x0000e000', 'virtual_address': '0x00007000', 'entropy': 7.035475654211971, 'name': '.data', 'virtual_size': '0x0000dc48'} description A section with a high entropy has been found
entropy 0.6666666666666666 description Overall entropy of this PE file is high
网络通信
Communicates with host for which no DNS query was performed (2 个事件)
host 156.226.20.95
host 172.217.24.14
Installs itself for autorun at Windows startup (1 个事件)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VMware System reg_value C:\Program Files\Google\google.exe
Expresses interest in specific running processes (2 个事件)
process ce3af7ffcb13c7ce845932a8a8489df6.exe
process: potential process injection target explorer.exe
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 156.226.20.95:2020
File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Graftor.315286
FireEye Generic.mg.ce3af7ffcb13c7ce
McAfee GenericRXAA-FA!CE3AF7FFCB13
Cylance Unsafe
Zillya Backdoor.Lotok.Win32.301
Sangfor Malware
K7AntiVirus Trojan ( 00565ac91 )
BitDefender Gen:Variant.Graftor.315286
K7GW Trojan ( 00565ac91 )
CrowdStrike win/malicious_confidence_100% (W)
Cyren W32/Kryptik.CCW.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Kaspersky Backdoor.Win32.Lotok.csk
Alibaba Backdoor:Win32/Lotok.0fb646d3
NANO-Antivirus Trojan.Win32.Lotok.hqahqy
AegisLab Trojan.Win32.Malicious.4!c
Rising Backdoor.Zegost!8.177 (TFE:5:Q074Ad0g7qB)
Ad-Aware Gen:Variant.Graftor.315286
Emsisoft Gen:Variant.Graftor.315286 (B)
Comodo Malware@#amsod80xvu3
F-Secure Trojan.TR/AD.Farfli.lvyms
DrWeb Trojan.DownLoader34.25297
VIPRE Trojan.Win32.Generic!BT
TrendMicro Backdoor.Win32.ZEGOST.THIBABO
McAfee-GW-Edition BehavesLike.Win32.Trojan.jz
Sophos Mal/Generic-S
Ikarus Trojan.Win32.Crypt
Jiangmin Backdoor.Lotok.mp
Avira TR/AD.Farfli.lvyms
MAX malware (ai score=84)
Antiy-AVL Trojan[Backdoor]/Win32.Lotok
Kingsoft Win32.Hack.Lotok.c.(kcloud)
Microsoft Backdoor:Win32/Zegost.CQ!bit
Gridinsoft Trojan.Win32.Agent.oa
Arcabit Trojan.Graftor.D4CF96
ZoneAlarm Backdoor.Win32.Lotok.csk
GData Gen:Variant.Graftor.315286
Cynet Malicious (score: 100)
Acronis suspicious
BitDefenderTheta Gen:NN.ZexaF.34670.Qq3@aayriccb
VBA32 BScope.Backdoor.Lotok
Malwarebytes Backdoor.Farfli
Panda Trj/CI.A
ESET-NOD32 a variant of Win32/Kryptik.HCVP
TrendMicro-HouseCall Backdoor.Win32.ZEGOST.THIBABO
Tencent Malware.Win32.Gencirc.11adf3a1
Yandex Trojan.Kryptik!6S+BcE79kaI
SentinelOne Static AI - Malicious PE
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-07-14 22:26:28

Imports

Library MFC42.DLL:
0x405058
0x40505c
0x405060
0x405064
0x405068
0x40506c
0x405070
0x405074
0x405078
0x40507c
0x405080
0x405084
0x405088
0x40508c
0x405090
0x405094
0x405098
0x40509c
0x4050a0
0x4050a4
0x4050a8
0x4050ac
0x4050b0
0x4050b4
0x4050b8
0x4050bc
0x4050c0
0x4050c4
0x4050c8
0x4050cc
0x4050d0
0x4050d4
0x4050d8
0x4050dc
0x4050e0
0x4050e4
0x4050e8
0x4050ec
0x4050f0
0x4050f4
0x4050f8
0x4050fc
0x405100
0x405104
0x405108
0x40510c
0x405110
0x405114
0x405118
0x40511c
0x405120
0x405124
0x405128
0x40512c
0x405130
0x405134
0x405138
0x40513c
0x405140
0x405144
0x405148
0x40514c
0x405150
0x405154
0x405158
0x40515c
0x405160
0x405164
0x405168
0x40516c
0x405170
0x405174
0x405178
0x40517c
0x405180
0x405184
0x405188
0x40518c
0x405190
0x405194
0x405198
0x40519c
0x4051a0
0x4051a4
0x4051a8
0x4051ac
0x4051b0
0x4051b4
0x4051b8
0x4051bc
0x4051c0
0x4051c4
0x4051c8
0x4051cc
0x4051d0
0x4051d4
0x4051d8
0x4051dc
0x4051e0
0x4051e4
0x4051e8
0x4051ec
0x4051f0
0x4051f4
0x4051f8
0x4051fc
0x405200
0x405204
0x405208
0x40520c
Library MSVCRT.dll:
0x405214 _except_handler3
0x405218 __set_app_type
0x40521c __p__fmode
0x405220 __p__commode
0x405224 _adjust_fdiv
0x405228 __setusermatherr
0x40522c _initterm
0x405230 __getmainargs
0x405234 _acmdln
0x405238 exit
0x40523c _XcptFilter
0x405240 _exit
0x405244 _setmbcp
0x405248 _strcmpi
0x40524c __CxxFrameHandler
0x405250 _controlfp
0x405254 _mbscmp
0x405258 realloc
0x40525c free
0x405260 memmove
0x405264 __dllonexit
0x405268 _onexit
Library KERNEL32.dll:
0x405000 CloseHandle
0x405004 Sleep
0x405008 GetProcAddress
0x40500c LoadLibraryA
0x405010 FreeLibrary
0x405014 OutputDebugStringA
0x40501c ResetEvent
0x405028 ResumeThread
0x40502c CreateThread
0x405030 GetModuleHandleA
0x405034 GetStartupInfoA
0x405038 WaitForSingleObject
0x40503c SetEvent
0x405040 TerminateThread
0x405044 CreateEventA
Library USER32.dll:
0x405270 EnableWindow
0x405274 IsIconic
0x405278 GetSystemMetrics
0x40527c GetClientRect
0x405280 DrawIcon
0x405284 AppendMenuA
0x405288 SendMessageA
0x40528c LoadIconA
0x405290 GetSystemMenu

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.