6.0
High risk

SHA256: 33bd83d65da21eaa3609bfdf538f7f0095b6741650e621d3391cedfd0a5756d5

File name: cff8e5805779290339373f4648a975e9.exe

Analysis duration: 74s

Last analysis:

File size: 906.1KB
Static and dynamic detection tags: 4G1@A0B3NRKI AI SCORE=81 AIDETECTVM ATTRIBUTE BSCOPE CLASSIC CONFIDENCE DANGEROUSSIG DEYMA DOWNLOADER34 EHLS ELDORADO ENCPK EPSN GDSDA GENERICKD GENKRYPTIK GENOME GRAYWARE HFJQ HIGH CONFIDENCE HIGHCONFIDENCE KRYPT KRYPTIK LFEMR MALWARE2 QAKBOT R002C0PH520 R347002 SCORE SUSGEN TETC UNSAFE WACATAC XYANG@0 YMACCO ZEXAF ZUSY
鹰眼 engine
Not detected: no 鹰眼 engine detection results available
Static verdict
Antivirus engines
Engine | Result | Scan time | Engine version
Alibaba | TrojanDownloader:Win32/Deyma.ce328fcf | 20190527 | 0.3.0.5
Avast | Win32:DangerousSig [Trj] | 20200814 | 18.4.3895.0
Baidu | | 20190318 | 1.0.0.2
Kingsoft | | 20200814 | 2013.8.14.323
McAfee | Packed-GBS!CFF8E5805779 | 20200814 | 6.0.6.653
Tencent | Win32.Trojan-downloader.Deyma.Tetc | 20200814 | 1.0.0.1
CrowdStrike | win/malicious_confidence_90% (W) | 20190702 | 1.0
Behavior verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (6 events)
Time & API | Arguments | Status | Return | Repeated

1619910845.937886 NtAllocateVirtualMemory
  process_identifier: 428
  region_size: 741376
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_handle: 0xffffffff
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  base_address: 0x004f0000
  status: success, return: 0, repeated: 0

1619910846.921886 NtAllocateVirtualMemory
  process_identifier: 428
  region_size: 737280
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_handle: 0xffffffff
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  base_address: 0x01e30000
  status: success, return: 0, repeated: 0

1619910846.921886 NtProtectVirtualMemory
  process_identifier: 428
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 151552
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_handle: 0xffffffff
  base_address: 0x00400000
  status: success, return: 0, repeated: 0

1619915817.313749 NtAllocateVirtualMemory
  process_identifier: 2340
  region_size: 741376
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_handle: 0xffffffff
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  base_address: 0x007e0000
  status: success, return: 0, repeated: 0

1619915818.829749 NtAllocateVirtualMemory
  process_identifier: 2340
  region_size: 737280
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_handle: 0xffffffff
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  base_address: 0x00a30000
  status: success, return: 0, repeated: 0

1619915818.829749 NtProtectVirtualMemory
  process_identifier: 2340
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 151552
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_handle: 0xffffffff
  base_address: 0x00400000
  status: success, return: 0, repeated: 0
Creates executable files on the filesystem (2 events)
file c:\programdata\1321ba6d1f\bdif.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\cred.dll
A process created a hidden window (1 event)
Time & API | Arguments | Status | Return | Repeated

1619910847.468886 CreateProcessInternalW
  thread_identifier: 2740
  thread_handle: 0x0000008c
  process_identifier: 2340
  current_directory:
  filepath:
  track: 1
  command_line: c:\programdata\1321ba6d1f\bdif.exe
  filepath_r:
  stack_pivoted: 0
  creation_flags: 134217728 (CREATE_NO_WINDOW)
  process_handle: 0x00000088
  inherit_handles: 0
  status: success, return: 1, repeated: 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API | Arguments | Status | Return | Repeated

1619915819.563749 GetAdaptersAddresses
  flags: 0
  family: 0
  status: failed, return: 111, repeated: 0
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 172.217.24.14
host 217.8.117.52
Attempts to identify installed AV products by installation directory (7 events)
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API | Arguments | Status | Return | Repeated

1619915822.126749 RegSetValueExA
  key_handle: 0x000003c0
  value: 1
  regkey_r: WpadDecisionReason
  reg_type: 4 (REG_DWORD)
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
  status: success, return: 0, repeated: 0

1619915822.126749 RegSetValueExA
  key_handle: 0x000003c0
  value: <non-printable binary data>
  regkey_r: WpadDecisionTime
  reg_type: 3 (REG_BINARY)
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
  status: success, return: 0, repeated: 0

1619915822.126749 RegSetValueExA
  key_handle: 0x000003c0
  value: 3
  regkey_r: WpadDecision
  reg_type: 4 (REG_DWORD)
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
  status: success, return: 0, repeated: 0

1619915822.126749 RegSetValueExW
  key_handle: 0x000003c0
  value: 网络 2
  regkey_r: WpadNetworkName
  reg_type: 1 (REG_SZ)
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
  status: success, return: 0, repeated: 0

1619915822.141749 RegSetValueExA
  key_handle: 0x000003d4
  value: 1
  regkey_r: WpadDecisionReason
  reg_type: 4 (REG_DWORD)
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
  status: success, return: 0, repeated: 0

1619915822.141749 RegSetValueExA
  key_handle: 0x000003d4
  value: <non-printable binary data>
  regkey_r: WpadDecisionTime
  reg_type: 3 (REG_BINARY)
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
  status: success, return: 0, repeated: 0

1619915822.141749 RegSetValueExA
  key_handle: 0x000003d4
  value: 3
  regkey_r: WpadDecision
  reg_type: 4 (REG_DWORD)
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
  status: success, return: 0, repeated: 0

1619915822.157749 RegSetValueExW
  key_handle: 0x000003bc
  value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
  regkey_r: WpadLastNetwork
  reg_type: 1 (REG_SZ)
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
  status: success, return: 0, repeated: 0
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 217.8.117.52:80
File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events shown)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
DrWeb Trojan.DownLoader34.17858
MicroWorld-eScan Trojan.GenericKD.43597324
FireEye Generic.mg.cff8e58057792903
ALYac Trojan.GenericKD.43597324
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 005652be1 )
Alibaba TrojanDownloader:Win32/Deyma.ce328fcf
K7GW Trojan ( 005652be1 )
Cybereason malicious.057792
TrendMicro TROJ_GEN.R002C0PH520
BitDefenderTheta Gen:NN.ZexaF.34152.4G1@a0b3nrki
F-Prot W32/Kryptik.BSQ.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky Trojan-Downloader.Win32.Deyma.bqz
BitDefender Trojan.GenericKD.43597324
Avast Win32:DangerousSig [Trj]
Rising Trojan.Kryptik!1.C9B6 (CLASSIC)
Ad-Aware Trojan.GenericKD.43597324
Comodo TrojWare.Win32.Genome.xyang@0
F-Secure Trojan.TR/Kryptik.lfemr
Zillya Downloader.Deyma.Win32.179
Invincea heuristic
Sophos Mal/EncPk-APV
Cyren W32/Kryptik.BSQ.gen!Eldorado
Avira TR/Kryptik.lfemr
Fortinet W32/GenKryptik.EPSN!tr
Antiy-AVL GrayWare/Win32.Kryptik.ehls
Arcabit Trojan.Generic.D2993E0C
ViRobot Trojan.Win32.Z.Zusy.927808.A
ZoneAlarm Trojan-Downloader.Win32.Deyma.bqz
Microsoft Trojan:Win32/Ymacco.AA33
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Kryptik.R347002
McAfee Packed-GBS!CFF8E5805779
MAX malware (ai score=81)
VBA32 BScope.Trojan.Wacatac
Malwarebytes Trojan.MalPack
ESET-NOD32 a variant of Win32/Kryptik.HFJQ
TrendMicro-HouseCall Backdoor.Win32.QAKBOT.SMF
Tencent Win32.Trojan-downloader.Deyma.Tetc
Ikarus Trojan.Win32.Krypt
MaxSecure Trojan.Malware.104539475.susgen
GData Trojan.GenericKD.43597324
AVG Win32:DangerousSig [Trj]
Visual analysis
Binary image
No binary image: this sample did not produce a binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran


PE Compile Time

2020-08-05 06:04:56

Imports

Library KERNEL32.dll:
0x4d90b0 GetModuleHandleA
0x4d90b4 GetLastError
0x4d90b8 LoadLibraryA
0x4d90bc GetProcAddress
0x4d90c4 GetTickCount
0x4d90cc IsDebuggerPresent
0x4d90d8 GetCurrentProcess
0x4d90dc TerminateProcess
0x4d90e4 Sleep
0x4d90e8 InterlockedExchange
0x4d90ec GetStartupInfoW
0x4d90f0 GetCommandLineW
0x4d90f4 GetModuleFileNameW
0x4d90f8 CreateProcessW
0x4d90fc WaitForSingleObject
0x4d9100 CloseHandle
0x4d9104 FormatMessageW
0x4d9108 LocalFree
0x4d910c GetCurrentProcessId
0x4d9110 GetCurrentThreadId
0x4d9114 WaitNamedPipeA
0x4d9118 HeapReAlloc
0x4d911c GlobalFree
0x4d9120 _lwrite
0x4d9128 GetCommConfig
0x4d912c IsBadHugeWritePtr
0x4d9130 GetConsoleAliasA
0x4d9134 ResetEvent
0x4d9138 ReplaceFileA
Library USER32.dll:
0x4d9144 IsCharAlphaW
0x4d9148 CloseClipboard
0x4d914c GetWindowDC
0x4d9150 IsCharAlphaNumericA
0x4d9154 DestroyIcon
0x4d915c DestroyMenu
0x4d9160 DestroyWindow
0x4d9164 IsWindowVisible
0x4d9168 PaintDesktop
0x4d916c IsGUIThread
0x4d9170 DrawMenuBar
0x4d9174 CharNextA
0x4d9178 VkKeyScanA
0x4d917c GetKeyboardLayout
0x4d9180 GetAsyncKeyState
0x4d9184 AnyPopup
0x4d9188 LoadIconW
0x4d918c MessageBoxW
0x4d9190 DialogBoxParamW
0x4d9194 DlgDirListW
0x4d9198 DdeDisconnectList
0x4d919c EnableMenuItem
0x4d91a0 GetUpdateRect
0x4d91a4 SetScrollRange
Library GDI32.dll:
0x4d91ac GdiGetBatchLimit
0x4d91b0 GetObjectType
0x4d91b4 UnrealizeObject
0x4d91b8 GetROP2
0x4d91bc CloseMetaFile
0x4d91c0 BeginPath
0x4d91c4 GetTextColor
0x4d91cc GetMapMode
0x4d91d0 AbortPath
0x4d91d4 GetLayout
0x4d91d8 GetTextAlign
0x4d91dc GetEnhMetaFileW
0x4d91e0 GetEnhMetaFileA
0x4d91e4 GetStockObject
0x4d91e8 StrokePath
0x4d91ec GetPixelFormat
0x4d91f0 GetStretchBltMode
0x4d91f4 WidenPath
0x4d91f8 RealizePalette
0x4d91fc GetTextCharset
0x4d9200 SaveDC
0x4d9204 SetMetaRgn
0x4d9208 SwapBuffers
0x4d920c UpdateColors
0x4d9210 PathToRegion
0x4d9214 GetFontLanguageInfo
0x4d9218 GetGraphicsMode
0x4d921c GetDCPenColor
0x4d9220 GetSystemPaletteUse
0x4d9224 GetPolyFillMode
0x4d922c GdiEntry5
0x4d9230 CreateBrushIndirect
0x4d9234 XLATEOBJ_piVector
0x4d9238 GetGlyphOutlineWow
0x4d923c GdiConsoleTextOut
0x4d9240 GdiEntry14
0x4d9244 ExtEscape
0x4d924c GetPath
0x4d9250 EudcLoadLinkW
0x4d9258 UpdateICMRegKeyW
0x4d925c GdiPlayScript
0x4d9260 SetTextAlign
0x4d9268 LPtoDP
0x4d926c GetRasterizerCaps
0x4d9270 EngQueryEMFInfo
0x4d9274 GdiAddGlsRecord
0x4d9278 EngAlphaBlend
0x4d927c MoveToEx
0x4d9280 RestoreDC
0x4d9284 GetNearestColor
0x4d9288 GdiFlush
0x4d928c ScaleWindowExtEx
0x4d9290 CLIPOBJ_bEnum
0x4d9294 GdiEntry15
0x4d9298 GdiSwapBuffers
0x4d929c GdiIsMetaPrintDC
0x4d92a0 EngCreateBitmap
0x4d92a4 GetCharWidthFloatA
0x4d92ac SelectPalette
0x4d92b4 EndPage
0x4d92b8 StretchBlt
0x4d92bc SetWindowOrgEx
0x4d92c0 SetViewportOrgEx
0x4d92c4 SetTextColor
0x4d92c8 SetStretchBltMode
0x4d92cc SetROP2
0x4d92d0 SetPixel
0x4d92d4 SetDIBColorTable
0x4d92d8 SetBrushOrgEx
0x4d92dc SetBkMode
0x4d92e0 SetBkColor
0x4d92e4 SelectObject
0x4d92e8 RoundRect
0x4d92ec RemoveFontResourceW
0x4d92f0 Rectangle
0x4d92f4 RectVisible
0x4d92f8 Polyline
0x4d92fc Pie
0x4d9300 PatBlt
0x4d9304 MaskBlt
0x4d9308 LineTo
0x4d930c LineDDA
0x4d9310 IntersectClipRect
0x4d9314 GetWindowOrgEx
0x4d9318 GetTextMetricsW
0x4d931c GetTextExtentPointW
0x4d9328 GetRgnBox
0x4d932c GetPixel
0x4d9330 GetPaletteEntries
0x4d9334 GetObjectW
0x4d9338 GetDeviceCaps
0x4d933c GetDIBits
0x4d9340 GetDIBColorTable
0x4d9344 GetDCOrgEx
0x4d934c GetClipBox
0x4d9350 GetBrushOrgEx
0x4d9354 GetBitmapBits
0x4d9358 FrameRgn
0x4d935c ExtTextOutW
0x4d9360 ExtFloodFill
0x4d9364 ExcludeClipRect
0x4d9368 EnumFontsW
0x4d936c Ellipse
0x4d9370 DeleteObject
0x4d9374 DeleteDC
0x4d9378 CreateSolidBrush
0x4d937c CreateRectRgn
0x4d9380 CreatePenIndirect
0x4d9384 CreatePalette
0x4d938c CreateFontIndirectW
0x4d9390 CreateDIBitmap
0x4d9394 CreateDIBSection
0x4d9398 CreateCompatibleDC
0x4d93a0 CreateBitmap
0x4d93a4 Chord
0x4d93a8 BitBlt
0x4d93ac Arc
0x4d93b0 AddFontResourceW
Library ADVAPI32.dll:
0x4d93b8 RegOpenKeyW
0x4d93bc RegQueryValueExA
Library SHELL32.dll:
0x4d93c4 CommandLineToArgvW

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source | Source port | Destination | Destination port
192.168.56.101 | 50534 | 114.114.114.114 | 53
192.168.56.101 | 51963 | 114.114.114.114 | 53
192.168.56.101 | 56539 | 114.114.114.114 | 53
192.168.56.101 | 65004 | 114.114.114.114 | 53
192.168.56.101 | 137 | 192.168.56.255 | 137
192.168.56.101 | 138 | 192.168.56.255 | 138
192.168.56.101 | 49235 | 224.0.0.252 | 5355
192.168.56.101 | 51808 | 224.0.0.252 | 5355
192.168.56.101 | 56804 | 224.0.0.252 | 5355
192.168.56.101 | 60123 | 224.0.0.252 | 5355
192.168.56.101 | 62191 | 224.0.0.252 | 5355
192.168.56.101 | 1900 | 239.255.255.250 | 1900
192.168.56.101 | 50535 | 239.255.255.250 | 3702
192.168.56.101 | 56540 | 239.255.255.250 | 3702
192.168.56.101 | 56807 | 239.255.255.250 | 1900
192.168.56.101 | 58707 | 239.255.255.250 | 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.