4.8
中危
58 个模型检测该样本为恶意!
重新分析
更多

7a45727eb3a581f98e8637406a2daae6a2d517b5978432b2352da9e1a47e115d

d4ce78526e4ef62c443278654aa7b0e9.exe

分析耗时

72s

最近分析

文件大小

571.5KB
静态报毒 动态报毒 100% A + MAL AGENTB AI SCORE=100 AIDETECTVM BANKERX BFSCZ BSCOPE BUNITU CLASSIC COBRA CONFIDENCE ELDORADO ELJF ENCPK GA@8SFC92 GENCIRC GENERICKDZ GENETIC GENKRYPTIK HDJM HIGH CONFIDENCE HKPGOG INJECT3 JM0@ASZCWYHI JXZI KRYPTIK MALICIOUS PE MALWARE1 PROXY QAKBOT QBOT R336864 S13419017 SCORE UNSAFE WACATAC WACATACPMF ZENPAK ZEXAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee 20200921 6.0.6.653
CrowdStrike win/malicious_confidence_100% (D) 20190702 1.0
Alibaba Trojan:Win32/Agentb.e0183c86 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:BankerX-gen [Trj] 20200921 18.4.3895.0
Kingsoft 20200922 2013.8.14.323
Tencent Malware.Win32.Gencirc.10cdcae2 20200922 1.0.0.1
静态指标
Queries for the computername (2 个事件)
Time & API Arguments Status Return Repeated
1619910846.072148
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619917076.05475
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
One or more processes crashed (2 个事件)
Time & API Arguments Status Return Repeated
1619917076.71075
__exception__
stacktrace: 
d4ce78526e4ef62c443278654aa7b0e9+0x3f07 @ 0x403f07
d4ce78526e4ef62c443278654aa7b0e9+0x1b25 @ 0x401b25
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637624
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637684
registers.edx: 22104
registers.ebx: 1
registers.esi: 5979528
registers.ecx: 10
exception.instruction_r: ed 89 5d e4 89 4d e0 5a 59 5b 58 83 4d fc ff eb
exception.symbol: d4ce78526e4ef62c443278654aa7b0e9+0x3449
exception.instruction: in eax, dx
exception.module: d4ce78526e4ef62c443278654aa7b0e9.exe
exception.exception_code: 0xc0000096
exception.offset: 13385
exception.address: 0x403449
success 0 0
1619917076.71075
__exception__
stacktrace: 
d4ce78526e4ef62c443278654aa7b0e9+0x3f10 @ 0x403f10
d4ce78526e4ef62c443278654aa7b0e9+0x1b25 @ 0x401b25
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637628
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637684
registers.edx: 22104
registers.ebx: 1
registers.esi: 5979528
registers.ecx: 20
exception.instruction_r: ed 89 45 e4 5a 59 5b 58 83 4d fc ff eb 11 33 c0
exception.symbol: d4ce78526e4ef62c443278654aa7b0e9+0x34e2
exception.instruction: in eax, dx
exception.module: d4ce78526e4ef62c443278654aa7b0e9.exe
exception.exception_code: 0xc0000096
exception.offset: 13538
exception.address: 0x4034e2
success 0 0
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (6 个事件)
Time & API Arguments Status Return Repeated
1619910845.822148
NtAllocateVirtualMemory
process_identifier: 2252
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ca0000
success 0 0
1619910845.837148
NtAllocateVirtualMemory
process_identifier: 2252
region_size: 221184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ce0000
success 0 0
1619910845.837148
NtProtectVirtualMemory
process_identifier: 2252
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 237568
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619917075.97675
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00690000
success 0 0
1619917075.97675
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 221184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x006d0000
success 0 0
1619917075.99275
NtProtectVirtualMemory
process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 237568
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619910847.009148
CreateProcessInternalW
thread_identifier: 1564
thread_handle: 0x0000014c
process_identifier: 2056
current_directory:
filepath:
track: 1
command_line: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d4ce78526e4ef62c443278654aa7b0e9.exe /C
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000150
inherit_handles: 0
success 1 0
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 个事件)
The binary likely contains encrypted or compressed data indicative of a packer (1 个事件)
entropy 6.922404964217177 section {'size_of_data': '0x00017c00', 'virtual_address': '0x00079000', 'entropy': 6.922404964217177, 'name': '.rsrc', 'virtual_size': '0x00017bdc'} description A section with a high entropy has been found
Expresses interest in specific running processes (1 个事件)
process vboxservice.exe
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Detects VMWare through the in instruction feature (1 个事件)
Time & API Arguments Status Return Repeated
1619917076.71075
__exception__
stacktrace: 
d4ce78526e4ef62c443278654aa7b0e9+0x3f07 @ 0x403f07
d4ce78526e4ef62c443278654aa7b0e9+0x1b25 @ 0x401b25
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637624
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637684
registers.edx: 22104
registers.ebx: 1
registers.esi: 5979528
registers.ecx: 10
exception.instruction_r: ed 89 5d e4 89 4d e0 5a 59 5b 58 83 4d fc ff eb
exception.symbol: d4ce78526e4ef62c443278654aa7b0e9+0x3449
exception.instruction: in eax, dx
exception.module: d4ce78526e4ef62c443278654aa7b0e9.exe
exception.exception_code: 0xc0000096
exception.offset: 13385
exception.address: 0x403449
success 0 0
File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 个事件)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.67171
CAT-QuickHeal Trojan.WacatacPMF.S13419017
Cylance Unsafe
Zillya Trojan.Qbot.Win32.8206
Sangfor Malware
CrowdStrike win/malicious_confidence_100% (D)
Alibaba Trojan:Win32/Agentb.e0183c86
K7GW Riskware ( 0040eff71 )
K7AntiVirus Riskware ( 0040eff71 )
Invincea ML/PE-A + Mal/EncPk-APV
Cyren W32/Kryptik.BMW.gen!Eldorado
Symantec W32.Qakbot
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky Trojan.Win32.Agentb.jxzi
BitDefender Trojan.GenericKDZ.67171
NANO-Antivirus Trojan.Win32.Inject3.hkpgog
ViRobot Trojan.Win32.S.QakBot.585216.D
Avast Win32:BankerX-gen [Trj]
Rising Trojan.Kryptik!1.C745 (CLASSIC)
Ad-Aware Trojan.GenericKDZ.67171
Sophos Mal/EncPk-APV
Comodo TrojWare.Win32.Qbot.GA@8sfc92
F-Secure Trojan.TR/AD.Qbot.bfscz
DrWeb Trojan.Inject3.40031
VIPRE Trojan.Win32.Generic.pak!cobra
TrendMicro Backdoor.Win32.QAKBOT.SME
FireEye Generic.mg.d4ce78526e4ef62c
Emsisoft Trojan.GenericKDZ.67171 (B)
Ikarus Backdoor.QBot
GData Trojan.GenericKDZ.67171
Jiangmin Trojan.Zenpak.bss
Webroot Trojan.Proxy.Bunitu
Avira TR/AD.Qbot.bfscz
Antiy-AVL Trojan/Win32.Wacatac
Arcabit Trojan.Generic.D10663
AegisLab Trojan.Win32.Malicious.4!c
ZoneAlarm Trojan.Win32.Agentb.jxzi
Microsoft Trojan:Win32/Qakbot.AR!MTB
AhnLab-V3 Backdoor/Win32.Qakbot.R336864
Acronis suspicious
VBA32 BScope.Trojan.Inject
ALYac Trojan.Agent.QakBot
MAX malware (ai score=100)
Malwarebytes Backdoor.Qbot
ESET-NOD32 a variant of Win32/Kryptik.HDJM
TrendMicro-HouseCall Backdoor.Win32.QAKBOT.SME
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-05-15 16:27:31

Imports

Library KERNEL32.dll:
0x47804c HeapFree
0x478050 GetProcessHeap
0x478054 GetModuleHandleW
0x478058 GetModuleHandleA
0x47805c LoadLibraryW
0x478060 GetProcAddress
0x478064 FreeLibrary
0x478068 OutputDebugStringW
0x47806c GetLocalTime
0x478070 WriteFile
0x478074 SetFilePointer
0x478080 HeapAlloc
0x478084 CreateFileW
0x478088 DeviceIoControl
0x47808c CreateThread
0x478090 WaitForSingleObject
0x478094 GetCurrentProcess
0x478098 GetLastError
0x47809c CloseHandle
0x4780a0 ExitThread
0x4780a4 SetLastError
0x4780a8 lstrlenW
0x4780ac GlobalReAlloc
0x4780b0 GlobalLock
0x4780b4 lstrcatW
0x4780b8 GlobalUnlock
0x4780bc lstrcpyW
0x4780c0 AddAtomW
0x4780c4 IsValidLocale
0x4780c8 GlobalFree
0x4780cc DeleteAtom
0x4780d0 lstrcmpW
0x4780d4 LocalAlloc
0x4780d8 lstrcpynW
0x4780dc GetLocaleInfoW
0x4780e0 GlobalGetAtomNameW
0x4780e4 LocalFree
0x4780e8 WinExec
0x4780ec GetStartupInfoW
0x4780f0 GetAtomNameW
0x4780f4 ExitProcess
0x4780f8 GlobalAlloc
0x4780fc lstrcmpiW
0x478100 VirtualAlloc
Library USER32.dll:
0x478108 LoadIconA
0x47810c AnyPopup
0x478110 CloseWindow
0x478114 GetListBoxInfo
0x478118 InSendMessage
0x47811c GetKeyboardType
0x478120 GetSystemMetrics
0x478124 GetMenu
0x478128 IsIconic
0x47812c GetParent
0x478130 GetTopWindow
0x478134 DestroyCursor
0x478138 CloseClipboard
0x478140 IsCharAlphaNumericW
0x478144 GetActiveWindow
0x478148 IsCharUpperW
0x47814c CopyIcon
0x478150 GetKeyboardLayout
0x478154 GetDoubleClickTime
Library GDI32.dll:
0x47815c GetEnhMetaFileW
0x478160 CreatePatternBrush
0x478164 GetROP2
0x478168 DeleteEnhMetaFile
0x47816c CloseFigure
0x478170 GetTextAlign
0x478178 SetMetaRgn
0x47817c DeleteColorSpace
0x478180 GetStockObject
0x478184 GetObjectType
0x478188 UnrealizeObject
Library ADVAPI32.dll:
0x478190 RegOpenKeyA
0x478194 RegQueryValueExA
Library SHELL32.dll:
0x47819c ShellExecuteW
0x4781a8 SHChangeNotify
0x4781ac SHBrowseForFolderW
0x4781b0

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62192 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.