3.2
中危
58 个模型检测该样本为恶意!
重新分析
更多

3083241b8d1d278d7e92c97ef4cede9408abf232c4ecbaa33ffab8cb235734c5

d5c4c9bb4b55e8fe34f64308575313aa.exe

分析耗时

79s

最近分析

文件大小

748.2KB
静态报毒 动态报毒 AI SCORE=82 AIDETECTVM ATTRIBUTE BSCOPE CLASSIC CONFIDENCE EJWK ELDORADO EMMP EMOTET GENCIRC GENERICKD GENERICRXAA GENETIC GENKRYPTIK HIGH CONFIDENCE HIGHCONFIDENCE HJYSII IAX7MW0J5MU KRYPTIK MALWARE1 MALWARE@#3CYEFDVAPIZ33 MANSABO QVM03 R + TROJ R066C0DIK20 R335697 SCORE STATIC AI SUSGEN SUSPICIOUS PE TRICKBO TRICKBOT TROG UDTXS UM1@AG8Z10MK VEBZENPAK WACATAC ZEVBAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/Emotet.56c138ff 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:Dropper-gen [Drp] 20201210 21.1.5827.0
Tencent Malware.Win32.Gencirc.10b9ecf0 20201211 1.0.0.1
McAfee GenericRXAA-AA!D5C4C9BB4B55 20201211 6.0.6.653
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619914301.791895
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (26 个事件)
Time & API Arguments Status Return Repeated
1619910846.438879
NtAllocateVirtualMemory
process_identifier: 2264
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c0000
success 0 0
1619910846.438879
NtProtectVirtualMemory
process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004c0000
success 0 0
1619910846.470879
NtProtectVirtualMemory
process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004c0000
success 0 0
1619910846.501879
NtProtectVirtualMemory
process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004c0000
success 0 0
1619910846.517879
NtProtectVirtualMemory
process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004c0000
success 0 0
1619910846.532879
NtProtectVirtualMemory
process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004c0000
success 0 0
1619910846.548879
NtProtectVirtualMemory
process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004c0000
success 0 0
1619910846.548879
NtProtectVirtualMemory
process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004c0000
success 0 0
1619910846.563879
NtProtectVirtualMemory
process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004c0000
success 0 0
1619910846.579879
NtProtectVirtualMemory
process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004c0000
success 0 0
1619910846.610879
NtProtectVirtualMemory
process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004c0000
success 0 0
1619910846.626879
NtProtectVirtualMemory
process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004c0000
success 0 0
1619910846.642879
NtProtectVirtualMemory
process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004c0000
success 0 0
1619910846.657879
NtProtectVirtualMemory
process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004c0000
success 0 0
1619910846.657879
NtProtectVirtualMemory
process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004c0000
success 0 0
1619910846.673879
NtProtectVirtualMemory
process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004c0000
success 0 0
1619910846.673879
NtProtectVirtualMemory
process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00455000
success 0 0
1619910846.688879
NtAllocateVirtualMemory
process_identifier: 2264
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619910846.688879
NtAllocateVirtualMemory
process_identifier: 2264
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x004d0000
success 0 0
1619910846.688879
NtProtectVirtualMemory
process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 172032
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004d1000
success 0 0
1619910864.360879
NtAllocateVirtualMemory
process_identifier: 2264
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00510000
success 0 0
1619910864.360879
NtAllocateVirtualMemory
process_identifier: 2264
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x10000000
success 0 0
1619910864.360879
NtAllocateVirtualMemory
process_identifier: 2264
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x10001000
success 0 0
1619910864.360879
NtAllocateVirtualMemory
process_identifier: 2264
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01d40000
success 0 0
1619910864.438879
NtAllocateVirtualMemory
process_identifier: 2264
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01d50000
success 0 0
1619910864.438879
NtAllocateVirtualMemory
process_identifier: 2264
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01d60000
success 0 0
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)
Time & API Arguments Status Return Repeated
1619910846.235879
NtProtectVirtualMemory
process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x003d0000
success 0 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619914290.697895
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619914294.259895
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 个事件)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43106659
ALYac Backdoor.Agent.Trickbot
Zillya Trojan.Injector.Win32.728036
SUPERAntiSpyware Trojan.Agent/Gen-TrickBot
Sangfor Malware
K7AntiVirus Trojan ( 005662da1 )
Alibaba Trojan:Win32/Emotet.56c138ff
K7GW Trojan ( 005662da1 )
CrowdStrike win/malicious_confidence_90% (W)
Arcabit Trojan.Generic.D291C163
Cyren W32/VBInject.ADO.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:Dropper-gen [Drp]
Kaspersky HEUR:Trojan.Win32.Vebzenpak.pef
BitDefender Trojan.GenericKD.43106659
NANO-Antivirus Trojan.Win32.GenKryptik.hjysii
Paloalto generic.ml
Tencent Malware.Win32.Gencirc.10b9ecf0
Ad-Aware Trojan.GenericKD.43106659
Emsisoft Trojan.GenericKD.43106659 (B)
Comodo Malware@#3cyefdvapiz33
F-Secure Trojan.TR/AD.TrickBot.udtxs
DrWeb Trojan.Packed.140
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R066C0DIK20
McAfee-GW-Edition BehavesLike.Win32.Generic.bh
FireEye Generic.mg.d5c4c9bb4b55e8fe
Sophos Mal/Generic-R + Troj/TrickBo-WU
SentinelOne Static AI - Suspicious PE
Jiangmin Trojan.Mansabo.bme
Avira TR/AD.TrickBot.udtxs
Antiy-AVL Trojan/Win32.Wacatac
Gridinsoft Malware.Win32.Wacatac.ba
Microsoft Trojan:Win32/Trickbot.MK!MSR
AegisLab Trojan.Win32.Vebzenpak.trog
ZoneAlarm HEUR:Trojan.Win32.Vebzenpak.pef
GData Trojan.GenericKD.43106659
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Agent.R335697
McAfee GenericRXAA-AA!D5C4C9BB4B55
MAX malware (ai score=82)
VBA32 BScope.Trojan.Packed
Malwarebytes Trojan.Packed.VB
ESET-NOD32 a variant of Win32/Injector.EMMP
TrendMicro-HouseCall TROJ_GEN.R066C0DIK20
Rising Trojan.Kryptik!1.C606 (CLASSIC)
Yandex Trojan.Injector!IAX7Mw0J5MU
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-05-04 21:22:15

Imports

Library user32.dll:
0x401000 LoadStringW
Library Shlwapi.dll:
0x40100c PathIsDirectoryW
0x401010 PathRemoveFileSpecW
Library oleaut32.dll:
0x401018 SysReAllocString
0x40101c SysAllocString
0x401020 SysFreeString
0x401024 SysAllocStringLen
0x40102c SysStringLen
Library kernel32.dll:
0x401034 GetProcAddress
0x401038 VirtualAlloc
0x40103c FindResourceW
0x401040 VirtualProtect
0x401044 RtlMoveMemory
0x401048 WideCharToMultiByte
0x40104c LoadResource
0x401050 SizeofResource
0x401054 GetProcessHeap
0x401058 lstrcpynW
0x40105c GetModuleHandleW
0x401060 LockResource
0x401064 ExitProcess
0x401068 lstrlenW
0x40106c lstrcatW
0x401070 CreateDirectoryW
0x401074 VirtualFree
0x401078 GetUserDefaultLCID
0x40107c HeapAlloc
Library MSVBVM60.DLL:
0x401084 __vbaStrI2
0x401088 _CIcos
0x40108c _adj_fptan
0x401090 __vbaVarMove
0x401094 __vbaAryMove
0x401098 __vbaFreeVar
0x40109c __vbaStrVarMove
0x4010a0 __vbaFreeVarList
0x4010a4 __vbaEnd
0x4010a8 _adj_fdiv_m64
0x4010ac __vbaFreeObjList
0x4010b0 _adj_fprem1
0x4010b4 __vbaStrCat
0x4010b8 __vbaLsetFixstr
0x4010c0 _adj_fdiv_m32
0x4010c4 __vbaAryDestruct
0x4010c8
0x4010cc
0x4010d0 __vbaObjSet
0x4010d4
0x4010d8
0x4010dc _adj_fdiv_m16i
0x4010e0 __vbaObjSetAddref
0x4010e4 _adj_fdivr_m16i
0x4010e8
0x4010ec __vbaFpR4
0x4010f0 __vbaBoolVar
0x4010f4 __vbaStrFixstr
0x4010f8 _CIsin
0x4010fc __vbaErase
0x401100 __vbaVarZero
0x401104 __vbaChkstk
0x401108 EVENT_SINK_AddRef
0x40110c
0x401114 __vbaStrCmp
0x401118 __vbaVarTstEq
0x40111c __vbaI2I4
0x401120 __vbaObjVar
0x401124 __vbaVarLateMemSt
0x401128 __vbaCastObjVar
0x40112c __vbaLbound
0x401130 __vbaStrR4
0x401134 _adj_fpatan
0x401138 __vbaRedim
0x40113c EVENT_SINK_Release
0x401140 __vbaUI1I2
0x401144 _CIsqrt
0x40114c __vbaExceptHandler
0x401150 _adj_fprem
0x401154 _adj_fdivr_m64
0x401158 __vbaI2Str
0x40115c
0x401160 __vbaFPException
0x401164 __vbaUbound
0x401168 __vbaStrVarVal
0x40116c
0x401170 __vbaLsetFixstrFree
0x401174 __vbaI2Var
0x401178 _CIlog
0x40117c __vbaErrorOverflow
0x401180 __vbaVar2Vec
0x401184 __vbaR8Str
0x401188 __vbaNew2
0x401190 _adj_fdiv_m32i
0x401194 _adj_fdivr_m32i
0x401198 __vbaStrCopy
0x40119c __vbaI4Str
0x4011a0 __vbaFreeStrList
0x4011a4 _adj_fdivr_m32
0x4011a8 _adj_fdiv_r
0x4011ac
0x4011b0 __vbaI4Var
0x4011b4 __vbaAryLock
0x4011b8 __vbaVarAdd
0x4011bc __vbaLateMemCall
0x4011c0 __vbaVarDup
0x4011c4 __vbaFpI2
0x4011cc __vbaR8IntI2
0x4011d0 _CIatan
0x4011d4 __vbaCastObj
0x4011d8 __vbaStrMove
0x4011dc _allmul
0x4011e0 __vbaLenVarB
0x4011e8 _CItan
0x4011ec __vbaAryUnlock
0x4011f0 __vbaFPInt
0x4011f4 _CIexp
0x4011f8 __vbaI4ErrVar
0x4011fc __vbaFreeObj
0x401200 __vbaFreeStr

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 49238 239.255.255.250 1900
192.168.56.101 49714 239.255.255.250 3702
192.168.56.101 49716 239.255.255.250 3702
192.168.56.101 53658 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.