11.6
0-day
57 个模型检测该样本为恶意!
重新分析
更多

5312fab3ad83a00863c90baec3bbe7f1265cc6d94398b364f2cd7c11369af074

d7b70938804e6bf813446a2e55f5cc62.exe

分析耗时

74s

最近分析

文件大小

545.0KB
静态报毒 动态报毒 100% AGENTTESLA AI SCORE=88 ATTRIBUTE BUCPH7 CONFIDENCE ELDORADO FAREIT GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE HQEZZY IGENT IM0@AOFVO9B KRYPTIK KTSE LIMITAIL LOKIBOT LWBU65 MALWARE@#2QYC8ONBYQCGD MASSLOGGER MDSDM PACKEDNET PUTTY PWSX QVM03 R + TROJ R346706 RMWB SCORE SMK1 SUSGEN TSCOPE UNSAFE WTDN YAKBEEXMSIL ZEMSILCO 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Fareit-FXU!D7B70938804E 20201120 6.0.6.653
Baidu 20190318 1.0.0.2
Alibaba Trojan:MSIL/AgentTesla.b4aab0c1 20190527 0.3.0.5
Tencent Msil.Trojan.Crypt.Wtdn 20201124 1.0.0.1
Kingsoft 20201124 2017.9.26.565
Avast 20201124 20.10.5736.0
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Queries for the computername (2 个事件)
Time & API Arguments Status Return Repeated
1619981162.867375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619981168.929375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (50 out of 96 个事件)
Time & API Arguments Status Return Repeated
1619948419.662793
IsDebuggerPresent
failed 0 0
1619948419.662793
IsDebuggerPresent
failed 0 0
1619948421.084793
IsDebuggerPresent
failed 0 0
1619948421.568793
IsDebuggerPresent
failed 0 0
1619948422.100793
IsDebuggerPresent
failed 0 0
1619948422.568793
IsDebuggerPresent
failed 0 0
1619948423.100793
IsDebuggerPresent
failed 0 0
1619948423.568793
IsDebuggerPresent
failed 0 0
1619948424.100793
IsDebuggerPresent
failed 0 0
1619948424.568793
IsDebuggerPresent
failed 0 0
1619948425.100793
IsDebuggerPresent
failed 0 0
1619948425.568793
IsDebuggerPresent
failed 0 0
1619948426.100793
IsDebuggerPresent
failed 0 0
1619948426.568793
IsDebuggerPresent
failed 0 0
1619948427.100793
IsDebuggerPresent
failed 0 0
1619948427.568793
IsDebuggerPresent
failed 0 0
1619948428.100793
IsDebuggerPresent
failed 0 0
1619948428.568793
IsDebuggerPresent
failed 0 0
1619948429.100793
IsDebuggerPresent
failed 0 0
1619948429.568793
IsDebuggerPresent
failed 0 0
1619948430.100793
IsDebuggerPresent
failed 0 0
1619948430.568793
IsDebuggerPresent
failed 0 0
1619948431.100793
IsDebuggerPresent
failed 0 0
1619948431.568793
IsDebuggerPresent
failed 0 0
1619948432.100793
IsDebuggerPresent
failed 0 0
1619948432.568793
IsDebuggerPresent
failed 0 0
1619948433.100793
IsDebuggerPresent
failed 0 0
1619948433.568793
IsDebuggerPresent
failed 0 0
1619948434.100793
IsDebuggerPresent
failed 0 0
1619948434.568793
IsDebuggerPresent
failed 0 0
1619948435.100793
IsDebuggerPresent
failed 0 0
1619948435.568793
IsDebuggerPresent
failed 0 0
1619948436.100793
IsDebuggerPresent
failed 0 0
1619948436.568793
IsDebuggerPresent
failed 0 0
1619948437.100793
IsDebuggerPresent
failed 0 0
1619948437.568793
IsDebuggerPresent
failed 0 0
1619948438.100793
IsDebuggerPresent
failed 0 0
1619948438.568793
IsDebuggerPresent
failed 0 0
1619948439.100793
IsDebuggerPresent
failed 0 0
1619948439.568793
IsDebuggerPresent
failed 0 0
1619948440.100793
IsDebuggerPresent
failed 0 0
1619948440.568793
IsDebuggerPresent
failed 0 0
1619948441.100793
IsDebuggerPresent
failed 0 0
1619948441.568793
IsDebuggerPresent
failed 0 0
1619948442.100793
IsDebuggerPresent
failed 0 0
1619948442.568793
IsDebuggerPresent
failed 0 0
1619948443.100793
IsDebuggerPresent
failed 0 0
1619948443.568793
IsDebuggerPresent
failed 0 0
1619948444.100793
IsDebuggerPresent
failed 0 0
1619948444.568793
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Tries to locate where the browsers are installed (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619948419.740793
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 94 个事件)
Time & API Arguments Status Return Repeated
1619948418.662793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00a10000
success 0 0
1619948418.662793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c00000
success 0 0
1619948419.100793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 917504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x004e0000
success 0 0
1619948419.100793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00580000
success 0 0
1619948419.272793
NtProtectVirtualMemory
process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619948419.662793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00a10000
success 0 0
1619948419.662793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a70000
success 0 0
1619948419.678793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0051a000
success 0 0
1619948419.678793
NtProtectVirtualMemory
process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619948419.678793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00512000
success 0 0
1619948420.147793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00522000
success 0 0
1619948420.334793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00545000
success 0 0
1619948420.334793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0054b000
success 0 0
1619948420.334793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00547000
success 0 0
1619948420.443793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00523000
success 0 0
1619948420.459793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00524000
success 0 0
1619948420.459793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0052c000
success 0 0
1619948420.506793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009e0000
success 0 0
1619948420.678793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00525000
success 0 0
1619948421.209793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00526000
success 0 0
1619948421.334793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053a000
success 0 0
1619948421.334793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00537000
success 0 0
1619948421.443793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00536000
success 0 0
1619948421.475793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009e1000
success 0 0
1619948421.787793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00528000
success 0 0
1619948421.787793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00529000
success 0 0
1619948421.803793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009e3000
success 0 0
1619948421.897793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d30000
success 0 0
1619948421.959793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d31000
success 0 0
1619948421.990793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009e4000
success 0 0
1619948422.006793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d32000
success 0 0
1619948422.022793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009e5000
success 0 0
1619948422.053793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009e8000
success 0 0
1619948463.068793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00581000
success 0 0
1619948463.147793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009e9000
success 0 0
1619948463.256793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0051c000
success 0 0
1619948463.272793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009ea000
success 0 0
1619948463.318793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d33000
success 0 0
1619948463.318793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0052d000
success 0 0
1619948463.318793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d34000
success 0 0
1619948463.334793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009eb000
success 0 0
1619948463.397793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009ec000
success 0 0
1619948463.397793
NtProtectVirtualMemory
process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 188416
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x055a0400
failed 3221225550 0
1619948466.412793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009ed000
success 0 0
1619948466.412793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d35000
success 0 0
1619948466.412793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009ee000
success 0 0
1619948466.412793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009ef000
success 0 0
1619948466.490793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04b80000
success 0 0
1619948466.600793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04b81000
success 0 0
1619948467.053793
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04b82000
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description d7b70938804e6bf813446a2e55f5cc62.exe tried to sleep 133 seconds, actually delayed analysis time by 133 seconds
Steals private information from local Internet browsers (19 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.404440081035866 section {'size_of_data': '0x00087a00', 'virtual_address': '0x00002000', 'entropy': 7.404440081035866, 'name': '.text', 'virtual_size': '0x00087814'} description A section with a high entropy has been found
entropy 0.9963269054178145 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619948420.787793
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619981168.789375
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
网络通信
Communicates with host for which no DNS query was performed (2 个事件)
host 104.16.154.36
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619948467.240793
NtAllocateVirtualMemory
process_identifier: 1036
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010d40
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Harvests credentials from local FTP client softwares (22 个事件)
file C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\wcx_ftp.ini
file C:\Windows\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\GHISLER\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\wcx_ftp.ini
file C:\Windows\32BitFtp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Program Files (x86)\FileZilla\Filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry HKEY_CURRENT_USER\Software\Martin Prikryl
registry HKEY_LOCAL_MACHINE\Software\Martin Prikryl
Harvests information related to installed instant messenger clients (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\.purple\accounts.xml
Potential code injection by writing to the memory of another process (3 个事件)
Time & API Arguments Status Return Repeated
1619948467.240793
WriteProcessMemory
process_identifier: 1036
buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
process_handle: 0x00010d40
base_address: 0x00400000
success 1 0
1619948467.240793
WriteProcessMemory
process_identifier: 1036
buffer: ™TÍ<¨‡K¢`ˆˆÝ;U
process_handle: 0x00010d40
base_address: 0x0041a000
success 1 0
1619948467.240793
WriteProcessMemory
process_identifier: 1036
buffer: @
process_handle: 0x00010d40
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619948467.240793
WriteProcessMemory
process_identifier: 1036
buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
process_handle: 0x00010d40
base_address: 0x00400000
success 1 0
Harvests credentials from local email clients (3 个事件)
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2196 called NtSetContextThread to modify thread in remote process 1036
Time & API Arguments Status Return Repeated
1619948467.240793
NtSetContextThread
thread_handle: 0x00010d3c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1036
success 0 0
Putty Files, Registry Keys and/or Mutexes Detected
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2196 resumed a thread in remote process 1036
Time & API Arguments Status Return Repeated
1619948467.553793
NtResumeThread
thread_handle: 0x00010d3c
suspend_count: 1
process_identifier: 1036
success 0 0
Executed a process and injected code into it, probably while unpacking (19 个事件)
Time & API Arguments Status Return Repeated
1619948419.662793
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2196
success 0 0
1619948419.693793
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 2196
success 0 0
1619948419.803793
NtResumeThread
thread_handle: 0x00000168
suspend_count: 1
process_identifier: 2196
success 0 0
1619948421.006793
NtResumeThread
thread_handle: 0x00000200
suspend_count: 1
process_identifier: 2196
success 0 0
1619948421.053793
NtResumeThread
thread_handle: 0x00000218
suspend_count: 1
process_identifier: 2196
success 0 0
1619948467.068793
NtResumeThread
thread_handle: 0x00010d30
suspend_count: 1
process_identifier: 2196
success 0 0
1619948467.068793
NtResumeThread
thread_handle: 0x000026dc
suspend_count: 1
process_identifier: 2196
success 0 0
1619948467.240793
CreateProcessInternalW
thread_identifier: 2496
thread_handle: 0x00010d3c
process_identifier: 1036
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d7b70938804e6bf813446a2e55f5cc62.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d7b70938804e6bf813446a2e55f5cc62.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00010d40
inherit_handles: 0
success 1 0
1619948467.240793
NtGetContextThread
thread_handle: 0x00010d3c
success 0 0
1619948467.240793
NtAllocateVirtualMemory
process_identifier: 1036
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010d40
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619948467.240793
WriteProcessMemory
process_identifier: 1036
buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
process_handle: 0x00010d40
base_address: 0x00400000
success 1 0
1619948467.240793
WriteProcessMemory
process_identifier: 1036
buffer:
process_handle: 0x00010d40
base_address: 0x00401000
success 1 0
1619948467.240793
WriteProcessMemory
process_identifier: 1036
buffer:
process_handle: 0x00010d40
base_address: 0x00415000
success 1 0
1619948467.240793
WriteProcessMemory
process_identifier: 1036
buffer: ™TÍ<¨‡K¢`ˆˆÝ;U
process_handle: 0x00010d40
base_address: 0x0041a000
success 1 0
1619948467.240793
WriteProcessMemory
process_identifier: 1036
buffer:
process_handle: 0x00010d40
base_address: 0x004a0000
success 1 0
1619948467.240793
WriteProcessMemory
process_identifier: 1036
buffer: @
process_handle: 0x00010d40
base_address: 0x7efde008
success 1 0
1619948467.240793
NtSetContextThread
thread_handle: 0x00010d3c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1036
success 0 0
1619948467.553793
NtResumeThread
thread_handle: 0x00010d3c
suspend_count: 1
process_identifier: 1036
success 0 0
1619981161.664375
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 1036
success 0 0
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34278276
FireEye Generic.mg.d7b70938804e6bf8
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
Qihoo-360 Generic/HEUR/QVM03.0.FEB2.Malware.Gen
McAfee Fareit-FXU!D7B70938804E
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 0056bdaa1 )
BitDefender Trojan.GenericKD.34278276
K7GW Trojan ( 0056bdaa1 )
Cybereason malicious.11b1f6
Arcabit Trojan.Generic.D20B0B84
BitDefenderTheta Gen:NN.ZemsilCO.34634.Im0@aOfvo9b
Cyren W32/MSIL_Troj.YB.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.MSIL.Crypt.gen
Alibaba Trojan:MSIL/AgentTesla.b4aab0c1
NANO-Antivirus Trojan.Win32.Crypt.hqezzy
ViRobot Trojan.Win32.S.Agent.558080.Q
Tencent Msil.Trojan.Crypt.Wtdn
Ad-Aware Trojan.GenericKD.34278276
Emsisoft Trojan.GenericKD.34278276 (B)
Comodo Malware@#2qyc8onbyqcgd
F-Secure Trojan.TR/Kryptik.mdsdm
DrWeb Trojan.PackedNET.402
TrendMicro TrojanSpy.MSIL.LIMITAIL.SMK1.hp
McAfee-GW-Edition BehavesLike.Win32.Generic.hc
Sophos Mal/Generic-R + Troj/Fareit-KZW
Ikarus Trojan-Spy.MassLogger
Jiangmin Trojan.MSIL.rmwb
Webroot W32.Trojan.Gen
Avira TR/Kryptik.mdsdm
Antiy-AVL Trojan[PSW]/Win32.Fareit
Gridinsoft Trojan.Win32.Kryptik.oa
Microsoft Trojan:MSIL/AgentTesla.J!MTB
ZoneAlarm HEUR:Trojan.MSIL.Crypt.gen
GData Win32.Trojan-Stealer.LokiBot.LWBU65
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Infostealer.R346706
ALYac Trojan.GenericKD.34278276
MAX malware (ai score=88)
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.MalPack
Panda Trj/WLT.F
Zoner Trojan.Win32.94684
ESET-NOD32 Win32/PSW.Fareit.L
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-03 09:26:24

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62192 239.255.255.250 3702
192.168.56.101 65005 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.