5.2
中危
46 个模型检测该样本为恶意!
重新分析
更多

948e6e5867d676b1c1a3844a8e012d6169dab72638ecc6d199f416663f04c4bc

d9cc4184dc9d1f6353943105749785b5.exe

分析耗时

97s

最近分析

文件大小

337.1KB
静态报毒 动态报毒 AI SCORE=83 ARTEMIS CONFIDENCE ENEQ FDUJ FORMBOOK GENERICKD HIGH CONFIDENCE INJUKE MALWARE@#36A3XPY3KFD4C OBFUSRANSOM PWSTEAL QVM42 R03BC0DI520 SCORE SIGGEN10 UNSAFE WACATAC YTSOH 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/Pwsteal.2ea45567 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_60% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20201002 18.4.3895.0
Kingsoft 20201002 2013.8.14.323
McAfee Artemis!D9CC4184DC9D 20201002 6.0.6.653
静态指标
Checks if process is being debugged by a debugger (1 个事件)
Time & API Arguments Status Return Repeated
1619983333.099249
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619983327.286876
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)
section .ndata
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619983333.286249
__exception__
stacktrace: 
LdrGetProcedureAddressEx+0x11f wcsstr-0x99d ntdll+0x302ea @ 0x77d602ea
LdrGetProcedureAddress+0x18 LdrGetProcedureAddressEx-0x9 ntdll+0x301c2 @ 0x77d601c2
New_ntdll_LdrGetProcedureAddress@16+0x59 New_ntdll_LdrLoadDll@16-0xfb @ 0x745fd359
GetProcAddress+0x44 GetVersion-0x38 kernelbase+0x111c4 @ 0x778f11c4
SE_ProcessDying+0xce ApphelpCheckExe-0x5d02 apphelp+0x1008b @ 0x745a008b
SE_ProcessDying+0x64 ApphelpCheckExe-0x5d6c apphelp+0x10021 @ 0x745a0021
hook+0x173 hook_get_mem-0x33a @ 0x745e4e8e
monitor_hook+0x5d monitor_unhook-0x1c @ 0x745e162d
hook_library+0x1a unhook_library-0x3 @ 0x745ec6b9
New_ntdll_LdrLoadDll@16+0x112 New_ntdll_LdrUnloadDll@4-0x20 @ 0x745fd566
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
LoadLibraryExA+0x26 FreeLibrary-0x18 kernelbase+0x11d7a @ 0x778f1d7a
LoadLibraryA+0x31 HeapCreate-0x25 kernel32+0x14a08 @ 0x76354a08
winhttp+0x2484 @ 0x75252484

registers.esp: 1960812
registers.edi: 1033164613
registers.eax: 0
registers.ebp: 1960936
registers.edx: 2001928192
registers.ebx: 1036180037
registers.esi: 2001933840
registers.ecx: 1961034
exception.instruction_r: 8b 0c 87 03 ca 8b 55 e0 89 55 0c 8b 55 0c 8a 12
exception.symbol: LdrGetDllHandleEx+0x3c2 LdrGetProcedureAddress-0xd0 ntdll+0x300da
exception.instruction: mov ecx, dword ptr [edi + eax*4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 196826
exception.address: 0x77d600da
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (13 个事件)
Time & API Arguments Status Return Repeated
1619983333.083249
NtProtectVirtualMemory
process_identifier: 796
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x10008000
success 0 0
1619983333.083249
NtProtectVirtualMemory
process_identifier: 796
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77531000
success 0 0
1619983333.099249
NtProtectVirtualMemory
process_identifier: 796
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75380000
success 0 0
1619983333.146249
NtProtectVirtualMemory
process_identifier: 796
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74571000
success 0 0
1619983333.161249
NtAllocateVirtualMemory
process_identifier: 796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00300000
success 0 0
1619983333.161249
NtAllocateVirtualMemory
process_identifier: 796
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00320000
success 0 0
1619983333.161249
NtProtectVirtualMemory
process_identifier: 796
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77531000
success 0 0
1619983333.161249
NtProtectVirtualMemory
process_identifier: 796
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75251000
success 0 0
1619983333.161249
NtProtectVirtualMemory
process_identifier: 796
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75101000
success 0 0
1619983333.161249
NtProtectVirtualMemory
process_identifier: 796
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75250000
success 0 0
1619983333.224249
NtProtectVirtualMemory
process_identifier: 796
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76121000
success 0 0
1619983333.271249
NtAllocateVirtualMemory
process_identifier: 796
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00350000
success 0 0
1619983333.271249
NtAllocateVirtualMemory
process_identifier: 796
region_size: 147456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00360000
success 0 0
Creates executable files on the filesystem (17 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\DobbyTropicbird.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\scheduling\bb-hist\controlpanel\autoexp.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\scheduling\bb-hist\controlpanel\u25dts.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\coupons\06\index_2\CMAccept.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\coupons\06\index_2\VsWebSiteInterop.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\scheduling\bb-hist\controlpanel\MicrosoftVisualBasicVsa.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\scheduling\bb-hist\controlpanel\u2lsamp1.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\scheduling\bb-hist\controlpanel\msenv2p.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\scheduling\bb-hist\controlpanel\undname.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\scheduling\bb-hist\controlpanel\contextp.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\scheduling\bb-hist\controlpanel\1.COMServerPS.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\coupons\06\index_2\ildasm.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\coupons\06\index_2\bscmakeui.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\notifications\myblog\servlet\msenvmnu.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\coupons\06\index_2\41.opends60.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\notifications\myblog\servlet\74.opends60.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\coupons\06\index_2\cmtnptTcpAcceptNA.dll
Drops an executable to the user AppData folder (11 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\scheduling\bb-hist\controlpanel\MicrosoftVisualBasicVsa.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\scheduling\bb-hist\controlpanel\contextp.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\notifications\myblog\servlet\msenvmnu.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\scheduling\bb-hist\controlpanel\autoexp.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\scheduling\bb-hist\controlpanel\msenv2p.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\scheduling\bb-hist\controlpanel\u2lsamp1.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\coupons\06\index_2\VsWebSiteInterop.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\coupons\06\index_2\cmtnptTcpAcceptNA.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\scheduling\bb-hist\controlpanel\u25dts.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\coupons\06\index_2\CMAccept.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\DobbyTropicbird.dll
网络通信
Communicates with host for which no DNS query was performed (2 个事件)
host 172.217.24.14
host 23.204.249.53
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 172.217.24.14:443
File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43776517
FireEye Generic.mg.d9cc4184dc9d1f63
CAT-QuickHeal Trojan.Injuke
ALYac Trojan.GenericKD.43776517
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
K7AntiVirus Trojan ( 0056dacd1 )
Alibaba Trojan:Win32/Pwsteal.2ea45567
K7GW Trojan ( 0056dacd1 )
CrowdStrike win/malicious_confidence_60% (W)
Arcabit Trojan.Generic.D29BFA05
Invincea Mal/Generic-S
Cyren W32/Trojan.FDUJ-8515
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Injuke.gen
BitDefender Trojan.GenericKD.43776517
AegisLab Trojan.Win32.Injuke.4!c
Avast Win32:Trojan-gen
Ad-Aware Trojan.GenericKD.43776517
Sophos Mal/Generic-S
Comodo Malware@#36a3xpy3kfd4c
F-Secure Trojan.TR/Injector.ytsoh
DrWeb Trojan.Siggen10.11484
Zillya Trojan.Injuke.Win32.1298
TrendMicro TROJ_GEN.R03BC0DI520
McAfee-GW-Edition BehavesLike.Win32.ObfusRansom.fc
Emsisoft Trojan.GenericKD.43776517 (B)
Ikarus Trojan-Spy.FormBook
Webroot W32.Trojan.Gen
Avira TR/Injector.ytsoh
Microsoft Trojan:Win32/Pwsteal.Q!bit
ZoneAlarm HEUR:Trojan.Win32.Injuke.gen
GData Trojan.GenericKD.43776517
Cynet Malicious (score: 85)
McAfee Artemis!D9CC4184DC9D
MAX malware (ai score=83)
VBA32 Trojan.Wacatac
Malwarebytes Trojan.MalPack.MSIL
Zoner Trojan.Win32.93202
ESET-NOD32 Win32/Injector.ENEQ
TrendMicro-HouseCall TROJ_GEN.R03BC0DI520
AVG Win32:Trojan-gen
Cybereason malicious.3af4f2
Qihoo-360 Generic/HEUR/QVM42.3.AF1F.Malware.Gen
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2019-12-16 08:51:03

Imports

Library KERNEL32.dll:
0x408074 CreateFileA
0x408078 GetFileSize
0x40807c GetModuleFileNameA
0x408080 ReadFile
0x408084 GetCurrentProcess
0x408088 CopyFileA
0x40808c Sleep
0x408090 GetTickCount
0x408098 GetTempPathA
0x40809c GetCommandLineA
0x4080a0 lstrlenA
0x4080a4 GetVersion
0x4080a8 SetErrorMode
0x4080ac lstrcpynA
0x4080b0 ExitProcess
0x4080b4 SetFileAttributesA
0x4080b8 GlobalLock
0x4080bc CreateThread
0x4080c0 GetLastError
0x4080c4 CreateDirectoryA
0x4080c8 CreateProcessA
0x4080cc RemoveDirectoryA
0x4080d0 GetTempFileNameA
0x4080d4 WriteFile
0x4080d8 lstrcpyA
0x4080dc MoveFileExA
0x4080e0 lstrcatA
0x4080e4 GetSystemDirectoryA
0x4080e8 GetProcAddress
0x4080ec GetExitCodeProcess
0x4080f0 WaitForSingleObject
0x4080f4 CompareFileTime
0x4080f8 SetFileTime
0x4080fc GetFileAttributesA
0x408104 MoveFileA
0x408108 GetFullPathNameA
0x40810c GetShortPathNameA
0x408110 SearchPathA
0x408114 CloseHandle
0x408118 lstrcmpiA
0x40811c GlobalUnlock
0x408120 GetDiskFreeSpaceA
0x408124 lstrcmpA
0x408128 DeleteFileA
0x40812c FindFirstFileA
0x408130 FindNextFileA
0x408134 FindClose
0x408138 SetFilePointer
0x408144 MulDiv
0x408148 MultiByteToWideChar
0x40814c FreeLibrary
0x408150 LoadLibraryExA
0x408154 GetModuleHandleA
0x408158 GlobalAlloc
0x40815c GlobalFree
Library USER32.dll:
0x408184 GetSystemMenu
0x408188 SetClassLongA
0x40818c EnableMenuItem
0x408190 IsWindowEnabled
0x408194 SetWindowPos
0x408198 GetSysColor
0x40819c GetWindowLongA
0x4081a0 SetCursor
0x4081a4 LoadCursorA
0x4081a8 CheckDlgButton
0x4081ac GetMessagePos
0x4081b0 CallWindowProcA
0x4081b4 IsWindowVisible
0x4081b8 CloseClipboard
0x4081bc SetClipboardData
0x4081c0 EmptyClipboard
0x4081c4 OpenClipboard
0x4081c8 ScreenToClient
0x4081cc GetWindowRect
0x4081d0 GetDlgItem
0x4081d4 GetSystemMetrics
0x4081d8 SetDlgItemTextA
0x4081dc GetDlgItemTextA
0x4081e0 MessageBoxIndirectA
0x4081e4 CharPrevA
0x4081e8 DispatchMessageA
0x4081ec PeekMessageA
0x4081f0 GetDC
0x4081f4 ReleaseDC
0x4081f8 EnableWindow
0x4081fc InvalidateRect
0x408200 SendMessageA
0x408204 DefWindowProcA
0x408208 BeginPaint
0x40820c GetClientRect
0x408210 FillRect
0x408214 EndDialog
0x408218 RegisterClassA
0x408220 CreateWindowExA
0x408224 GetClassInfoA
0x408228 DialogBoxParamA
0x40822c CharNextA
0x408230 ExitWindowsEx
0x408234 LoadImageA
0x408238 CreateDialogParamA
0x40823c SetTimer
0x408240 SetWindowTextA
0x408244 SetForegroundWindow
0x408248 ShowWindow
0x40824c SetWindowLongA
0x408250 SendMessageTimeoutA
0x408254 FindWindowExA
0x408258 IsWindow
0x40825c AppendMenuA
0x408260 TrackPopupMenu
0x408264 CreatePopupMenu
0x408268 DrawTextA
0x40826c EndPaint
0x408270 DestroyWindow
0x408274 wsprintfA
0x408278 PostQuitMessage
Library GDI32.dll:
0x40804c SelectObject
0x408050 SetTextColor
0x408054 SetBkMode
0x408058 CreateFontIndirectA
0x40805c CreateBrushIndirect
0x408060 DeleteObject
0x408064 GetDeviceCaps
0x408068 SetBkColor
Library SHELL32.dll:
0x40816c ShellExecuteExA
0x408174 SHBrowseForFolderA
0x408178 SHGetFileInfoA
0x40817c SHFileOperationA
Library ADVAPI32.dll:
0x408004 RegCreateKeyExA
0x408008 RegOpenKeyExA
0x40800c SetFileSecurityA
0x408010 OpenProcessToken
0x408018 RegEnumValueA
0x40801c RegDeleteKeyA
0x408020 RegDeleteValueA
0x408024 RegCloseKey
0x408028 RegSetValueExA
0x40802c RegQueryValueExA
0x408030 RegEnumKeyA
Library COMCTL32.dll:
0x408038 ImageList_Create
0x40803c ImageList_AddMasked
0x408040
0x408044 ImageList_Destroy
Library ole32.dll:
0x408280 OleUninitialize
0x408284 OleInitialize
0x408288 CoTaskMemFree
0x40828c CoCreateInstance

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
23.204.249.53 443 192.168.56.101 49173

UDP

Source Source Port Destination Destination Port
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 53945 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.