4.2
中危
55 个模型检测该样本为恶意!
重新分析
更多

955ba81a4e94b54bb77612904e733b791ccd6e473f964e160a6f357cfbd0be3b

d9f5e0e253f40bb6d931acd1ceadf63a.exe

分析耗时

76s

最近分析

文件大小

330.3KB
静态报毒 动态报毒 100% AI SCORE=88 AIDETECTVM ATTRIBUTE BSCOPE CLASSIC CONFIDENCE DECZK ELDORADO EMOTET GENCIRC GENERICKDZ GENETIC GENOME HIGH CONFIDENCE HIGHCONFIDENCE HQSCAZ HYNAMER LOADER MALICIOUS PE MALWARE1 QVM41 R + TROJ R346971 SCORE SUSGEN TNUPR@0 TRICK TRICKBO TRICKBOT UNSAFE UQX@AMXCLHCI USXVPH620 ZENPAK ZEXAF ZUSY 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/Trickbot.7171960c 20190527 0.3.0.5
Avast Win32:Malware-gen 20200910 18.4.3895.0
Baidu 20190318 1.0.0.2
Kingsoft 20200910 2013.8.14.323
McAfee Emotet-FSA!D9F5E0E253F4 20200910 6.0.6.653
Tencent Malware.Win32.Gencirc.10cde60e 20200910 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619959226.184875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
This executable has a PDB path (1 个事件)
pdb_path C:\Users\User\Desktop\Windows-classic-samples-master\Windows-classic-samples-master\Samples\Security\SecretAgreementWithPersistedKeys\cpp\Release\SecretAgreementWithPersistedKeys.pdb
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (9 个事件)
Time & API Arguments Status Return Repeated
1619948415.373479
NtAllocateVirtualMemory
process_identifier: 2064
region_size: 212992
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00580000
success 0 0
1619948415.467479
NtAllocateVirtualMemory
process_identifier: 2064
region_size: 204800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00720000
success 0 0
1619948415.467479
NtProtectVirtualMemory
process_identifier: 2064
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 204800
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00761000
success 0 0
1619948428.717479
NtAllocateVirtualMemory
process_identifier: 2064
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007c0000
success 0 0
1619948428.717479
NtAllocateVirtualMemory
process_identifier: 2064
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x10000000
success 0 0
1619948428.717479
NtAllocateVirtualMemory
process_identifier: 2064
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x10001000
success 0 0
1619948428.779479
NtAllocateVirtualMemory
process_identifier: 2064
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007d0000
success 0 0
1619948428.779479
NtAllocateVirtualMemory
process_identifier: 2064
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007e0000
success 0 0
1619948428.779479
NtAllocateVirtualMemory
process_identifier: 2064
region_size: 147456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007f0000
success 0 0
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 个事件)
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.666678938622542 section {'size_of_data': '0x0004fa00', 'virtual_address': '0x00005000', 'entropy': 7.666678938622542, 'name': '.rsrc', 'virtual_size': '0x0004f8b0'} description A section with a high entropy has been found
entropy 0.9680851063829787 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 个事件)
Time & API Arguments Status Return Repeated
1619959211.731875
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619959215.215875
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619959220.418875
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
DrWeb Trojan.Trick.46562
MicroWorld-eScan Gen:Variant.Zusy.310686
ALYac Gen:Variant.Zusy.310686
Cylance Unsafe
Zillya Trojan.Emotet.Win32.23344
Sangfor Malware
K7AntiVirus Trojan ( 00561b741 )
Alibaba Trojan:Win32/Trickbot.7171960c
K7GW Trojan ( 00561b741 )
Cybereason malicious.0c6ee7
Arcabit Trojan.Zusy.D4BD9E
TrendMicro TrojanSpy.Win32.TRICKBOT.USXVPH620
BitDefenderTheta Gen:NN.ZexaF.34216.uqX@amxCLHci
Cyren W32/Hynamer.A.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 Win32/TrickBot.CR
APEX Malicious
Kaspersky HEUR:Trojan.Win32.Zenpak.pef
BitDefender Gen:Variant.Zusy.310686
NANO-Antivirus Trojan.Win32.Trick.hqscaz
ViRobot Trojan.Win32.Z.Zusy.338197
Avast Win32:Malware-gen
Rising Trojan.TrickBot!1.CA23 (CLASSIC)
Ad-Aware Gen:Variant.Zusy.310686
Comodo TrojWare.Win32.Genome.tnupr@0
F-Secure Trojan.TR/AD.TrickBot.deczk
VIPRE Trojan.Win32.Generic!BT
Invincea Mal/Generic-R + Troj/Trickbo-YF
FireEye Generic.mg.d9f5e0e253f40bb6
Sophos Troj/Trickbo-YF
SentinelOne DFI - Malicious PE
Jiangmin Trojan.Banker.Emotet.oan
Avira TR/AD.TrickBot.deczk
MAX malware (ai score=88)
Antiy-AVL Trojan/Win32.TrickBot
Microsoft Trojan:Win32/Trickbot.VC!MTB
AegisLab Trojan.Win32.Zusy.4!c
ZoneAlarm HEUR:Trojan.Win32.Zenpak.pef
GData Gen:Variant.Zusy.310686
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Trickbot.R346971
McAfee Emotet-FSA!D9F5E0E253F4
VBA32 BScope.Backdoor.Emotet
Malwarebytes Trojan.Loader
TrendMicro-HouseCall TrojanSpy.Win32.TRICKBOT.USXVPH620
Tencent Malware.Win32.Gencirc.10cde60e
Ikarus Trojan.Win32.Trickbot
MaxSecure Trojan.Malware.73872809.susgen
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-04 21:40:55

Imports

Library ncrypt.dll:
0x403114 NCryptOpenKey
0x403118 NCryptDeleteKey
0x403120 NCryptSetProperty
0x403124 NCryptFinalizeKey
0x403128 NCryptExportKey
0x403138 BCryptExportKey
0x40313c NCryptImportKey
0x403144 NCryptDeriveKey
0x403148 BCryptImportKeyPair
0x403150 BCryptDeriveKey
0x403154 NCryptFreeObject
0x403158 BCryptDestroyKey
0x403160 BCryptDestroySecret
Library KERNEL32.dll:
0x403008 GetCurrentThreadId
0x40300c GetTickCount
0x403014 IsDebuggerPresent
0x40301c GetCurrentProcessId
0x403020 GetCurrentProcess
0x403024 TerminateProcess
0x40302c Sleep
0x403030 InterlockedExchange
0x40303c ExitProcess
0x403040 FreeConsole
0x403044 GetProcessHeap
0x403048 HeapAlloc
0x40304c HeapFree
0x403050 LoadLibraryExA
Library ADVAPI32.dll:
Library MSVCP90.dll:
Library MSVCR90.dll:
0x403088 _unlock
0x40308c __dllonexit
0x403090 _lock
0x403094 _onexit
0x403098 _decode_pointer
0x4030a0 _invoke_watson
0x4030a4 _controlfp_s
0x4030a8 ?terminate@@YAXXZ
0x4030ac wprintf
0x4030b0 _time64
0x4030b4 __CxxFrameHandler3
0x4030b8 atoi
0x4030bc rand
0x4030c0 srand
0x4030c4 memcpy
0x4030c8 _amsg_exit
0x4030cc __wgetmainargs
0x4030d0 _cexit
0x4030d4 _exit
0x4030d8 _XcptFilter
0x4030dc exit
0x4030e0 __winitenv
0x4030e4 _initterm
0x4030e8 _initterm_e
0x4030ec _configthreadlocale
0x4030f0 __setusermatherr
0x4030f4 _adjust_fdiv
0x4030f8 __p__commode
0x4030fc __p__fmode
0x403100 _encode_pointer
0x403104 __set_app_type
0x403108 _crt_debugger_hook

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62192 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.