5.8
高危
61 个模型检测该样本为恶意!
重新分析
更多

396ce7128d66f4693a84c9a7433d5154d3f356e03e61e71a0492177d108c3a95

dba551ec4fbb437729d1d97ea4399bb6.exe

分析耗时

95s

最近分析

文件大小

101.5KB
静态报毒 动态报毒 ++8LN4UW0KE 100% A + MAL AGENTB AI SCORE=83 ANTIAV AVECMA AVECML AVEMARIA CLASSIC CLIPBANKER CONFIDENCE DEEPSCAN EMOGEN FAMVT FCNI GENASA GENCIRC GENETIC GHJPT HIGH CONFIDENCE HLKNTW IGENERIC INDT INVADER JIAD MALICIOUS PE MARIA MOCRT R263895 REDCAP REMCOS SCORE SGENERIC SLLG STATIC AI TRNC UNSAFE VA@81MMKI WARZONERAT 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee WarzoneRAT-FCNI!DBA551EC4FBB 20201211 6.0.6.653
Alibaba Trojan:Win32/Agentb.7104f958 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Malware-gen 20201210 21.1.5827.0
Tencent Malware.Win32.Gencirc.10b9d15e 20201211 1.0.0.1
Kingsoft 20201211 2017.9.26.565
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619948411.868148
GlobalMemoryStatusEx
success 1 0
The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)
resource name WM_DSP
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619948413.837148
__exception__
stacktrace: 
dba551ec4fbb437729d1d97ea4399bb6+0x3453 @ 0x213453
dba551ec4fbb437729d1d97ea4399bb6+0xf4ef @ 0x21f4ef
dba551ec4fbb437729d1d97ea4399bb6+0x11599 @ 0x221599
dba551ec4fbb437729d1d97ea4399bb6+0x58e9 @ 0x2158e9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 5960720
registers.edi: 5960832
registers.eax: 5960744
registers.ebp: 5960760
registers.edx: 35651584
registers.ebx: 0
registers.esi: 5960968
registers.ecx: 0
exception.instruction_r: 0f b7 01 66 89 02 41 41 42 42 66 85 c0 75 f1 c7
exception.symbol: lstrcpyW+0x16 IsBadStringPtrA-0x5b kernel32+0x33118
exception.instruction: movzx eax, word ptr [ecx]
exception.module: kernel32.dll
exception.exception_code: 0xc0000005
exception.offset: 209176
exception.address: 0x76373118
success 0 0
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (1 个事件)
Time & API Arguments Status Return Repeated
1619960831.597521
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00000000040a0000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Foreign language identified in PE resource (1 个事件)
name WM_DSP language LANG_ENGLISH offset 0x0014c070 filetype PE32 executable (GUI) Intel 80386, for MS Windows sublanguage SUBLANG_ARABIC_QATAR size 0x00002c00
网络通信
Communicates with host for which no DNS query was performed (2 个事件)
host 172.217.24.14
host 185.140.53.41
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\:Zone.Identifier
File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 个事件)
Bkav W32.FamVT.AvecML.Trojan
Elastic malicious (high confidence)
MicroWorld-eScan DeepScan:Generic.Malware.SLlg.142B6B73
FireEye Generic.mg.dba551ec4fbb4377
CAT-QuickHeal Trojan.IGENERIC
McAfee WarzoneRAT-FCNI!DBA551EC4FBB
Cylance Unsafe
Zillya Trojan.Agent.Win32.1306496
Sangfor Malware
K7AntiVirus Trojan ( 0019d9b81 )
Alibaba Trojan:Win32/Agentb.7104f958
K7GW Trojan ( 0019d9b81 )
Cybereason malicious.c4fbb4
Arcabit DeepScan:Generic.Malware.SLlg.142B6B73
Cyren W32/Antiav.INDT-0919
Symantec Backdoor.Avecma
APEX Malicious
Avast Win32:Malware-gen
ClamAV Win.Malware.AveMaria-8799014-1
Kaspersky Trojan.Win32.Agentb.jiad
BitDefender DeepScan:Generic.Malware.SLlg.142B6B73
NANO-Antivirus Trojan.Win32.Invader.hlkntw
Paloalto generic.ml
AegisLab Trojan.Win32.Agentb.trnC
Tencent Malware.Win32.Gencirc.10b9d15e
Ad-Aware DeepScan:Generic.Malware.SLlg.142B6B73
TACHYON Trojan-Dropper/W32.ClipBanker.103936
Sophos ML/PE-A + Mal/Emogen-Y
Comodo TrojWare.Win32.AntiAV.VA@81mmki
F-Secure Trojan.TR/Redcap.ghjpt
DrWeb Trojan.PWS.Maria.3
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.MOCRT.SM
McAfee-GW-Edition BehavesLike.Win32.Dropper.ch
Emsisoft DeepScan:Generic.Malware.SLlg.142B6B73 (B)
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.Agentb.eab
Avira TR/Redcap.ghjpt
Antiy-AVL Trojan/Win32.SGeneric
Gridinsoft Trojan.Win32.Agent.vb!s1
Microsoft Backdoor:Win32/Remcos!MTB
ZoneAlarm Trojan.Win32.Agentb.jiad
GData Win32.Backdoor.AveMaria.A
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.AveMaria.R263895
BitDefenderTheta AI:Packer.62FE91571F
ALYac DeepScan:Generic.Malware.SLlg.142B6B73
MAX malware (ai score=83)
VBA32 Trojan.Agentb
Malwarebytes Backdoor.AveMaria
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (12 个事件)
dead_host 192.168.56.101:49181
dead_host 192.168.56.101:49180
dead_host 192.168.56.101:49189
dead_host 192.168.56.101:49191
dead_host 192.168.56.101:49186
dead_host 192.168.56.101:49175
dead_host 192.168.56.101:49177
dead_host 192.168.56.101:49176
dead_host 185.140.53.41:2104
dead_host 192.168.56.101:49185
dead_host 192.168.56.101:49182
dead_host 192.168.56.101:49195
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-03-11 20:14:59

Imports

Library KERNEL32.dll:
0x412088 TerminateThread
0x41208c CreateThread
0x412090 WriteFile
0x412094 CreateFileW
0x412098 LoadLibraryW
0x41209c GetLocalTime
0x4120a0 GetCurrentThreadId
0x4120a4 GetCurrentProcessId
0x4120a8 ReadFile
0x4120ac FindFirstFileA
0x4120b0 GetBinaryTypeW
0x4120b4 FindNextFileA
0x4120b8 GetFullPathNameA
0x4120bc GetTempPathW
0x4120c4 CreateFileA
0x4120c8 GlobalAlloc
0x4120d4 LocalFree
0x4120d8 GetFileSize
0x4120dc FreeLibrary
0x4120e0 SetDllDirectoryW
0x4120e4 WaitForSingleObject
0x4120e8 GetCurrentProcess
0x4120f0 CreatePipe
0x4120f4 PeekNamedPipe
0x4120f8 DuplicateHandle
0x4120fc SetEvent
0x412100 CreateProcessW
0x412104 CreateEventA
0x412108 GetModuleFileNameW
0x41210c LoadResource
0x412110 FindResourceW
0x412114 HeapFree
0x41211c LoadLibraryExW
0x412120 FindFirstFileW
0x412124 FindNextFileW
0x412128 SetFilePointer
0x412130 VirtualQuery
0x412134 CopyFileW
0x412138 GetDriveTypeW
0x41214c CreateMutexA
0x412150 ReleaseMutex
0x412154 TerminateProcess
0x412158 OpenProcess
0x412160 Process32NextW
0x412164 Process32FirstW
0x412168 CreateProcessA
0x41216c SizeofResource
0x412170 VirtualProtect
0x412174 GetSystemDirectoryW
0x412178 LockResource
0x412180 GetStartupInfoA
0x412184 Process32First
0x412188 WriteProcessMemory
0x41218c Process32Next
0x412194 VirtualProtectEx
0x412198 VirtualAllocEx
0x41219c CreateRemoteThread
0x4121a0 WinExec
0x4121a4 GetTempPathA
0x4121a8 GetCommandLineA
0x4121ac GetModuleHandleA
0x4121b0 ExitProcess
0x4121b4 GetProcAddress
0x4121b8 LoadLibraryA
0x4121bc GetProcessHeap
0x4121c0 HeapAlloc
0x4121c4 lstrcmpW
0x4121c8 GetTickCount
0x4121cc lstrcpyW
0x4121d0 WideCharToMultiByte
0x4121d4 HeapReAlloc
0x4121d8 VirtualAlloc
0x4121dc DeleteFileW
0x4121e0 lstrcpyA
0x4121e4 Sleep
0x4121e8 MultiByteToWideChar
0x4121ec lstrcatA
0x4121f0 lstrcmpA
0x4121f4 lstrlenA
0x4121fc lstrlenW
0x412200 CloseHandle
0x412204 lstrcatW
0x412208 VirtualFree
0x41220c GetLastError
0x412210 SetLastError
0x412214 GetModuleFileNameA
0x412218 CreateDirectoryW
0x41221c GetComputerNameW
0x412220 IsWow64Process
Library USER32.dll:
0x412284 MessageBoxA
0x412288 GetKeyState
0x41228c GetMessageA
0x412290 DispatchMessageA
0x412294 CreateWindowExW
0x412298 CallNextHookEx
0x41229c wsprintfW
0x4122a0 wsprintfA
0x4122a4 GetWindowTextW
0x4122a8 GetAsyncKeyState
0x4122ac RegisterClassW
0x4122b0 GetRawInputData
0x4122b4 GetKeyNameTextW
0x4122b8 DefWindowProcA
0x4122c0 TranslateMessage
0x4122c4 ToUnicode
0x4122c8 GetForegroundWindow
0x4122cc PostQuitMessage
0x4122d0 GetLastInputInfo
0x4122d4 MapVirtualKeyA
Library ADVAPI32.dll:
0x412004 RegDeleteKeyA
0x41200c RegEnumKeyExW
0x412010 RegOpenKeyExA
0x412014 RegOpenKeyExW
0x412018 RegQueryValueExW
0x41201c RegQueryInfoKeyW
0x412020 RegCloseKey
0x412024 OpenServiceW
0x41202c QueryServiceConfigW
0x412034 StartServiceW
0x412038 RegSetValueExW
0x41203c RegCreateKeyExA
0x412040 OpenSCManagerW
0x412044 CloseServiceHandle
0x412048 GetTokenInformation
0x41204c LookupAccountSidW
0x412050 FreeSid
0x412054 OpenProcessToken
0x412064 RegDeleteValueW
0x412068 RegSetValueExA
0x41206c RegCreateKeyExW
0x412070 RegDeleteKeyW
0x412074 RegQueryValueExA
Library SHELL32.dll:
0x412244 ShellExecuteW
0x412248 ShellExecuteExA
0x41224c ShellExecuteExW
0x412250
0x41225c SHGetFolderPathW
Library urlmon.dll:
0x412334 URLDownloadToFileW
Library WS2_32.dll:
0x4122dc send
0x4122e0 WSAStartup
0x4122e4 shutdown
0x4122e8 closesocket
0x4122ec WSACleanup
0x4122f0 InetNtopW
0x4122f4 gethostbyname
0x4122f8 inet_addr
0x4122fc getaddrinfo
0x412300 setsockopt
0x412304 freeaddrinfo
0x412308 htons
0x41230c recv
0x412310 connect
0x412314 socket
Library ole32.dll:
0x412320 CoUninitialize
0x412324 CoCreateInstance
0x412328 CoTaskMemFree
0x41232c CoInitialize
Library SHLWAPI.dll:
0x412264 StrStrA
0x412268 StrStrW
0x41226c PathFindExtensionW
0x412270 PathCombineA
0x412274 PathFindFileNameW
0x412278 PathFileExistsW
0x41227c PathRemoveFileSpecA
Library NETAPI32.dll:
0x412228 NetUserAdd
Library OLEAUT32.dll:
0x412234 VariantInit
Library CRYPT32.dll:
0x412080 CryptUnprotectData
Library PSAPI.DLL:

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.