10.8
0-day
57 个模型检测该样本为恶意!
重新分析
更多

39e500bf794a3245be4db60416ce78a510838680c806b5533d95feeb53b2c5a1

dcd8cc8a2c1ab08cfa3d43c4b653b348.exe

分析耗时

75s

最近分析

文件大小

496.0KB
静态报毒 动态报毒 100% ABLA AGENSLA AGENTTESLA AI SCORE=87 AUTO AVSARHER BTJEKX CONFIDENCE DYSGXG ELDORADO FAREIT FUERY GENERICKD GENERICRXKO HIGH CONFIDENCE HMZWXS KCLOUD KRYPTIK KTSE MALWARE@#106DM6IBDNC5Y NEGASTEAL PLYAP PSWTROJ PWSX R336658 S + MAL SCORE SIGGEN2 SUSGEN TGSBZI TSCOPE UNSAFE YAKBEEXMSIL 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee GenericRXKO-YR!DCD8CC8A2C1A 20201120 6.0.6.653
Alibaba TrojanSpy:MSIL/AgentTesla.09df7123 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:PWSX-gen [Trj] 20201124 20.10.5736.0
Tencent Win32.Trojan.Inject.Auto 20201124 1.0.0.1
Kingsoft Win32.PSWTroj.Undef.(kcloud) 20201124 2017.9.26.565
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Queries for the computername (4 个事件)
Time & API Arguments Status Return Repeated
1619978556.540625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619978558.305625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619978559.930625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619978560.102625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (2 个事件)
Time & API Arguments Status Return Repeated
1619948419.097234
IsDebuggerPresent
failed 0 0
1619978542.461625
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619948421.769234
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (2 个事件)
Time & API Arguments Status Return Repeated
1619978559.868625
__exception__
stacktrace: 
0x45bf92e
0x45bec88
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2747248
registers.edi: 39316680
registers.eax: 0
registers.ebp: 2747292
registers.edx: 158
registers.ebx: 2747500
registers.esi: 2126294359
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 dc 69 c6 20 53 1a 23 35 cd
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x45bfd8f
success 0 0
1619978594.180625
__exception__
stacktrace: 
0x4cb2997
0x45bf2f7
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2746020
registers.edi: 40958636
registers.eax: 40961276
registers.ebp: 2746080
registers.edx: 40961276
registers.ebx: 0
registers.esi: 0
registers.ecx: 1911774966
exception.instruction_r: 39 06 68 ff ff ff 7f 6a 00 8b ce e8 e9 3a c4 6c
exception.instruction: cmp dword ptr [esi], eax
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x54c0687
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 137 个事件)
Time & API Arguments Status Return Repeated
1619948418.144234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00740000
success 0 0
1619948418.144234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a0000
success 0 0
1619948418.941234
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619948419.097234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004da000
success 0 0
1619948419.097234
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619948419.097234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004d2000
success 0 0
1619948419.269234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e2000
success 0 0
1619948419.331234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e3000
success 0 0
1619948419.331234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0051b000
success 0 0
1619948419.331234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00517000
success 0 0
1619948419.363234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ec000
success 0 0
1619948419.706234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e4000
success 0 0
1619948419.706234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e5000
success 0 0
1619948419.753234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e6000
success 0 0
1619948419.753234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007e0000
success 0 0
1619948419.831234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e7000
success 0 0
1619948419.863234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004fa000
success 0 0
1619948419.863234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004f7000
success 0 0
1619948419.863234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0050a000
success 0 0
1619948419.894234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004db000
success 0 0
1619948419.925234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e8000
success 0 0
1619948419.925234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e9000
success 0 0
1619948419.988234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007e1000
success 0 0
1619948420.238234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004f6000
success 0 0
1619948420.316234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008e0000
success 0 0
1619948420.363234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00502000
success 0 0
1619948420.410234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00515000
success 0 0
1619948420.535234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020c0000
success 0 0
1619948420.550234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x04da0000
success 0 0
1619948420.550234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04f00000
success 0 0
1619948420.550234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04f01000
success 0 0
1619948420.581234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04f02000
success 0 0
1619948420.581234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04f03000
success 0 0
1619948420.581234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04f04000
success 0 0
1619948420.613234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007e2000
success 0 0
1619948420.613234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04f05000
success 0 0
1619948420.613234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04f06000
success 0 0
1619948420.628234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007e3000
success 0 0
1619948420.628234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04f07000
success 0 0
1619948420.628234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04f0b000
success 0 0
1619948420.644234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04f1c000
success 0 0
1619948420.706234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ea000
success 0 0
1619948420.753234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007e4000
success 0 0
1619948420.816234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007e5000
success 0 0
1619948420.816234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020c1000
success 0 0
1619948420.816234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020c2000
success 0 0
1619948420.816234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007e7000
success 0 0
1619948420.863234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008e1000
success 0 0
1619948420.878234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007e9000
success 0 0
1619948420.956234
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020c3000
success 0 0
Steals private information from local Internet browsers (7 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.785373687118314 section {'size_of_data': '0x0007ac00', 'virtual_address': '0x00002000', 'entropy': 7.785373687118314, 'name': '.text', 'virtual_size': '0x0007aac8'} description A section with a high entropy has been found
entropy 0.9909182643794148 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619948422.019234
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619978543.118625
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (4 个事件)
Time & API Arguments Status Return Repeated
1619948422.316234
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 580
process_handle: 0x000002a8
failed 0 0
1619948422.316234
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 580
process_handle: 0x000002a8
success 0 0
1619978556.024625
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2764
process_handle: 0x00000220
failed 0 0
1619978556.024625
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2764
process_handle: 0x00000220
success 0 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (2 个事件)
Time & API Arguments Status Return Repeated
1619948421.988234
NtAllocateVirtualMemory
process_identifier: 580
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000024c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619948422.394234
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002ac
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description dcd8cc8a2c1ab08cfa3d43c4b653b348.exe tried to sleep 2728232 seconds, actually delayed analysis time by 2728232 seconds
Manipulates memory of a non-child process indicative of process injection (2 个事件)
Process injection Process 2764 manipulating memory of non-child process 580
Time & API Arguments Status Return Repeated
1619948421.988234
NtAllocateVirtualMemory
process_identifier: 580
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000024c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619948422.394234
WriteProcessMemory
process_identifier: 3060
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELñ»^à ”^³ À@ @… ³OÀèà  H.textd“ ” `.rsrcèÀ–@@.reloc àš@B
process_handle: 0x000002ac
base_address: 0x00400000
success 1 0
1619948422.410234
WriteProcessMemory
process_identifier: 3060
buffer: €0€HXÀŒŒ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ìStringFileInfoÈ000004b0,FileDescription 0FileVersion0.0.0.0\InternalNamedBjCoeLsqPbaIoXChlursSPc.exe(LegalCopyright dOriginalFilenamedBjCoeLsqPbaIoXChlursSPc.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x000002ac
base_address: 0x0044c000
success 1 0
1619948422.410234
WriteProcessMemory
process_identifier: 3060
buffer: ° `3
process_handle: 0x000002ac
base_address: 0x0044e000
success 1 0
1619948422.410234
WriteProcessMemory
process_identifier: 3060
buffer: @
process_handle: 0x000002ac
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619948422.394234
WriteProcessMemory
process_identifier: 3060
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELñ»^à ”^³ À@ @… ³OÀèà  H.textd“ ” `.rsrcèÀ–@@.reloc àš@B
process_handle: 0x000002ac
base_address: 0x00400000
success 1 0
Harvests credentials from local email clients (5 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2764 called NtSetContextThread to modify thread in remote process 3060
Time & API Arguments Status Return Repeated
1619948422.410234
NtSetContextThread
thread_handle: 0x000002a8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4502366
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3060
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2764 resumed a thread in remote process 3060
Time & API Arguments Status Return Repeated
1619948422.613234
NtResumeThread
thread_handle: 0x000002a8
suspend_count: 1
process_identifier: 3060
success 0 0
Executed a process and injected code into it, probably while unpacking (23 个事件)
Time & API Arguments Status Return Repeated
1619948419.097234
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2764
success 0 0
1619948419.128234
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 2764
success 0 0
1619948420.300234
NtResumeThread
thread_handle: 0x000001d4
suspend_count: 1
process_identifier: 2764
success 0 0
1619948421.988234
CreateProcessInternalW
thread_identifier: 2456
thread_handle: 0x00000248
process_identifier: 580
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\dcd8cc8a2c1ab08cfa3d43c4b653b348.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\dcd8cc8a2c1ab08cfa3d43c4b653b348.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000024c
inherit_handles: 0
success 1 0
1619948421.988234
NtGetContextThread
thread_handle: 0x00000248
success 0 0
1619948421.988234
NtAllocateVirtualMemory
process_identifier: 580
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000024c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619948422.394234
CreateProcessInternalW
thread_identifier: 2760
thread_handle: 0x000002a8
process_identifier: 3060
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\dcd8cc8a2c1ab08cfa3d43c4b653b348.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\dcd8cc8a2c1ab08cfa3d43c4b653b348.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000002ac
inherit_handles: 0
success 1 0
1619948422.394234
NtGetContextThread
thread_handle: 0x000002a8
success 0 0
1619948422.394234
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002ac
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619948422.394234
WriteProcessMemory
process_identifier: 3060
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELñ»^à ”^³ À@ @… ³OÀèà  H.textd“ ” `.rsrcèÀ–@@.reloc àš@B
process_handle: 0x000002ac
base_address: 0x00400000
success 1 0
1619948422.394234
WriteProcessMemory
process_identifier: 3060
buffer:
process_handle: 0x000002ac
base_address: 0x00402000
success 1 0
1619948422.410234
WriteProcessMemory
process_identifier: 3060
buffer: €0€HXÀŒŒ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ìStringFileInfoÈ000004b0,FileDescription 0FileVersion0.0.0.0\InternalNamedBjCoeLsqPbaIoXChlursSPc.exe(LegalCopyright dOriginalFilenamedBjCoeLsqPbaIoXChlursSPc.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x000002ac
base_address: 0x0044c000
success 1 0
1619948422.410234
WriteProcessMemory
process_identifier: 3060
buffer: ° `3
process_handle: 0x000002ac
base_address: 0x0044e000
success 1 0
1619948422.410234
WriteProcessMemory
process_identifier: 3060
buffer: @
process_handle: 0x000002ac
base_address: 0x7efde008
success 1 0
1619948422.410234
NtSetContextThread
thread_handle: 0x000002a8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4502366
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3060
success 0 0
1619948422.613234
NtResumeThread
thread_handle: 0x000002a8
suspend_count: 1
process_identifier: 3060
success 0 0
1619978542.461625
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 3060
success 0 0
1619978542.493625
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 3060
success 0 0
1619978558.102625
NtResumeThread
thread_handle: 0x000002cc
suspend_count: 1
process_identifier: 3060
success 0 0
1619978558.149625
NtResumeThread
thread_handle: 0x000002fc
suspend_count: 1
process_identifier: 3060
success 0 0
1619978559.883625
NtResumeThread
thread_handle: 0x00000364
suspend_count: 1
process_identifier: 3060
success 0 0
1619978566.102625
NtResumeThread
thread_handle: 0x000003b0
suspend_count: 1
process_identifier: 3060
success 0 0
1619978600.118625
NtResumeThread
thread_handle: 0x00000404
suspend_count: 1
process_identifier: 3060
success 0 0
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43164213
FireEye Trojan.GenericKD.43164213
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee GenericRXKO-YR!DCD8CC8A2C1A
Cylance Unsafe
Zillya Worm.AutoRun.Win32.49
Sangfor Malware
K7AntiVirus Trojan ( 00566b921 )
Alibaba TrojanSpy:MSIL/AgentTesla.09df7123
K7GW Trojan ( 00566b921 )
Cybereason malicious.6d1596
Arcabit Trojan.Generic.D292A235
Cyren W32/MSIL_Kryptik.ASC.gen!Eldorado
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.43164213
NANO-Antivirus Trojan.Win32.Agensla.hmzwxs
Paloalto generic.ml
Tencent Win32.Trojan.Inject.Auto
Ad-Aware Trojan.GenericKD.43164213
Emsisoft Trojan.GenericKD.43164213 (B)
Comodo Malware@#106dm6ibdnc5y
F-Secure Trojan.TR/AD.AgentTesla.plyap
DrWeb Trojan.PWS.Siggen2.48876
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.MSIL.NEGASTEAL.DYSGXG
McAfee-GW-Edition BehavesLike.Win32.Fareit.gc
Sophos Mal/Generic-S + Mal/Generic-L
Ikarus Trojan-Spy.Agent
Jiangmin Trojan.PSW.MSIL.abla
Webroot Trojan.Dropper.Gen
Avira TR/AD.AgentTesla.plyap
Antiy-AVL Trojan/Win32.Fuery
Kingsoft Win32.PSWTroj.Undef.(kcloud)
Microsoft TrojanSpy:MSIL/AgentTesla.A!MTB
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Win32.Trojan-Stealer.AgentTesla.TGSBZI
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.MSIL.R336658
ALYac Trojan.GenericKD.43164213
MAX malware (ai score=87)
VBA32 TScope.Trojan.MSIL
Malwarebytes Spyware.AgentTesla
Zoner Trojan.Win32.91884
ESET-NOD32 MSIL/Autorun.Spy.Agent.DF
TrendMicro-HouseCall TrojanSpy.MSIL.NEGASTEAL.DYSGXG
Rising Spyware.Agent!8.C6 (KTSE)
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-05-15 03:13:53

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.