6.0
High risk

5df97284c32afb8a994a9b771f1af0efe9696d6e4591bb7c3d0791ae7238348e

dd698d32cc668372d09462595980ab4f.exe

Analysis duration

75s

Last analyzed

File size

906.1KB
Static detection: flagged. Dynamic detection: flagged (100%). Detection tags: 4G1@A0XP2PNI A + MAL AI SCORE=85 AIDETECTVM BSCOPE CLASSIC CONFIDENCE DANGEROUSSIG DEYMA DOWNLOADER34 EHLS ELDORADO ENCPK GDSDA GENERICKD GRAYWARE HFJQ HIDC HIGH CONFIDENCE HQPWCC KCLOUD KRYPT KRYPTIK MALWARE2 MALWARE@#1X2RL1FOU1EX1 QAKBOT QVM19 R057C0PH520 R347002 SCORE SUSGEN TROJDOWNLOADER UNSAFE WACATAC WTNL YMACCO ZEXAF ZGVCE ZHNMKK4CTTY ZLOB
鹰眼 (Eagle Eye) engine
Not detected: no 鹰眼 engine result is available for this sample
Static verdict
Antivirus engines
Engine Result Scan time Engine version
McAfee Packed-GBS!DD698D32CC66 20201211 6.0.6.653
Alibaba TrojanDownloader:Win32/Deyma.bc2035a6 20190527 0.3.0.5
Avast Win32:DangerousSig [Trj] 20201210 21.1.5827.0
Tencent Win32.Trojan-downloader.Deyma.Wtnl 20201211 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft Win32.TrojDownloader.Deyma.b.(kcloud) 20201211 2017.9.26.565
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (6 events)
Time & API Arguments Status Return Repeated
1619948409.00611
NtAllocateVirtualMemory
process_identifier: 368
region_size: 741376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00650000
success 0 0
1619948410.22511
NtAllocateVirtualMemory
process_identifier: 368
region_size: 737280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ee0000
success 0 0
1619948410.24111
NtProtectVirtualMemory
process_identifier: 368
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 151552
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619948973.721499
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 741376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e10000
success 0 0
1619948974.956499
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 737280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ed0000
success 0 0
1619948974.956499
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 151552
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
Creates executable files on the filesystem (2 events)
file c:\programdata\1321ba6d1f\bdif.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\cred.dll
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619948410.72511
CreateProcessInternalW
thread_identifier: 2272
thread_handle: 0x0000008c
process_identifier: 1912
current_directory:
filepath:
track: 1
command_line: c:\programdata\1321ba6d1f\bdif.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000088
inherit_handles: 0
success 1 0
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619948975.878499
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Network communication
Communicates with hosts for which no DNS query was performed (3 events)
host 104.16.154.36
host 172.217.24.14
host 217.8.117.52
Attempts to identify installed AV products by installation directory (7 events)
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
Sets or modifies the WPAD proxy autoconfiguration settings, which can be used for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619948978.456499
RegSetValueExA
key_handle: 0x000003bc
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619948978.456499
RegSetValueExA
key_handle: 0x000003bc
value: €ÉÊ,?×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619948978.456499
RegSetValueExA
key_handle: 0x000003bc
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619948978.456499
RegSetValueExW
key_handle: 0x000003bc
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619948978.456499
RegSetValueExA
key_handle: 0x000003d0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619948978.456499
RegSetValueExA
key_handle: 0x000003d0
value: €ÉÊ,?×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619948978.456499
RegSetValueExA
key_handle: 0x000003d0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619948978.487499
RegSetValueExW
key_handle: 0x000003b8
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 217.8.117.52:80
File has been identified by 58 antivirus engines on VirusTotal as malicious (50 of 58 events shown)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
DrWeb Trojan.DownLoader34.24832
MicroWorld-eScan Trojan.GenericKD.43595313
FireEye Generic.mg.dd698d32cc668372
Qihoo-360 Generic/HEUR/QVM19.1.06E7.Malware.Gen
McAfee Packed-GBS!DD698D32CC66
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2345432
Sangfor Malware
K7AntiVirus Trojan ( 005652be1 )
Alibaba TrojanDownloader:Win32/Deyma.bc2035a6
K7GW Trojan ( 005652be1 )
Cybereason malicious.2cc668
Arcabit Trojan.Generic.D2993631
BitDefenderTheta Gen:NN.ZexaF.34670.4G1@a0Xp2Pni
Cyren W32/Kryptik.BSQ.gen!Eldorado
Symantec Packed.Generic.459
ESET-NOD32 a variant of Win32/Kryptik.HFJQ
APEX Malicious
Avast Win32:DangerousSig [Trj]
Kaspersky Trojan-Downloader.Win32.Deyma.bqt
BitDefender Trojan.GenericKD.43595313
NANO-Antivirus Trojan.Win32.Deyma.hqpwcc
Paloalto generic.ml
Tencent Win32.Trojan-downloader.Deyma.Wtnl
Ad-Aware Trojan.GenericKD.43595313
Emsisoft Trojan.GenericKD.43595313 (B)
Comodo Malware@#1x2rl1fou1ex1
F-Secure Trojan.TR/AD.Zlob.zgvce
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R057C0PH520
McAfee-GW-Edition Packed-GBS!DD698D32CC66
Sophos ML/PE-A + Mal/EncPk-APV
Webroot W32.Trojan.Gen
Avira TR/AD.Zlob.zgvce
Antiy-AVL GrayWare/Win32.Kryptik.ehls
Kingsoft Win32.TrojDownloader.Deyma.b.(kcloud)
Gridinsoft Trojan.Win32.Packed.oa
Microsoft Trojan:Win32/Ymacco.AA5D
AegisLab Trojan.Win32.Deyma.a!c
ZoneAlarm Trojan-Downloader.Win32.Deyma.bqt
GData Trojan.GenericKD.43595313
Cynet Malicious (score: 90)
AhnLab-V3 Trojan/Win32.Kryptik.R347002
VBA32 BScope.Trojan.Wacatac
ALYac Trojan.GenericKD.43595313
MAX malware (ai score=85)
Malwarebytes Trojan.MalPack
TrendMicro-HouseCall Backdoor.Win32.QAKBOT.SMF
Visual analysis
Binary image
No binary image: no binary visualization was generated for this sample
Runtime screenshots
No screenshots: no screenshots were captured while the sample ran


PE Compile Time

2020-08-04 21:56:52

Imports

Library KERNEL32.dll:
0x4d90b0 GetModuleHandleA
0x4d90b4 GetLastError
0x4d90b8 LoadLibraryA
0x4d90bc GetProcAddress
0x4d90c4 GetTickCount
0x4d90cc IsDebuggerPresent
0x4d90d8 GetCurrentProcess
0x4d90dc TerminateProcess
0x4d90e4 Sleep
0x4d90e8 InterlockedExchange
0x4d90ec GetStartupInfoW
0x4d90f0 GetCommandLineW
0x4d90f4 GetModuleFileNameW
0x4d90f8 CreateProcessW
0x4d90fc WaitForSingleObject
0x4d9100 CloseHandle
0x4d9104 FormatMessageW
0x4d9108 LocalFree
0x4d910c GetCurrentProcessId
0x4d9110 GetCurrentThreadId
0x4d9114 WaitNamedPipeA
0x4d9118 HeapReAlloc
0x4d911c GlobalFree
0x4d9120 _lwrite
0x4d9128 GetCommConfig
0x4d912c IsBadHugeWritePtr
0x4d9130 GetConsoleAliasA
0x4d9134 ResetEvent
0x4d9138 ReplaceFileA
Library USER32.dll:
0x4d9144 IsCharAlphaW
0x4d9148 CloseClipboard
0x4d914c GetWindowDC
0x4d9150 IsCharAlphaNumericA
0x4d9154 DestroyIcon
0x4d915c DestroyMenu
0x4d9160 DestroyWindow
0x4d9164 IsWindowVisible
0x4d9168 PaintDesktop
0x4d916c IsGUIThread
0x4d9170 DrawMenuBar
0x4d9174 CharNextA
0x4d9178 VkKeyScanA
0x4d917c GetKeyboardLayout
0x4d9180 GetAsyncKeyState
0x4d9184 AnyPopup
0x4d9188 LoadIconW
0x4d918c MessageBoxW
0x4d9190 DialogBoxParamW
0x4d9194 DlgDirListW
0x4d9198 DdeDisconnectList
0x4d919c EnableMenuItem
0x4d91a0 GetUpdateRect
0x4d91a4 SetScrollRange
Library GDI32.dll:
0x4d91ac GetStockObject
0x4d91b0 GdiGetBatchLimit
0x4d91b4 GetObjectType
0x4d91b8 UnrealizeObject
0x4d91bc GetROP2
0x4d91c0 CloseMetaFile
0x4d91c4 BeginPath
0x4d91c8 GetTextColor
0x4d91d0 GetMapMode
0x4d91d4 AbortPath
0x4d91d8 GetLayout
0x4d91dc GetTextAlign
0x4d91e0 GetEnhMetaFileW
0x4d91e4 GetEnhMetaFileA
0x4d91e8 StrokePath
0x4d91ec GetPixelFormat
0x4d91f0 GetStretchBltMode
0x4d91f4 WidenPath
0x4d91f8 RealizePalette
0x4d91fc GetTextCharset
0x4d9200 SaveDC
0x4d9204 SetMetaRgn
0x4d9208 SwapBuffers
0x4d920c UpdateColors
0x4d9210 PathToRegion
0x4d9214 GetFontLanguageInfo
0x4d9218 GetGraphicsMode
0x4d921c GetDCPenColor
0x4d9220 GetSystemPaletteUse
0x4d9224 GetPolyFillMode
0x4d922c GdiEntry5
0x4d9230 CreateBrushIndirect
0x4d9234 XLATEOBJ_piVector
0x4d9238 GetGlyphOutlineWow
0x4d923c GdiConsoleTextOut
0x4d9240 GdiEntry14
0x4d9244 ExtEscape
0x4d924c GetPath
0x4d9250 EudcLoadLinkW
0x4d9258 UpdateICMRegKeyW
0x4d925c GdiPlayScript
0x4d9260 SetTextAlign
0x4d9268 LPtoDP
0x4d926c GetRasterizerCaps
0x4d9270 EngQueryEMFInfo
0x4d9274 GdiAddGlsRecord
0x4d9278 EngAlphaBlend
0x4d927c MoveToEx
0x4d9280 RestoreDC
0x4d9284 GetNearestColor
0x4d9288 GdiFlush
0x4d928c ScaleWindowExtEx
0x4d9290 CLIPOBJ_bEnum
0x4d9294 GdiEntry15
0x4d9298 GdiSwapBuffers
0x4d929c GdiIsMetaPrintDC
0x4d92a0 EngCreateBitmap
0x4d92a4 GetCharWidthFloatA
0x4d92ac SelectPalette
0x4d92b4 EndPage
0x4d92b8 StretchBlt
0x4d92bc SetWindowOrgEx
0x4d92c0 SetViewportOrgEx
0x4d92c4 SetTextColor
0x4d92c8 SetStretchBltMode
0x4d92cc SetROP2
0x4d92d0 SetPixel
0x4d92d4 SetDIBColorTable
0x4d92d8 SetBrushOrgEx
0x4d92dc SetBkMode
0x4d92e0 SetBkColor
0x4d92e4 SelectObject
0x4d92e8 RoundRect
0x4d92ec RemoveFontResourceW
0x4d92f0 Rectangle
0x4d92f4 RectVisible
0x4d92f8 Polyline
0x4d92fc Pie
0x4d9300 PatBlt
0x4d9304 MaskBlt
0x4d9308 LineTo
0x4d930c LineDDA
0x4d9310 IntersectClipRect
0x4d9314 GetWindowOrgEx
0x4d9318 GetTextMetricsW
0x4d931c GetTextExtentPointW
0x4d9328 GetRgnBox
0x4d932c GetPixel
0x4d9330 GetPaletteEntries
0x4d9334 GetObjectW
0x4d9338 GetDeviceCaps
0x4d933c GetDIBits
0x4d9340 GetDIBColorTable
0x4d9344 GetDCOrgEx
0x4d934c GetClipBox
0x4d9350 GetBrushOrgEx
0x4d9354 GetBitmapBits
0x4d9358 FrameRgn
0x4d935c ExtTextOutW
0x4d9360 ExtFloodFill
0x4d9364 ExcludeClipRect
0x4d9368 EnumFontsW
0x4d936c Ellipse
0x4d9370 DeleteObject
0x4d9374 DeleteDC
0x4d9378 CreateSolidBrush
0x4d937c CreateRectRgn
0x4d9380 CreatePenIndirect
0x4d9384 CreatePalette
0x4d938c CreateFontIndirectW
0x4d9390 CreateDIBitmap
0x4d9394 CreateDIBSection
0x4d9398 CreateCompatibleDC
0x4d93a0 CreateBitmap
0x4d93a4 Chord
0x4d93a8 BitBlt
0x4d93ac Arc
0x4d93b0 AddFontResourceW
Library ADVAPI32.dll:
0x4d93b8 RegOpenKeyW
0x4d93bc RegQueryValueExA
Library SHELL32.dll:
0x4d93c4 CommandLineToArgvW

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.