SmartHawk

12.6

0-day

52 个模型检测该样本为恶意！

重新分析

下载样本

0e78531c4d82fd69b3fcc300fae7430bef8569b57bb9c4bd2461f12d662e29ab

ddaff9daff983a3a13f51eff8a6f17bc.exe

分析耗时

73s

最近分析

文件大小

678.5KB

静态报毒动态报毒 AI SCORE=100 ATTRIBUTE CLOUD CONFIDENCE ELDORADO FAREIT FORMBOOK GDSDA GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE INJUKE KRYPTIK LOKIBOT MALICIOUS PE MSILKRYPT PUTTY PWSX QUYHC R057C0DGI20 R345222 SCORE SIGGEN9 TSCOPE UNSAFE WVBB 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Trojan:MSIL/FareIt.2e0578fe	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:PWSX-gen [Trj]	20200725	18.4.3895.0
Kingsoft		20200725	2013.8.14.323
McAfee	Fareit-FXH!DDAFF9DAFF98	20200725	6.0.6.653
Tencent	Msil.Trojan.Injuke.Wvbb	20200725	1.0.0.1
CrowdStrike	win/malicious_confidence_80% (W)	20190702	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619970911.495 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (3 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948416.418698 IsDebuggerPresent		failed	0	0
1619948417.700698 IsDebuggerPresent		failed	0	0
1619948417.934698 IsDebuggerPresent		failed	0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619970909.932 GlobalMemoryStatusEx		success	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 57 个事件)

Time & API	Arguments	Status
1619948415.559698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x007f0000	success
1619948415.559698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009d0000	success
1619948416.262698 NtProtectVirtualMemory	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f31000	success
1619948416.418698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0032a000	success
1619948416.418698 NtProtectVirtualMemory	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f32000	success
1619948416.418698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00322000	success
1619948416.637698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00342000	success
1619948416.762698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00343000	success
1619948416.762698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0047b000	success
1619948416.762698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00477000	success
1619948417.262698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00344000	success
1619948417.262698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00345000	success
1619948417.262698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00346000	success
1619948417.293698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0034c000	success
1619948417.340698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0034a000	success
1619948417.637698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009c0000	success
1619948417.668698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0036a000	success
1619948417.684698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00362000	success
1619948417.715698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00347000	success
1619948417.715698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00356000	success
1619948417.715698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0035a000	success
1619948417.715698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00357000	success
1619948417.731698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0032b000	success
1619948417.871698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00475000	success
1619948418.012698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00348000	success
1619948456.325698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009c1000	success
1619948456.465698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009d1000	success
1619948456.528698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00349000	success
1619948456.575698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0036c000	success
1619948456.575698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009c2000	success
1619948456.668698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009c3000	success
1619948456.684698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x04aa0000	success
1619948456.684698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04ba0000	success
1619948456.684698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04ba1000	success
1619948456.700698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04ba2000	success
1619948456.715698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04ba3000	success
1619948456.715698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04ba4000	success
1619948456.731698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04ba5000	success
1619948456.731698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04ba6000	success
1619948456.731698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04baa000	success
1619948456.731698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04bbb000	success
1619948456.746698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04bbc000	success
1619948456.746698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04bbd000	success
1619948456.746698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04bbe000	success
1619948456.762698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04bbf000	success
1619948456.762698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04bc0000	success
1619948456.762698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04bc1000	success
1619948456.778698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01140000	success
1619948456.793698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009c4000	success
1619948456.809698 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04bc2000	success

Steals private information from local Internet browsers (19 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.380317806260352

section

{'size_of_data': '0x000a9200', 'virtual_address': '0x00002000', 'entropy': 7.380317806260352, 'name': '.text', 'virtual_size': '0x000a9158'}

description

A section with a high entropy has been found

entropy

0.9977876106194691

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	195.69.140.147

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948457.075698 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001fc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Harvests credentials from local FTP client softwares (22 个事件)

file	C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\wcx_ftp.ini
file	C:\Windows\wcx_ftp.ini
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\Administrator.Oskar-PC\wcx_ftp.ini
file	C:\Windows\32BitFtp.ini
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Program Files (x86)\FileZilla\Filezilla.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\filezilla.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry	HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry	HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry	HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry	HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_CURRENT_USER\Software\Martin Prikryl
registry	HKEY_LOCAL_MACHINE\Software\Martin Prikryl

Harvests information related to installed instant messenger clients (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\.purple\accounts.xml

Potential code injection by writing to the memory of another process (3 个事件)

Time & API	Arguments	Status	Return
1619948457.075698 WriteProcessMemory	process_identifier: 3004 buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþ¬¬¬Ô¬K£K¬ ¬=2ó¬¬¬Ô¬¬Ç¬Ô¬=2÷ó¬=2È¬Rich¬PELlWà8¢Þ9P@ ÐdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x À process_handle: 0x000001fc base_address: 0x00400000	success	1
1619948457.075698 WriteProcessMemory	process_identifier: 3004 buffer: TÍ<¨K¢`Ý;U process_handle: 0x000001fc base_address: 0x0041a000	success	1
1619948457.075698 WriteProcessMemory	process_identifier: 3004 buffer: @ process_handle: 0x000001fc base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948457.075698 WriteProcessMemory	process_identifier: 3004 buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþ¬¬¬Ô¬K£K¬ ¬=2ó¬¬¬Ô¬¬Ç¬Ô¬=2÷ó¬=2È¬Rich¬PELlWà8¢Þ9P@ ÐdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x À process_handle: 0x000001fc base_address: 0x00400000	success	1	0

Harvests credentials from local email clients (3 个事件)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2364 called NtSetContextThread to modify thread in remote process 3004
1619948457.075698 NtSetContextThread	thread_handle: 0x000001f8 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3004	success	0	0

Putty Files, Registry Keys and/or Mutexes Detected

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2364 resumed a thread in remote process 3004
1619948457.371698 NtResumeThread	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 3004	success	0	0

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

195.69.140.147:80

Executed a process and injected code into it, probably while unpacking (14 个事件)

Time & API	Arguments	Status	Return
1619948416.418698 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 2364	success	0
1619948416.512698 NtResumeThread	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2364	success	0
1619948457.059698 CreateProcessInternalW	thread_identifier: 1208 thread_handle: 0x000001f8 process_identifier: 3004 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ddaff9daff983a3a13f51eff8a6f17bc.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ddaff9daff983a3a13f51eff8a6f17bc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000001fc inherit_handles: 0	success	1
1619948457.075698 NtGetContextThread	thread_handle: 0x000001f8	success	0
1619948457.075698 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001fc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619948457.075698 WriteProcessMemory	process_identifier: 3004 buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþ¬¬¬Ô¬K£K¬ ¬=2ó¬¬¬Ô¬¬Ç¬Ô¬=2÷ó¬=2È¬Rich¬PELlWà8¢Þ9P@ ÐdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x À process_handle: 0x000001fc base_address: 0x00400000	success	1
1619948457.075698 WriteProcessMemory	process_identifier: 3004 buffer: process_handle: 0x000001fc base_address: 0x00401000	success	1
1619948457.075698 WriteProcessMemory	process_identifier: 3004 buffer: process_handle: 0x000001fc base_address: 0x00415000	success	1
1619948457.075698 WriteProcessMemory	process_identifier: 3004 buffer: TÍ<¨K¢`Ý;U process_handle: 0x000001fc base_address: 0x0041a000	success	1
1619948457.075698 WriteProcessMemory	process_identifier: 3004 buffer: process_handle: 0x000001fc base_address: 0x004a0000	success	1
1619948457.075698 WriteProcessMemory	process_identifier: 3004 buffer: @ process_handle: 0x000001fc base_address: 0x7efde008	success	1
1619948457.075698 NtSetContextThread	thread_handle: 0x000001f8 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3004	success	0
1619948457.371698 NtResumeThread	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 3004	success	0
1619970910.463 NtResumeThread	thread_handle: 0x00000110 suspend_count: 1 process_identifier: 3004	success	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 个事件)

MicroWorld-eScan	Trojan.GenericKD.34185933
FireEye	Generic.mg.ddaff9daff983a3a
CAT-QuickHeal	Trojan.MSIL
ALYac	Trojan.GenericKD.34185933
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.2240061
Sangfor	Malware
K7AntiVirus	Trojan ( 0056abfe1 )
Alibaba	Trojan:MSIL/FareIt.2e0578fe
K7GW	Trojan ( 0056abfe1 )
Cybereason	malicious.784326
Arcabit	Trojan.Generic.D209A2CD
TrendMicro	TROJ_GEN.R057C0DGI20
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Formbook-8998050-0
Kaspersky	HEUR:Trojan.MSIL.Injuke.gen
BitDefender	Trojan.GenericKD.34185933
AegisLab	Trojan.Multi.Generic.4!c
Avast	Win32:PWSX-gen [Trj]
Rising	Trojan.Lokibot!8.F1B5 (CLOUD)
Ad-Aware	Trojan.GenericKD.34185933
Sophos	Troj/MSIL-PJA
F-Secure	Trojan.TR/Kryptik.quyhc
DrWeb	Trojan.Siggen9.59981
VIPRE	Trojan.Win32.Generic!BT
Invincea	heuristic
Trapmine	suspicious.low.ml.score
Emsisoft	Trojan.Crypt (A)
SentinelOne	DFI - Malicious PE
Cyren	W32/MSIL_Kryptik.BDS.gen!Eldorado
Avira	TR/Kryptik.quyhc
Antiy-AVL	Trojan/MSIL.Injuke
Microsoft	Trojan:MSIL/FareIt.GM!MTB
Endgame	malicious (high confidence)
ZoneAlarm	HEUR:Trojan.MSIL.Injuke.gen
GData	Trojan.GenericKD.34185933
AhnLab-V3	Trojan/Win32.MSILKrypt.R345222
McAfee	Fareit-FXH!DDAFF9DAFF98
MAX	malware (ai score=100)
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.MalPack
ESET-NOD32	a variant of MSIL/Kryptik.WXD
TrendMicro-HouseCall	TROJ_GEN.R057C0DGI20
Tencent	Msil.Trojan.Injuke.Wvbb
Ikarus	Trojan-Spy.Agent
Fortinet	MSIL/Kryptik.WXF!tr
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/GdSda.A

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-07-17 13:09:29

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58370	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.