6.8
High risk

a8c03f50ff8217b8e4fe7e650360a566003875d0a943af2f2b3b895908872e4a

dddfc5bf7599ae2aacd87640404f585d.exe

Analysis duration: 77s

Last analyzed:

File size: 152.4KB
Static detections / Dynamic detections: 100% A@7H5WHA AI SCORE=80 BVRQHU CLASSIC CONFIDENCE FAREIT FILEINFECTOR FIXFLO FLOFIX FLOODFIX FLOXIF FLOXITNV FLOXLIB GEN1 GULOADER HIGH CONFIDENCE LTXD MALICIOUS PE PIONEER PIONNER R + W32 SCORE STATIC AI UNSAFE
HawkEye engine
Not detected: no HawkEye engine results yet
Static verdict
Antivirus engines
Engine Result Date Version
McAfee Dropper-FIY!DDDFC5BF7599 20201211 6.0.6.653
Alibaba Virus:Win32/Floxif.gen1 20190527 0.3.0.5
Baidu Win32.Virus.Floxif.a 20190318 1.0.0.2
Avast Win32:FloxLib-A [Trj] 20201210 21.1.5827.0
Kingsoft 20201211 2017.9.26.565
Tencent Virus.Win32.Pionner.tt 20201211 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1619948411.708588
__exception__
stacktrace:
crc32+0xb353 FloodFix-0xadb symsrv+0xc9b0 @ 0x1000c9b0
FloodFix2+0x472c symsrv+0x11e54 @ 0x10011e54
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 40959368
registers.edi: 1447909480
registers.eax: 1447909480
registers.ebp: 40959428
registers.edx: 22104
registers.ebx: 0
registers.esi: 22104
registers.ecx: 10
exception.instruction_r: ed 3b df 0f 94 45 e4 5e 5f 5a 59 5b c7 45 fc ff
exception.instruction: in eax, dx
exception.exception_code: 0xc0000096
exception.symbol: crc32+0x1e34 FloodFix-0x9ffa symsrv+0x3491
exception.address: 0x10003491
success 0 0
Behavior verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.aieov.com/logo.gif
Performs some HTTP requests (1 event)
request GET http://www.aieov.com/logo.gif
Allocates read-write-execute memory (usually to unpack itself) (16 events)
Time & API Arguments Status Return Repeated
1619948411.505588
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00401000
success 0 0
1619948411.693588
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619948411.693588
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00402000
success 0 0
1619948414.833588
NtAllocateVirtualMemory
process_identifier: 732
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02710000
success 0 0
1619948422.568588
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77536000
success 0 0
1619948424.818588
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77536000
success 0 0
1619948431.786588
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77536000
success 0 0
1619948434.036588
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77536000
success 0 0
1619948440.974588
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77536000
success 0 0
1619948443.224588
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77536000
success 0 0
1619948450.130588
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77536000
success 0 0
1619948452.380588
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77536000
success 0 0
1619948459.552588
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77536000
success 0 0
1619948461.802588
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77536000
success 0 0
1619948468.771588
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77536000
success 0 0
1619948471.021588
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77536000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Program Files\Common Files\System\symsrv.dll
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated
1619948411.865588
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x025c0000
success 0 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619948416.927588
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619948411.724588
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619948419.505588
RegSetValueExA
key_handle: 0x000003b8
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619948419.505588
RegSetValueExA
key_handle: 0x000003b8
value:  ž3?×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619948419.505588
RegSetValueExA
key_handle: 0x000003b8
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619948419.505588
RegSetValueExW
key_handle: 0x000003b8
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619948419.505588
RegSetValueExA
key_handle: 0x000003d0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619948419.505588
RegSetValueExA
key_handle: 0x000003d0
value:  ž3?×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619948419.505588
RegSetValueExA
key_handle: 0x000003d0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619948419.536588
RegSetValueExW
key_handle: 0x000003b4
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Detects VMWare through the in instruction feature (1 event)
Time & API Arguments Status Return Repeated
1619948411.708588
__exception__
stacktrace:
crc32+0xb353 FloodFix-0xadb symsrv+0xc9b0 @ 0x1000c9b0
FloodFix2+0x472c symsrv+0x11e54 @ 0x10011e54
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 40959368
registers.edi: 1447909480
registers.eax: 1447909480
registers.ebp: 40959428
registers.edx: 22104
registers.ebx: 0
registers.esi: 22104
registers.ecx: 10
exception.instruction_r: ed 3b df 0f 94 45 e4 5e 5f 5a 59 5b c7 45 fc ff
exception.instruction: in eax, dx
exception.exception_code: 0xc0000096
exception.symbol: crc32+0x1e34 FloodFix-0x9ffa symsrv+0x3491
exception.address: 0x10003491
success 0 0
File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)
Bkav W32.FloxitNV.PE
Elastic malicious (high confidence)
MicroWorld-eScan Win32.Floxif.A
ClamAV Win.Virus.Pioneer-9111434-0
CAT-QuickHeal W32.Pioneer.CZ1
McAfee Dropper-FIY!DDDFC5BF7599
Malwarebytes Virus.Floxif
AegisLab Virus.Win32.Pioneer.lTXd
Sangfor Malware
K7AntiVirus Virus ( 00521e9a1 )
Alibaba Virus:Win32/Floxif.gen1
K7GW Virus ( 00521e9a1 )
Cybereason malicious.f7599a
Arcabit Win32.Floxif.A
Baidu Win32.Virus.Floxif.a
Cyren W32/Floxif.B
TotalDefense Win32/Flofix.D
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky Virus.Win32.Pioneer.cz
BitDefender Win32.Floxif.A
NANO-Antivirus Virus.Win32.Pioneer.bvrqhu
Avast Win32:FloxLib-A [Trj]
Rising Downloader.Guloader!1.C738 (CLASSIC)
Ad-Aware Win32.Floxif.A
Emsisoft Win32.Floxif.A (B)
Comodo Virus.Win32.Floxif.A@7h5wha
F-Secure Malware.W32/Floxif.hdc
DrWeb Win32.FloodFix.7
VIPRE Virus.Win32.Floxif.a (v)
TrendMicro PE_FLOXIF.D
McAfee-GW-Edition BehavesLike.Win32.Fareit.cc
FireEye Generic.mg.dddfc5bf7599ae2a
Sophos Mal/Generic-R + W32/Floxif-C
Jiangmin Win32/Pioneer.l
Avira W32/Floxif.hdc
Antiy-AVL Virus/Win32.Pioneer.cz
Microsoft Virus:Win32/Floxif.H
ZoneAlarm Virus.Win32.Pioneer.cz
GData Win32.Floxif.A
AhnLab-V3 Win32/Fixflo.GEN
VBA32 Virus.Win32.Floxif.h
ALYac Win32.Floxif.A
MAX malware (ai score=80)
Cylance Unsafe
Zoner Virus.Win32.32881
ESET-NOD32 Win32/Floxif.H
TrendMicro-HouseCall PE_FLOXIF.D
Tencent Virus.Win32.Pionner.tt
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No screenshots: none were generated while the sample ran


PE Compile Time

2010-07-01 01:06:17

Imports

Library MSVBVM60.DLL:
0x401000
0x401004 _CIcos
0x401008 _adj_fptan
0x40100c __vbaVarMove
0x401010
0x401014
0x401018 __vbaFreeVar
0x40101c __vbaLenBstr
0x401020 __vbaStrVarMove
0x401024 __vbaFreeVarList
0x401028
0x40102c _adj_fdiv_m64
0x401030
0x401034
0x401038 __vbaFreeObjList
0x40103c
0x401040
0x401044 _adj_fprem1
0x401048 __vbaStrCat
0x401050 _adj_fdiv_m32
0x401054 __vbaAryDestruct
0x401058
0x40105c __vbaObjSet
0x401060 _adj_fdiv_m16i
0x401064 _adj_fdivr_m16i
0x401068
0x40106c
0x401070
0x401074
0x401078 __vbaFpR8
0x40107c _CIsin
0x401080
0x401084
0x401088
0x40108c __vbaChkstk
0x401090 EVENT_SINK_AddRef
0x401098 __vbaStrCmp
0x40109c
0x4010a0 __vbaAryConstruct2
0x4010a4 __vbaVarTstEq
0x4010a8
0x4010ac
0x4010b0 __vbaCastObjVar
0x4010b4
0x4010b8 _adj_fpatan
0x4010bc
0x4010c0
0x4010c4 EVENT_SINK_Release
0x4010c8
0x4010cc _CIsqrt
0x4010d4
0x4010d8 __vbaExceptHandler
0x4010dc
0x4010e0 _adj_fprem
0x4010e4 _adj_fdivr_m64
0x4010e8 __vbaFPException
0x4010ec
0x4010f0 __vbaStrVarVal
0x4010f4
0x4010f8 _CIlog
0x4010fc
0x401100 __vbaNew2
0x401104 _adj_fdiv_m32i
0x401108 _adj_fdivr_m32i
0x40110c __vbaStrCopy
0x401110 __vbaVarSetObj
0x401114 __vbaI4Str
0x401118 __vbaFreeStrList
0x40111c _adj_fdivr_m32
0x401120 _adj_fdiv_r
0x401124
0x401128
0x40112c
0x401130 __vbaStrComp
0x401134
0x401138 __vbaVarDup
0x40113c
0x401144 _CIatan
0x401148
0x40114c __vbaStrMove
0x401150 _allmul
0x401154
0x401158 _CItan
0x40115c _CIexp
0x401160 __vbaFreeObj
0x401164 __vbaFreeStr

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49176 104.200.23.95 www.aieov.com 80
192.168.56.101 49177 104.200.23.95 www.aieov.com 80
192.168.56.101 49179 104.200.23.95 www.aieov.com 80
192.168.56.101 49180 104.200.23.95 www.aieov.com 80
192.168.56.101 49181 104.200.23.95 www.aieov.com 80
192.168.56.101 49182 104.200.23.95 www.aieov.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 49236 239.255.255.250 3702
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

URI Data
http://www.aieov.com/logo.gif
GET /logo.gif HTTP/1.1
Accept: */*
Host: www.aieov.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.