4.4
中危
56 个模型检测该样本为恶意!
重新分析
更多

847c4c145a938ef3001fe8f16bfd73eb9a3e26484b0c83c6539e1b22e1572970

deb2a20f3fc26466484c9766bf4558a4.exe

分析耗时

44s

最近分析

文件大小

448.4KB
静态报毒 动态报毒 100% AGENTB AI SCORE=83 AIDETECTVM BEHY BYHYN CLASSIC CONFIDENCE CY1@AILWZBEO CY1@HILWZBEO EJQB ELDORADO EMOTET EMOTETU GENCIRC GENETIC GENKRYPTIK GENOME GRAYWARE HCXL HIGH CONFIDENCE HLLP KRYPTIK L5QV MALWARE2 NVE6WF7 R + TROJ R333438 SCORE SMTHA SUSGEN TRICK TRICKBOT TROJANX UNSAFE VTTA@8QS2PA ZEXAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/TrickBot.9f510a34 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:TrojanX-gen [Trj] 20201229 21.1.5827.0
Tencent Malware.Win32.Gencirc.10b9d4b5 20201229 1.0.0.1
Kingsoft 20201229 2017.9.26.565
McAfee Emotet-FQC!DEB2A20F3FC2 20201229 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619961578.344646
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 个事件)
Time & API Arguments Status Return Repeated
1619948412.706241
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619961578.297646
GlobalMemoryStatusEx
success 1 0
The executable uses a known packer (1 个事件)
packer Armadillo v1.71
One or more processes crashed (6 个事件)
Time & API Arguments Status Return Repeated
1619961578.250646
__exception__
stacktrace: 
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x75636d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x756205bd
hook_in_monitor+0x45 lde-0x133 @ 0x756142ea
New_ntdll_NtOpenFile+0x2b New_ntdll_NtOpenKey-0x1ce @ 0x75632c8b
GetVolumeInformationW+0xda GetVolumeInformationByHandleW-0xc6 kernelbase+0x1ab4a @ 0x7fefdc6ab4a
GetVolumeInformationW+0x35 RtlMoveMemory-0x553 kernel32+0x22185 @ 0x77a52185
0x9213c
0x17ea30

registers.r14: 1567280
registers.r9: 1970009600
registers.rcx: 0
registers.rsi: 0
registers.r10: 0
registers.rbx: 1566108
registers.rdi: 1566144
registers.r11: 0
registers.r8: 5
registers.rdx: 2
registers.rbp: 0
registers.r15: 0
registers.r12: 0
registers.rsp: 1566048
registers.rax: 1
registers.r13: 0
exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c
exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a
exception.instruction: mov rax, qword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 105050
exception.address: 0x77b69a5a
success 0 0
1619961578.891646
__exception__
stacktrace: 
0xad540
0xa2ffd

registers.r14: 1567280
registers.r9: 0
registers.rcx: 1565456
registers.rsi: 0
registers.r10: 54
registers.rbx: 104
registers.rdi: 732728
registers.r11: 27
registers.r8: 0
registers.rdx: 512
registers.rbp: 0
registers.r15: 0
registers.r12: 0
registers.rsp: 1564824
registers.rax: 0
registers.r13: 2007313264
exception.instruction_r: 47 0f b7 14 48 66 45 85 d2 74 29 66 44 89 11 48
exception.instruction: movzx r10d, word ptr [r8 + r9*2]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xad540
success 0 0
1619961578.906646
__exception__
stacktrace: 
0xad540
0xa2ffd

registers.r14: 1567280
registers.r9: 0
registers.rcx: 1565456
registers.rsi: 0
registers.r10: 54
registers.rbx: 104
registers.rdi: 732728
registers.r11: 27
registers.r8: 0
registers.rdx: 512
registers.rbp: 0
registers.r15: 0
registers.r12: 0
registers.rsp: 1564824
registers.rax: 0
registers.r13: 2007313264
exception.instruction_r: 47 0f b7 14 48 66 45 85 d2 74 29 66 44 89 11 48
exception.instruction: movzx r10d, word ptr [r8 + r9*2]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xad540
success 0 0
1619961578.906646
__exception__
stacktrace: 
0xad540
0xa2ffd

registers.r14: 1567280
registers.r9: 0
registers.rcx: 1565456
registers.rsi: 0
registers.r10: 54
registers.rbx: 104
registers.rdi: 732728
registers.r11: 27
registers.r8: 0
registers.rdx: 512
registers.rbp: 0
registers.r15: 0
registers.r12: 0
registers.rsp: 1564824
registers.rax: 0
registers.r13: 2007313264
exception.instruction_r: 47 0f b7 14 48 66 45 85 d2 74 29 66 44 89 11 48
exception.instruction: movzx r10d, word ptr [r8 + r9*2]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xad540
success 0 0
1619961578.906646
__exception__
stacktrace: 
0xad540
0xa2ffd

registers.r14: 1567280
registers.r9: 0
registers.rcx: 1565456
registers.rsi: 0
registers.r10: 54
registers.rbx: 104
registers.rdi: 732728
registers.r11: 27
registers.r8: 0
registers.rdx: 512
registers.rbp: 0
registers.r15: 0
registers.r12: 0
registers.rsp: 1564824
registers.rax: 0
registers.r13: 2007313264
exception.instruction_r: 47 0f b7 14 48 66 45 85 d2 74 29 66 44 89 11 48
exception.instruction: movzx r10d, word ptr [r8 + r9*2]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xad540
success 0 0
1619961578.922646
__exception__
stacktrace: 
0xad540
0xa2ffd

registers.r14: 1567280
registers.r9: 0
registers.rcx: 1565456
registers.rsi: 0
registers.r10: 54
registers.rbx: 104
registers.rdi: 732728
registers.r11: 27
registers.r8: 0
registers.rdx: 512
registers.rbp: 0
registers.r15: 0
registers.r12: 0
registers.rsp: 1564824
registers.rax: 0
registers.r13: 2007313264
exception.instruction_r: 47 0f b7 14 48 66 45 85 d2 74 29 66 44 89 11 48
exception.instruction: movzx r10d, word ptr [r8 + r9*2]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xad540
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (9 个事件)
Time & API Arguments Status Return Repeated
1619948416.175241
NtAllocateVirtualMemory
process_identifier: 2340
region_size: 196608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00580000
success 0 0
1619948416.487241
NtAllocateVirtualMemory
process_identifier: 2340
region_size: 188416
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x027b0000
success 0 0
1619948416.503241
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 188416
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x027e1000
success 0 0
1619948425.128241
NtAllocateVirtualMemory
process_identifier: 2340
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f40000
success 0 0
1619948425.128241
NtAllocateVirtualMemory
process_identifier: 2340
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x10000000
success 0 0
1619948425.128241
NtAllocateVirtualMemory
process_identifier: 2340
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x10001000
success 0 0
1619948425.128241
NtAllocateVirtualMemory
process_identifier: 2340
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f50000
success 0 0
1619948425.331241
NtAllocateVirtualMemory
process_identifier: 2340
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02810000
success 0 0
1619948425.331241
NtAllocateVirtualMemory
process_identifier: 2340
region_size: 147456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02820000
success 0 0
Creates hidden or system file (8 个事件)
Time & API Arguments Status Return Repeated
1619948416.362241
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1619948416.362241
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1619948416.362241
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1619948416.362241
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3154413779-3303930873-3537499701-500
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3154413779-3303930873-3537499701-500
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1619948416.409241
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1619948416.409241
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1619948416.409241
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
1619948416.409241
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000000
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3154413779-3303930873-3537499701-500
desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3154413779-3303930873-3537499701-500
create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info: 4294967295 ()
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
failed 3221225525 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 6.996865761035031 section {'size_of_data': '0x00056000', 'virtual_address': '0x0001a000', 'entropy': 6.996865761035031, 'name': '.rsrc', 'virtual_size': '0x00055bc4'} description A section with a high entropy has been found
entropy 0.7747747747747747 description Overall entropy of this PE file is high
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.EmotetU.Gen.Cy1@hiLwzBeO
CAT-QuickHeal Trojan.Emotet
ALYac Trojan.EmotetU.Gen.Cy1@hiLwzBeO
Cylance Unsafe
K7AntiVirus Trojan ( 00564dd11 )
Alibaba Trojan:Win32/TrickBot.9f510a34
K7GW Trojan ( 00564dd11 )
Cybereason malicious.f3fc26
Arcabit Trojan.EmotetU.Gen.E225AA
Cyren W32/Trickbot.DL.gen!Eldorado
Symantec Packed.Generic.534
APEX Malicious
Avast Win32:TrojanX-gen [Trj]
Kaspersky HEUR:Trojan-Banker.Win32.Emotet.gen
BitDefender Trojan.EmotetU.Gen.Cy1@hiLwzBeO
Paloalto generic.ml
AegisLab Virus.Win32.HLLP.l5Qv
Tencent Malware.Win32.Gencirc.10b9d4b5
Ad-Aware Trojan.EmotetU.Gen.Cy1@hiLwzBeO
Emsisoft Trojan.EmotetU.Gen.Cy1@hiLwzBeO (B)
Comodo TrojWare.Win32.Genome.VTTA@8qs2pa
F-Secure Trojan.TR/AD.TrickBot.byhyn
DrWeb Trojan.Trick.46562
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.TRICKBOT.SMTHA
McAfee-GW-Edition Emotet-FQC!DEB2A20F3FC2
FireEye Generic.mg.deb2a20f3fc26466
Sophos Mal/Generic-R + Troj/Agent-BEHY
Ikarus Trojan-Banker.TrickBot
Jiangmin Trojan.Agentb.gnz
Avira TR/AD.TrickBot.byhyn
eGambit Unsafe.AI_Score_98%
Antiy-AVL GrayWare/Win32.Generic
Gridinsoft Trojan.Win32.TrickBot.vb
Microsoft Trojan:Win32/TrickBot.ARJ!MTB
ViRobot Trojan.Win32.Trickbot.458752.E
ZoneAlarm HEUR:Trojan-Banker.Win32.Emotet.gen
GData Trojan.EmotetU.Gen.Cy1@hiLwzBeO
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Trickbot.R333438
McAfee Emotet-FQC!DEB2A20F3FC2
MAX malware (ai score=83)
Malwarebytes Trojan.TrickBot
ESET-NOD32 a variant of Win32/Kryptik.HCXL
TrendMicro-HouseCall TrojanSpy.Win32.TRICKBOT.SMTHA
Rising Trojan.TrickBot!1.C549 (CLASSIC)
Yandex Trojan.Agent!nve6wF7/PIc
MaxSecure Trojan.Malware.1728101.susgen
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-04-18 00:47:08

Imports

Library KERNEL32.dll:
0x419294 SizeofResource
0x419298 LoadResource
0x41929c FindResourceA
0x4192a0 LoadLibraryA
0x4192a4 GetModuleHandleA
0x4192a8 LoadLibraryW
0x4192b4 GetCurrentThread
0x4192b8 CompareStringW
0x4192bc CompareStringA
0x4192c0 GetStringTypeW
0x4192c4 GetStringTypeA
0x4192c8 LCMapStringW
0x4192cc GetCurrentProcess
0x4192d4 SetStdHandle
0x4192d8 ReadFile
0x4192dc GetProcAddress
0x4192e0 GetOEMCP
0x4192e4 GetACP
0x4192e8 GetCPInfo
0x4192ec IsBadCodePtr
0x4192f0 IsBadReadPtr
0x4192f8 CloseHandle
0x4192fc FlushFileBuffers
0x419300 SetFilePointer
0x419304 GetLastError
0x419308 WriteFile
0x41930c LCMapStringA
0x419314 MultiByteToWideChar
0x419318 HeapFree
0x419320 GetSystemTime
0x419324 GetLocalTime
0x419328 RtlUnwind
0x41932c GetStartupInfoA
0x419330 GetCommandLineA
0x419334 GetVersion
0x419338 ExitProcess
0x41933c RaiseException
0x419340 TerminateProcess
0x419344 HeapReAlloc
0x419348 HeapAlloc
0x41934c HeapSize
0x419350 HeapDestroy
0x419354 HeapCreate
0x419358 VirtualFree
0x41935c VirtualAlloc
0x419360 IsBadWritePtr
0x419368 GetModuleFileNameA
0x419374 WideCharToMultiByte
0x419380 SetHandleCount
0x419384 GetStdHandle
0x419388 GetFileType
Library USER32.dll:
0x4193ec GetMessageW
0x4193f0 TranslateMessage
0x4193f4 DispatchMessageW
0x4193f8 DefWindowProcW
0x4193fc InvalidateRect
0x419400 GetDesktopWindow
0x419404 BeginPaint
0x419408 EndPaint
0x41940c PostQuitMessage
0x419410 SetTimer
0x419414 KillTimer
0x419418 FillRect
0x41941c DrawTextW
0x419420 LoadIconW
0x419424 LoadCursorW
0x419428 RegisterClassExW
0x41942c CreateWindowExW
0x419430 ShowWindow
0x419434 UpdateWindow
0x419438 MessageBoxA
Library GDI32.dll:
0x419264 GetStockObject

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.