5.4
Medium risk

40ff9ac67eaadb1650b85fcd1046efe51478ee680046653f63f5d48964333519

e2a7fffed01fe4a670e90400fc160b37.exe

Analysis duration

85s

Last analysis

File size

687.5KB
Static detection / dynamic detection tags: A + MAL AI SCORE=89 AIDETECTVM BANKERX BSCOPE BUNITU CLASSIC CONFIDENCE ELDORADO ELJF ENCPK ERFL ERLG GA@8SFC92 GDSDA GENCIRC GENKRYPTIK HDMT HIGH CONFIDENCE HKJWPI ICRXJNAUDG8 INJECT3 KRYPTIK MALICIOUS PE MALWARE1 PINKSBOT QAKBOT QBOT QM0@AIHCG3LK QVM20 R337792 SCORE SHADE SMTHA STATIC AI SUSGEN TROJANBANKER UNSAFE URSU VQXQO WACATAC ZENPAK ZEXAF
Eagle Eye (鹰眼) engine
Not detected: no Eagle Eye engine detection results yet
Static verdict
Antivirus engines
Engine Result Scan time Engine version
McAfee W32/PinkSbot-GS!E2A7FFFED01F 20201211 6.0.6.653
Alibaba TrojanBanker:Win32/Bunitu.a9573453 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_60% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:BankerX-gen [Trj] 20201210 21.1.5827.0
Tencent Malware.Win32.Gencirc.10cdcd52 20201211 1.0.0.1
Static indicators
Queries for the computername (2 events)
Time & API Arguments Status Return Repeated
1619962469.901999
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619962470.901999
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
One or more processes crashed (2 events)
Time & API Arguments Status Return Repeated
1619962473.448999
__exception__
stacktrace:
e2a7fffed01fe4a670e90400fc160b37+0x3f07 @ 0x403f07
e2a7fffed01fe4a670e90400fc160b37+0x1b25 @ 0x401b25
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637624
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637684
registers.edx: 22104
registers.ebx: 1
registers.esi: 5916888
registers.ecx: 10
exception.instruction_r: ed 89 5d e4 89 4d e0 5a 59 5b 58 83 4d fc ff eb
exception.symbol: e2a7fffed01fe4a670e90400fc160b37+0x3449
exception.instruction: in eax, dx
exception.module: e2a7fffed01fe4a670e90400fc160b37.exe
exception.exception_code: 0xc0000096
exception.offset: 13385
exception.address: 0x403449
success 0 0
1619962473.448999
__exception__
stacktrace:
e2a7fffed01fe4a670e90400fc160b37+0x3f10 @ 0x403f10
e2a7fffed01fe4a670e90400fc160b37+0x1b25 @ 0x401b25
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637628
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637684
registers.edx: 22104
registers.ebx: 1
registers.esi: 5916888
registers.ecx: 20
exception.instruction_r: ed 89 45 e4 5a 59 5b 58 83 4d fc ff eb 11 33 c0
exception.symbol: e2a7fffed01fe4a670e90400fc160b37+0x34e2
exception.instruction: in eax, dx
exception.module: e2a7fffed01fe4a670e90400fc160b37.exe
exception.exception_code: 0xc0000096
exception.offset: 13538
exception.address: 0x4034e2
success 0 0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (6 events)
Time & API Arguments Status Return Repeated
1619962469.761999
NtAllocateVirtualMemory
process_identifier: 3040
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01c90000
success 0 0
1619962469.776999
NtAllocateVirtualMemory
process_identifier: 3040
region_size: 221184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01cd0000
success 0 0
1619962469.776999
NtProtectVirtualMemory
process_identifier: 3040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 237568
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619962470.870999
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003a0000
success 0 0
1619962470.870999
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 221184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004b0000
success 0 0
1619962470.870999
NtProtectVirtualMemory
process_identifier: 1476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 237568
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619962470.682999
CreateProcessInternalW
thread_identifier: 2080
thread_handle: 0x00000154
process_identifier: 1476
current_directory:
filepath:
track: 1
command_line: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e2a7fffed01fe4a670e90400fc160b37.exe /C
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000158
inherit_handles: 0
success 1 0
Expresses interest in specific running processes (1 event)
process vboxservice.exe
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Detects VMware through the in instruction feature (1 event)
Time & API Arguments Status Return Repeated
1619962473.448999
__exception__
stacktrace:
e2a7fffed01fe4a670e90400fc160b37+0x3f07 @ 0x403f07
e2a7fffed01fe4a670e90400fc160b37+0x1b25 @ 0x401b25
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637624
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637684
registers.edx: 22104
registers.ebx: 1
registers.esi: 5916888
registers.ecx: 10
exception.instruction_r: ed 89 5d e4 89 4d e0 5a 59 5b 58 83 4d fc ff eb
exception.symbol: e2a7fffed01fe4a670e90400fc160b37+0x3449
exception.instruction: in eax, dx
exception.module: e2a7fffed01fe4a670e90400fc160b37.exe
exception.exception_code: 0xc0000096
exception.offset: 13385
exception.address: 0x403449
success 0 0
File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Agent.ERFL
FireEye Generic.mg.e2a7fffed01fe4a6
McAfee W32/PinkSbot-GS!E2A7FFFED01F
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 005673a11 )
Alibaba TrojanBanker:Win32/Bunitu.a9573453
K7GW Trojan ( 005671951 )
CrowdStrike win/malicious_confidence_60% (W)
Arcabit Trojan.Agent.ERFL
Cyren W32/Trojan.DZW.gen!Eldorado
Symantec Packed.Generic.459
APEX Malicious
Avast Win32:BankerX-gen [Trj]
ClamAV Win.Malware.Erlg-9769223-0
Kaspersky HEUR:Trojan-Banker.Win32.Qbot.pef
BitDefender Trojan.Agent.ERFL
NANO-Antivirus Trojan.Win32.Inject3.hkjwpi
Paloalto generic.ml
ViRobot Trojan.Win32.Qakbot.702976
Tencent Malware.Win32.Gencirc.10cdcd52
Ad-Aware Trojan.Agent.ERFL
TACHYON Trojan/W32.Agent.704000.DC
Emsisoft Trojan.Agent.ERFL (B)
Comodo TrojWare.Win32.Qbot.GA@8sfc92
F-Secure Trojan.TR/AD.Qbot.vqxqo
DrWeb Trojan.Inject3.40188
Zillya Trojan.Kryptik.Win32.2038782
TrendMicro TrojanSpy.Win32.QAKBOT.SMTHA.hp
McAfee-GW-Edition BehavesLike.Win32.Generic.jm
Sophos ML/PE-A + Mal/EncPk-APV
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.Zenpak.bsq
Avira TR/AD.Qbot.vqxqo
Antiy-AVL Trojan/Win32.Wacatac
Gridinsoft Trojan.Win32.Kryptik.dd!n
Microsoft Trojan:Win32/Bunitu.PVI!MTB
AegisLab Trojan.Win32.Ursu.4!c
ZoneAlarm HEUR:Trojan-Banker.Win32.Qbot.pef
GData Trojan.Agent.ERFL
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Bunitu.R337792
BitDefenderTheta Gen:NN.ZexaF.34670.Qm0@aiHcG3lk
ALYac Trojan.Agent.QakBot
MAX malware (ai score=89)
VBA32 BScope.TrojanRansom.Shade
Malwarebytes Trojan.Qbot
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran

PE Compile Time

2020-05-20 02:24:51

Imports

Library KERNEL32.dll:
0x490acc GetModuleHandleA
0x490ad0 GetStartupInfoA
0x490ad4 GetCommandLineA
0x490ad8 GetVersionExA
0x490adc ExitProcess
0x490ae0 GetProcAddress
0x490ae4 WriteFile
0x490ae8 GetStdHandle
0x490aec GetModuleFileNameA
0x490b00 WideCharToMultiByte
0x490b04 GetLastError
0x490b0c SetHandleCount
0x490b10 GetFileType
0x490b18 TlsFree
0x490b1c SetLastError
0x490b20 GetCurrentThreadId
0x490b24 TlsSetValue
0x490b28 TlsGetValue
0x490b2c TlsAlloc
0x490b30 HeapDestroy
0x490b34 HeapCreate
0x490b38 VirtualFree
0x490b3c HeapFree
0x490b48 LoadLibraryA
0x490b4c GetACP
0x490b50 GetOEMCP
0x490b54 GetCPInfo
0x490b58 HeapAlloc
0x490b60 VirtualAlloc
0x490b64 HeapReAlloc
0x490b68 LCMapStringA
0x490b6c MultiByteToWideChar
0x490b70 LCMapStringW
0x490b74 GetStringTypeA
0x490b78 GetStringTypeW
0x490b7c GetLocaleInfoA
0x490b80 RtlUnwind
0x490b84 VirtualProtect
0x490b88 GetSystemInfo
0x490b8c VirtualQuery
0x490b90 GetModuleHandleW
Library USER32.dll:
0x490b98 SetDeskWallpaper
0x490ba8 CharToOemBuffW
0x490bac InsertMenuA
0x490bb0 SetShellWindow
0x490bb4 DefFrameProcW
0x490bb8 DefMDIChildProcW
0x490bbc LoadCursorFromFileA
0x490bc8 CreateMDIWindowA
0x490bcc LoadCursorA
0x490bd0 SendMessageA
0x490bd4 LoadImageW
0x490bd8 ReleaseDC
0x490bdc SetMenuItemInfoW
0x490be0 DrawTextA
0x490be4 GetKeyboardState
0x490be8 ShowCursor
0x490bf4 DefDlgProcW
0x490bf8 ToUnicodeEx
0x490bfc mouse_event
0x490c00 GetDlgItemTextA
0x490c04 RemoveMenu
0x490c08 GetClipboardData
0x490c0c IMPGetIMEA
0x490c10 CreateMDIWindowW
0x490c14 CreatePopupMenu
0x490c18 CallWindowProcA
0x490c1c OemKeyScan
0x490c20 SetWinEventHook
0x490c24 IsCharLowerW
0x490c28 LoadMenuA
0x490c2c DefDlgProcA
0x490c30 EnumWindowStationsW
0x490c34 DrawIcon
0x490c38 DdeAddData
0x490c3c LoadIconA
0x490c40 CharNextA
Library GDI32.dll:
0x490c48 SelectPalette
0x490c4c GetStringBitmapA
0x490c54 GdiResetDCEMF
0x490c58 DeleteObject
0x490c5c IntersectClipRect
0x490c64 GetCharWidthA
0x490c68 GetCharWidthW
0x490c6c GdiSetPixelFormat
0x490c70 GetWinMetaFileBits
0x490c74 EngFindResource
0x490c7c GetTextFaceW
0x490c84 CreateEnhMetaFileW
0x490c88 CLIPOBJ_cEnumStart
0x490c90 EngQueryEMFInfo
0x490c94 GetGlyphIndicesA
0x490c98 GetCharABCWidthsA
0x490c9c GdiAlphaBlend
0x490ca0 EnumObjects
0x490ca4 GetGlyphOutline
0x490ca8 ScaleViewportExtEx
0x490cb0 EndDoc
0x490cb4 CreateICA
0x490cc0 ExtEscape
0x490cc8 GdiPrinterThunk
0x490ccc SetGraphicsMode
0x490cd4 GdiGetSpoolMessage
0x490ce4 EnableEUDC
0x490ce8 CreateEllipticRgn
0x490cec RealizePalette
0x490cf0 BitBlt
0x490cf4 FONTOBJ_pfdg
0x490cf8 UpdateColors
Library COMDLG32.dll:
0x490d00 GetFileTitleW
Library ADVAPI32.dll:
0x490d08 RegCloseKey
0x490d0c RegOpenKeyA
0x490d10 RegQueryValueExA
Library SHELL32.dll:
0x490d18 ShellExecuteExW
0x490d1c CheckEscapesW
0x490d20 DoEnvironmentSubstW
0x490d28 FindExecutableW
0x490d2c SHBindToParent
0x490d34 Shell_NotifyIcon
0x490d3c SHGetMalloc
0x490d44 SHGetFileInfo
0x490d48 DuplicateIcon
0x490d50 SHFileOperation
0x490d54 SHGetFileInfoA
0x490d60 SHFormatDrive
0x490d64 SHGetFolderLocation
0x490d68 SHBrowseForFolderA
0x490d6c ShellHookProc
0x490d70 SHBrowseForFolderW
0x490d74 DragQueryFile
0x490d78 SHAppBarMessage
0x490d7c SHFreeNameMappings
Library ole32.dll:
0x490d88 OleRun
0x490d8c CoUninitialize
0x490d90 CoInitializeEx
0x490d94 CoCreateInstance
Library SHLWAPI.dll:
0x490d9c PathIsUNCW
0x490da0 StrChrA
0x490da4 StrChrIA
0x490da8 StrStrA
Library MSVCRT.dll:
0x490db0 _gcvt
Library IMM32.dll:
0x490db8 ImmGetContext

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62912 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.