Score: 6.6
Risk level: High

Hash: f1d71d77f6c9b0358f6421df901379e2d85c6c2a964506040780c79cda860b68

File name: e3967f808e44d24555d3a668901afae4.exe

Analysis duration: 64s

Last analysis:

File size: 339.0KB

Static detection / dynamic detection tags: AGEN AI SCORE=88 AIDETECTVM AJVA ATTRIBUTE BSCOPE CONFIDENCE ELDORADO FVDEWK GDSDA GENASA GENERIC@ML GENERICRXHW GRAYWARE HIGH CONFIDENCE HIGHCONFIDENCE MALWARE1 MALWARE@#3SOML0N9MP6LQ NEO2INEECAO OCCAMY PDMXENRUMWIHUABUFB2ANQ PREDATOR QQPASS QQROB R282639 RAZY RDMK SCORE SUSGEN TROJANPSW TROJANX UNSAFE UNWADERS
Hawkeye engine
Not detected: no Hawkeye engine results available
Static verdict
Antivirus engines
Engine Result Time Version
McAfee GenericRXHW-LH!E3967F808E44 20201229 6.0.6.653
Alibaba TrojanPSW:Win32/Predator.0516a346 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:TrojanX-gen [Trj] 20201229 21.1.5827.0
Kingsoft 20201229 2017.9.26.565
Tencent Win32.Trojan-qqpass.Qqrob.Ajva 20201229 1.0.0.1
CrowdStrike win/malicious_confidence_60% (W) 20190702 1.0
Static indicators
Checks if process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1619983836.259749
IsDebuggerPresent
failed 0 0
Tries to locate where the browsers are installed (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayVersion
The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)
section code
section data
One or more processes crashed (5 events)
Time & API Arguments Status Return Repeated
1619983826.165749
__exception__
stacktrace:
e3967f808e44d24555d3a668901afae4+0x19ee8 @ 0x419ee8
e3967f808e44d24555d3a668901afae4+0x3b53a @ 0x43b53a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1636472
registers.edi: 12
registers.eax: 6064712
registers.ebp: 1637688
registers.edx: 2130566132
registers.ebx: 0
registers.esi: 1637708
registers.ecx: 325648384
exception.instruction_r: cc c2 04 00 8b 54 24 04 8b 02 81 38 03 00 00 80
exception.symbol: e3967f808e44d24555d3a668901afae4+0xa389
exception.instruction: int3
exception.module: e3967f808e44d24555d3a668901afae4.exe
exception.exception_code: 0x80000003
exception.offset: 41865
exception.address: 0x40a389
success 0 0
1619983826.321749
__exception__
stacktrace:
e3967f808e44d24555d3a668901afae4+0xbf2e @ 0x40bf2e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 11074144
registers.edi: 12
registers.eax: 6236936
registers.ebp: 11075360
registers.edx: 2130553844
registers.ebx: 0
registers.esi: 1637708
registers.ecx: 325648384
exception.instruction_r: cc c2 04 00 8b 54 24 04 8b 02 81 38 03 00 00 80
exception.symbol: e3967f808e44d24555d3a668901afae4+0xa389
exception.instruction: int3
exception.module: e3967f808e44d24555d3a668901afae4.exe
exception.exception_code: 0x80000003
exception.offset: 41865
exception.address: 0x40a389
success 0 0
1619983831.321749
__exception__
stacktrace:
e3967f808e44d24555d3a668901afae4+0xbf2e @ 0x40bf2e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 11074144
registers.edi: 12
registers.eax: 6452584
registers.ebp: 11075360
registers.edx: 2130553844
registers.ebx: 0
registers.esi: 1637708
registers.ecx: 325648384
exception.instruction_r: cc c2 04 00 8b 54 24 04 8b 02 81 38 03 00 00 80
exception.symbol: e3967f808e44d24555d3a668901afae4+0xa389
exception.instruction: int3
exception.module: e3967f808e44d24555d3a668901afae4.exe
exception.exception_code: 0x80000003
exception.offset: 41865
exception.address: 0x40a389
success 0 0
1619983836.321749
__exception__
stacktrace:
e3967f808e44d24555d3a668901afae4+0xbf2e @ 0x40bf2e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 11074144
registers.edi: 12
registers.eax: 136912048
registers.ebp: 11075360
registers.edx: 2130553844
registers.ebx: 0
registers.esi: 1637708
registers.ecx: 325648384
exception.instruction_r: cc c2 04 00 8b 54 24 04 8b 02 81 38 03 00 00 80
exception.symbol: e3967f808e44d24555d3a668901afae4+0xa389
exception.instruction: int3
exception.module: e3967f808e44d24555d3a668901afae4.exe
exception.exception_code: 0x80000003
exception.offset: 41865
exception.address: 0x40a389
success 0 0
1619983836.634749
__exception__
stacktrace:
e3967f808e44d24555d3a668901afae4+0x19207 @ 0x419207
e3967f808e44d24555d3a668901afae4+0x19f1f @ 0x419f1f
e3967f808e44d24555d3a668901afae4+0x3b53a @ 0x43b53a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1628832
registers.edi: 1634383
registers.eax: 0
registers.ebp: 1635148
registers.edx: 0
registers.ebx: 0
registers.esi: 1633312
registers.ecx: 1
exception.instruction_r: 8a 02 42 84 c0 75 f9 2b d1 8b ce 52 ff 74 24 0c
exception.symbol: e3967f808e44d24555d3a668901afae4+0xc92a
exception.instruction: mov al, byte ptr [edx]
exception.module: e3967f808e44d24555d3a668901afae4.exe
exception.exception_code: 0xc0000005
exception.offset: 51498
exception.address: 0x40c92a
success 0 0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time & API Arguments Status Return Repeated
1619983826.103749
NtAllocateVirtualMemory
process_identifier: 1320
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
Steals private information from local Internet browsers (5 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\History
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Last Version
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Attempts to access Bitcoin/ALTCoin wallets (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Electrum\wallets
Harvests credentials from local FTP client software (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
Harvests information related to installed instant messenger clients (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\.purple\accounts.xml
File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 of 55 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Razy.467448
FireEye Generic.mg.e3967f808e44d245
McAfee GenericRXHW-LH!E3967F808E44
Cylance Unsafe
AegisLab Trojan.Win32.Predator.i!c
Sangfor Malware
K7AntiVirus Spyware ( 005520891 )
Alibaba TrojanPSW:Win32/Predator.0516a346
K7GW Spyware ( 005520891 )
Cybereason malicious.08e44d
Arcabit Trojan.Razy.D721F8
BitDefenderTheta AI:Packer.C650AE5821
Cyren W32/Agent_Troj.V.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
ClamAV Win.Malware.Razy-7351643-0
Kaspersky Trojan-PSW.Win32.Predator.csb
BitDefender Gen:Variant.Razy.467448
NANO-Antivirus Trojan.Win32.Stealer.fvdewk
Avast Win32:TrojanX-gen [Trj]
Rising Trojan.Generic@ML.94 (RDMK:PDMXENrumWiHuabUFb2AnQ)
Ad-Aware Gen:Variant.Razy.467448
Sophos Mal/Generic-S
Comodo Malware@#3soml0n9mp6lq
F-Secure Heuristic.HEUR/AGEN.1108439
DrWeb Trojan.PWS.Stealer.26541
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition GenericRXHW-LH!E3967F808E44
Emsisoft Gen:Variant.Razy.467448 (B)
Jiangmin Trojan.PSW.Predator.su
MaxSecure Trojan.Malware.74042871.susgen
Avira HEUR/AGEN.1108439
MAX malware (ai score=88)
Antiy-AVL GrayWare/Win32.Unwaders
Microsoft Trojan:Win32/Occamy.CF1
ZoneAlarm Trojan-PSW.Win32.Predator.csb
GData Gen:Variant.Razy.467448
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.RL_Generic.R282639
Acronis suspicious
VBA32 BScope.TrojanPSW.Stealer
ALYac Gen:Variant.Razy.467448
ESET-NOD32 a variant of Win32/Spy.Agent.PTM
Tencent Win32.Trojan-qqpass.Qqrob.Ajva
Yandex Trojan.GenAsa!NEo2InEecAo
Ikarus Trojan-Spy.Agent
eGambit Unsafe.AI_Score_61%
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
Visual analysis
Binary image
No binary image: this sample did not produce a binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran


PE Compile Time

2019-08-04 03:57:11

Imports

Library KERNEL32.dll:
0x455000 LoadLibraryA
0x455004 WriteConsoleW
0x455008 CloseHandle
0x45501c SetEvent
0x455020 ResetEvent
0x455028 CreateEventW
0x45502c GetModuleHandleW
0x455030 GetProcAddress
0x455034 IsDebuggerPresent
0x455040 GetStartupInfoW
0x45504c GetCurrentProcessId
0x455050 GetCurrentThreadId
0x455058 InitializeSListHead
0x45505c GetCurrentProcess
0x455060 TerminateProcess
0x455064 RaiseException
0x455068 RtlUnwind
0x45506c GetLastError
0x455070 SetLastError
0x455074 EncodePointer
0x455078 TlsAlloc
0x45507c TlsGetValue
0x455080 TlsSetValue
0x455084 TlsFree
0x455088 FreeLibrary
0x45508c LoadLibraryExW
0x455090 ExitProcess
0x455094 GetModuleHandleExW
0x455098 GetModuleFileNameW
0x45509c GetStdHandle
0x4550a0 WriteFile
0x4550a4 HeapFree
0x4550a8 WideCharToMultiByte
0x4550ac MultiByteToWideChar
0x4550b0 HeapAlloc
0x4550b4 GetFileType
0x4550b8 HeapReAlloc
0x4550bc FindClose
0x4550c0 FindFirstFileExW
0x4550c4 FindNextFileW
0x4550c8 IsValidCodePage
0x4550cc GetACP
0x4550d0 GetOEMCP
0x4550d4 GetCPInfo
0x4550d8 GetCommandLineA
0x4550dc GetCommandLineW
0x4550ec CompareStringW
0x4550f0 LCMapStringW
0x4550f4 GetProcessHeap
0x4550f8 SetStdHandle
0x4550fc GetStringTypeW
0x455100 SetFilePointerEx
0x455104 HeapSize
0x455108 FlushFileBuffers
0x45510c GetConsoleCP
0x455110 GetConsoleMode
0x455114 DecodePointer
0x455118 CreateFileW
0x45511c VirtualQuery

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 49236 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.