8.8
Critical

520acee8bba3d48f5a215c090709c4fbdac96e044be4b3525a1bbf8c7de2466a

e5b68b9cf8904965778ec8cceb8e87c2.exe

Analysis duration

86s

Last analyzed

File size

164.0KB
Static scan: malicious. Dynamic scan: malicious. 100% AI SCORE=82 AIDETECTVM ATTRIBUTE CLASSIC CONFIDENCE CRYPTERX ELDORADO FSJZ GENKRYPTIK GRAFTOR HDVJ HDWC HIGH CONFIDENCE HIGHCONFIDENCE HLFKYF HPGEN HVBPV INJECT3 KCLOUD KRYPTIK KY0@AWQWEMEJ MALWARE1 MALWARE@#124Y1EA02F0TD MIDIE NN6TV3KCQEE PROXYGATE QVM10 SCORE SHELLCODECRYPTER STATIC AI SUSGEN SUSPICIOUS PE TRICKBOT TROJDOWNLOADER UNSAFE ZEXAF
Eagle Eye engine
Not detected: no Eagle Eye engine results available
Static verdict
Antivirus engines
Engine Result Scan date Engine version
McAfee Trickbot-FSJZ!E5B68B9CF890 20201211 6.0.6.653
Alibaba TrojanDownloader:Win32/Adload.23b3a573 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:CrypterX-gen [Trj] 20201210 21.1.5827.0
Kingsoft Win32.TrojDownloader.Adload.ry.(kcloud) 20201211 2017.9.26.565
Tencent 20201211 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Time & API Arguments Status Return Repeated
1619952136.939875
NtProtectVirtualMemory
process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 16384
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0041c000
success 0 0
1619952137.236625
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
Foreign language identified in PE resource (1 event)
name RT_VERSION language LANG_CHINESE offset 0x0002b028 filetype SysEx File - IDP sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000002f0
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e5b68b9cf8904965778ec8cceb8e87c2.exe
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e5b68b9cf8904965778ec8cceb8e87c2.exe
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (7 events)
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated
1619952137.268625
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x00440000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.9356261680676035 section {'size_of_data': '0x00008600', 'virtual_address': '0x00023000', 'entropy': 7.9356261680676035, 'name': '.rsrc', 'virtual_size': '0x00008495'} description A section with a high entropy has been found
entropy 0.20552147239263804 description Overall entropy of this PE file is high
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e5b68b9cf8904965778ec8cceb8e87c2.exe
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 2116 called NtSetContextThread to modify thread in remote process 472
Time & API Arguments Status Return Repeated
1619952137.002875
NtSetContextThread
thread_handle: 0x000000e8
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4260288
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 472
success 0 0
Executed a process and injected code into it, probably while unpacking (4 events)
Time & API Arguments Status Return Repeated
1619952136.955875
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2116
success 0 0
1619952136.971875
CreateProcessInternalW
thread_identifier: 2272
thread_handle: 0x000000e8
process_identifier: 472
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e5b68b9cf8904965778ec8cceb8e87c2.exe
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e5b68b9cf8904965778ec8cceb8e87c2.exe"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e5b68b9cf8904965778ec8cceb8e87c2.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x000000ec
inherit_handles: 0
success 1 0
1619952136.971875
NtGetContextThread
thread_handle: 0x000000e8
success 0 0
1619952137.002875
NtSetContextThread
thread_handle: 0x000000e8
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4260288
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 472
success 0 0
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 of 56 events shown)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
FireEye Generic.mg.e5b68b9cf8904965
McAfee Trickbot-FSJZ!E5B68B9CF890
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2039521
Sangfor Malware
K7AntiVirus Trojan ( 00567ef11 )
Alibaba TrojanDownloader:Win32/Adload.23b3a573
K7GW Trojan ( 00567ef11 )
Cybereason malicious.cf8904
Arcabit Trojan.Midie.D11C69
BitDefenderTheta Gen:NN.ZexaF.34670.ky0@aWqWeMej
Cyren W32/S-2985393c!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Kryptik.HDVJ
APEX Malicious
Avast Win32:CrypterX-gen [Trj]
Kaspersky HEUR:Trojan-Downloader.Win32.Adload.pef
BitDefender Gen:Variant.Midie.72809
NANO-Antivirus Trojan.Win32.Inject3.hlfkyf
Paloalto generic.ml
MicroWorld-eScan Gen:Variant.Midie.72809
Rising Trojan.Kryptik!1.C75C (CLASSIC)
Ad-Aware Gen:Variant.Midie.72809
Emsisoft Gen:Variant.Midie.72809 (B)
Comodo Malware@#124y1ea02f0td
F-Secure Trojan.TR/AD.ShellcodeCrypter.hvbpv
DrWeb Trojan.Inject3.42797
VIPRE Trojan.Win32.Generic!BT
TrendMicro Mal_HPGen-37b
McAfee-GW-Edition BehavesLike.Win32.Trojan.cc
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Jiangmin TrojanDownloader.Adload.aafe
Avira TR/AD.ShellcodeCrypter.hvbpv
Antiy-AVL Trojan[Downloader]/Win32.Adload
Kingsoft Win32.TrojDownloader.Adload.ry.(kcloud)
Microsoft Trojan:Win32/Trickbot.PVB!MTB
AegisLab Trojan.Win32.Graftor.4!c
ZoneAlarm HEUR:Trojan-Downloader.Win32.Adload.pef
GData Gen:Variant.Midie.72809
Acronis suspicious
VBA32 TrojanDownloader.Adload
ALYac Gen:Variant.Midie.72809
MAX malware (ai score=82)
Malwarebytes Adware.ProxyGate
TrendMicro-HouseCall Mal_HPGen-37b
Yandex Trojan.GenKryptik!Nn6Tv3KCqEE
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.78:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran

PE Compile Time

2020-06-02 17:02:09

Imports

Library GLU32.dll:
0x412018 gluNextContour
0x412020 gluGetNurbsProperty
0x412028 gluBeginSurface
Library WINMM.dll:
0x412180 midiInGetNumDevs
0x412184 wod32Message
0x412188 joyGetDevCapsW
0x41218c mixerGetLineInfoA
0x412190 midiOutGetDevCapsA
0x412194 auxGetDevCapsW
Library USER32.dll:
0x412168 SendNotifyMessageA
0x41216c GetCursorPos
0x412174 RedrawWindow
Library SHLWAPI.dll:
0x41214c SHRegQueryUSValueA
0x412150 StrTrimA
0x412158 UrlEscapeA
0x41215c UrlIsW
Library RPCRT4.dll:
0x412134 RpcBindingFree
0x412138 RpcTestCancel
0x41213c I_RpcClearMutex
0x412140 NdrProxyFreeBuffer
Library COMDLG32.dll:
0x412000 ReplaceTextW
0x412004 ChooseColorW
0x41200c ChooseColorA
0x412010 ChooseFontW
Library KERNEL32.dll:
0x412030 HeapReAlloc
0x412034 HeapSize
0x412038 GetConsoleMode
0x41203c GetConsoleCP
0x412040 FlushFileBuffers
0x412044 GetProcessHeap
0x412048 CloseHandle
0x41204c SetStdHandle
0x412058 GetCommandLineW
0x41205c GetCommandLineA
0x412060 GetCPInfo
0x412064 GetOEMCP
0x412068 IsValidCodePage
0x41206c FindNextFileA
0x412070 SetFilePointerEx
0x412074 CreateFileW
0x412078 WriteConsoleW
0x41207c DecodePointer
0x412080 GetStringTypeW
0x412084 VirtualProtect
0x412090 GetCurrentProcess
0x412094 TerminateProcess
0x4120a0 GetCurrentProcessId
0x4120a4 GetCurrentThreadId
0x4120ac InitializeSListHead
0x4120b0 IsDebuggerPresent
0x4120b4 GetStartupInfoW
0x4120b8 GetModuleHandleW
0x4120bc RtlUnwind
0x4120c0 GetLastError
0x4120c4 SetLastError
0x4120d8 TlsAlloc
0x4120dc TlsGetValue
0x4120e0 TlsSetValue
0x4120e4 TlsFree
0x4120e8 FreeLibrary
0x4120ec GetProcAddress
0x4120f0 LoadLibraryExW
0x4120f4 GetStdHandle
0x4120f8 WriteFile
0x4120fc GetModuleFileNameA
0x412100 MultiByteToWideChar
0x412104 WideCharToMultiByte
0x412108 ExitProcess
0x41210c GetModuleHandleExW
0x412110 GetACP
0x412114 HeapFree
0x412118 HeapAlloc
0x41211c LCMapStringW
0x412120 GetFileType
0x412124 FindClose
0x412128 FindFirstFileExA
0x41212c RaiseException

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51379 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.