SmartHawk

7.8

高危

52 个模型检测该样本为恶意！

重新分析

下载样本

e93afd4067150bd662214a18a87f226e8b50729186caf728ef70d71eb4510094

e739df7351d40a3ca22df1f8690ae392.exe

分析耗时

90s

最近分析

文件大小

564.0KB

静态报毒动态报毒 AGENTTESLA AI SCORE=100 ATTRIBUTE CLOUD ELDORADO EPNV FAREIT GDSDA GENERICKDZ GENKRYPTIK GENOME HIGH CONFIDENCE HIGHCONFIDENCE HPCMPH IENLY KRYPTIK LOKIBOT MALICIOUS PE MSILKRYPT NEGASTEAL QVM03 R346182 RATX SCORE SIGGEN2 SMAUJ SUSGEN TGIWM@0 TSCOPE UNSAFE VSNTGS20 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FXO!E739DF7351D4	20200813	6.0.6.653
Alibaba	Trojan:MSIL/AgentTesla.885cf12b	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:RATX-gen [Trj]	20200813	18.4.3895.0
Tencent		20200813	1.0.0.1
Kingsoft		20200813	2013.8.14.323
CrowdStrike		20190702	1.0

Checks if process is being debugged by a debugger (36 个事件)

Time & API	Arguments	Status	Return	Repeated
1620809371.489436 IsDebuggerPresent		failed	0	0
1620809371.504436 IsDebuggerPresent		failed	0	0
1620809421.614436 IsDebuggerPresent		failed	0	0
1620809422.129436 IsDebuggerPresent		failed	0	0
1620809422.629436 IsDebuggerPresent		failed	0	0
1620809423.129436 IsDebuggerPresent		failed	0	0
1620809423.629436 IsDebuggerPresent		failed	0	0
1620809424.129436 IsDebuggerPresent		failed	0	0
1620809424.629436 IsDebuggerPresent		failed	0	0
1620809425.129436 IsDebuggerPresent		failed	0	0
1620809425.629436 IsDebuggerPresent		failed	0	0
1620809426.129436 IsDebuggerPresent		failed	0	0
1620809426.629436 IsDebuggerPresent		failed	0	0
1620809427.129436 IsDebuggerPresent		failed	0	0
1620809427.629436 IsDebuggerPresent		failed	0	0
1620809428.129436 IsDebuggerPresent		failed	0	0
1620809428.629436 IsDebuggerPresent		failed	0	0
1620809429.129436 IsDebuggerPresent		failed	0	0
1620809429.629436 IsDebuggerPresent		failed	0	0
1620809430.129436 IsDebuggerPresent		failed	0	0
1620809430.629436 IsDebuggerPresent		failed	0	0
1620809431.129436 IsDebuggerPresent		failed	0	0
1620809431.629436 IsDebuggerPresent		failed	0	0
1620809432.129436 IsDebuggerPresent		failed	0	0
1620809432.629436 IsDebuggerPresent		failed	0	0
1620809433.129436 IsDebuggerPresent		failed	0	0
1620809433.629436 IsDebuggerPresent		failed	0	0
1620809434.129436 IsDebuggerPresent		failed	0	0
1620809434.629436 IsDebuggerPresent		failed	0	0
1620809435.129436 IsDebuggerPresent		failed	0	0
1620809435.629436 IsDebuggerPresent		failed	0	0
1620809436.129436 IsDebuggerPresent		failed	0	0
1620809436.629436 IsDebuggerPresent		failed	0	0
1620809437.129436 IsDebuggerPresent		failed	0	0
1620836967.647874 IsDebuggerPresent		failed	0	0
1620836967.647874 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620809371.567436 GlobalMemoryStatusEx		success	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 121 个事件)

Time & API	Arguments	Status	Return
1620809370.660436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x006d0000	success	0
1620809370.660436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x007c0000	success	0
1620809371.098436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00b20000	success	0
1620809371.098436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c60000	success	0
1620809371.239436 NtProtectVirtualMemory	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success	0
1620809371.489436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00d00000	success	0
1620809371.489436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e30000	success	0
1620809371.504436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0056a000	success	0
1620809371.504436 NtProtectVirtualMemory	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success	0
1620809371.504436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00562000	success	0
1620809371.957436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00572000	success	0
1620809372.207436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00595000	success	0
1620809372.207436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0059b000	success	0
1620809372.223436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00597000	success	0
1620809372.364436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00573000	success	0
1620809372.457436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0057c000	success	0
1620809372.942436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00574000	success	0
1620809372.957436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00576000	success	0
1620809373.051436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00577000	success	0
1620809373.067436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00770000	success	0
1620809373.176436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0058a000	success	0
1620809373.176436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00587000	success	0
1620809373.285436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00586000	success	0
1620809373.348436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00771000	success	0
1620809373.817436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0057a000	success	0
1620809373.957436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00578000	success	0
1620809374.129436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00579000	success	0
1620809374.192436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d00000	success	0
1620809374.207436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00773000	success	0
1620809374.270436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d01000	success	0
1620809374.285436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00774000	success	0
1620809374.317436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00777000	success	0
1620809412.332436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c61000	success	0
1620809412.567436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0056c000	success	0
1620809412.629436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d02000	success	0
1620809412.629436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0057d000	success	0
1620809412.645436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00778000	success	0
1620809412.754436 NtProtectVirtualMemory	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 332288 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05080400	failed	3221225550
1620809420.879436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00779000	success	0
1620809420.879436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d03000	success	0
1620809420.879436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0077a000	success	0
1620809420.895436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0077b000	success	0
1620809420.957436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0077c000	success	0
1620809421.082436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0077d000	success	0
1620809421.176436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0077e000	success	0
1620809421.239436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00730000	success	0
1620809421.239436 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00731000	success	0
1620809421.254436 NtProtectVirtualMemory	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05080178	failed	3221225550
1620809421.254436 NtProtectVirtualMemory	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x050801a0	failed	3221225550
1620809421.254436 NtProtectVirtualMemory	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x050801c8	failed	3221225550

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.713674329214837

section

{'size_of_data': '0x0008c600', 'virtual_address': '0x00002000', 'entropy': 7.713674329214837, 'name': '.text', 'virtual_size': '0x0008c444'}

description

A section with a high entropy has been found

entropy

0.9964507542147294

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620809412.739436 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620809437.098436 NtAllocateVirtualMemory	process_identifier: 2240 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000070dc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1620809437.098436 WriteProcessMemory	process_identifier: 2240 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELròÜ^àZ>y @ À@ìxOð H.textDY Z `.rsrcð\@@.reloc `@B process_handle: 0x000070dc base_address: 0x00400000	success	1
1620809437.114436 WriteProcessMemory	process_identifier: 2240 buffer: 0HX4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0` InternalNamemKjroSxgMaRphLnOgNnLbCgtDAf.exe(LegalCopyright h OriginalFilenamemKjroSxgMaRphLnOgNnLbCgtDAf.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x000070dc base_address: 0x00448000	success	1
1620809437.114436 WriteProcessMemory	process_identifier: 2240 buffer: p@9 process_handle: 0x000070dc base_address: 0x0044a000	success	1
1620809437.114436 WriteProcessMemory	process_identifier: 2240 buffer: @ process_handle: 0x000070dc base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620809437.098436 WriteProcessMemory	process_identifier: 2240 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELròÜ^àZ>y @ À@ìxOð H.textDY Z `.rsrcð\@@.reloc `@B process_handle: 0x000070dc base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2344 called NtSetContextThread to modify thread in remote process 2240
1620809437.114436 NtSetContextThread	thread_handle: 0x00002278 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4487486 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2240	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2344 resumed a thread in remote process 2240
1620809437.551436 NtResumeThread	thread_handle: 0x00002278 suspend_count: 1 process_identifier: 2240	success	0	0

Executed a process and injected code into it, probably while unpacking (19 个事件)

Time & API	Arguments	Status	Return
1620809371.504436 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2344	success	0
1620809371.535436 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2344	success	0
1620809371.676436 NtResumeThread	thread_handle: 0x00000168 suspend_count: 1 process_identifier: 2344	success	0
1620809421.567436 NtResumeThread	thread_handle: 0x00003c7c suspend_count: 1 process_identifier: 2344	success	0
1620809421.582436 NtResumeThread	thread_handle: 0x000109a0 suspend_count: 1 process_identifier: 2344	success	0
1620809437.098436 CreateProcessInternalW	thread_identifier: 1816 thread_handle: 0x00002278 process_identifier: 2240 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e739df7351d40a3ca22df1f8690ae392.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e739df7351d40a3ca22df1f8690ae392.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000070dc inherit_handles: 0	success	1
1620809437.098436 NtGetContextThread	thread_handle: 0x00002278	success	0
1620809437.098436 NtAllocateVirtualMemory	process_identifier: 2240 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000070dc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1620809437.098436 WriteProcessMemory	process_identifier: 2240 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELròÜ^àZ>y @ À@ìxOð H.textDY Z `.rsrcð\@@.reloc `@B process_handle: 0x000070dc base_address: 0x00400000	success	1
1620809437.098436 WriteProcessMemory	process_identifier: 2240 buffer: process_handle: 0x000070dc base_address: 0x00402000	success	1
1620809437.114436 WriteProcessMemory	process_identifier: 2240 buffer: 0HX4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0` InternalNamemKjroSxgMaRphLnOgNnLbCgtDAf.exe(LegalCopyright h OriginalFilenamemKjroSxgMaRphLnOgNnLbCgtDAf.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x000070dc base_address: 0x00448000	success	1
1620809437.114436 WriteProcessMemory	process_identifier: 2240 buffer: p@9 process_handle: 0x000070dc base_address: 0x0044a000	success	1
1620809437.114436 WriteProcessMemory	process_identifier: 2240 buffer: @ process_handle: 0x000070dc base_address: 0x7efde008	success	1
1620809437.114436 NtSetContextThread	thread_handle: 0x00002278 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4487486 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2240	success	0
1620809437.551436 NtResumeThread	thread_handle: 0x00002278 suspend_count: 1 process_identifier: 2240	success	0
1620809437.567436 NtResumeThread	thread_handle: 0x00009bc0 suspend_count: 1 process_identifier: 2344	success	0
1620836967.647874 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2240	success	0
1620836967.647874 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2240	success	0
1620836967.678874 NtResumeThread	thread_handle: 0x000001a4 suspend_count: 1 process_identifier: 2240	success	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKDZ.69068
FireEye	Generic.mg.e739df7351d40a3c
McAfee	Fareit-FXO!E739DF7351D4
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
K7AntiVirus	Trojan ( 0056b5be1 )
Alibaba	Trojan:MSIL/AgentTesla.885cf12b
K7GW	Trojan ( 0056b5be1 )
Cybereason	malicious.917bba
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
ClamAV	Win.Dropper.LokiBot-9157380-0
GData	Trojan.GenericKDZ.69068
Kaspersky	HEUR:Trojan.MSIL.Crypt.gen
BitDefender	Trojan.GenericKDZ.69068
NANO-Antivirus	Trojan.Win32.Crypt.hpcmph
Paloalto	generic.ml
ViRobot	Trojan.Win32.Z.Pws.577536.B
Ad-Aware	Trojan.GenericKDZ.69068
Sophos	Mal/Generic-S
Comodo	TrojWare.Win32.Genome.tgiwm@0
F-Secure	Trojan.TR/Kryptik.ienly
DrWeb	Trojan.PWS.Siggen2.52692
Zillya	Trojan.Kryptik.Win32.2319573
TrendMicro	TROJ_FRS.VSNTGS20
Emsisoft	Trojan.GenericKDZ.69068 (B)
SentinelOne	DFI - Malicious PE
Cyren	W32/MSIL_Kryptik.BFY.gen!Eldorado
Avira	TR/Kryptik.ienly
Antiy-AVL	Trojan/MSIL.Crypt
Arcabit	Trojan.Generic.D10DCC
AegisLab	Trojan.MSIL.Crypt.4!c
ZoneAlarm	HEUR:Trojan.MSIL.Crypt.gen
Microsoft	Trojan:MSIL/AgentTesla.VN!MTB
AhnLab-V3	Trojan/Win32.MSILKrypt.R346182
ALYac	Trojan.GenericKDZ.69068
MAX	malware (ai score=100)
VBA32	TScope.Trojan.MSIL
Malwarebytes	Spyware.AgentTesla
ESET-NOD32	a variant of MSIL/Kryptik.XCV
TrendMicro-HouseCall	TrojanSpy.MSIL.NEGASTEAL.SMAUJ
Rising	Trojan.Crypt!8.2E3 (CLOUD)
Ikarus	Trojan.MSIL.Inject
eGambit	Unsafe.AI_Score_84%
Fortinet	MSIL/GenKryptik.EPNV!tr
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:RATX-gen [Trj]

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-07-28 17:43:31

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.160.110
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50003	239.255.255.250	3702
192.168.56.101	50005	239.255.255.250	3702
192.168.56.101	51966	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.