6.4
High risk

2bb3ec5f6e8830a1b8e87a95bcb53406688386e7dd33149bb8117318f28faba9

ea8b22c4f7790cfb5dd8fa15f97ac4b7.exe

Analysis duration

76s

Latest analysis

File size

704.0KB
Static detection: malicious. Dynamic detection: malicious.
Hawkeye engine
Not detected: no Hawkeye engine results are available yet.
Static verdict
Antivirus engines
Engine Result Scan date Engine version
McAfee Fareit-FPQ!EA8B22C4F779 20200910 6.0.6.653
Alibaba Trojan:Win32/DelfInject.ali2000015 20190527 0.3.0.5
Avast Win32:Trojan-gen 20200910 18.4.3895.0
Baidu 20190318 1.0.0.2
Kingsoft 20200910 2013.8.14.323
Tencent Win32.Backdoor.Androm.Amch 20200910 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (4 events)
Time & API Arguments Status Return Repeated
1620817409.433874
NtAllocateVirtualMemory
process_identifier: 2316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1620817409.558874
NtProtectVirtualMemory
process_identifier: 2316
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 81920
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0047a000
success 0 0
1620817409.558874
NtAllocateVirtualMemory
process_identifier: 2316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00500000
success 0 0
1620817415.667999
NtAllocateVirtualMemory
process_identifier: 2116
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c0000
success 0 0
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated
1620817410.464999
NtProtectVirtualMemory
process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x00410000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (1 event)
entropy: 7.1856920102744475
section: {'size_of_data': '0x00016400', 'virtual_address': '0x0009f000', 'entropy': 7.1856920102744475, 'name': '.rsrc', 'virtual_size': '0x0001631c'}
description: A section with a high entropy has been found
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection Process 2316 called NtSetContextThread to modify thread in remote process 2116
Time & API Arguments Status Return Repeated
1620817409.948874
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4199900
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2116
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 2316 resumed a thread in remote process 2116
Time & API Arguments Status Return Repeated
1620817410.214874
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 2116
success 0 0
Executed a process and injected code into it, probably while unpacking (6 events)
Time & API Arguments Status Return Repeated
1620817409.917874
CreateProcessInternalW
thread_identifier: 2984
thread_handle: 0x000000f8
process_identifier: 2116
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ea8b22c4f7790cfb5dd8fa15f97ac4b7.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1620817409.917874
NtUnmapViewOfSection
process_identifier: 2116
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1620817409.948874
NtMapViewOfSection
section_handle: 0x00000104
process_identifier: 2116
commit_size: 57344
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 57344
base_address: 0x00400000
success 0 0
1620817409.948874
NtGetContextThread
thread_handle: 0x000000f8
success 0 0
1620817409.948874
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4199900
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2116
success 0 0
1620817410.214874
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 2116
success 0 0
File has been identified by 53 antivirus engines on VirusTotal as malicious (50 out of 53 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
DrWeb BackDoor.SpyBotNET.25
MicroWorld-eScan Trojan.GenericKD.34372372
FireEye Generic.mg.ea8b22c4f7790cfb
CAT-QuickHeal Backdoor.Androm
Qihoo-360 Win32/Backdoor.650
McAfee Fareit-FPQ!EA8B22C4F779
Cylance Unsafe
Zillya Backdoor.Androm.Win32.74073
K7AntiVirus Trojan ( 0056c99c1 )
Alibaba Trojan:Win32/DelfInject.ali2000015
K7GW Trojan ( 0056c99c1 )
Cybereason malicious.325b39
Arcabit Trojan.Generic.D20C7B14
TrendMicro TROJ_GEN.R002C0DHH20
BitDefenderTheta Gen:NN.ZelphiF.34216.SGW@a4KQMfgi
Cyren W32/Injector.YVIV-4845
Symantec Infostealer.Lokibot!43
TrendMicro-HouseCall TROJ_GEN.R002C0DHH20
Paloalto generic.ml
ClamAV Win.Keylogger.AgentTesla-9372622-1
Kaspersky HEUR:Backdoor.Win32.Androm.gen
BitDefender Trojan.GenericKD.34372372
NANO-Antivirus Trojan.Win32.Androm.hsenaa
Avast Win32:Trojan-gen
Rising Trojan.Kryptik!1.CAC0 (CLASSIC)
Ad-Aware Trojan.GenericKD.34372372
Comodo .UnclassifiedMalware@0
VIPRE Trojan.Win32.Generic!BT
Invincea Mal/Generic-S
Sophos Mal/Generic-S
Webroot W32.Trojan.Gen
Antiy-AVL Trojan/Win32.Injector
Microsoft Trojan:Win32/NanoCore.VD!MTB
ZoneAlarm HEUR:Backdoor.Win32.Androm.gen
GData Trojan.GenericKD.34372372
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2091
VBA32 TScope.Trojan.Delf
ALYac Trojan.GenericKD.34372372
MAX malware (ai score=87)
Malwarebytes Trojan.MalPack.DLF
APEX Malicious
ESET-NOD32 a variant of Win32/Injector.ENAG
Tencent Win32.Backdoor.Androm.Amch
Ikarus Trojan.Inject
eGambit Unsafe.AI_Score_84%
Fortinet W32/Injector.EMZL!tr
AVG Win32:Trojan-gen
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots: no screenshots were generated while this sample ran.


PE Compile Time

1992-06-20 06:22:17

Imports


Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.