Threat score: 6.6 (High risk)

SHA-256: 8357119ef28bc4518732db5fea2e1aae12a779c36c3beb0a732a224f460abddb

File name: ebf459ab9f9e3280e01aa2afc78235cb.exe (the sample is named after its 32-hex-digit hash; McAfee's and FireEye's detection names below embed the same prefix)

Analysis duration: 25s

Last analysed:

File size: 706.5 KB
Tags: static detection, dynamic detection, AI SCORE=85, ALI2000015, APCU, BTOOMO, CLASSIC, CONFIDENCE, DDEG, DELF, DELFINJECT, DELPHILESS, EIQBZ, ELZG, EMHC, FAREIT, FORMBOOK, GENERICKDZ, GENETIC, HIGH CONFIDENCE, IGENT, KRYPTIK, MALWARE@#1ANMTT1RV2XQO, SCORE, SGX@AEUFRXOI, SUSPICIOUS, PE, THFOIBO, TSCOPE, UNSAFE, X2066, ZELPHIF, ZUSY (tokens aggregated from the antivirus detection names listed below)
Hawkeye engine
Not detected: the sandbox's own Hawkeye engine returned no result for this sample.
Static verdict
Antivirus engines
Engine        Result                               Scan date    Engine version
Alibaba       Trojan:Win32/DelfInject.ali2000015   2019-05-27   0.3.0.5
Baidu         (no result recorded)                 2019-03-18   1.0.0.2
Avast         Win32:Malware-gen                    2020-06-15   18.4.3895.0
Kingsoft      (no result recorded)                 2020-06-15   2013.8.14.323
McAfee        Fareit-FTB!EBF459AB9F9E              2020-06-15   6.0.6.653
Tencent       Win32.Trojan.Kryptik.Apcu            2020-06-15   1.0.0.1
CrowdStrike   win/malicious_confidence_90% (W)     2019-07-02   1.0
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
(CODE, DATA and BSS are the section names the Borland/Delphi linker emits by default, so this indicator fires on every Delphi binary; on its own it is not evidence of packing.)
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
(This is a PEiD-style signature match for the BobSoft Mini Delphi packer. Together with the high-entropy .rsrc section reported below, it is the stronger indicator that the Delphi code is only a loader for an embedded payload.)
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1619999688.599588
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 49020468
registers.edi: 0
registers.eax: 0
registers.ebp: 49020808
registers.edx: 48
registers.ebx: 0
registers.esi: 0
registers.ecx: 625
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 b3 84 00 00 e9
exception.symbol: ebf459ab9f9e3280e01aa2afc78235cb+0x648a9
exception.instruction: div eax
exception.module: ebf459ab9f9e3280e01aa2afc78235cb.exe
exception.exception_code: 0xc0000094 (STATUS_INTEGER_DIVIDE_BY_ZERO: the registers above show EAX = 0 when `div eax` executes, so the divisor is zero)
exception.offset: 411817
exception.address: 0x4648a9 (inside the sample's own image, not a system DLL; the stack trace above only lists the kernel32/ntdll thread-start frames because the faulting frame is unsymbolised. The address also falls within the 36,864-byte range at 0x00464000 that the sample set to PAGE_EXECUTE_READWRITE via NtProtectVirtualMemory at the very same timestamp below, so the fault is raised from freshly rewritten unpacker code. That pattern is consistent with deliberate exception-driven control flow in the unpacking stub rather than an accidental bug, although the report does not show the handler that catches it.)
success 0 0
Behavioural verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc. (none are attached to this report; the dropped-buffers section at the end is empty)
Allocates read-write-execute memory (usually to unpack itself) (4 events)
Time & API Arguments Status Return Repeated
1619999688.443588
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00350000
success 0 0
1619999688.599588
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 36864
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00464000
success 0 0
1619999688.599588
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00630000
success 0 0
1620031737.89075
NtAllocateVirtualMemory
process_identifier: 912
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00830000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.404817887394516 section {'size_of_data': '0x00039200', 'virtual_address': '0x0007e000', 'entropy': 7.404817887394516, 'name': '.rsrc', 'virtual_size': '0x0003902c'} description A section with a high entropy has been found
entropy 0.324113475177305 description Overall entropy of this PE file is high (despite the label, 0.324 is not an entropy value: it is the share of raw section data that lies in high-entropy sections, here 0x39200 = 233,984 of 721,920 bytes, which is the 706.5 KB file less its headers, and all of it is the single .rsrc section. The 7.40 bits/byte figure above is the real entropy of .rsrc. A resource section that dense in a Delphi binary usually means the payload is carried as a compressed or encrypted resource, which fits the FindResourceA/LoadResource/LockResource/SizeofResource imports listed further down.)
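The two entropy figures above come from two different checks: a per-section Shannon entropy compared against a threshold, and the fraction of raw section bytes that sit in sections over that threshold. The Python below is an added example, not the sandbox's code: it implements both checks, reproduces the report's 0.324 ratio from the .rsrc size and a reconstructed total, and shows the per-byte entropy on two constructed buffers. The thresholds (6.8 bits per byte, 20 percent) are assumed from the Cuckoo community packer_entropy signature; the report does not print them, and the entropy assigned to the non-.rsrc sections is an assumption too.

```python
"""Entropy checks behind the "likely contains encrypted or compressed data"
indicator. Added example; not code from the sandbox or the sample."""
import hashlib
import math

# Thresholds assumed from the Cuckoo community packer_entropy signature.
SECTION_ENTROPY_THRESHOLD = 6.8    # bits per byte
HIGH_ENTROPY_RATIO_THRESHOLD = 0.2  # share of section bytes in dense sections


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer,
    8.0 for a perfectly uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def packer_entropy_check(sections):
    """sections: iterable of (name, size_of_data, entropy).

    Returns (high_entropy_section_names, ratio, overall_high). `ratio` is the
    share of raw section bytes held in sections above the threshold; this is
    the number the report prints as "Overall entropy of this PE file is high"."""
    total = high = 0
    flagged = []
    for name, size, entropy in sections:
        total += size
        if entropy > SECTION_ENTROPY_THRESHOLD:
            flagged.append(name)
            high += size
    ratio = high / total if total else 0.0
    return flagged, ratio, ratio > HIGH_ENTROPY_RATIO_THRESHOLD


def pseudo_random_bytes(n: int, seed: bytes = b"report-demo") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a
    compressed or encrypted payload, so the example runs offline."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Section table reconstructed from the report: .rsrc is 0x39200 bytes at
# 7.40 bits/byte; the remaining 721,920 - 233,984 bytes are the other
# sections combined, given an ASSUMED entropy below the threshold.
REPORT_SECTIONS = [
    ("other sections (combined)", 721920 - 0x39200, 6.2),  # entropy assumed
    (".rsrc", 0x39200, 7.404817887394516),                 # from the report
]

# Constructed buffers: a repeated 4-byte pattern vs. pseudo-random filler.
LOW_ENTROPY_BLOB = b"MZ\x90\x00" * 4096
HIGH_ENTROPY_BLOB = pseudo_random_bytes(64 * 1024)

if __name__ == "__main__":
    print("repeated pattern :", round(shannon_entropy(LOW_ENTROPY_BLOB), 3))
    print("pseudo-random    :", round(shannon_entropy(HIGH_ENTROPY_BLOB), 3))
    flagged, ratio, overall = packer_entropy_check(REPORT_SECTIONS)
    print("flagged:", flagged, "ratio:", round(ratio, 4), "overall high:", overall)
```

The check is only as good as its thresholds: a loader that spreads its payload across several sections each kept just under 6.8 bits per byte, or pads the file with low-entropy data until the dense share drops under 20 percent, will pass both tests. Treat the indicator as a prompt to carve the resource, not as proof by itself.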
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14 (this address appears in neither the Hosts nor the TCP table at the end of the report; the contact is recorded only through this indicator)
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 784 called NtSetContextThread to modify thread in remote process 912
Time & API Arguments Status Return Repeated
1619999689.068588
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4306624
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 912
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 784 resumed a thread in remote process 912
Time & API Arguments Status Return Repeated
1619999689.568588
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 912
success 0 0
Generates some ICMP traffic (the ICMP section at the end of this report records no packets, so the flow capture did not retain whatever triggered this signature)
Executed a process and injected code into it, probably while unpacking (6 events)
Time & API Arguments Status Return Repeated
1619999689.037588
CreateProcessInternalW
thread_identifier: 1060
thread_handle: 0x000000fc
process_identifier: 912
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ebf459ab9f9e3280e01aa2afc78235cb.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619999689.037588
NtUnmapViewOfSection
process_identifier: 912
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619999689.037588
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 912
commit_size: 172032
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 172032
base_address: 0x00400000
success 0 0
1619999689.053588
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619999689.068588
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4306624
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 912
success 0 0
1619999689.568588
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 912
success 0 0
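The six calls above are textbook process hollowing: the sample starts a second copy of itself with CREATE_SUSPENDED, unmaps the child's original image at 0x00400000, maps a 172,032-byte PAGE_EXECUTE_READWRITE view at the same base, rewrites the suspended main thread's context, and resumes it. Two register values in the NtSetContextThread call are worth decoding: EAX = 4306624 = 0x41B6C0 and EBX = 2130567168 = 0x7EFDE000. For a suspended x86 process the initial thread's EAX holds the entry point and EBX the PEB address, so the new entry point is 0x1B6C0 into the mapped image and the PEB is left untouched. The Python below is an added example, not part of the sandbox or its engine: it reconstructs the calls as a list of events (values copied from the report; the `pid`/`args` field names are this example's own) and correlates them per suspended child into a single finding.

```python
"""Correlate sandbox API-call events into a process-hollowing finding.
Added example; the event list is constructed from the report's trace."""

CREATE_SUSPENDED = 0x4
PAGE_EXECUTE_READWRITE = 0x40

# Constructed from the report: caller pid 784, child pid 912. Field names
# (ts, api, pid, args) are this example's own, not the sandbox's schema.
EVENTS = [
    {"ts": 1619999689.037588, "api": "CreateProcessInternalW", "pid": 784,
     "args": {"process_identifier": 912, "thread_handle": "0x000000fc",
              "process_handle": "0x00000100", "creation_flags": 4}},
    {"ts": 1619999689.037588, "api": "NtUnmapViewOfSection", "pid": 784,
     "args": {"process_identifier": 912, "process_handle": "0x00000100",
              "base_address": "0x00400000"}},
    {"ts": 1619999689.037588, "api": "NtMapViewOfSection", "pid": 784,
     "args": {"process_identifier": 912, "process_handle": "0x00000100",
              "base_address": "0x00400000", "win32_protect": 64,
              "view_size": 172032}},
    {"ts": 1619999689.053588, "api": "NtGetContextThread", "pid": 784,
     "args": {"thread_handle": "0x000000fc"}},
    {"ts": 1619999689.068588, "api": "NtSetContextThread", "pid": 784,
     "args": {"process_identifier": 912, "thread_handle": "0x000000fc",
              "registers.eax": 4306624, "registers.ebx": 2130567168}},
    {"ts": 1619999689.568588, "api": "NtResumeThread", "pid": 784,
     "args": {"process_identifier": 912, "thread_handle": "0x000000fc",
              "suspend_count": 1}},
]


def detect_hollowing(events):
    """Return one finding per child that was created suspended and then went
    through unmap -> RWX map -> NtSetContextThread -> NtResumeThread, all
    issued by the creating parent."""
    children = {}
    for e in events:  # pass 1: suspended children, keyed by child pid
        a = e["args"]
        if e["api"] == "CreateProcessInternalW" and a.get("creation_flags", 0) & CREATE_SUSPENDED:
            children[a["process_identifier"]] = {
                "parent": e["pid"], "created": e["ts"], "thread_handle": a["thread_handle"],
                "unmapped": None, "rwx_mapped": None, "set_context": None, "resumed": None,
            }
    for e in events:  # pass 2: only the parent's calls into that child count
        a = e["args"]
        child = a.get("process_identifier")
        if child not in children or e["pid"] != children[child]["parent"]:
            continue
        c = children[child]
        if e["api"] == "NtUnmapViewOfSection":
            c["unmapped"] = a.get("base_address")
        elif e["api"] == "NtMapViewOfSection" and a.get("win32_protect", 0) & PAGE_EXECUTE_READWRITE:
            c["rwx_mapped"] = a.get("base_address")
        elif e["api"] == "NtSetContextThread" and a.get("thread_handle") == c["thread_handle"]:
            c["set_context"] = a.get("registers.eax")  # EAX = new entry point for a suspended x86 thread
        elif e["api"] == "NtResumeThread" and a.get("thread_handle") == c["thread_handle"]:
            c["resumed"] = e["ts"]
    findings = []
    for pid, c in children.items():
        if c["unmapped"] and c["rwx_mapped"] and c["set_context"] is not None and c["resumed"]:
            findings.append({
                "parent": c["parent"], "child": pid,
                "image_base": c["rwx_mapped"],
                "entry_point_hint": hex(c["set_context"]),
                "dwell_seconds": round(c["resumed"] - c["created"], 3),
            })
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(EVENTS):
        print(f)
```

Requiring every stage keeps the rule quiet on legitimate debuggers and installers, which also create suspended processes and call NtSetContextThread but do not replace the image with an RWX view first; the cost is that a variant which writes the image with NtWriteVirtualMemory instead of NtMapViewOfSection needs that call added to the second pass.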
File has been identified by 62 AntiVirus engines on VirusTotal as malicious (50 of 62 events shown)
MicroWorld-eScan Gen:Variant.Zusy.304491
FireEye Generic.mg.ebf459ab9f9e3280
CAT-QuickHeal Trojan.Kryptik
ALYac Gen:Variant.Zusy.304491
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 0056739d1 )
Alibaba Trojan:Win32/DelfInject.ali2000015
K7GW Trojan ( 0056739d1 )
Cybereason malicious.74e119
Arcabit Trojan.Zusy.D4A56B
TrendMicro TrojanSpy.Win32.FORMBOOK.THFOIBO
F-Prot W32/Injector.JEB
Symantec Trojan.Gen.2
APEX Malicious
Paloalto generic.ml
ClamAV Win.Dropper.Generickdz-7944944-0
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Gen:Variant.Zusy.304491
AegisLab Riskware.Win32.Zusy.1!c
Avast Win32:Malware-gen
Rising Trojan.Kryptik!1.C71C (CLASSIC)
Ad-Aware Gen:Variant.Zusy.304491
Emsisoft Gen:Variant.Zusy.304491 (B)
Comodo Malware@#1anmtt1rv2xqo
F-Secure Trojan.TR/Injector.eiqbz
DrWeb Trojan.Encoder.3953
Zillya Trojan.Injector.Win32.740330
Invincea heuristic
McAfee-GW-Edition BehavesLike.Win32.Fareit.bc
Trapmine suspicious.low.ml.score
Sophos Mal/Fareit-AA
Ikarus Trojan.Inject
Cyren W32/Trojan.DDEG-8223
Jiangmin Trojan.Kryptik.axn
Avira TR/Injector.eiqbz
Antiy-AVL Trojan/Win32.Kryptik
Microsoft Trojan:Win32/FormBook.CM!MTB
Endgame malicious (high confidence)
ViRobot Trojan.Win32.Z.Zusy.723456.C
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Gen:Variant.Zusy.304491
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2066
Acronis suspicious
McAfee Fareit-FTB!EBF459AB9F9E
MAX malware (ai score=85)
VBA32 TScope.Trojan.Delf
Malwarebytes Trojan.MalPack.DLF
Visual analysis
Binary image: none (no binary visualisation was generated for this sample)
Runtime screenshots: none (no screenshots were captured while the sample ran)


PE Compile Time

1992-06-20 06:22:17 (this is the fixed TimeDateStamp 0x2A425E19 = 1992-06-19 22:22:17 UTC that Delphi's linker writes into every binary, displayed here in UTC+8; it says nothing about when this sample was built, and is one more confirmation that the outer layer is Delphi code)

Imports

Library kernel32.dll:
0x47113c VirtualFree
0x471140 VirtualAlloc
0x471144 LocalFree
0x471148 LocalAlloc
0x47114c GetVersion
0x471150 GetCurrentThreadId
0x47115c VirtualQuery
0x471160 WideCharToMultiByte
0x471164 MultiByteToWideChar
0x471168 lstrlenA
0x47116c lstrcpynA
0x471170 LoadLibraryExA
0x471174 GetThreadLocale
0x471178 GetStartupInfoA
0x47117c GetProcAddress
0x471180 GetModuleHandleA
0x471184 GetModuleFileNameA
0x471188 GetLocaleInfoA
0x47118c GetCommandLineA
0x471190 FreeLibrary
0x471194 FindFirstFileA
0x471198 FindClose
0x47119c ExitProcess
0x4711a0 WriteFile
0x4711a8 RtlUnwind
0x4711ac RaiseException
0x4711b0 GetStdHandle
Library user32.dll:
0x4711b8 GetKeyboardType
0x4711bc LoadStringA
0x4711c0 MessageBoxA
0x4711c4 CharNextA
Library advapi32.dll:
0x4711cc RegQueryValueExA
0x4711d0 RegOpenKeyExA
0x4711d4 RegCloseKey
Library oleaut32.dll:
0x4711dc SysFreeString
0x4711e0 SysReAllocStringLen
0x4711e4 SysAllocStringLen
Library kernel32.dll:
0x4711ec TlsSetValue
0x4711f0 TlsGetValue
0x4711f4 LocalAlloc
0x4711f8 GetModuleHandleA
Library advapi32.dll:
0x471200 RegQueryValueExA
0x471204 RegOpenKeyExA
0x471208 RegCloseKey
Library kernel32.dll:
0x471210 lstrcpyA
0x471214 WriteFile
0x47121c WaitForSingleObject
0x471220 VirtualQuery
0x471224 VirtualAlloc
0x471228 Sleep
0x47122c SizeofResource
0x471230 SetThreadLocale
0x471234 SetFilePointer
0x471238 SetEvent
0x47123c SetErrorMode
0x471240 SetEndOfFile
0x471244 ResetEvent
0x471248 ReadFile
0x47124c MulDiv
0x471250 LockResource
0x471254 LoadResource
0x471258 LoadLibraryA
0x471264 GlobalUnlock
0x471268 GlobalReAlloc
0x47126c GlobalHandle
0x471270 GlobalLock
0x471274 GlobalFree
0x471278 GlobalFindAtomA
0x47127c GlobalDeleteAtom
0x471280 GlobalAlloc
0x471284 GlobalAddAtomA
0x471288 GetVersionExA
0x47128c GetVersion
0x471290 GetTickCount
0x471294 GetThreadLocale
0x47129c GetSystemTime
0x4712a0 GetSystemInfo
0x4712a4 GetStringTypeExA
0x4712a8 GetStdHandle
0x4712ac GetProcAddress
0x4712b0 GetModuleHandleA
0x4712b4 GetModuleFileNameA
0x4712b8 GetLocaleInfoA
0x4712bc GetLocalTime
0x4712c0 GetLastError
0x4712c4 GetFullPathNameA
0x4712c8 GetFileAttributesA
0x4712cc GetDiskFreeSpaceA
0x4712d0 GetDateFormatA
0x4712d4 GetCurrentThreadId
0x4712d8 GetCurrentProcessId
0x4712dc GetCPInfo
0x4712e0 GetACP
0x4712e4 FreeResource
0x4712e8 InterlockedExchange
0x4712ec FreeLibrary
0x4712f0 FormatMessageA
0x4712f4 FindResourceA
0x4712f8 FindFirstFileA
0x4712fc FindClose
0x471308 ExitThread
0x47130c EnumCalendarInfoA
0x471318 CreateThread
0x47131c CreateFileA
0x471320 CreateEventA
0x471324 CompareStringA
0x471328 CloseHandle
Library version.dll:
0x471330 VerQueryValueA
0x471338 GetFileVersionInfoA
Library gdi32.dll:
0x471340 UnrealizeObject
0x471344 StretchBlt
0x471348 SetWindowOrgEx
0x47134c SetWinMetaFileBits
0x471350 SetViewportOrgEx
0x471354 SetTextColor
0x471358 SetStretchBltMode
0x47135c SetROP2
0x471360 SetPixel
0x471364 SetEnhMetaFileBits
0x471368 SetDIBColorTable
0x47136c SetBrushOrgEx
0x471370 SetBkMode
0x471374 SetBkColor
0x471378 SelectPalette
0x47137c SelectObject
0x471380 SelectClipRgn
0x471384 SaveDC
0x471388 RestoreDC
0x47138c Rectangle
0x471390 RectVisible
0x471394 RealizePalette
0x471398 Polyline
0x47139c PlayEnhMetaFile
0x4713a0 PatBlt
0x4713a4 MoveToEx
0x4713a8 MaskBlt
0x4713ac LineTo
0x4713b0 IntersectClipRect
0x4713b4 GetWindowOrgEx
0x4713b8 GetWinMetaFileBits
0x4713bc GetTextMetricsA
0x4713c8 GetStockObject
0x4713cc GetPixel
0x4713d0 GetPaletteEntries
0x4713d4 GetObjectA
0x4713e0 GetEnhMetaFileBits
0x4713e4 GetDeviceCaps
0x4713e8 GetDIBits
0x4713ec GetDIBColorTable
0x4713f0 GetDCOrgEx
0x4713f8 GetClipRgn
0x4713fc GetClipBox
0x471400 GetBrushOrgEx
0x471404 GetBitmapBits
0x471408 ExcludeClipRect
0x47140c DeleteObject
0x471410 DeleteEnhMetaFile
0x471414 DeleteDC
0x471418 CreateSolidBrush
0x47141c CreateRectRgn
0x471420 CreatePenIndirect
0x471424 CreatePen
0x471428 CreatePalette
0x471430 CreateFontIndirectA
0x471434 CreateDIBitmap
0x471438 CreateDIBSection
0x47143c CreateCompatibleDC
0x471444 CreateBrushIndirect
0x471448 CreateBitmap
0x47144c CopyEnhMetaFileA
0x471450 BitBlt
Library user32.dll:
0x471458 CreateWindowExA
0x47145c WindowFromPoint
0x471460 WinHelpA
0x471464 WaitMessage
0x471468 ValidateRect
0x47146c UpdateWindow
0x471470 UnregisterClassA
0x471474 UnhookWindowsHookEx
0x471478 TranslateMessage
0x471480 TrackPopupMenu
0x471488 ShowWindow
0x47148c ShowScrollBar
0x471490 ShowOwnedPopups
0x471494 ShowCursor
0x471498 SetWindowsHookExA
0x47149c SetWindowTextA
0x4714a0 SetWindowPos
0x4714a4 SetWindowPlacement
0x4714a8 SetWindowLongA
0x4714ac SetTimer
0x4714b0 SetScrollRange
0x4714b4 SetScrollPos
0x4714b8 SetScrollInfo
0x4714bc SetRect
0x4714c0 SetPropA
0x4714c4 SetParent
0x4714c8 SetMenuItemInfoA
0x4714cc SetMenu
0x4714d0 SetKeyboardState
0x4714d4 SetForegroundWindow
0x4714d8 SetFocus
0x4714dc SetCursor
0x4714e0 SetClipboardData
0x4714e4 SetClassLongA
0x4714e8 SetCapture
0x4714ec SetActiveWindow
0x4714f0 SendMessageA
0x4714f4 ScrollWindow
0x4714f8 ScreenToClient
0x4714fc RemovePropA
0x471500 RemoveMenu
0x471504 ReleaseDC
0x471508 ReleaseCapture
0x471514 RegisterClassA
0x471518 RedrawWindow
0x47151c PtInRect
0x471520 PostQuitMessage
0x471524 PostMessageA
0x471528 PeekMessageA
0x47152c OpenClipboard
0x471530 OffsetRect
0x471534 OemToCharA
0x471538 MessageBoxA
0x47153c MessageBeep
0x471540 MapWindowPoints
0x471544 MapVirtualKeyA
0x471548 LoadStringA
0x47154c LoadKeyboardLayoutA
0x471550 LoadIconA
0x471554 LoadCursorA
0x471558 LoadBitmapA
0x47155c KillTimer
0x471560 IsZoomed
0x471564 IsWindowVisible
0x471568 IsWindowEnabled
0x47156c IsWindow
0x471570 IsRectEmpty
0x471574 IsIconic
0x471578 IsDialogMessageA
0x47157c IsChild
0x471580 IsCharAlphaNumericA
0x471584 IsCharAlphaA
0x471588 InvalidateRect
0x47158c IntersectRect
0x471590 InsertMenuItemA
0x471594 InsertMenuA
0x471598 InflateRect
0x4715a0 GetWindowTextA
0x4715a4 GetWindowRect
0x4715a8 GetWindowPlacement
0x4715ac GetWindowLongA
0x4715b0 GetWindowDC
0x4715b4 GetTopWindow
0x4715b8 GetSystemMetrics
0x4715bc GetSystemMenu
0x4715c0 GetSysColorBrush
0x4715c4 GetSysColor
0x4715c8 GetSubMenu
0x4715cc GetScrollRange
0x4715d0 GetScrollPos
0x4715d4 GetScrollInfo
0x4715d8 GetPropA
0x4715dc GetParent
0x4715e0 GetWindow
0x4715e4 GetMenuStringA
0x4715e8 GetMenuState
0x4715ec GetMenuItemInfoA
0x4715f0 GetMenuItemID
0x4715f4 GetMenuItemCount
0x4715f8 GetMenu
0x4715fc GetLastActivePopup
0x471600 GetKeyboardState
0x471608 GetKeyboardLayout
0x47160c GetKeyState
0x471610 GetKeyNameTextA
0x471614 GetIconInfo
0x471618 GetForegroundWindow
0x47161c GetFocus
0x471620 GetDlgItem
0x471624 GetDesktopWindow
0x471628 GetDCEx
0x47162c GetDC
0x471630 GetCursorPos
0x471634 GetCursor
0x471638 GetClipboardData
0x47163c GetClientRect
0x471640 GetClassNameA
0x471644 GetClassInfoA
0x471648 GetCapture
0x47164c GetActiveWindow
0x471650 FrameRect
0x471654 FindWindowA
0x471658 FillRect
0x47165c EqualRect
0x471660 EnumWindows
0x471664 EnumThreadWindows
0x47166c EndPaint
0x471670 EndDeferWindowPos
0x471674 EnableWindow
0x471678 EnableScrollBar
0x47167c EnableMenuItem
0x471680 EmptyClipboard
0x471684 DrawTextA
0x471688 DrawMenuBar
0x47168c DrawIconEx
0x471690 DrawIcon
0x471694 DrawFrameControl
0x471698 DrawFocusRect
0x47169c DrawEdge
0x4716a0 DispatchMessageA
0x4716a4 DestroyWindow
0x4716a8 DestroyMenu
0x4716ac DestroyIcon
0x4716b0 DestroyCursor
0x4716b4 DeleteMenu
0x4716b8 DeferWindowPos
0x4716bc DefWindowProcA
0x4716c0 DefMDIChildProcA
0x4716c4 DefFrameProcA
0x4716c8 CreatePopupMenu
0x4716cc CreateMenu
0x4716d0 CreateIcon
0x4716d4 CloseClipboard
0x4716d8 ClientToScreen
0x4716dc CheckMenuItem
0x4716e0 CallWindowProcA
0x4716e4 CallNextHookEx
0x4716e8 BeginPaint
0x4716ec BeginDeferWindowPos
0x4716f0 CharNextA
0x4716f4 CharLowerBuffA
0x4716f8 CharLowerA
0x4716fc CharUpperBuffA
0x471700 CharToOemA
0x471704 AdjustWindowRectEx
Library kernel32.dll:
0x471710 Sleep
Library oleaut32.dll:
0x471718 SafeArrayPtrOfIndex
0x47171c SafeArrayGetUBound
0x471720 SafeArrayGetLBound
0x471724 SafeArrayCreate
0x471728 VariantChangeType
0x47172c VariantCopy
0x471730 VariantClear
0x471734 VariantInit
Library comctl32.dll:
0x471744 ImageList_Write
0x471748 ImageList_Read
0x471758 ImageList_DragMove
0x47175c ImageList_DragLeave
0x471760 ImageList_DragEnter
0x471764 ImageList_EndDrag
0x471768 ImageList_BeginDrag
0x47176c ImageList_Remove
0x471770 ImageList_DrawEx
0x471774 ImageList_Replace
0x471778 ImageList_Draw
0x471788 ImageList_Add
0x471790 ImageList_Destroy
0x471794 ImageList_Create
0x471798 InitCommonControls
Library comdlg32.dll:
0x4717a0 GetOpenFileNameA

Hosts

No hosts contacted. (This contradicts the "Communicates with host for which no DNS query was performed" indicator above, which names 172.217.24.14; the flow capture did not record that connection.)

TCP

No TCP connections recorded.

UDP

Source          Source port  Destination       Destination port  Notes
192.168.56.101  49713        114.114.114.114   53                DNS query to a public resolver
192.168.56.101  50002        114.114.114.114   53                DNS query to a public resolver
192.168.56.101  53657        114.114.114.114   53                DNS query to a public resolver
192.168.56.101  57756        114.114.114.114   53                DNS query to a public resolver
192.168.56.101  60384        114.114.114.114   53                DNS query to a public resolver
192.168.56.101  137          192.168.56.255    137               NetBIOS name service broadcast
192.168.56.101  138          192.168.56.255    138               NetBIOS datagram broadcast
192.168.56.101  123          20.189.79.72      123               NTP to time.windows.com
192.168.56.101  49235        224.0.0.252       5355              LLMNR multicast
192.168.56.101  50534        224.0.0.252       5355              LLMNR multicast
192.168.56.101  51808        224.0.0.252       5355              LLMNR multicast
192.168.56.101  51963        224.0.0.252       5355              LLMNR multicast
192.168.56.101  56804        224.0.0.252       5355              LLMNR multicast
192.168.56.101  57874        224.0.0.252       5355              LLMNR multicast
192.168.56.101  62191        224.0.0.252       5355              LLMNR multicast
192.168.56.101  62318        224.0.0.252       5355              LLMNR multicast
192.168.56.101  63429        224.0.0.252       5355              LLMNR multicast
192.168.56.101  1900         239.255.255.250   1900              SSDP multicast
192.168.56.101  53658        239.255.255.250   3702              WS-Discovery multicast
192.168.56.101  58707        239.255.255.250   3702              WS-Discovery multicast

Every flow here is ordinary Windows background traffic from the analysis VM (192.168.56.101): name-resolution broadcasts and multicasts, NTP, and five DNS lookups. The report does not list the queried names, so the DNS lines cannot be attributed to the sample either way.
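When a flow table like the one above is all that a sandbox preserves, the first triage step is to strip the traffic the guest OS generates on its own so that anything left can be attributed to the sample. The Python below is an added example, not part of the report or the sandbox: it parses the UDP table as printed above (hostname column included where the report had one), classifies each flow by destination and port, and marks the DNS lines for review because the report gives no query names to attribute them by. The final constructed line, a flow to 172.217.24.14 on port 443, does not appear in the report; it is added only to show a flow that the rules would not explain away, using the host the indicator above names.

```python
"""Triage of a sandbox UDP flow table: separate Windows background traffic
from flows that still need attribution. Added example; flow text copied from
the report's UDP table plus one constructed line used in the usage below."""
import ipaddress

SANDBOX_NET = ipaddress.ip_network("192.168.56.0/24")  # analysis VM subnet, from the table
BACKGROUND_UDP = {                                     # services a Windows guest emits unprompted
    123: "NTP", 137: "NetBIOS name service", 138: "NetBIOS datagram",
    1900: "SSDP", 3702: "WS-Discovery", 5355: "LLMNR",
}

# Copied from the report's UDP table (source, source port, destination,
# optional hostname, destination port).
REPORT_FLOWS = """\
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 53658 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702"""

# Constructed, NOT in the report: the host the indicator names, on a port the
# background rules do not cover.
CONSTRUCTED_EXTRA = "192.168.56.101 50100 172.217.24.14 443"


def parse_flows(text):
    """One dict per line; tolerates the report's optional hostname column."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (4, 5):
            continue  # header or blank line
        flows.append({"src": parts[0], "sport": int(parts[1]), "dst": parts[2],
                      "host": parts[3] if len(parts) == 5 else "",
                      "dport": int(parts[-1])})
    return flows


def classify(flow):
    """Return (verdict, reason); verdict is 'background' or 'review'."""
    dst = ipaddress.ip_address(flow["dst"])
    service = BACKGROUND_UDP.get(flow["dport"])
    if dst.is_multicast and service:
        return "background", f"{service} multicast"
    if dst == SANDBOX_NET.broadcast_address and service:
        return "background", f"{service} subnet broadcast"
    if flow["dport"] == 123:
        return "background", f"NTP to {flow['host'] or flow['dst']}"
    if flow["dport"] == 53:
        return "review", "DNS: attribute only via the queried names, which this report does not list"
    if dst.is_global:
        return "review", "public host with no background explanation"
    return "review", "unclassified"


def triage(text):
    return [{**f, **dict(zip(("verdict", "reason"), classify(f)))} for f in parse_flows(text)]


if __name__ == "__main__":
    for row in triage(REPORT_FLOWS + "\n" + CONSTRUCTED_EXTRA):
        print(f"{row['dst']:>16}:{row['dport']:<5} {row['verdict']:<10} {row['reason']}")
```

The rules deliberately whitelist by destination class and port together rather than by port alone: malware does use 5355 or 1900 to reach a unicast peer, and a flow to a routable address on a "background" port should still land in review.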

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

No dropped files.
No dropped buffers. (The "potentially interesting buffers were extracted" indicator above therefore has no artefact backing it in this report; the injected image is visible only through the NtMapViewOfSection call into process 912, a 172,032-byte view at 0x00400000.)