SmartHawk

7.8

高危

56 个模型检测该样本为恶意！

重新分析

下载样本

19a91d4da28ec0e1ff9833b7ec7f97dba9cdacc5c642eded55d7eff8068aeff5

01826dbc075b6a2998bd6769121fd9a2.exe

分析耗时

88s

最近分析

文件大小

100.0KB

静态报毒动态报毒 AAFI AGEN AI SCORE=85 AIDETECTVM ATTRIBUTE CLASSIC CONFIDENCE FSMZ GENERICKD GU0@AOJTRQOJ HDTM HDWC HIGH CONFIDENCE HIGHCONFIDENCE HIPKJVPXCQY HKZBBG HPGEN INJECT3 KCLOUD KRYPTIK MALWARE1 MALWARE@#2CLU3NO60MHC0 QVM10 SCORE STATIC AI SUSPICIOUS PE TRICKBOT TROJANX UNSAFE ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Trojan:Win32/Trickbot.45a898b0	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:TrojanX-gen [Trj]	20201210	21.1.5827.0
Kingsoft	Win32.Troj.Inject.(kcloud)	20201211	2017.9.26.565
McAfee	Trickbot-FSMZ!01826DBC075B	20201211	6.0.6.653
Tencent	Win32.Trojan.Inject.Dks	20201211	1.0.0.1
CrowdStrike	win/malicious_confidence_70% (W)	20190702	1.0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619164628.05975 GlobalMemoryStatusEx		success	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

DEC

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619164627.91975 NtProtectVirtualMemory	process_identifier: 1432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0110d000	success	0	0
1619164628.904375 NtProtectVirtualMemory	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success	0	0

Foreign language identified in PE resource (1 个事件)

name

RT_VERSION

language

LANG_CHINESE

offset

0x0001c850

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x000002e0

Drops a binary and executes it (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\01826dbc075b6a2998bd6769121fd9a2.exe

Drops an executable to the user AppData folder (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\01826dbc075b6a2998bd6769121fd9a2.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619164629.076375 NtProtectVirtualMemory	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) process_handle: 0xffffffff base_address: 0x00360000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.94303563710202

section

{'size_of_data': '0x00008e00', 'virtual_address': '0x00014000', 'entropy': 7.94303563710202, 'name': '.rsrc', 'virtual_size': '0x00008cad'}

description

A section with a high entropy has been found

entropy

0.35858585858585856

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\01826dbc075b6a2998bd6769121fd9a2.exe

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1432 called NtSetContextThread to modify thread in remote process 2248
1619164628.41975 NtSetContextThread	thread_handle: 0x000000e4 registers.eip: 2010382788 registers.esp: 2947828 registers.edi: 0 registers.eax: 4255744 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2248	success	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

172.217.24.14:443

Executed a process and injected code into it, probably while unpacking (4 个事件)

Time & API	Arguments	Status	Return
1619164628.10675 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 1432	success	0
1619164628.32575 CreateProcessInternalW	thread_identifier: 648 thread_handle: 0x000000e4 process_identifier: 2248 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\01826dbc075b6a2998bd6769121fd9a2.exe track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\01826dbc075b6a2998bd6769121fd9a2.exe" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\01826dbc075b6a2998bd6769121fd9a2.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x000000e8 inherit_handles: 0	success	1
1619164628.32575 NtGetContextThread	thread_handle: 0x000000e4	success	0
1619164628.41975 NtSetContextThread	thread_handle: 0x000000e4 registers.eip: 2010382788 registers.esp: 2947828 registers.edi: 0 registers.eax: 4255744 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2248	success	0

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.43279787
FireEye	Generic.mg.01826dbc075b6a29
ALYac	Trojan.GenericKD.43279787
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.2039958
Sangfor	Malware
K7AntiVirus	Trojan ( 00567ed51 )
Alibaba	Trojan:Win32/Trickbot.45a898b0
K7GW	Trojan ( 00567ed51 )
Cybereason	malicious.66b604
Arcabit	Trojan.Generic.D29465AB
BitDefenderTheta	Gen:NN.ZexaF.34670.gu0@aOJtRqoj
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Inject.pef
BitDefender	Trojan.GenericKD.43279787
NANO-Antivirus	Trojan.Win32.Inject3.hkzbbg
Avast	Win32:TrojanX-gen [Trj]
Rising	Trojan.Kryptik!1.C772 (CLASSIC)
Ad-Aware	Trojan.GenericKD.43279787
TACHYON	Trojan/W32.Agent.102400.EWB
Emsisoft	Trojan.GenericKD.43279787 (B)
Comodo	Malware@#2clu3no60mhc0
F-Secure	Heuristic.HEUR/AGEN.1135313
DrWeb	Trojan.Inject3.41071
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Mal_HPGen-37b
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Jiangmin	TrojanDownloader.Adload.aafi
Avira	HEUR/AGEN.1135313
Antiy-AVL	Trojan/Win32.Inject
Kingsoft	Win32.Troj.Inject.(kcloud)
Microsoft	Trojan:Win32/Trickbot.DSB!MTB
AegisLab	Riskware.Win32.Generic.1!c
ZoneAlarm	HEUR:Trojan.Win32.Inject.pef
GData	Trojan.GenericKD.43279787
Cynet	Malicious (score: 100)
McAfee	Trickbot-FSMZ!01826DBC075B
MAX	malware (ai score=85)
VBA32	Trojan.Trickbot
Malwarebytes	Trojan.Injector
ESET-NOD32	a variant of Win32/Kryptik.HDWC
TrendMicro-HouseCall	Mal_HPGen-37b
Tencent	Win32.Trojan.Inject.Dks
Yandex	Trojan.Kryptik!HIPKJvPXCqY

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-06-04 01:31:00

Imports

Library GLU32.dll:

• 0x40900c gluTessBeginPolygon

• 0x409010 gluTessEndPolygon

• 0x409014 gluGetTessProperty

• 0x409018 gluEndCurve

Library WININET.dll:

• 0x40914c InternetShowSecurityInfoByURL

• 0x409150 FindNextUrlCacheEntryExA

• 0x409154 InternetLockRequestFile

• 0x409158 InternetGetCertByURL

• 0x40915c DeleteUrlCacheContainerA

Library loadperf.dll:

• 0x409164 UnloadPerfCounterTextStringsA

• 0x409168 LoadPerfCounterTextStringsA

Library AVIFIL32.dll:

• 0x409000 EditStreamSetNameA

• 0x409004 EditStreamSetInfoA

Library MSVFW32.dll:

• 0x409140 ICInfo

• 0x409144 ICGetInfo

Library MSACM32.dll:

• 0x409128 acmMetrics

• 0x40912c acmFilterEnumA

• 0x409130 acmFilterTagEnumW

• 0x409134 acmStreamSize

• 0x409138 acmDriverRemove

Library KERNEL32.dll:

• 0x409020 SetStdHandle

• 0x409024 SetFilePointerEx

• 0x409028 GetConsoleCP

• 0x40902c FlushFileBuffers

• 0x409030 WriteConsoleW

• 0x409034 LCMapStringEx

• 0x409038 CloseHandle

• 0x40903c GetConsoleMode

• 0x409040 HeapSize

• 0x409044 GetStringTypeW

• 0x409048 HeapReAlloc

• 0x40904c VirtualProtect

• 0x409050 GetCommandLineA

• 0x409054 GetLastError

• 0x409058 SetLastError

• 0x40905c InterlockedIncrement

• 0x409060 InterlockedDecrement

• 0x409064 GetCurrentThreadId

• 0x409068 EncodePointer

• 0x40906c DecodePointer

• 0x409070 ExitProcess

• 0x409074 GetModuleHandleExW

• 0x409078 GetProcAddress

• 0x40907c MultiByteToWideChar

• 0x409080 GetStdHandle

• 0x409084 WriteFile

• 0x409088 GetModuleFileNameW

• 0x40908c GetProcessHeap

• 0x409090 GetFileType

• 0x409094 InitializeCriticalSectionAndSpinCount

• 0x409098 DeleteCriticalSection

• 0x40909c InitOnceExecuteOnce

• 0x4090a0 GetStartupInfoW

• 0x4090a4 GetModuleFileNameA

• 0x4090a8 QueryPerformanceCounter

• 0x4090ac GetSystemTimeAsFileTime

• 0x4090b0 GetTickCount64

• 0x4090b4 GetEnvironmentStringsW

• 0x4090b8 FreeEnvironmentStringsW

• 0x4090bc WideCharToMultiByte

• 0x4090c0 UnhandledExceptionFilter

• 0x4090c4 SetUnhandledExceptionFilter

• 0x4090c8 FlsAlloc

• 0x4090cc FlsGetValue

• 0x4090d0 FlsSetValue

• 0x4090d4 FlsFree

• 0x4090d8 GetCurrentProcess

• 0x4090dc TerminateProcess

• 0x4090e0 GetModuleHandleW

• 0x4090e4 EnterCriticalSection

• 0x4090e8 LeaveCriticalSection

• 0x4090ec HeapFree

• 0x4090f0 Sleep

• 0x4090f4 IsValidCodePage

• 0x4090f8 GetACP

• 0x4090fc GetOEMCP

• 0x409100 GetCPInfo

• 0x409104 IsDebuggerPresent

• 0x409108 IsProcessorFeaturePresent

• 0x40910c LoadLibraryExW

• 0x409110 OutputDebugStringW

• 0x409114 LoadLibraryW

• 0x409118 RtlUnwind

• 0x40911c HeapAlloc

• 0x409120 CreateFileW

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	53945	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.