SmartHawk

3.2

中危

60 个模型检测该样本为恶意！

重新分析

下载样本

753b13f8023f090e704dcf91b6e9430aa52a83acddcce04638f978bbcd1f0fc7

01d990c6411e9f8ab85888231a7e4417.exe

分析耗时

19s

最近分析

文件大小

418.5KB

静态报毒动态报毒 100% AGEN AI SCORE=80 AIDETECTVM AMGFA8JKLKLI ANDROM ARTEMIS AWTI BT3PG6 CONFIDENCE DELF DELPHILESS ELDORADO EMOY FAREIT GDSDA HIGH CONFIDENCE HNCNSH HPLOKI IGENT KRYPTIK LOKIBOT MALWARE2 MALWARE@#12ZV9S55CVWAV NANOCORE SCORE SIGGEN2 SMBD STATIC AI SUSPICIOUS PE TSCOPE TSPY UNSAFE X2085 ZELPHIF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Trojan:Win32/Kryptik.d6c9904d	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Avast	Win32:Trojan-gen	20201210	21.1.5827.0
Baidu		20190318	1.0.0.2
Kingsoft		20201211	2017.9.26.565
McAfee	Artemis!01D990C6411E	20201211	6.0.6.653
Tencent	Win32.Trojan.Kryptik.Fif	20201211	1.0.0.1

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619134515.824026 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 35258180 registers.edi: 0 registers.eax: 0 registers.ebp: 35258248 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6 exception.instruction_r: f7 f0 89 c9 89 c9 89 c9 33 c0 5a 59 59 64 89 10 exception.symbol: 01d990c6411e9f8ab85888231a7e4417+0x5e00e exception.instruction: div eax exception.module: 01d990c6411e9f8ab85888231a7e4417.exe exception.exception_code: 0xc0000094 exception.offset: 385038 exception.address: 0x45e00e	success	0	0

Allocates read-write-execute memory (usually to unpack itself) (3 个事件)

Time & API	Arguments	Status
1619134515.653026 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003d0000	success
1619134515.824026 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 36864 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0045e000	success
1619134515.824026 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00570000	success

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.87497094481938

section

{'size_of_data': '0x00064a00', 'virtual_address': '0x00054000', 'entropy': 7.87497094481938, 'name': 'UPX1', 'virtual_size': '0x00065000'}

description

A section with a high entropy has been found

entropy

0.9640718562874252

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 个事件)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 个事件)

Bkav	W32.AIDetectVM.malware2
Elastic	malicious (high confidence)
DrWeb	Trojan.PWS.Siggen2.53596
MicroWorld-eScan	Trojan.Delf.FareIt.Gen.7
FireEye	Generic.mg.01d990c6411e9f8a
CAT-QuickHeal	Trojan.Multi
ALYac	Trojan.Delf.FareIt.Gen.7
Cylance	Unsafe
Zillya	Trojan.Injector.Win32.749171
Sangfor	Malware
K7AntiVirus	Trojan ( 0056a3e91 )
Alibaba	Trojan:Win32/Kryptik.d6c9904d
K7GW	Trojan ( 0056a3e91 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Delf.FareIt.Gen.7
BitDefenderTheta	Gen:NN.ZelphiF.34670.AmGfa8JKlKli
Cyren	W32/Injector.ABY.gen!Eldorado
Symantec	Trojan Horse
ESET-NOD32	a variant of Win32/Injector.EMOY
Zoner	Trojan.Win32.91490
TrendMicro-HouseCall	TSPY_HPLOKI.SMBD
Avast	Win32:Trojan-gen
ClamAV	Win.Dropper.Nanocore-8878336-0
Kaspersky	Trojan.Win32.Kryptik.apl
BitDefender	Trojan.Delf.FareIt.Gen.7
NANO-Antivirus	Trojan.Win32.Androm.hncnsh
Paloalto	generic.ml
Ad-Aware	Trojan.Delf.FareIt.Gen.7
Sophos	Mal/Generic-S
Comodo	Malware@#12zv9s55cvwav
F-Secure	Heuristic.HEUR/AGEN.1136559
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TSPY_HPLOKI.SMBD
McAfee-GW-Edition	Fareit-FVZ!C56DBA33BEA6
Emsisoft	Trojan.Delf.FareIt.Gen.7 (B)
SentinelOne	Static AI - Suspicious PE
Jiangmin	Backdoor.Androm.awti
Webroot	W32.Trojan.Delf.FareIt.Gen
Avira	HEUR/AGEN.1136559
MAX	malware (ai score=80)
Antiy-AVL	Trojan[Backdoor]/Win32.Androm
Microsoft	PWS:Win32/Fareit.AQ!MTB
AegisLab	Trojan.Win32.Kryptik.4!c
ZoneAlarm	Trojan.Win32.Kryptik.apl
GData	Trojan.Delf.FareIt.Gen.7
Cynet	Malicious (score: 85)
AhnLab-V3	Suspicious/Win.Delphiless.X2085
Acronis	suspicious
McAfee	Artemis!01D990C6411E
VBA32	TScope.Trojan.Delf

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1992-06-20 06:22:17

Imports

Library KERNEL32.DLL:

• 0x4bc9d0 LoadLibraryA

• 0x4bc9d4 GetProcAddress

• 0x4bc9d8 VirtualProtect

• 0x4bc9dc VirtualAlloc

• 0x4bc9e0 VirtualFree

• 0x4bc9e4 ExitProcess

Library advapi32.dll:

• 0x4bc9ec RegCloseKey

Library comctl32.dll:

• 0x4bc9f4 ImageList_Add

Library comdlg32.dll:

• 0x4bc9fc PrintDlgA

Library gdi32.dll:

• 0x4bca04 SaveDC

Library ole32.dll:

• 0x4bca0c CoInitialize

Library oleaut32.dll:

• 0x4bca14 VariantCopy

Library user32.dll:

• 0x4bca1c GetDC

Library version.dll:

• 0x4bca24 VerQueryValueA

Library winspool.drv:

• 0x4bca2c OpenPrinterA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.