3.4
Medium risk

76d8d849838fe256e86ccd0103c152ffa3e9a852eefbed9c089f369c0c829769

034a01bfafc6356c0efb47166d3d3921.exe

Analysis duration

70s

Last analyzed

File size

72.5KB
Static detections / dynamic detections (tags): A + W32, AI SCORE=85, BANLOAD, CLASSIC, CONFIDENCE, CSTQAJ, DARKSHELL, DUMPMODULEINFECTIOUSNME, FAMVT, FILEINFECTOR, HIGH CONFIDENCE, INFECTED, JADTRE, KA@558NXG, KUDJ, LOADER, M1R5, MALICIOUS, PE, MIKCER, NIMNUL, OTWYCAL, PATCHLOAD, PCARRIER, RAMNIT, ROUE, SCORE, SMALL, STATIC AI, UNSAFE, VJADTRE, WALI, WAPOMI
HawkEye engine
Not detected: no HawkEye engine results are available for this sample
Static verdict
Antivirus engines
Engine  Result  Scan date  Engine version
Alibaba Virus:Win32/Nimnul.256a647f 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
Baidu Win32.Virus.Otwycal.d 20190318 1.0.0.2
Avast Other:Malware-gen [Trj] 20201210 21.1.5827.0
McAfee W32/Kudj 20201211 6.0.6.653
Tencent Virus.Win32.Loader.aab 20201211 1.0.0.1
Static indicators
This executable has a PDB path (1 event)
pdb_path C:\Jenkins\jobs\miktex-2.9\workspace\build-x86\binlib\fc-query.pdb
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section .gfids
section .00cfg
section DC\x9f\xd0\xa3u\x9e
Behavioral verdict
Dynamic indicators
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 6.934620103996107 section {'size_of_data': '0x00004200', 'virtual_address': '0x00013000', 'entropy': 6.934620103996107, 'name': 'DC\\x9f\\xd0\\xa3u\\x9e', 'virtual_size': '0x00005000'} description A section with a high entropy has been found
entropy 0.23076923076923078 description Overall entropy of this PE file is high
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Generates some ICMP traffic
File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 events)
Bkav W32.FamVT.DumpModuleInfectiousNME.PE
Elastic malicious (high confidence)
MicroWorld-eScan Win32.VJadtre.3
FireEye Generic.mg.034a01bfafc6356c
ALYac Win32.VJadtre.3
Cylance Unsafe
Zillya Virus.Nimnul.Win32.5
K7AntiVirus Virus ( 0040f7441 )
Alibaba Virus:Win32/Nimnul.256a647f
K7GW Virus ( 0040f7441 )
CrowdStrike win/malicious_confidence_90% (W)
Arcabit Win32.VJadtre.3
Baidu Win32.Virus.Otwycal.d
Cyren W32/PatchLoad.E
Symantec W32.Wapomi.C!inf
TotalDefense Win32/Nimnul.A
APEX Malicious
Avast Other:Malware-gen [Trj]
ClamAV Win.Trojan.Downloader-64720
Kaspersky Virus.Win32.Nimnul.f
BitDefender Win32.VJadtre.3
NANO-Antivirus Trojan.Win32.Banload.cstqaj
Paloalto generic.ml
AegisLab Virus.Win32.Nimnul.m1R5
Rising Virus.Roue!1.9E10 (CLASSIC)
Ad-Aware Win32.VJadtre.3
TACHYON Virus/W32.Ramnit.C
Emsisoft Win32.VJadtre.3 (B)
Comodo Virus.Win32.Wali.KA@558nxg
F-Secure Malware.W32/Jadtre.B
DrWeb BackDoor.Darkshell.246
VIPRE Virus.Win32.Small.acea (v)
TrendMicro PE_WAPOMI.BM
McAfee-GW-Edition BehavesLike.Win32.Infected.lt
Sophos ML/PE-A + W32/Nimnul-A
SentinelOne Static AI - Malicious PE
Jiangmin Win32/Nimnul.f
Avira W32/Jadtre.B
Antiy-AVL Virus/Win32.Nimnul.f
Gridinsoft Trojan.Heur!.03002201
Microsoft Virus:Win32/Mikcer.B
ViRobot Win32.Ramnit.F
ZoneAlarm Virus.Win32.Nimnul.f
GData Win32.Virus.Wapomi.A
Cynet Malicious (score: 100)
AhnLab-V3 Win32/VJadtre.Gen
McAfee W32/Kudj
MAX malware (ai score=85)
VBA32 Virus.Nimnul.19209
Zoner Virus.Win32.23755
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No screenshots: no screenshots were captured while this sample ran


PE Compile Time

2016-08-09 02:34:07

Imports

Library MiKTeX209-fontconfig.dll:
0x40d0e8 FcConfigGetBlanks
0x40d0ec FcPatternDestroy
0x40d0f0 FcPatternFormat
0x40d0f4 FcStrFree
0x40d0f8 FcPatternPrint
0x40d0fc FcFini
0x40d100 FcFreeTypeQuery
Library MiKTeX209-getopt.dll:
0x40d138 getopt_long
Library MSVCP140.dll:
Library VCRUNTIME140.dll:
0x40d1a4 memset
0x40d1b0 memcpy
0x40d1b4 __CxxFrameHandler3
0x40d1b8 _CxxThrowException
0x40d1bc memmove
Library api-ms-win-crt-runtime-l1-1-0.dll:
0x40d2bc _initterm
0x40d2c0 _initterm_e
0x40d2c4 _exit
0x40d2cc __p___argc
0x40d2d4 _c_exit
0x40d2e0 _seh_filter_exe
0x40d2e4 _seh_filter_dll
0x40d2e8 terminate
0x40d2ec _controlfp_s
0x40d2f0 _cexit
0x40d2f4 _crt_at_quick_exit
0x40d2f8 _crt_atexit
0x40d308 __p___wargv
0x40d310 exit
0x40d318 _set_app_type
Library api-ms-win-crt-stdio-l1-1-0.dll:
0x40d360 __acrt_iob_func
0x40d364 __p__commode
0x40d368 _set_fmode
0x40d36c _setmode
0x40d374 _fileno
Library api-ms-win-crt-convert-l1-1-0.dll:
0x40d1f0 atoi
Library api-ms-win-crt-heap-l1-1-0.dll:
0x40d220 malloc
0x40d224 free
0x40d228 _set_new_mode
0x40d22c _callnewh
Library api-ms-win-crt-math-l1-1-0.dll:
0x40d28c __setusermatherr
Library api-ms-win-crt-locale-l1-1-0.dll:
0x40d25c _configthreadlocale
Library api-ms-win-crt-string-l1-1-0.dll:
0x40d3a8 _strdup
Library KERNEL32.dll:
0x40d004 IsDebuggerPresent
0x40d010 GetStartupInfoW
0x40d014 GetModuleHandleW
0x40d018 InitializeSListHead
0x40d020 GetCurrentThreadId
0x40d024 GetCurrentProcessId
0x40d02c TerminateProcess
0x40d030 GetCurrentProcess

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source  Source port  Destination  Destination port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51809 239.255.255.250 3702
192.168.56.101 51811 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 63430 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.