SmartHawk

3.0

中危

60 个模型检测该样本为恶意！

重新分析

下载样本

4f9269aa09bac3fb5604de2a84dff5e8e376aa3030cb8d4a7f14fe87eee817f4

059a8da68bcee1d596d3f445decf8795.exe

分析耗时

37s

最近分析

文件大小

235.5KB

静态报毒动态报毒 100% AI SCORE=84 AJZM ATTRIBUTE BCZIT BEHAVIOR CLASSIC CONFIDENCE FNWW GDSDA GENERICKD GLUPTEBA HIGH CONFIDENCE HIGHCONFIDENCE HSVXMU IGENERIC ILC8N6LUJ5I KRYPTIK MOKES OQW@A8XG5LAG PHORPIEXUPF PWSX R002C0PHN20 R348822 SCORE SIGGEN10 SOFTPULSE SUSPICIOUS PE UNSAFE URSNIF WACATAC YMACCO ZEXAF ZURGOP 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Packed-GBE!059A8DA68BCE	20201027	6.0.6.653
Alibaba	Backdoor:Win32/Mokes.e2c65f81	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:PWSX-gen [Trj]	20201027	18.4.3895.0
Tencent	Win32.Backdoor.Mokes.Fig	20201027	1.0.0.1
Kingsoft		20201027	2013.8.14.323

This executable has a PDB path (1 个事件)

pdb_path

C:\zoyedi-rop.pdbserver\runtime\crypt\tmp_239236745\bin\yerawax.pdb`BÄ7BÔ7Bà7Bà:B

The file contains an unknown PE resource name possibly indicative of a packer (2 个事件)

resource name	AFX_DIALOG_LAYOUT
resource name	NAKUREREKOMILI

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620143904.847502 NtProtectVirtualMemory	process_identifier: 2520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x041ad000	success	0	0
1620143904.863502 NtAllocateVirtualMemory	process_identifier: 2520 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003a0000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.283671786093103

section

{'size_of_data': '0x00020000', 'virtual_address': '0x00001000', 'entropy': 7.283671786093103, 'name': '.text', 'virtual_size': '0x0001feb9'}

description

A section with a high entropy has been found

entropy

0.5458422174840085

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 个事件)

Bkav	W32.PhorpiexUPF.Trojan
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.34397669
FireEye	Generic.mg.059a8da68bcee1d5
CAT-QuickHeal	Trojan.IGENERIC
McAfee	Packed-GBE!059A8DA68BCE
Cylance	Unsafe
Zillya	Downloader.Zurgop.Win32.2917
Sangfor	Malware
K7AntiVirus	Trojan ( 00569e421 )
Alibaba	Backdoor:Win32/Mokes.e2c65f81
K7GW	Trojan ( 00569e421 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Generic.D20CDDE5
Invincea	Mal/Generic-S
Cyren	W32/Trojan.FNWW-9058
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Glupteba-9488608-0
Kaspersky	Backdoor.Win32.Mokes.ajzm
BitDefender	Trojan.GenericKD.34397669
NANO-Antivirus	Trojan.Win32.Mokes.hsvxmu
Avast	Win32:PWSX-gen [Trj]
Tencent	Win32.Backdoor.Mokes.Fig
Ad-Aware	Trojan.GenericKD.34397669
Emsisoft	Trojan.GenericKD.34397669 (B)
F-Secure	Trojan.TR/AD.Behavior.bczit
DrWeb	Trojan.Siggen10.6494
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0PHN20
McAfee-GW-Edition	BehavesLike.Win32.SoftPulse.dh
Sophos	Mal/Generic-S
Ikarus	Trojan.Inject
Jiangmin	Backdoor.Mokes.cod
Webroot	W32.Malware.Gen
Avira	TR/AD.Behavior.bczit
Antiy-AVL	Trojan[Downloader]/Win32.Zurgop
Microsoft	Trojan:Win32/Ymacco.AA4F
AegisLab	Trojan.Win32.Mokes.m!c
ZoneAlarm	Backdoor.Win32.Mokes.ajzm
GData	Trojan.GenericKD.34397669
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Agent.R348822
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.34590.oqW@a8xg5LaG
ALYac	Trojan.GenericKD.34397669
MAX	malware (ai score=84)
VBA32	Trojan.Wacatac
Malwarebytes	Trojan.MalPack.GS

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-08-26 18:07:14

Imports

Library KERNEL32.dll:

• 0x421000 IsBadStringPtrW

• 0x421004 CreateHardLinkA

• 0x421008 GetSystemDefaultLCID

• 0x42100c GetModuleHandleW

• 0x421010 GetCurrencyFormatA

• 0x421014 GetCommandLineA

• 0x421018 GetUserGeoID

• 0x42101c GlobalAlloc

• 0x421020 FormatMessageW

• 0x421024 ReadFile

• 0x421028 lstrlenW

• 0x42102c FindNextVolumeMountPointW

• 0x421030 SetConsoleTitleA

• 0x421034 ReplaceFileA

• 0x421038 lstrcmpA

• 0x42103c GetLongPathNameW

• 0x421040 GetProcAddress

• 0x421044 GetTapeStatus

• 0x421048 OpenWaitableTimerW

• 0x42104c WritePrivateProfileStringA

• 0x421050 GetTapeParameters

• 0x421054 GlobalAddAtomW

• 0x421058 GetTempPathA

• 0x42105c OpenFileMappingA

• 0x421060 LocalFree

• 0x421064 LCMapStringW

• 0x421068 SetProcessAffinityMask

• 0x42106c WideCharToMultiByte

• 0x421070 InterlockedIncrement

• 0x421074 InterlockedDecrement

• 0x421078 InterlockedCompareExchange

• 0x42107c InterlockedExchange

• 0x421080 MultiByteToWideChar

• 0x421084 Sleep

• 0x421088 InitializeCriticalSection

• 0x42108c DeleteCriticalSection

• 0x421090 EnterCriticalSection

• 0x421094 LeaveCriticalSection

• 0x421098 GetLastError

• 0x42109c HeapFree

• 0x4210a0 TerminateProcess

• 0x4210a4 GetCurrentProcess

• 0x4210a8 UnhandledExceptionFilter

• 0x4210ac SetUnhandledExceptionFilter

• 0x4210b0 IsDebuggerPresent

• 0x4210b4 GetStartupInfoA

• 0x4210b8 GetCPInfo

• 0x4210bc RtlUnwind

• 0x4210c0 RaiseException

• 0x4210c4 LCMapStringA

• 0x4210c8 GetStringTypeW

• 0x4210cc SetHandleCount

• 0x4210d0 GetStdHandle

• 0x4210d4 GetFileType

• 0x4210d8 HeapAlloc

• 0x4210dc HeapCreate

• 0x4210e0 VirtualFree

• 0x4210e4 VirtualAlloc

• 0x4210e8 HeapReAlloc

• 0x4210ec TlsGetValue

• 0x4210f0 TlsAlloc

• 0x4210f4 TlsSetValue

• 0x4210f8 TlsFree

• 0x4210fc SetLastError

• 0x421100 GetCurrentThreadId

• 0x421104 HeapSize

• 0x421108 ExitProcess

• 0x42110c WriteFile

• 0x421110 GetModuleFileNameA

• 0x421114 FreeEnvironmentStringsA

• 0x421118 GetEnvironmentStrings

• 0x42111c FreeEnvironmentStringsW

• 0x421120 GetEnvironmentStringsW

• 0x421124 QueryPerformanceCounter

• 0x421128 GetTickCount

• 0x42112c GetCurrentProcessId

• 0x421130 GetSystemTimeAsFileTime

• 0x421134 GetStringTypeA

• 0x421138 GetACP

• 0x42113c GetOEMCP

• 0x421140 IsValidCodePage

• 0x421144 GetUserDefaultLCID

• 0x421148 GetLocaleInfoA

• 0x42114c EnumSystemLocalesA

• 0x421150 IsValidLocale

• 0x421154 InitializeCriticalSectionAndSpinCount

• 0x421158 SetFilePointer

• 0x42115c GetConsoleCP

• 0x421160 GetConsoleMode

• 0x421164 LoadLibraryA

• 0x421168 GetLocaleInfoW

• 0x42116c FlushFileBuffers

• 0x421170 SetStdHandle

• 0x421174 WriteConsoleA

• 0x421178 GetConsoleOutputCP

• 0x42117c WriteConsoleW

• 0x421180 CloseHandle

• 0x421184 CreateFileA

Library USER32.dll:

• 0x42118c GetCaretPos

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	53945	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.