SmartHawk

4.2

中危

47 个模型检测该样本为恶意！

重新分析

下载样本

d9dda49d34185e58c7eb02f024b9d7b47370b9b08bd86d0922e3a6a59475f1c3

09ba132d2ddb173b4a1e327003ca1a3c.exe

分析耗时

91s

最近分析

文件大小

57.0KB

静态报毒动态报毒 AI SCORE=89 AIDETECTVM ATTRIBUTE CLOUD CONFIDENCE COROXY DU0@AMALLQCI GDSDA HIGHCONFIDENCE HLCQWK MALICIOUS MALWAREB MULDROP12 PROXY R002C0WEU20 RAZY SCORE SUSPICIOUS PE SYBICI TROJANPROXY UNSAFE WACATAC YMACCO ZDEX ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	RDN/Generic.hbg	20200616	6.0.6.653
Alibaba	Trojan:Win32/Sybici.f32f2cbd	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:Trojan-gen	20200616	18.4.3895.0
Kingsoft		20200616	2013.8.14.323
Tencent	Win32.Trojan-proxy.Sybici.Hpi	20200616	1.0.0.1
CrowdStrike	win/malicious_confidence_70% (W)	20190702	1.0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619134513.118307 GlobalMemoryStatusEx		success	1	0

Allocates read-write-execute memory (usually to unpack itself) (6 个事件)

Time & API	Arguments	Status
1619134513.071307 NtProtectVirtualMemory	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00406000	success
1619134513.180307 NtAllocateVirtualMemory	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03f20000	success
1619134522.024307 NtAllocateVirtualMemory	process_identifier: 2248 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x04a40000	success
1619134522.024307 NtAllocateVirtualMemory	process_identifier: 2248 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x04a60000	success
1619134522.024307 NtProtectVirtualMemory	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 69632 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success
1619142796.365501 NtAllocateVirtualMemory	process_identifier: 1424 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0000000004140000	success

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates hidden or system file (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619134532.368307 NtCreateFile	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000032c filepath: C:\Windows\Tasks\tndo.job desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Windows\Tasks\tndo.job create_options: 100 (FILE_NON_DIRECTORY_FILE\|FILE_SEQUENTIAL_ONLY\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 5 (FILE_SHARE_READ\|FILE_SHARE_DELETE)	success	0	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619134532.196307 Process32NextW	process_name: 09ba132d2ddb173b4a1e327003ca1a3c.exe snapshot_handle: 0x00000310 process_identifier: 2248	success	1	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Installs itself for autorun at Windows startup (1 个事件)

file	C:\Windows\Tasks\tndo.job

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 个事件)

Bkav	W32.AIDetectVM.malwareB
MicroWorld-eScan	Gen:Variant.Razy.674990
CAT-QuickHeal	Trojan.Sybici
McAfee	RDN/Generic.hbg
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Trojan ( 00552ecd1 )
Alibaba	Trojan:Win32/Sybici.f32f2cbd
K7GW	Trojan ( 00552ecd1 )
Arcabit	Trojan.Razy.DA4CAE
Cyren	W32/Trojan.ZDEX-7922
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Win32/Coroxy.A
APEX	Malicious
Paloalto	generic.ml
GData	Gen:Variant.Razy.674990
Kaspersky	Trojan-Proxy.Win32.Sybici.nd
BitDefender	Gen:Variant.Razy.674990
NANO-Antivirus	Trojan.Win32.Coroxy.hlcqwk
AegisLab	Riskware.UKP.Generic.1!c
Avast	Win32:Trojan-gen
Rising	Trojan.Coroxy!8.10E83 (CLOUD)
Ad-Aware	Gen:Variant.Razy.674990
Sophos	Mal/Generic-S
DrWeb	Trojan.MulDrop12.43327
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0WEU20
McAfee-GW-Edition	RDN/Generic.hbg
Emsisoft	Gen:Variant.Razy.674990 (B)
SentinelOne	DFI - Suspicious PE
Jiangmin	TrojanProxy.Sybici.br
Microsoft	Trojan:Win32/Ymacco.AAD9
ZoneAlarm	Trojan-Proxy.Win32.Sybici.nd
Cynet	Malicious (score: 100)
AhnLab-V3	Downloader/Win32.Agent.C4114229
BitDefenderTheta	Gen:NN.ZexaF.34128.du0@amAlLqci
ALYac	Trojan.Agent.Wacatac
VBA32	TrojanProxy.Sybici
Malwarebytes	Trojan.Crypt
TrendMicro-HouseCall	TROJ_GEN.R002C0WEU20
Tencent	Win32.Trojan-proxy.Sybici.Hpi
MAX	malware (ai score=89)
Fortinet	W32/Coroxy.A!tr
AVG	Win32:Trojan-gen
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_70% (W)
Qihoo-360	Win32/Trojan.Proxy.412

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-04-08 11:18:49

Imports

Library advapi32.dll:

• 0x408000 LogonUserW

• 0x408004 RegOpenKeyA

• 0x408008 WmiCloseBlock

• 0x40800c ImpersonateSelf

• 0x408010 QueryServiceLockStatusA

• 0x408014 CryptHashSessionKey

• 0x408018 LsaEnumerateAccounts

• 0x40801c CryptSetProviderExW

• 0x408020 CryptGenRandom

• 0x408024 RegisterEventSourceW

• 0x408028 SetSecurityDescriptorSacl

• 0x40802c DecryptFileW

• 0x408030 LsaClose

• 0x408034 LsaRemovePrivilegesFromAccount

Library inetcomm.dll:

• 0x40803c HrGetAttachIcon

• 0x408040 CreateRangeList

• 0x408044 MimeOleInetDateToFileTime

• 0x408048 HrAttachDataFromBodyPart

• 0x40804c HrAthGetFileName

• 0x408050 CreateSMTPTransport

• 0x408054 MimeOleGetPropertySchema

• 0x408058 HrGetAttachIconByFile

• 0x40805c MimeOleCreateMessage

• 0x408060 HrAttachDataFromFile

• 0x408064 HrFreeAttachData

• 0x408068 MimeOleSetCompatMode

• 0x40806c HrDoAttachmentVerb

• 0x408070 HrAthGetFileNameW

Library kernel32.dll:

• 0x408078 GetModuleFileNameA

• 0x40807c SetLastError

• 0x408080 WriteConsoleW

• 0x408084 LCMapStringA

• 0x408088 CloseHandle

• 0x40808c SetStdHandle

• 0x408090 VirtualAlloc

• 0x408094 LCMapStringW

• 0x408098 ReadFile

• 0x40809c CreateEventW

• 0x4080a0 HeapSize

• 0x4080a4 GetCommandLineA

• 0x4080a8 LoadLibraryA

• 0x4080ac WriteConsoleA

• 0x4080b0 GetEnvironmentVariableW

• 0x4080b4 GetConsoleOutputCP

• 0x4080b8 CreateFileA

• 0x4080bc GetSystemTimeAsFileTime

• 0x4080c0 HeapCreate

• 0x4080c4 GetPriorityClass

• 0x4080c8 SwitchToThread

• 0x4080cc GetVolumePathNameW

• 0x4080d0 IsValidCodePage

• 0x4080d4 SetFilePointer

• 0x4080d8 QueryPerformanceCounter

• 0x4080dc UnhandledExceptionFilter

• 0x4080e0 GetOEMCP

• 0x4080e4 HeapFree

• 0x4080e8 HeapAlloc

• 0x4080ec GetStartupInfoA

• 0x4080f0 GetStringTypeW

• 0x4080f4 GetStdHandle

• 0x4080f8 EnterCriticalSection

• 0x4080fc GetEnvironmentStringsW

• 0x408100 ResetEvent

• 0x408104 HeapReAlloc

• 0x408108 TlsGetValue

• 0x40810c MoveFileA

• 0x408110 FreeEnvironmentStringsW

• 0x408114 WriteFile

• 0x408118 TlsAlloc

• 0x40811c DeleteCriticalSection

• 0x408120 MultiByteToWideChar

• 0x408124 SetHandleCount

• 0x408128 InitializeCriticalSection

• 0x40812c GetEnvironmentStrings

• 0x408130 GetConsoleMode

• 0x408134 GetFileType

• 0x408138 GetCurrentProcess

• 0x40813c GetCurrentProcessId

• 0x408140 LeaveCriticalSection

• 0x408144 TlsFree

• 0x408148 TerminateProcess

• 0x40814c GlobalAlloc

• 0x408150 RegisterWowExec

• 0x408154 GetStringTypeA

• 0x408158 GetNamedPipeInfo

• 0x40815c GetCPInfo

• 0x408160 GetLocaleInfoA

• 0x408164 GetVersionExA

• 0x408168 GetLastError

• 0x40816c GetProcessHeap

• 0x408170 GetConsoleCP

• 0x408174 ActivateActCtx

• 0x408178 GetModuleHandleA

• 0x40817c FlushFileBuffers

• 0x408180 FreeEnvironmentStringsA

• 0x408184 WideCharToMultiByte

• 0x408188 GetCurrentThreadId

• 0x40818c GetVersion

• 0x408190 InterlockedDecrement

• 0x408194 ExitProcess

• 0x408198 HeapDestroy

• 0x40819c InterlockedIncrement

• 0x4081a0 RtlUnwind

• 0x4081a4 GetACP

• 0x4081a8 SetUnhandledExceptionFilter

• 0x4081ac IsDebuggerPresent

• 0x4081b0 VirtualFree

• 0x4081b4 GetProcAddress

• 0x4081b8 TlsSetValue

• 0x4081bc VirtualProtect

• 0x4081c0 GetTickCount

• 0x4081c4 Sleep

Library shell32.dll:

• 0x4081cc ShellAboutA

• 0x4081d0 SHFileOperationA

• 0x4081d4 SHBrowseForFolderW

• 0x4081d8 SHFileOperationW

• 0x4081dc SHEnableServiceObject

• 0x4081e0 FindExecutableW

• 0x4081e4 SHCreateQueryCancelAutoPlayMoniker

• 0x4081e8 SHBindToParent

• 0x4081ec SHGetInstanceExplorer

• 0x4081f0 CommandLineToArgvW

• 0x4081f4 SHUpdateRecycleBinIcon

• 0x4081f8 SHGetSettings

• 0x4081fc SHGetPathFromIDListA

Library user32.dll:

• 0x408204 CharLowerBuffW

• 0x408208 OpenWindowStationW

• 0x40820c EndTask

• 0x408210 DlgDirSelectComboBoxExA

• 0x408214 RegisterRawInputDevices

• 0x408218 UnregisterUserApiHook

• 0x40821c EnumWindows

• 0x408220 DefMDIChildProcA

• 0x408224 LoadImageW

• 0x408228 VkKeyScanExW

• 0x40822c DdeFreeDataHandle

• 0x408230 CallMsgFilterA

• 0x408234 CtxInitUser32

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
clients2.google.com	CNAME clients.l.google.com A 216.58.200.238	216.58.200.238
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	62192	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.