4.6
Medium risk

ee57f8e4794af9a3be5f3188019810007dde00d823ef3d270e5f8e03144f452d

22d757e5517850e3cd24b59625e467a4.exe

Analysis time

82s

Last analyzed

File size

110.0KB
Static detection  Dynamic detection  100% A@3YPG AI SCORE=99 APANAS CMRTAZO1ZP5V CONFIDENCE DELF FILEINFECTOR FMOBYW HIGH HIGH CONFIDENCE HLLP K2NLMADA4MUNUKQ MALICIOUS PE NESHTA NESHUTA OBIX POLESKA RDMK REBHIP SCORE TN9H UNSAFE WINLOCK
Eagle Eye engine
Not detected: no Eagle Eye engine detection results available
Static verdict
Antivirus engines
Engine Result Scan date Engine version
McAfee W32/Generic.t.c 20200709 6.0.6.653
Alibaba Virus:Win32/Neshta.67972099 20190527 0.3.0.5
Baidu Win32.Virus.Neshta.a 20190318 1.0.0.2
Avast Win32:Apanas [Trj] 20200709 18.4.3895.0
Kingsoft Win32.Neshta.nl.30720 20200709 2013.8.14.323
Tencent Virus.Win32.Neshta.a 20200709 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Checks if process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1620119622.523422
IsDebuggerPresent
failed 0 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
One or more processes crashed (8 events)
Time & API Arguments Status Return Repeated
1620119622.413422
__exception__
stacktrace:
registers.esp: 1638244
registers.edi: 4294967295
registers.eax: 1638340
registers.ebp: 52046
registers.edx: 1983915168
registers.ebx: 4261453
registers.esi: 1983119360
registers.ecx: 4294967295
exception.instruction_r: f3 ae 68 b9 13 00 00 00 e8 00 00 00 00 5f 83 ef
exception.symbol: 22d757e5517850e3cd24b59625e467a4+0x1064a
exception.instruction: scasb al, byte ptr es:[edi]
exception.module: 22d757e5517850e3cd24b59625e467a4.exe
exception.exception_code: 0xc0000005
exception.offset: 67146
exception.address: 0x41064a
success 0 0
1620119622.413422
__exception__
stacktrace:
registers.esp: 1638244
registers.edi: 4377696
registers.eax: 0
registers.ebp: 52046
registers.edx: 2130566132
registers.ebx: 0
registers.esi: 3932160
registers.ecx: 3249209344
exception.instruction_r: f6 f3 c3 8d b5 cc d1 3f 00 ba e7 1a 00 00 eb 01
exception.symbol: 22d757e5517850e3cd24b59625e467a4+0x1084a
exception.instruction: div bl
exception.module: 22d757e5517850e3cd24b59625e467a4.exe
exception.exception_code: 0xc0000094
exception.offset: 67658
exception.address: 0x41084a
success 0 0
1620119622.429422
__exception__
stacktrace:
registers.esp: 1638236
registers.edi: 4262947
registers.eax: 4271872
registers.ebp: 52046
registers.edx: 3833646782
registers.ebx: 0
registers.esi: 4262070
registers.ecx: 0
exception.instruction_r: fb ff ff 89 1b e8 95 ff ff ff eb 01 e8 8d bd d5
exception.symbol: 22d757e5517850e3cd24b59625e467a4+0x1300b
exception.instruction: sti
exception.module: 22d757e5517850e3cd24b59625e467a4.exe
exception.exception_code: 0xc0000096
exception.offset: 77835
exception.address: 0x41300b
success 0 0
1620119622.429422
__exception__
stacktrace:
registers.esp: 1638236
registers.edi: 4262947
registers.eax: 4271872
registers.ebp: 52046
registers.edx: 3833646782
registers.ebx: 0
registers.esi: 4262070
registers.ecx: 0
exception.instruction_r: fb ff ff 89 1b e8 95 ff ff ff eb 01 e8 8d bd d5
exception.symbol: 22d757e5517850e3cd24b59625e467a4+0x1300b
exception.instruction: sti
exception.module: 22d757e5517850e3cd24b59625e467a4.exe
exception.exception_code: 0xc0000096
exception.offset: 77835
exception.address: 0x41300b
success 0 0
1620119622.429422
__exception__
stacktrace:
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x77d76a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7534482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x77d40143
registers.esp: 1636464
registers.edi: 0
registers.eax: 0
registers.ebp: 1636496
registers.edx: 1638236
registers.ebx: 0
registers.esi: 0
registers.ecx: 4272063
exception.instruction_r: d7 e8 12 00 00 00 ff 64 24 fc ff 8b 64 24 08 2b
exception.symbol: 22d757e5517850e3cd24b59625e467a4+0x12fcf
exception.instruction: xlatb
exception.module: 22d757e5517850e3cd24b59625e467a4.exe
exception.exception_code: 0xc0000005
exception.offset: 77775
exception.address: 0x412fcf
success 0 0
1620119622.429422
__exception__
stacktrace:
registers.esp: 1638236
registers.edi: 4215808
registers.eax: 4925520
registers.ebp: 52046
registers.edx: 4194928
registers.ebx: 4294967295
registers.esi: 0
registers.ecx: 0
exception.instruction_r: d7 6a f9 5a 59 e8 04 00 00 00 f3 ff e1 68 58 03
exception.symbol: 22d757e5517850e3cd24b59625e467a4+0x12b75
exception.instruction: xlatb
exception.module: 22d757e5517850e3cd24b59625e467a4.exe
exception.exception_code: 0xc0000005
exception.offset: 76661
exception.address: 0x412b75
success 0 0
1620119622.429422
__exception__
stacktrace:
registers.esp: 1638240
registers.edi: 0
registers.eax: 0
registers.ebp: 52046
registers.edx: 4262800
registers.ebx: 27
registers.esi: 0
registers.ecx: 4269524
exception.instruction_r: 89 18 e9 76 17 00 00 eb 01 68 69 d9 02 20 1e 00
exception.symbol: 22d757e5517850e3cd24b59625e467a4+0x10c00
exception.instruction: mov dword ptr [eax], ebx
exception.module: 22d757e5517850e3cd24b59625e467a4.exe
exception.exception_code: 0xc0000005
exception.offset: 68608
exception.address: 0x410c00
success 0 0
1620119622.429422
__exception__
stacktrace:
registers.esp: 1638236
registers.edi: 4194896
registers.eax: 255
registers.ebp: 52046
registers.edx: 4270669
registers.ebx: 0
registers.esi: 4194775
registers.ecx: 429
exception.instruction_r: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
exception.symbol: 22d757e5517850e3cd24b59625e467a4+0x1d7
exception.address: 0x4001d7
exception.module: 22d757e5517850e3cd24b59625e467a4.exe
exception.exception_code: 0xc000001d
exception.offset: 471
success 0 0
Behavior verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Time & API Arguments Status Return Repeated
1620119622.429422
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1620119622.429422
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00430000
success 0 0
Creates executable files on the filesystem (34 events)
file C:\Python27\Scripts\pip.exe
file C:\Python27\Lib\site-packages\pip\_vendor\distlib\w64.exe
file C:\Program Files (x86)\Google\Update\1.3.36.72\GoogleUpdate.exe
file C:\Python27\Lib\distutils\command\wininst-7.1.exe
file C:\Python27\Lib\site-packages\setuptools\cli-32.exe
file C:\Python27\Lib\site-packages\setuptools\gui-64.exe
file C:\Windows\svchost.com
file C:\Python27\Scripts\easy_install.exe
file C:\Python27\Lib\distutils\command\wininst-9.0-amd64.exe
file C:\Python27\Lib\distutils\command\wininst-9.0.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Wintup.exe
file C:\Python27\Scripts\easy_install-2.7.exe
file C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
file C:\Python27\Lib\distutils\command\wininst-6.0.exe
file C:\Python27\Lib\site-packages\setuptools\cli-64.exe
file C:\Python27\Lib\site-packages\setuptools\cli.exe
file C:\Program Files (x86)\Google\Update\1.3.36.72\GoogleUpdateComRegisterShell64.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3582-490\22d757e5517850e3cd24b59625e467a4.exe
file C:\Program Files (x86)\Google\Update\1.3.36.72\GoogleUpdateOnDemand.exe
file C:\Python27\Lib\site-packages\setuptools\gui-32.exe
file C:\Program Files (x86)\Google\Update\1.3.36.72\GoogleCrashHandler64.exe
file C:\Program Files (x86)\Google\Update\1.3.36.72\GoogleUpdateCore.exe
file C:\Python27\Lib\site-packages\pip\_vendor\distlib\t64.exe
file C:\Python27\Lib\site-packages\pip\_vendor\distlib\w32.exe
file C:\Python27\Lib\site-packages\pip\_vendor\distlib\t32.exe
file C:\Program Files (x86)\Google\Update\1.3.36.72\GoogleCrashHandler.exe
file C:\Python27\Scripts\pip2.exe
file C:\Python27\Scripts\pip2.7.exe
file C:\Python27\Lib\distutils\command\wininst-8.0.exe
file C:\tmpsij43m\bin\Procmon.exe
file C:\Program Files (x86)\Google\Update\1.3.36.72\GoogleUpdateBroker.exe
file C:\Program Files (x86)\Google\Update\1.3.36.72\GoogleUpdateSetup.exe
file C:\Python27\Lib\site-packages\setuptools\gui.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Windows_Activator\Windows Activator.exe
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3582-490\22d757e5517850e3cd24b59625e467a4.exe
Drops an executable to the user AppData folder (3 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3582-490\22d757e5517850e3cd24b59625e467a4.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Wintup.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Windows_Activator\Windows Activator.exe
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default) reg_value C:\Windows\svchost.com "%1" %*
File has been identified by 67 AntiVirus engines on VirusTotal as malicious (50 out of 67 events)
Bkav W32.Poleska.PE
MicroWorld-eScan Win32.Neshta.A
FireEye Generic.mg.22d757e5517850e3
CAT-QuickHeal W32.Neshta.A
McAfee W32/Generic.t.c
VIPRE Virus.Win32.Neshta.a (v)
Sangfor Malware
K7AntiVirus Virus ( 00556e571 )
Alibaba Virus:Win32/Neshta.67972099
K7GW Virus ( 00556e571 )
Cybereason malicious.551785
Arcabit Win32.Neshta.A
Invincea heuristic
Baidu Win32.Virus.Neshta.a
F-Prot W32/Neshta.C
Symantec W32.Neshuta
TotalDefense Win32/Neshta.A
APEX Malicious
Avast Win32:Apanas [Trj]
ClamAV Win.Trojan.Neshuta-1
Kaspersky Virus.Win32.Neshta.a
BitDefender Win32.Neshta.A
NANO-Antivirus Trojan.Win32.Winlock.fmobyw
Paloalto generic.ml
AegisLab Virus.Win32.Neshta.tn9H
Rising Worm.Rebhip!1.A338 (RDMK:cmRtazo1Zp5v/K2NlMADa4MUnUKQ)
Ad-Aware Win32.Neshta.A
Emsisoft Win32.Neshta.A (B)
Comodo Win32.Neshta.A@3ypg
F-Secure Malware.W32/Delf.I
DrWeb Win32.HLLP.Neshta
Zillya Virus.Neshta.Win32.1
TrendMicro PE_NESHTA.A
Trapmine malicious.high.ml.score
Sophos W32/Neshta-D
SentinelOne DFI - Malicious PE
Cyren W32/Trojan.OBIX-2981
Jiangmin Virus.Neshta.a
Avira W32/Delf.I
MAX malware (ai score=99)
Antiy-AVL Virus/Win32.Neshta.a
Kingsoft Win32.Neshta.nl.30720
Microsoft Virus:Win32/Neshta.A
Endgame malicious (high confidence)
ViRobot Win32.Neshta.Gen.A
ZoneAlarm Virus.Win32.Neshta.a
GData Win32.Neshta.A
Cynet Malicious (score: 100)
AhnLab-V3 Win32/Neshta
Acronis suspicious
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample was running

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x4150ec VirtualFree
0x4150f0 VirtualAlloc
0x4150f4 LocalFree
0x4150f8 LocalAlloc
0x4150fc GetVersion
0x415100 GetCurrentThreadId
0x415104 GetThreadLocale
0x415108 GetStartupInfoA
0x41510c GetLocaleInfoA
0x415110 GetCommandLineA
0x415114 FreeLibrary
0x415118 ExitProcess
0x41511c WriteFile
0x415124 RtlUnwind
0x415128 RaiseException
0x41512c GetStdHandle
Library user32.dll:
0x415134 GetKeyboardType
0x415138 MessageBoxA
Library advapi32.dll:
0x415140 RegQueryValueExA
0x415144 RegOpenKeyExA
0x415148 RegCloseKey
Library oleaut32.dll:
0x415150 SysFreeString
0x415154 SysReAllocStringLen
Library kernel32.dll:
0x41515c TlsSetValue
0x415160 TlsGetValue
0x415164 LocalAlloc
0x415168 GetModuleHandleA
Library advapi32.dll:
0x415170 RegSetValueExA
0x415174 RegOpenKeyExA
0x415178 RegCloseKey
Library kernel32.dll:
0x415180 WriteFile
0x415184 WinExec
0x415188 SetFilePointer
0x41518c SetFileAttributesA
0x415190 SetEndOfFile
0x415198 ReleaseMutex
0x41519c ReadFile
0x4151a4 GetTempPathA
0x4151a8 GetShortPathNameA
0x4151ac GetModuleFileNameA
0x4151b4 GetLocalTime
0x4151b8 GetLastError
0x4151bc GetFileSize
0x4151c0 GetFileAttributesA
0x4151c4 GetDriveTypeA
0x4151c8 GetCommandLineA
0x4151cc FreeLibrary
0x4151d0 FindNextFileA
0x4151d4 FindFirstFileA
0x4151d8 FindClose
0x4151dc DeleteFileA
0x4151e0 CreateMutexA
0x4151e4 CreateFileA
0x4151e8 CreateDirectoryA
0x4151ec CloseHandle
Library gdi32.dll:
0x4151f4 StretchDIBits
0x4151f8 SetDIBits
0x4151fc SelectObject
0x415200 GetObjectA
0x415204 GetDIBits
0x415208 DeleteObject
0x41520c DeleteDC
0x415210 CreateSolidBrush
0x415214 CreateDIBSection
0x415218 CreateCompatibleDC
0x415220 BitBlt
Library user32.dll:
0x415228 ReleaseDC
0x41522c GetSysColor
0x415230 GetIconInfo
0x415234 GetDC
0x415238 FillRect
0x41523c DestroyIcon
0x415240 CopyImage
0x415244 CharLowerBuffA
Library shell32.dll:
0x41524c ShellExecuteA
0x415250 ExtractIconA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62192 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.