SmartHawk

3.4

中危

57 个模型检测该样本为恶意！

重新分析

下载样本

854cd8ed0a2fb46f52cf610b77191562496c88eafa088cd2980d9c21bc3e8aa1

286af786afbe8d885af18da63f99ab65.exe

分析耗时

94s

最近分析

文件大小

15.3MB

静态报毒动态报毒 100% AI SCORE=88 ATBH BAKB BZKEM CLASSIC CONFIDENCE FILEINFECTOR GEN2 HLLP KASHU KUKU MALICIOUS PE MALWARE@#1WJYXXSZKK5OZ POLY2 SALICODE SALITY SCORE SECTOR STATIC AI TUTU UNSAFE 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Virus:Win32/Sality.ebde8f48	20190527	0.3.0.5
Tencent	Virus.Win32.TuTu.Gen.200004	20201211	1.0.0.1
Baidu	Win32.Virus.Sality.gen	20190318	1.0.0.2
Kingsoft		20201211	2017.9.26.565
McAfee	W32/Sality.gen.z	20201211	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

This executable has a PDB path (1 个事件)

pdb_path

FlashPlayer.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.rodata

The binary likely contains encrypted or compressed data indicative of a packer (1 个事件)

entropy

7.487480244683949

section

{'size_of_data': '0x000d7e00', 'virtual_address': '0x00c27000', 'entropy': 7.487480244683949, 'name': '.data', 'virtual_size': '0x001c90e8'}

description

A section with a high entropy has been found

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)

Bkav	W32.Sality.PE
DrWeb	Win32.Sector.30
MicroWorld-eScan	Win32.Sality.3
FireEye	Generic.mg.286af786afbe8d88
CAT-QuickHeal	W32.Sality.U
Cylance	Unsafe
Zillya	Virus.Sality.Win32.25
Sangfor	Malware
K7AntiVirus	Virus ( f10001071 )
Alibaba	Virus:Win32/Sality.ebde8f48
K7GW	Virus ( f10001071 )
Cybereason	malicious.6afbe8
Arcabit	Win32.Sality.3
BitDefenderTheta	AI:FileInfector.A5ECCBAB0E
Cyren	W32/Sality.gen2
Symantec	W32.Sality.AE
TotalDefense	Win32/Sality.AA
Zoner	Trojan.Win32.Sality.22009
TrendMicro-HouseCall	PE_SALITY.ER
Paloalto	generic.ml
Kaspersky	Virus.Win32.Sality.gen
BitDefender	Win32.Sality.3
NANO-Antivirus	Virus.Win32.Sality.bzkem
ViRobot	Win32.Sality.Gen.A
Tencent	Virus.Win32.TuTu.Gen.200004
Ad-Aware	Win32.Sality.3
Emsisoft	Win32.Sality.3 (B)
Comodo	Malware@#1wjyxxszkk5oz
F-Secure	Malware.W32/Sality.AT
Baidu	Win32.Virus.Sality.gen
VIPRE	Virus.Win32.Sality.atbh (v)
TrendMicro	PE_SALITY.ER
McAfee-GW-Edition	W32/Sality.gen.z
Sophos	Mal/Sality-D
Ikarus	Virus.Win32.Sality
Jiangmin	Win32/HLLP.Kuku.poly2
Avira	W32/Sality.AT
Antiy-AVL	Virus/Win32.Sality.gen
Microsoft	Virus:Win32/Sality.AT
AegisLab	Virus.Win32.Sality.v!c
ZoneAlarm	Virus.Win32.Sality.gen
GData	Win32.Sality.3
Cynet	Malicious (score: 85)
AhnLab-V3	Win32/Kashu.E
McAfee	W32/Sality.gen.z
MAX	malware (ai score=88)
VBA32	Virus.Win32.Sality.bakb
APEX	Malicious
ESET-NOD32	Win32/Sality.NBA
Rising	Virus.Sality!1.A5BD (CLASSIC)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2017-03-01 06:15:48

Imports

Library KERNEL32.dll:

• 0xe1006c ReadFile

• 0xe10070 SetFilePointer

• 0xe10074 GetFileSize

• 0xe10078 CreateFileW

• 0xe1007c GetModuleFileNameA

• 0xe10080 GetCommandLineW

• 0xe10084 SetEndOfFile

• 0xe10088 WriteFile

• 0xe1008c CreateFileA

• 0xe10090 GetFileAttributesA

• 0xe10094 GetStartupInfoW

• 0xe10098 GetCommandLineA

• 0xe1009c ExitProcess

• 0xe100a0 RemoveDirectoryW

• 0xe100a4 CopyFileW

• 0xe100a8 GetModuleFileNameW

• 0xe100ac GetCPInfo

• 0xe100b0 GetACP

• 0xe100b4 IsDBCSLeadByte

• 0xe100b8 HeapSize

• 0xe100bc DeviceIoControl

• 0xe100c0 CreateProcessA

• 0xe100c4 GetTempPathA

• 0xe100c8 FindNextFileW

• 0xe100cc GetSystemWow64DirectoryW

• 0xe100d0 ExpandEnvironmentStringsA

• 0xe100d4 WideCharToMultiByte

• 0xe100d8 MultiByteToWideChar

• 0xe100dc lstrlenW

• 0xe100e0 GetLongPathNameW

• 0xe100e4 CreateProcessW

• 0xe100e8 GetTempFileNameA

• 0xe100ec CreateDirectoryA

• 0xe100f0 DeleteFileA

• 0xe100f4 GetFileAttributesW

• 0xe100f8 CreateMutexA

• 0xe100fc SetFilePointerEx

• 0xe10100 GetFileSizeEx

• 0xe10104 GetFileAttributesExW

• 0xe10108 GetFileInformationByHandle

• 0xe1010c GetVolumeInformationW

• 0xe10110 MoveFileExW

• 0xe10114 GetCurrentDirectoryW

• 0xe10118 SetCurrentDirectoryW

• 0xe1011c GetFullPathNameW

• 0xe10120 ExpandEnvironmentStringsW

• 0xe10124 OutputDebugStringA

• 0xe10128 LoadLibraryA

• 0xe1012c GetSystemDirectoryA

• 0xe10130 FreeLibrary

• 0xe10134 GetVersionExW

• 0xe10138 GetCurrentProcess

• 0xe1013c VirtualQuery

• 0xe10140 ExitThread

• 0xe10144 GetUserDefaultLangID

• 0xe10148 GetUserDefaultUILanguage

• 0xe1014c VerifyVersionInfoW

• 0xe10150 VerSetConditionMask

• 0xe10154 GlobalFree

• 0xe10158 CreateThread

• 0xe1015c LockResource

• 0xe10160 LoadResource

• 0xe10164 FindResourceExA

• 0xe10168 FindResourceExW

• 0xe1016c GlobalAlloc

• 0xe10170 GlobalUnlock

• 0xe10174 GlobalLock

• 0xe10178 QueryPerformanceCounter

• 0xe1017c QueryPerformanceFrequency

• 0xe10180 GlobalSize

• 0xe10184 QueueUserAPC

• 0xe10188 OpenThread

• 0xe1018c SleepEx

• 0xe10190 SetUnhandledExceptionFilter

• 0xe10194 GetCurrentProcessId

• 0xe10198 GetProcessTimes

• 0xe1019c RaiseException

• 0xe101a0 FlushInstructionCache

• 0xe101a4 SetLastError

• 0xe101a8 TerminateThread

• 0xe101ac CreateEventW

• 0xe101b0 SetEvent

• 0xe101b4 ResetEvent

• 0xe101b8 WaitForMultipleObjects

• 0xe101bc CreateWaitableTimerW

• 0xe101c0 GetTickCount

• 0xe101c4 SetThreadPriority

• 0xe101c8 GetTimeZoneInformation

• 0xe101cc GetSystemTime

• 0xe101d0 SystemTimeToFileTime

• 0xe101d4 DebugBreak

• 0xe101d8 GetModuleHandleW

• 0xe101dc LCMapStringW

• 0xe101e0 GetExitCodeThread

• 0xe101e4 DuplicateHandle

• 0xe101e8 GetCurrentThread

• 0xe101ec MapViewOfFile

• 0xe101f0 UnmapViewOfFile

• 0xe101f4 CompareFileTime

• 0xe101f8 ReleaseMutex

• 0xe101fc CreateFileMappingA

• 0xe10200 ReleaseSemaphore

• 0xe10204 CreateSemaphoreW

• 0xe10208 SetThreadAffinityMask

• 0xe1020c CreateEventA

• 0xe10210 CreateWaitableTimerA

• 0xe10214 SetWaitableTimer

• 0xe10218 CancelWaitableTimer

• 0xe1021c InterlockedExchangeAdd

• 0xe10220 GetVersionExA

• 0xe10224 GetVersion

• 0xe10228 VirtualAlloc

• 0xe1022c VirtualFree

• 0xe10230 FlushFileBuffers

• 0xe10234 GlobalMemoryStatusEx

• 0xe10238 IsDebuggerPresent

• 0xe1023c SetSystemTime

• 0xe10240 FileTimeToSystemTime

• 0xe10244 TlsAlloc

• 0xe10248 TlsFree

• 0xe1024c ResumeThread

• 0xe10250 CreateTimerQueueTimer

• 0xe10254 DeleteTimerQueueTimer

• 0xe10258 CreateSemaphoreA

• 0xe1025c HeapAlloc

• 0xe10260 HeapFree

• 0xe10264 HeapUnlock

• 0xe10268 HeapWalk

• 0xe1026c HeapLock

• 0xe10270 HeapCreate

• 0xe10274 HeapDestroy

• 0xe10278 VirtualProtect

• 0xe1027c GetNumberFormatW

• 0xe10280 GetCurrencyFormatW

• 0xe10284 CompareStringW

• 0xe10288 GetDateFormatW

• 0xe1028c GetTimeFormatW

• 0xe10290 GetUserDefaultLCID

• 0xe10294 EnumSystemLocalesW

• 0xe10298 GetProcessHeap

• 0xe1029c GetProcessAffinityMask

• 0xe102a0 IsProcessorFeaturePresent

• 0xe102a4 GetStartupInfoA

• 0xe102a8 RtlUnwind

• 0xe102ac UnhandledExceptionFilter

• 0xe102b0 GetSystemTimeAsFileTime

• 0xe102b4 HeapReAlloc

• 0xe102b8 GetStdHandle

• 0xe102bc TerminateProcess

• 0xe102c0 FreeEnvironmentStringsA

• 0xe102c4 GetEnvironmentStrings

• 0xe102c8 FreeEnvironmentStringsW

• 0xe102cc GetEnvironmentStringsW

• 0xe102d0 SetHandleCount

• 0xe102d4 GetFileType

• 0xe102d8 GetOEMCP

• 0xe102dc IsValidCodePage

• 0xe102e0 LCMapStringA

• 0xe102e4 GetConsoleCP

• 0xe102e8 GetConsoleMode

• 0xe102ec SetConsoleCtrlHandler

• 0xe102f0 InitializeCriticalSectionAndSpinCount

• 0xe102f4 SetStdHandle

• 0xe102f8 GetLocaleInfoA

• 0xe102fc GetStringTypeA

• 0xe10300 GetStringTypeW

• 0xe10304 WriteConsoleA

• 0xe10308 GetConsoleOutputCP

• 0xe1030c WriteConsoleW

• 0xe10310 CompareStringA

• 0xe10314 SetEnvironmentVariableA

• 0xe10318 LocalAlloc

• 0xe1031c GlobalMemoryStatus

• 0xe10320 FlushConsoleInputBuffer

• 0xe10324 GetProcAddress

• 0xe10328 WaitForSingleObject

• 0xe1032c GetExitCodeProcess

• 0xe10330 CloseHandle

• 0xe10334 FindFirstFileW

• 0xe10338 FindClose

• 0xe1033c GetSystemDirectoryW

• 0xe10340 LoadLibraryW

• 0xe10344 GetModuleHandleA

• 0xe10348 GetTempPathW

• 0xe1034c GetTempFileNameW

• 0xe10350 GetLastError

• 0xe10354 DeleteFileW

• 0xe10358 CreateDirectoryW

• 0xe1035c GetSystemInfo

• 0xe10360 SwitchToThread

• 0xe10364 TlsGetValue

• 0xe10368 TlsSetValue

• 0xe1036c GetCurrentThreadId

• 0xe10370 LeaveCriticalSection

• 0xe10374 ReadConsoleInputA

• 0xe10378 SetConsoleMode

• 0xe1037c FindFirstFileA

• 0xe10380 EnterCriticalSection

• 0xe10384 TryEnterCriticalSection

• 0xe10388 DeleteCriticalSection

• 0xe1038c InitializeCriticalSection

• 0xe10390 InterlockedDecrement

• 0xe10394 InterlockedIncrement

• 0xe10398 InterlockedExchange

• 0xe1039c InterlockedCompareExchange

• 0xe103a0 GetLocaleInfoW

• 0xe103a4 Sleep

• 0xe103a8 FileTimeToLocalFileTime

• 0xe103ac GetDriveTypeA

• 0xe103b0 GetFullPathNameA

• 0xe103b4 PeekNamedPipe

• 0xe103b8 GetCurrentDirectoryA

Library ADVAPI32.dll:

• 0xe10000 CryptEncrypt

• 0xe10004 CryptDestroyKey

• 0xe10008 CryptImportKey

• 0xe1000c CryptSetKeyParam

• 0xe10010 CryptGetHashParam

• 0xe10014 CryptHashData

• 0xe10018 CryptDestroyHash

• 0xe1001c CryptAcquireContextA

• 0xe10020 CryptCreateHash

• 0xe10024 RegisterEventSourceA

• 0xe10028 ReportEventA

• 0xe1002c DeregisterEventSource

• 0xe10030 RegOpenKeyA

• 0xe10034 CryptAcquireContextW

• 0xe10038 CryptGenRandom

• 0xe1003c CryptReleaseContext

• 0xe10040 RegOpenKeyExA

• 0xe10044 RegQueryValueExW

• 0xe10048 RegSetValueExW

• 0xe1004c RegCreateKeyExW

• 0xe10050 RegSetValueExA

• 0xe10054 RegQueryValueExA

• 0xe10058 RegCloseKey

• 0xe1005c RegCreateKeyExA

• 0xe10060 RegOpenKeyExW

• 0xe10064 CryptDecrypt

Exports

Ordinal	Address	Name
1	0x940ac0	IAEModule_AEModule_PutKernel
2	0x9421f0	IAEModule_IAEKernel_LoadModule
3	0x942260	IAEModule_IAEKernel_UnloadModule
4	0x41f5da	_WinMainSandboxed@20

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com A 172.217.24.14	172.217.24.14
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.