SmartHawk

5.8

高危

50 个模型检测该样本为恶意！

重新分析

下载样本

08c0f4831d9f0e3d57fbb7290e5fde4a50598b50676f76aaee3db9c079d500bc

28b568e034c39c674f71c621dbe251ae.exe

分析耗时

86s

最近分析

文件大小

317.0KB

静态报毒动态报毒 AI SCORE=83 AIDETECTVM ATTRIBUTE B4G9EPJNAIN BABYLONRAT BLUTEAL CH@5Y3Z3Q CONFIDENCE DODIW FILEREPMALWARE GENERICKD GENERICRXAA HIGH CONFIDENCE HIGHCONFIDENCE HLIDGK HTCN LARBY LETHIC MALICIOUS PE MALWARE1 MBL2 R339085 RULVC SCORE STATIC AI SYSN TMGFAKUJ7Q UNSAFE WEBPICK ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	TrojanSpy:Win32/Larby.5da177fc	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast		20201210	21.1.5827.0
Tencent	Win32.Trojan-spy.Larby.Htcn	20201211	1.0.0.1
Kingsoft		20201211	2017.9.26.565
McAfee	GenericRXAA-FA!28B568E034C3	20201211	6.0.6.653
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 个事件)

description

28b568e034c39c674f71c621dbe251ae.exe tried to sleep 142 seconds, actually delayed analysis time by 142 seconds

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.998133428009646

section

{'size_of_data': '0x0004ec00', 'virtual_address': '0x00072000', 'entropy': 7.998133428009646, 'name': 'UPX1', 'virtual_size': '0x0004f000'}

description

A section with a high entropy has been found

entropy

0.9968354430379747

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 个事件)

Time & API	Arguments	Status	Return
1619364987.588751 LookupPrivilegeValueW	system_name: privilege_name: SeShutdownPrivilege	success	1
1619364987.588751 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619364987.588751 LookupPrivilegeValueW	system_name: privilege_name: SeTcbPrivilege	success	1

The executable is compressed using UPX (3 个事件)

section	UPX0	description	Section name indicates UPX
section	UPX1	description	Section name indicates UPX
section	UPX2	description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619364987.932751 SetWindowsHookExW	thread_identifier: 0 callback_function: 0x00407464 module_address: 0x00000000 hook_identifier: 13 (WH_KEYBOARD_LL)	success	65977	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.33954266
FireEye	Generic.mg.28b568e034c39c67
ALYac	Trojan.GenericKD.33954266
Cylance	Unsafe
Zillya	Trojan.Larby.Win32.16
Sangfor	Malware
K7AntiVirus	Spyware ( 004cbce51 )
Alibaba	TrojanSpy:Win32/Larby.5da177fc
K7GW	Spyware ( 004cbce51 )
Cybereason	malicious.12fa6a
Arcabit	Trojan.Generic.D20619DA
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Kaspersky	HEUR:Trojan-Spy.Win32.Larby.vho
BitDefender	Trojan.GenericKD.33954266
NANO-Antivirus	Trojan.Win32.Lethic.hlidgk
Paloalto	generic.ml
Tencent	Win32.Trojan-spy.Larby.Htcn
Ad-Aware	Trojan.GenericKD.33954266
Emsisoft	Trojan.GenericKD.33954266 (B)
Comodo	TrojWare.Win32.TrojanDropper.Sysn.CH@5y3z3q
F-Secure	Trojan.TR/Spy.Agent.rulvc
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Generic.fc
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Avira	TR/Spy.Agent.rulvc
Antiy-AVL	Trojan[Spy]/Win32.Larby
Microsoft	Trojan:Win32/Bluteal!rfn
AegisLab	Trojan.Win32.Generic.mBL2
ZoneAlarm	HEUR:Trojan-Spy.Win32.Larby.vho
GData	Trojan.GenericKD.33954266
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Agent.R339085
Acronis	suspicious
McAfee	GenericRXAA-FA!28B568E034C3
MAX	malware (ai score=83)
VBA32	Trojan.WebPick
Malwarebytes	Backdoor.BabylonRAT
ESET-NOD32	a variant of Win32/Spy.Agent.OSD
Rising	Spyware.Agent!1.AD22 (TFE:5:b4G9epjNaiN)
Ikarus	Backdoor.Win32.Dodiw
Fortinet	W32/Agent.OSD!tr.spy
BitDefenderTheta	Gen:NN.ZexaF.34670.tmGfaKuj7Q
AVG	FileRepMalware
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	Win32/Trojan.Spy.a38

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-06-02 17:43:01

Imports

Library ADVAPI32.dll:

• 0x4c1154 RegCloseKey

Library COMCTL32.dll:

• 0x4c115c InitCommonControlsEx

Library CRYPT32.dll:

• 0x4c1164 CryptUnprotectData

Library GDI32.dll:

• 0x4c116c GetDIBits

Library gdiplus.dll:

• 0x4c1174 GdipFree

Library KERNEL32.DLL:

• 0x4c117c LoadLibraryA

• 0x4c1180 ExitProcess

• 0x4c1184 GetProcAddress

• 0x4c1188 VirtualProtect

Library NETAPI32.dll:

• 0x4c1190 NetUserEnum

Library ole32.dll:

• 0x4c1198 CoInitialize

Library OLEAUT32.dll:

• 0x4c11a0 VariantInit

Library POWRPROF.dll:

• 0x4c11a8 SetSuspendState

Library PSAPI.DLL:

• 0x4c11b0 GetModuleBaseNameW

Library SHELL32.dll:

• 0x4c11b8 ShellExecuteW

Library SHLWAPI.dll:

• 0x4c11c0

Library urlmon.dll:

• 0x4c11c8 URLDownloadToFileW

Library USER32.dll:

• 0x4c11d0 GetDC

Library WS2_32.dll:

• 0x4c11d8 recv

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
teredo.ipv6.microsoft.com		127.0.0.1
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.24.14

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.