SmartHawk

2.8

中危

57 个模型检测该样本为恶意！

重新分析

下载样本

ce62b79e72ba1f651c7b2794ec9abad2edb1a82d0adf643f1b1b4ed1a29d1eb1

29a4b7badeb75d1d119b8c7538d31c98.exe

分析耗时

24s

最近分析

文件大小

533.0KB

静态报毒动态报毒 100% AHKINFOSTEAL AI SCORE=89 AIDETECT ATTRIBUTE CLOUD CONFIDENCE CRYPTINJECT DROPPERX ELDORADO ESPK FHE8Y4QQ7XO FSUC GENERICKDZ GENETIC GENKRYPTIK GULOADER HGCB HIGH CONFIDENCE HIGHCONFIDENCE HTCM HUVGZK HWOCSO8A KCLOUD KRYPTIK LOCKBIT MALICIOUS PE MALPE MALWARE1 MALWARE@#1OW0NNZNG14ZK R351020 SAVE SCORE SIGGEN10 STATIC AI STRALO SUSGEN TOFSEE TROJDOWNLOADER UNSAFE 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	TrojanDownloader:Win32/Stralo.cba84747	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:DropperX-gen [Drp]	20210301	21.1.5827.0
Kingsoft	Win32.TrojDownloader.Stralo.uu.(kcloud)	20210301	2017.9.26.565
McAfee	Lockbit-FSUC!29A4B7BADEB7	20210301	6.0.6.653
Tencent	Win32.Trojan.Agent.Htcm	20210301	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20210203	1.0

The file contains an unknown PE resource name possibly indicative of a packer (5 个事件)

resource name	AFX_DIALOG_LAYOUT
resource name	HOSAXIY
resource name	SATEGESUXOTADOSOMUDUMOG
resource name	TUWUTAPUGAMOGIF
resource name	None

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620135362.997876 NtProtectVirtualMemory	process_identifier: 2476 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 446464 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x061ec000	success	0	0
1620135363.044876 NtAllocateVirtualMemory	process_identifier: 2476 region_size: 937984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x076d0000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.980204395045914

section

{'size_of_data': '0x00075c00', 'virtual_address': '0x00001000', 'entropy': 7.980204395045914, 'name': '.text', 'virtual_size': '0x00075a70'}

description

A section with a high entropy has been found

entropy

0.8853383458646616

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKDZ.69992
FireEye	Generic.mg.29a4b7badeb75d1d
Qihoo-360	Win32/TrojanDownloader.Generic.HwoCSO8A
ALYac	Trojan.Agent.GuLoader
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.2533273
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0056e13a1 )
Alibaba	TrojanDownloader:Win32/Stralo.cba84747
K7GW	Trojan ( 0056e13a1 )
Cybereason	malicious.adeb75
Cyren	W32/Kryptik.BXK.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Tofsee-9755212-0
Kaspersky	HEUR:Trojan.Win32.Agent.gen
BitDefender	Trojan.GenericKDZ.69992
NANO-Antivirus	Trojan.Win32.Stralo.huvgzk
Avast	Win32:DropperX-gen [Drp]
Rising	Trojan.Kryptik!1.CC4E (CLOUD)
Ad-Aware	Trojan.GenericKDZ.69992
Emsisoft	Trojan.GenericKDZ.69992 (B)
Comodo	Malware@#1ow0nnzng14zk
F-Secure	Trojan.TR/AD.AHKInfoSteal.AZ
DrWeb	Trojan.Siggen10.17407
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Generic.hc
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Jiangmin	TrojanDownloader.Stralo.il
Webroot	W32.Trojan.Gen
Avira	TR/AD.AHKInfoSteal.AZ
MAX	malware (ai score=89)
Kingsoft	Win32.TrojDownloader.Stralo.uu.(kcloud)
Microsoft	TrojanDownloader:Win32/CryptInject!MSR
Gridinsoft	Trojan.Win32.Kryptik.oa
Arcabit	Trojan.Generic.D11168
ZoneAlarm	HEUR:Trojan.Win32.Agent.gen
GData	Trojan.GenericKDZ.69992
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.RL_MalPe.R351020
Acronis	suspicious
McAfee	Lockbit-FSUC!29A4B7BADEB7
VBA32	TrojanDownloader.Stralo
Malwarebytes	Trojan.GuLoader
ESET-NOD32	a variant of Win32/Kryptik.HGCB
Tencent	Win32.Trojan.Agent.Htcm

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-04-19 21:19:18

Imports

Library KERNEL32.dll:

• 0x477008 SetVolumeLabelA

• 0x47700c CreateMutexW

• 0x477010 _llseek

• 0x477014 FindResourceExW

• 0x477018 BuildCommDCBAndTimeoutsA

• 0x47701c DeleteVolumeMountPointA

• 0x477020 ReadConsoleA

• 0x477024 InterlockedDecrement

• 0x477028 CompareFileTime

• 0x47702c CreateJobObjectW

• 0x477030 GlobalLock

• 0x477034 GetUserDefaultLCID

• 0x477038 ConnectNamedPipe

• 0x47703c CallNamedPipeW

• 0x477040 SetTapeParameters

• 0x477044 WriteFile

• 0x477048 FindActCtxSectionStringA

• 0x47704c SetProcessPriorityBoost

• 0x477050 GlobalAlloc

• 0x477054 GetConsoleMode

• 0x477058 GetPrivateProfileStructW

• 0x47705c SizeofResource

• 0x477060 GetConsoleWindow

• 0x477064 LeaveCriticalSection

• 0x477068 WritePrivateProfileStructW

• 0x47706c IsDBCSLeadByte

• 0x477070 GetBinaryTypeW

• 0x477074 lstrlenW

• 0x477078 ReleaseActCtx

• 0x47707c SetCurrentDirectoryA

• 0x477080 GetLastError

• 0x477084 GetProcAddress

• 0x477088 EnumResourceNamesW

• 0x47708c SetVolumeLabelW

• 0x477090 ReadFileEx

• 0x477094 DisableThreadLibraryCalls

• 0x477098 _hwrite

• 0x47709c OpenWaitableTimerA

• 0x4770a0 OpenMutexA

• 0x4770a4 WriteConsoleA

• 0x4770a8 GetExitCodeThread

• 0x4770ac AddAtomW

• 0x4770b0 SetFileApisToANSI

• 0x4770b4 BeginUpdateResourceA

• 0x4770b8 PostQueuedCompletionStatus

• 0x4770bc WriteProfileSectionW

• 0x4770c0 VirtualLock

• 0x4770c4 GlobalHandle

• 0x4770c8 GetTapeParameters

• 0x4770cc GetSystemInfo

• 0x4770d0 WaitForMultipleObjects

• 0x4770d4 SetSystemTime

• 0x4770d8 GlobalWire

• 0x4770dc EnumDateFormatsA

• 0x4770e0 GetThreadPriority

• 0x4770e4 GetModuleHandleA

• 0x4770e8 ScrollConsoleScreenBufferA

• 0x4770ec SetCalendarInfoA

• 0x4770f0 OpenSemaphoreW

• 0x4770f4 GetVersionExA

• 0x4770f8 GetSystemTime

• 0x4770fc TlsFree

• 0x477100 SuspendThread

• 0x477104 lstrcpyA

• 0x477108 CreateNamedPipeA

• 0x47710c FillConsoleOutputCharacterA

• 0x477110 GetStartupInfoW

• 0x477114 TerminateProcess

• 0x477118 GetCurrentProcess

• 0x47711c UnhandledExceptionFilter

• 0x477120 SetUnhandledExceptionFilter

• 0x477124 IsDebuggerPresent

• 0x477128 GetModuleHandleW

• 0x47712c Sleep

• 0x477130 ExitProcess

• 0x477134 GetStdHandle

• 0x477138 GetModuleFileNameA

• 0x47713c GetModuleFileNameW

• 0x477140 FreeEnvironmentStringsW

• 0x477144 GetEnvironmentStringsW

• 0x477148 GetCommandLineW

• 0x47714c SetHandleCount

• 0x477150 GetFileType

• 0x477154 GetStartupInfoA

• 0x477158 DeleteCriticalSection

• 0x47715c TlsGetValue

• 0x477160 TlsAlloc

• 0x477164 TlsSetValue

• 0x477168 InterlockedIncrement

• 0x47716c SetLastError

• 0x477170 GetCurrentThreadId

• 0x477174 HeapCreate

• 0x477178 VirtualFree

• 0x47717c HeapFree

• 0x477180 QueryPerformanceCounter

• 0x477184 GetTickCount

• 0x477188 GetCurrentProcessId

• 0x47718c GetSystemTimeAsFileTime

• 0x477190 SetFilePointer

• 0x477194 WideCharToMultiByte

• 0x477198 GetConsoleCP

• 0x47719c EnterCriticalSection

• 0x4771a0 GetCPInfo

• 0x4771a4 GetACP

• 0x4771a8 GetOEMCP

• 0x4771ac IsValidCodePage

• 0x4771b0 MultiByteToWideChar

• 0x4771b4 LoadLibraryA

• 0x4771b8 InitializeCriticalSectionAndSpinCount

• 0x4771bc HeapAlloc

• 0x4771c0 VirtualAlloc

• 0x4771c4 HeapReAlloc

• 0x4771c8 RtlUnwind

• 0x4771cc SetStdHandle

• 0x4771d0 GetConsoleOutputCP

• 0x4771d4 WriteConsoleW

• 0x4771d8 LCMapStringA

• 0x4771dc LCMapStringW

• 0x4771e0 GetStringTypeA

• 0x4771e4 GetStringTypeW

• 0x4771e8 GetLocaleInfoA

• 0x4771ec HeapSize

• 0x4771f0 CreateFileA

• 0x4771f4 CloseHandle

• 0x4771f8 FlushFileBuffers

Library GDI32.dll:

• 0x477000 GetBitmapBits

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	49238	239.255.255.250	1900
192.168.56.101	50003	239.255.255.250	3702
192.168.56.101	58368	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.