SmartHawk

6.0

高危

该样本未表现出任何异常！

重新分析

下载样本

b5b64f85cdeb5432018e22087fce4b6dc1e56593e8416335f471d4eac1e2b8cf

2a02001df87e30cca1c88125646dbe4e.exe

分析耗时

129s

最近分析

文件大小

1.0MB

静态报毒动态报毒

未检测暂无鹰眼引擎检测结果

未检测暂无反病毒引擎检测结果

This executable has a PDB path (1 个事件)

pdb_path

C:\Users\W7H64\Desktop\VCSamples-master\VC2008Samples\crt\SecureCRT\before\Debug\SCRTbefore.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619381594.742374 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.00cfg

The executable uses a known packer (1 个事件)

packer

Microsoft Visual C++ V8.0 (Debug)

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619381597.538374 __exception__	stacktrace: 0x7134c3 0x720016 0x7221d3 0x715986 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 38596928 registers.edi: 38597068 registers.eax: 38596952 registers.ebp: 38596968 registers.edx: 39714816 registers.ebx: 38597208 registers.esi: 55574528 registers.ecx: 0 exception.instruction_r: 0f b7 01 66 89 02 41 41 42 42 66 85 c0 75 f1 c7 exception.symbol: lstrcpyW+0x16 IsBadStringPtrA-0x5b kernel32+0x33118 exception.instruction: movzx eax, word ptr [ecx] exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 209176 exception.address: 0x76373118	success	0	0

Connects to a Dynamic DNS Domain (1 个事件)

domain

boobsy.duckdns.org

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619381563.101374 NtAllocateVirtualMemory	process_identifier: 428 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00330000	success	0	0
1619381604.413126 NtAllocateVirtualMemory	process_identifier: 1424 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0000000004810000	success	0	0

Creates executable files on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Creates an Alternate Data Stream (ADS) (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start

Installs itself for autorun at Windows startup (2 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start

Attempts to remove evidence of file being downloaded from the Internet (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\:Zone.Identifier

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	216.58.200.238:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-05-13 19:41:14

Imports

Library KERNEL32.dll:

• 0x4fd000 Sleep

• 0x4fd004 VirtualAlloc

• 0x4fd008 FreeConsole

• 0x4fd00c ReadConsoleW

• 0x4fd010 IsDebuggerPresent

• 0x4fd014 RaiseException

• 0x4fd018 MultiByteToWideChar

• 0x4fd01c WideCharToMultiByte

• 0x4fd020 UnhandledExceptionFilter

• 0x4fd024 SetUnhandledExceptionFilter

• 0x4fd028 GetCurrentProcess

• 0x4fd02c TerminateProcess

• 0x4fd030 IsProcessorFeaturePresent

• 0x4fd034 QueryPerformanceCounter

• 0x4fd038 GetCurrentProcessId

• 0x4fd03c GetCurrentThreadId

• 0x4fd040 GetSystemTimeAsFileTime

• 0x4fd044 InitializeSListHead

• 0x4fd048 GetStartupInfoW

• 0x4fd04c GetModuleHandleW

• 0x4fd050 GetLastError

• 0x4fd054 HeapAlloc

• 0x4fd058 HeapFree

• 0x4fd05c GetProcessHeap

• 0x4fd060 VirtualQuery

• 0x4fd064 FreeLibrary

• 0x4fd068 GetProcAddress

• 0x4fd06c RtlUnwind

• 0x4fd070 InterlockedPushEntrySList

• 0x4fd074 InterlockedFlushSList

• 0x4fd078 GetModuleFileNameW

• 0x4fd07c LoadLibraryExW

• 0x4fd080 SetLastError

• 0x4fd084 EncodePointer

• 0x4fd088 EnterCriticalSection

• 0x4fd08c LeaveCriticalSection

• 0x4fd090 DeleteCriticalSection

• 0x4fd094 InitializeCriticalSectionAndSpinCount

• 0x4fd098 TlsAlloc

• 0x4fd09c TlsGetValue

• 0x4fd0a0 TlsSetValue

• 0x4fd0a4 TlsFree

• 0x4fd0a8 CloseHandle

• 0x4fd0ac WriteFile

• 0x4fd0b0 GetConsoleCP

• 0x4fd0b4 GetConsoleMode

• 0x4fd0b8 GetModuleFileNameA

• 0x4fd0bc GetModuleHandleExW

• 0x4fd0c0 GetStdHandle

• 0x4fd0c4 ExitProcess

• 0x4fd0c8 GetCommandLineA

• 0x4fd0cc GetCommandLineW

• 0x4fd0d0 GetACP

• 0x4fd0d4 HeapValidate

• 0x4fd0d8 GetSystemInfo

• 0x4fd0dc GetDateFormatW

• 0x4fd0e0 GetTimeFormatW

• 0x4fd0e4 CompareStringW

• 0x4fd0e8 LCMapStringW

• 0x4fd0ec GetLocaleInfoW

• 0x4fd0f0 IsValidLocale

• 0x4fd0f4 GetUserDefaultLCID

• 0x4fd0f8 EnumSystemLocalesW

• 0x4fd0fc GetFileType

• 0x4fd100 GetCurrentThread

• 0x4fd104 SetStdHandle

• 0x4fd108 CreateFileW

• 0x4fd10c SetFilePointerEx

• 0x4fd110 WriteConsoleW

• 0x4fd114 OutputDebugStringA

• 0x4fd118 OutputDebugStringW

• 0x4fd11c WaitForSingleObjectEx

• 0x4fd120 CreateThread

• 0x4fd124 SetConsoleCtrlHandler

• 0x4fd128 FindClose

• 0x4fd12c FindFirstFileExA

• 0x4fd130 FindFirstFileExW

• 0x4fd134 FindNextFileA

• 0x4fd138 FindNextFileW

• 0x4fd13c IsValidCodePage

• 0x4fd140 GetOEMCP

• 0x4fd144 GetCPInfo

• 0x4fd148 GetEnvironmentStringsW

• 0x4fd14c FreeEnvironmentStringsW

• 0x4fd150 SetEnvironmentVariableA

• 0x4fd154 SetEnvironmentVariableW

• 0x4fd158 GetStringTypeW

• 0x4fd15c HeapReAlloc

• 0x4fd160 HeapSize

• 0x4fd164 HeapQueryInformation

• 0x4fd168 FlushFileBuffers

• 0x4fd16c SetEndOfFile

• 0x4fd170 ReadFile

• 0x4fd174 DecodePointer

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
boobsy.duckdns.org	A 192.169.69.26	192.169.69.26
clients2.google.com	CNAME clients.l.google.com A 216.58.200.238	172.217.24.14
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	57236	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	54178	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.