Score: 5.4
Risk level: Medium

SHA256: f6aee982edbff1d25f87abf9d1898d0391e8b171dcd059fa820c1d80a804b3b8

File name: 34f391e0d33e6eeb7c22daa85c211133.exe

Analysis duration: 15s

Last analyzed:

File size: 1022.2KB
Static detection: positive | Dynamic detection: positive | 100%
Detection tags: AEUC, AI SCORE=100, AIDETECTVM, AMMYY, BADUR, BAVE, BUBLIK, COBRA, CONFIDENCE, DGZLOGJ+SKTFSGXWPA, ELDORADO, EYKFYI, GEN@24TBUS, GENCIRC, GENERICRXIB, GENETIC, HIGH, HIGH CONFIDENCE, KRYPTIK, LXEV, MALICIOUS, PE, MALWARE1, MUPX, R002C0CF820, R257559, SCORE, SLUGIN, SMALL, UNSAFE, UPATRE, WTQEKLPECZW, YARWI, ZBOT
Eagle Eye engine
Not detected (no Eagle Eye engine results available)
Static verdict
Antivirus engines
Engine       Result                                    Scan date   Engine version
Alibaba      TrojanDownloader:Win32/Upatre.34115e80    20190527    0.3.0.5
Avast        Win32:Adware-gen [Adw]                    20200706    18.4.3895.0
Baidu        Win32.Trojan.Kryptik.mp                   20190318    1.0.0.2
Kingsoft                                               20200707    2013.8.14.323
McAfee       GenericRXIB-GY!34F391E0D33E               20200707    6.0.6.653
Tencent      Malware.Win32.Gencirc.10b07999            20200707    1.0.0.1
CrowdStrike  win/malicious_confidence_100% (W)         20190702    1.0
Static indicators
Checks if process is being debugged by a debugger (1 event)
Time                 API                Arguments   Status   Return   Repeated
1619345036.618148    IsDebuggerPresent              failed   0        0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .imports
One or more processes crashed (1 event)
Time                 API                Arguments   Status   Return   Repeated
1619345037.493148    __exception__      (listed below)
stacktrace:

registers.esp: 836028
registers.edi: 260
registers.eax: 2147500037
registers.ebp: 836076
registers.edx: 837768
registers.ebx: 1
registers.esi: 836096
registers.ecx: 1
exception.instruction_r: fb ff ff e1 cb 6f ff b5 ec fb ff ff ff 15 a8 11
exception.instruction: sti
exception.exception_code: 0xc0000096
exception.symbol: PSPropertyKeyFromString+0x54e1 PSCreateAdapterFromPropertyStore-0x83a8 propsys+0x421d9
exception.address: 0x751421d9
Status: success   Return: 0   Repeated: 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (3 events)
Time & API Arguments Status Return Repeated
1619345036.649148
NtAllocateVirtualMemory
process_identifier: 2864
region_size: 1118208
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01d00000
success 0 0
1619345036.649148
NtAllocateVirtualMemory
process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01e10000
success 0 0
1619345037.368148
NtAllocateVirtualMemory
process_identifier: 2864
region_size: 4194304
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x033f0000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\budha.exe
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\budha.exe
The binary likely contains encrypted or compressed data indicative of a packer (1 event)
entropy 7.446804131643004; section UPX1 (size_of_data 0x00001c00, virtual_address 0x0000a000, virtual_size 0x00002000); description: A section with a high entropy has been found
The executable is compressed using UPX (2 events)
section UPX0; description: Section name indicates UPX
section UPX1; description: Section name indicates UPX
Network communication
One or more of the buffers contains an embedded PE file (1 event)
buffer Buffer with sha1: f8cbd004ecf7b671fe3e4e9f65ac38d383084a82
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
File has been identified by 66 AntiVirus engines on VirusTotal as malicious (50 of 66 events shown)
Bkav W32.AIDetectVM.malware1
DrWeb Trojan.DownLoad3.28161
MicroWorld-eScan Trojan.Agent.BAVE
FireEye Generic.mg.34f391e0d33e6eeb
CAT-QuickHeal TrojanDownloader.Upatre
ALYac Trojan.Agent.BAVE
Cylance Unsafe
SUPERAntiSpyware Trojan.Agent/Gen-Dropper
Sangfor Malware
K7AntiVirus Trojan-Downloader ( 0040f6bd1 )
Alibaba TrojanDownloader:Win32/Upatre.34115e80
K7GW Trojan-Downloader ( 0040f6bd1 )
Cybereason malicious.0d33e6
Arcabit Trojan.Agent.BAVE
Invincea heuristic
BitDefenderTheta AI:Packer.A9C3AE891E
F-Prot W32/Upatre.KZ.gen!Eldorado
Symantec SMG.Heur!gen
ESET-NOD32 Win32/TrojanDownloader.Small.AAB
APEX Malicious
Avast Win32:Adware-gen [Adw]
ClamAV Win.Downloader.Upatre-5744087-0
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Trojan.Agent.BAVE
NANO-Antivirus Trojan.Win32.DownLoad3.eykfyi
Paloalto generic.ml
AegisLab Trojan.Win32.Generic.lXEV
Rising Spyware.Zbot!8.16B (TFE:dGZlOgJ+SkTFSgxWpA)
Ad-Aware Trojan.Agent.BAVE
Emsisoft Trojan.Agent.BAVE (B)
Comodo Packed.Win32.MUPX.Gen@24tbus
F-Secure Trojan.TR/Yarwi.AD.5
Baidu Win32.Trojan.Kryptik.mp
VIPRE Trojan.Win32.Generic.pak!cobra
TrendMicro TROJ_GEN.R002C0CF820
Trapmine malicious.high.ml.score
Sophos Troj/Agent-AEUC
Ikarus Trojan.Win32.Badur
Cyren W32/Upatre.KZ.gen!Eldorado
Jiangmin Trojan/Bublik.ggf
eGambit RAT.Ammyy
Avira TR/Yarwi.AD.5
MAX malware (ai score=100)
Antiy-AVL Virus/Win32.Slugin.a
Microsoft TrojanDownloader:Win32/Upatre.A
Endgame malicious (high confidence)
ViRobot Trojan.Win32.Z.Upatre.1046774.A
ZoneAlarm HEUR:Trojan.Win32.Generic
GData Trojan.Agent.BAVE
Cynet Malicious (score: 100)
Visual analysis
Binary image
No binary image: no binary visualization was generated for this sample.
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran.


PE Compile Time

2004-09-03 14:07:40

Imports

Library KERNEL32.DLL:
0x4060f0 GetModuleHandleA
0x4060f4 GetProcAddress
0x4060f8 HeapCreate
0x4060fc HeapAlloc
0x406100 ExitProcess
0x406104 FreeLibrary
Library ADVAPI32.dll:
0x406250 RegQueryValueExA
0x406254 RegOpenKeyA
0x406258 GetUserNameA
0x40625c CopySid
0x406260 GetLengthSid
Library GDI32.dll:
0x406300 CreateBitmap
0x406304 IntersectClipRect
0x406308 ExcludeClipRect
0x40630c UpdateColors
0x406314 CreateCompatibleDC
0x406318 DeleteObject
0x40631c TextOutA
0x406320 SetBkColor
0x406324 SetTextColor
0x406328 Rectangle
0x40632c CreateSolidBrush
0x406330 GetStockObject
0x406334 CreateFontIndirectA
0x40633c GetTextMetricsA
0x406340 CreateFontA
0x406344 RealizePalette
Library IMM32.dll:
0x4064a8 ImmGetContext
Library Msacm32.dll:
0x406520 acmDriverID
0x406524 acmStreamOpen
Library user32.dll:
0x40618c GetMessageA
0x406190 DefWindowProcA
0x406194 PostQuitMessage
0x406198 GetDoubleClickTime
0x40619c UpdateWindow
0x4061a0 GetQueueStatus
0x4061a4 LoadIconA
0x4061a8 RegisterClassA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source           Source Port   Destination       Destination Port
192.168.56.101   49235         114.114.114.114   53
192.168.56.101   50534         114.114.114.114   53
192.168.56.101   56539         114.114.114.114   53
192.168.56.101   65004         114.114.114.114   53
192.168.56.101   137           192.168.56.255    137
192.168.56.101   55368         224.0.0.252       5355
192.168.56.101   56804         224.0.0.252       5355
192.168.56.101   60123         224.0.0.252       5355
192.168.56.101   62191         224.0.0.252       5355
192.168.56.101   1900          239.255.255.250   1900
192.168.56.101   50535         239.255.255.250   3702
192.168.56.101   50537         239.255.255.250   3702
192.168.56.101   56540         239.255.255.250   3702
192.168.56.101   56807         239.255.255.250   1900
192.168.56.101   58707         239.255.255.250   3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.