SmartHawk

4.6

中危

46 个模型检测该样本为恶意！

重新分析

下载样本

e5225b05d643d35cc253836f5ccbbeed22f6995f1a0c2a1b3277ba8bdc12d36e

38bd12138dfbb99c31e786fe8f80a75a.exe

分析耗时

75s

最近分析

文件大小

158.0KB

静态报毒动态报毒 100% 56JNTI AI SCORE=88 ARTEMIS BAZAR BAZDOR CONFIDENCE GENERICKD LMBL MALWARE@#38C8UWALY3VRZ MIKEY R066C0DIK20 R335395 SCORE SUSGEN TROJANX UNSAFE VPZOX XVWE ZUDOCHKA 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!38BD12138DFB	20201211	6.0.6.653
Alibaba	Trojan:Win64/Zudochka.68eafd0c	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win64:TrojanX-gen [Trj]	20201210	21.1.5827.0
Tencent	Win32.Trojan.Zudochka.Lmbl	20201211	1.0.0.1
Kingsoft		20201211	2017.9.26.565
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (3 个事件)

Time & API	Arguments	Status	Return
1619345036.912641 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619345047.958641 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619345047.990641 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345036.568641 IsDebuggerPresent		failed	0	0

A process attempted to delay the analysis task. (1 个事件)

description

38bd12138dfbb99c31e786fe8f80a75a.exe tried to sleep 150 seconds, actually delayed analysis time by 30 seconds

Creates a shortcut to an executable file (1 个事件)

file	C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345049.662641 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Installs itself for autorun at Windows startup (1 个事件)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

reg_value

C:\Windows\system32\userinit.exe,C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\38bd12138dfbb99c31e786fe8f80a75a.exe

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)

Time & API	Arguments	Status
1619345052.240641 RegSetValueExA	key_handle: 0x0000000000000490 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1619345052.240641 RegSetValueExA	key_handle: 0x0000000000000490 value: p=+V :× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1619345052.240641 RegSetValueExA	key_handle: 0x0000000000000490 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1619345052.255641 RegSetValueExW	key_handle: 0x0000000000000490 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1619345052.255641 RegSetValueExA	key_handle: 0x00000000000004ac value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1619345052.255641 RegSetValueExA	key_handle: 0x00000000000004ac value: p=+V :× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1619345052.255641 RegSetValueExA	key_handle: 0x00000000000004ac value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1619345052.318641 RegSetValueExW	key_handle: 0x000000000000048c value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 个事件)

MicroWorld-eScan	Trojan.GenericKD.34532965
FireEye	Generic.mg.38bd12138dfbb99c
Qihoo-360	Win64/Trojan.d15
McAfee	Artemis!38BD12138DFB
Cylance	Unsafe
Zillya	Trojan.Agent.Win64.5387
Sangfor	Malware
K7AntiVirus	Trojan ( 005649c91 )
Alibaba	Trojan:Win64/Zudochka.68eafd0c
K7GW	Trojan ( 005649c91 )
Cybereason	malicious.3fb2dc
Arcabit	Trojan.Generic.D20EEE65
Symantec	Trojan.Gen.2
APEX	Malicious
Avast	Win64:TrojanX-gen [Trj]
Kaspersky	HEUR:Backdoor.Win32.Bazdor.vho
BitDefender	Trojan.GenericKD.34532965
Paloalto	generic.ml
Tencent	Win32.Trojan.Zudochka.Lmbl
Ad-Aware	Trojan.GenericKD.34532965
Emsisoft	Trojan.GenericKD.34532965 (B)
Comodo	Malware@#38c8uwaly3vrz
F-Secure	Trojan.TR/Agent.vpzox
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R066C0DIK20
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
Jiangmin	Trojan.Zudochka.fj
Avira	TR/Agent.vpzox
Antiy-AVL	Trojan/Win64.Zudochka
Microsoft	Trojan:Win64/Zudochka!MTB
AegisLab	Trojan.Win32.Mikey.4!c
ZoneAlarm	HEUR:Backdoor.Win32.Bazdor.vho
GData	Trojan.GenericKD.34532965
Cynet	Malicious (score: 90)
AhnLab-V3	Packed/Win64.RL_Suspicious.R335395
MAX	malware (ai score=88)
ESET-NOD32	a variant of Win64/Bazar.E
TrendMicro-HouseCall	TROJ_GEN.R066C0DIK20
Yandex	Trojan.Agent!XVwE/56jnTI
Ikarus	Trojan.Win64.Bazar
Fortinet	W64/Agent.XM!tr
AVG	Win64:TrojanX-gen [Trj]
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_100% (W)
MaxSecure	Trojan.Malware.74094704.susgen

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-04-01 12:34:03

Imports

Library KERNEL32.dll:

• 0x14001a000 HeapFree

• 0x14001a008 VirtualFree

• 0x14001a010 HeapSize

• 0x14001a018 HeapReAlloc

• 0x14001a020 HeapAlloc

• 0x14001a028 GetProcessHeap

• 0x14001a030 VirtualQuery

• 0x14001a038 FindClose

• 0x14001a040 CreateFileW

• 0x14001a048 WriteConsoleW

• 0x14001a050 FlushFileBuffers

• 0x14001a058 SetFilePointerEx

• 0x14001a060 GetConsoleMode

• 0x14001a068 GetConsoleCP

• 0x14001a070 QueryPerformanceCounter

• 0x14001a078 GetCurrentProcessId

• 0x14001a080 GetCurrentThreadId

• 0x14001a088 GetSystemTimeAsFileTime

• 0x14001a090 InitializeSListHead

• 0x14001a098 RtlCaptureContext

• 0x14001a0a0 RtlLookupFunctionEntry

• 0x14001a0a8 RtlVirtualUnwind

• 0x14001a0b0 IsDebuggerPresent

• 0x14001a0b8 UnhandledExceptionFilter

• 0x14001a0c0 SetUnhandledExceptionFilter

• 0x14001a0c8 GetStartupInfoW

• 0x14001a0d0 IsProcessorFeaturePresent

• 0x14001a0d8 GetModuleHandleW

• 0x14001a0e0 LocalFree

• 0x14001a0e8 GetLastError

• 0x14001a0f0 RtlUnwindEx

• 0x14001a0f8 RtlPcToFileHeader

• 0x14001a100 RaiseException

• 0x14001a108 SetLastError

• 0x14001a110 EncodePointer

• 0x14001a118 EnterCriticalSection

• 0x14001a120 LeaveCriticalSection

• 0x14001a128 DeleteCriticalSection

• 0x14001a130 InitializeCriticalSectionAndSpinCount

• 0x14001a138 TlsAlloc

• 0x14001a140 TlsGetValue

• 0x14001a148 TlsSetValue

• 0x14001a150 TlsFree

• 0x14001a158 FreeLibrary

• 0x14001a160 GetProcAddress

• 0x14001a168 LoadLibraryExW

• 0x14001a170 GetCurrentProcess

• 0x14001a178 TerminateProcess

• 0x14001a180 GetStdHandle

• 0x14001a188 WriteFile

• 0x14001a190 GetModuleFileNameA

• 0x14001a198 MultiByteToWideChar

• 0x14001a1a0 WideCharToMultiByte

• 0x14001a1a8 ExitProcess

• 0x14001a1b0 GetModuleHandleExW

• 0x14001a1b8 GetACP

• 0x14001a1c0 GetStringTypeW

• 0x14001a1c8 GetFileType

• 0x14001a1d0 LCMapStringW

• 0x14001a1d8 CloseHandle

• 0x14001a1e0 FindFirstFileExA

• 0x14001a1e8 FindNextFileA

• 0x14001a1f0 IsValidCodePage

• 0x14001a1f8 GetOEMCP

• 0x14001a200 GetCPInfo

• 0x14001a208 GetCommandLineA

• 0x14001a210 GetCommandLineW

• 0x14001a218 GetEnvironmentStringsW

• 0x14001a220 FreeEnvironmentStringsW

• 0x14001a228 SetStdHandle

Library OLEAUT32.dll:

• 0x14001a238 VariantInit

• 0x14001a240 SysFreeString

• 0x14001a248 SysAllocString

• 0x14001a250 VariantClear

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
forgame.bazar	A 127.0.0.1
bestgame.bazar	A 127.0.0.1
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	50537	51.254.25.115	53
192.168.56.101	51809	51.254.25.115	53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.