SmartHawk

3.0

中危

57 个模型检测该样本为恶意！

重新分析

下载样本

bf4627c3f55ef4f792dcaeda67d3645fa7bc0d89150b0c1874021e8d26c09f3b

3acf44ed949c2bea6e151450ea61fecb.exe

分析耗时

81s

最近分析

文件大小

943.0KB

静态报毒动态报毒 6YW@A0YVBGDI AGEN AI SCORE=96 AIDETECTVM ATTRIBUTE BUNDLER CLOUD CONFIDENCE CVLH CYMCM ELDORADO FMQRDX GENCIRC GENERICPMF GENETIC GENKRYPTIK GPFT GRAFTOR HIGH CONFIDENCE HIGHCONFIDENCE ISTARTSURF ISTARTSURFINSTALLER KRYPTIK LUDICROUZ MALICIOUS PE MALWARE2 PREPSCRAM PS@8C4M91 R255001 S5393615 SCORE SOFTWAREBUNDLER STARTSURF SUSGEN UNSAFE VITTALIA ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	PUP-HMN	20200704	6.0.6.653
Alibaba	Trojan:Win32/Kryptik.adebf958	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:StartSurf-B [Adw]	20200704	18.4.3895.0
Tencent	Malware.Win32.Gencirc.10b3e683	20200704	1.0.0.1
Kingsoft		20200704	2013.8.14.323
CrowdStrike	win/malicious_confidence_60% (W)	20190702	1.0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.mmdd

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620740437.663375 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 806912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00520000	success	0	0
1620740437.678375 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 827392 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005f0000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.128024814059176

section

{'size_of_data': '0x0009ca00', 'virtual_address': '0x00053000', 'entropy': 7.128024814059176, 'name': '.reloc', 'virtual_size': '0x0009c87c'}

description

A section with a high entropy has been found

entropy

0.6650743099787686

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)

Bkav	W32.AIDetectVM.malware2
MicroWorld-eScan	Application.Bundler.iStartSurf.AJB
FireEye	Generic.mg.3acf44ed949c2bea
CAT-QuickHeal	PUA.GenericPMF.S5393615
McAfee	PUP-HMN
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Trojan ( 005452bf1 )
Alibaba	Trojan:Win32/Kryptik.adebf958
K7GW	Trojan ( 00546d341 )
Cybereason	malicious.d949c2
Arcabit	Application.Bundler.iStartSurf.AJB
BitDefenderTheta	Gen:NN.ZexaF.34130.6yW@a0yvbgdi
Cyren	W32/S-52da07bc!Eldorado
Symantec	ML.Attribute.HighConfidence
Avast	Win32:StartSurf-B [Adw]
Kaspersky	not-a-virus:HEUR:AdWare.Win32.Generic
BitDefender	Application.Bundler.iStartSurf.AJB
NANO-Antivirus	Trojan.Win32.Vittalia.fmqrdx
APEX	Malicious
Tencent	Malware.Win32.Gencirc.10b3e683
Endgame	malicious (high confidence)
Emsisoft	Application.Bundler.iStartSurf.AJB (B)
Comodo	Application.Win32.IStartSurf.PS@8c4m91
F-Secure	Heuristic.HEUR/AGEN.1103295
DrWeb	Trojan.Vittalia.17867
Zillya	Trojan.Kryptik.Win32.1584504
Invincea	heuristic
Trapmine	suspicious.low.ml.score
Sophos	IStartSurfInstaller (PUA)
Ikarus	PUA.Win32.Prepscram
F-Prot	W32/S-52da07bc!Eldorado
Jiangmin	Trojan.Generic.cymcm
Webroot	W32.Adware.Gen
Avira	HEUR/AGEN.1103295
Antiy-AVL	Trojan/Win32.Ludicrouz
Microsoft	SoftwareBundler:Win32/Prepscram
AegisLab	Trojan.Win32.Graftor.4!c
ZoneAlarm	not-a-virus:HEUR:AdWare.Win32.Generic
GData	Win32.Trojan.Prepscram.G
Cynet	Malicious (score: 100)
AhnLab-V3	PUP/Win32.IStartSurf.R255001
Acronis	suspicious
VBA32	Trojan.Vittalia
MAX	malware (ai score=96)
Ad-Aware	Application.Bundler.iStartSurf.AJB
Malwarebytes	Adware.IStartSurf
ESET-NOD32	a variant of Win32/Kryptik.GPFT
Rising	Trojan.Kryptik!8.8 (CLOUD)
Yandex	PUA.Agent!

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-02-05 16:59:19

Imports

Library KERNEL32.dll:

• 0x43b000 CloseHandle

• 0x43b004 ReleaseSemaphore

• 0x43b008 CreateSemaphoreA

• 0x43b00c GetProcessHeap

• 0x43b010 HeapFree

• 0x43b014 GetModuleHandleW

• 0x43b018 GetLastError

• 0x43b01c QueryPerformanceCounter

• 0x43b020 HeapAlloc

• 0x43b024 SetEvent

• 0x43b028 ResetEvent

• 0x43b02c WaitForSingleObjectEx

• 0x43b030 CreateEventA

• 0x43b034 OpenEventA

• 0x43b038 GetCurrentProcessId

• 0x43b03c GetCurrentThreadId

• 0x43b040 TlsAlloc

• 0x43b044 TlsGetValue

• 0x43b048 TlsSetValue

• 0x43b04c TlsFree

• 0x43b050 GetProcAddress

• 0x43b054 CreateFileW

• 0x43b058 WideCharToMultiByte

• 0x43b05c SetLastError

• 0x43b060 InitializeCriticalSectionAndSpinCount

• 0x43b064 CreateEventW

• 0x43b068 SwitchToThread

• 0x43b06c GetSystemTimeAsFileTime

• 0x43b070 EncodePointer

• 0x43b074 DecodePointer

• 0x43b078 EnterCriticalSection

• 0x43b07c LeaveCriticalSection

• 0x43b080 DeleteCriticalSection

• 0x43b084 MultiByteToWideChar

• 0x43b088 LCMapStringW

• 0x43b08c GetLocaleInfoW

• 0x43b090 GetStringTypeW

• 0x43b094 GetCPInfo

• 0x43b098 UnhandledExceptionFilter

• 0x43b09c SetUnhandledExceptionFilter

• 0x43b0a0 GetCurrentProcess

• 0x43b0a4 TerminateProcess

• 0x43b0a8 IsProcessorFeaturePresent

• 0x43b0ac IsDebuggerPresent

• 0x43b0b0 GetStartupInfoW

• 0x43b0b4 InitializeSListHead

• 0x43b0b8 RtlUnwind

• 0x43b0bc RaiseException

• 0x43b0c0 FreeLibrary

• 0x43b0c4 LoadLibraryExW

• 0x43b0c8 GetModuleHandleExW

• 0x43b0cc ExitProcess

• 0x43b0d0 GetModuleFileNameW

• 0x43b0d4 GetStdHandle

• 0x43b0d8 WriteFile

• 0x43b0dc GetFileType

• 0x43b0e0 IsValidLocale

• 0x43b0e4 GetUserDefaultLCID

• 0x43b0e8 EnumSystemLocalesW

• 0x43b0ec FlushFileBuffers

• 0x43b0f0 GetConsoleCP

• 0x43b0f4 GetConsoleMode

• 0x43b0f8 ReadFile

• 0x43b0fc ReadConsoleW

• 0x43b100 SetFilePointerEx

• 0x43b104 HeapReAlloc

• 0x43b108 FindClose

• 0x43b10c FindFirstFileExW

• 0x43b110 FindNextFileW

• 0x43b114 IsValidCodePage

• 0x43b118 GetACP

• 0x43b11c GetOEMCP

• 0x43b120 GetCommandLineA

• 0x43b124 GetCommandLineW

• 0x43b128 GetEnvironmentStringsW

• 0x43b12c FreeEnvironmentStringsW

• 0x43b130 SetStdHandle

• 0x43b134 HeapSize

• 0x43b138 WriteConsoleW

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
alt.tubgiants.host
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
com.bushesstocking.icu
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	49236	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.