SmartHawk

4.6

中危

43 个模型检测该样本为恶意！

重新分析

下载样本

c1674327bb311564153d7a76fdca4063d120d910e307c4b5d430a0c81dffc64a

3d40c751eb8e328a0396e196731b7e53.exe

分析耗时

80s

最近分析

文件大小

3.4MB

静态报毒动态报毒 AI SCORE=80 ARAB ARTEMIS ATTRIBUTE BLOCKER CONFIDENCE EIWMTSRDAMWP4OI6DKTDLG FUERY FYKHO GENERIC@ML GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE MALWARE@#1E61IVDXWL8NU NYMAIM PYTHON QVM10 R002C0WKN19 RDMK ROZENA SCORE SHELMA SUSPICIOUS PE SWRORT TIGGRE TQ1S UNSAFE 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!3D40C751EB8E	20200101	6.0.6.653
Alibaba	Trojan:Application/Rozena.5b5d59eb	20190527	0.3.0.5
Avast	Win32:Trojan-gen	20200102	18.4.3895.0
Tencent		20200102	1.0.0.1
Baidu		20190318	1.0.0.2
Kingsoft		20200102	2013.8.14.323
CrowdStrike	win/malicious_confidence_60% (W)	20190702	1.0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.gfids

Allocates read-write-execute memory (usually to unpack itself) (3 个事件)

Time & API	Arguments	Status
1620755570.753999 NtAllocateVirtualMemory	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008f0000	success
1620755570.753999 NtAllocateVirtualMemory	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00900000	success
1620755570.753999 NtProtectVirtualMemory	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00900000	success

Creates executable files on the filesystem (4 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI11762\msvcp90.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI11762\python27.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI11762\msvcm90.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI11762\msvcr90.dll

Drops an executable to the user AppData folder (9 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI11762\unicodedata.pyd
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI11762\bz2.pyd
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI11762\msvcr90.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI11762\msvcp90.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI11762\_ctypes.pyd
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI11762\python27.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI11762\_hashlib.pyd
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI11762\msvcm90.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI11762\select.pyd

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.420404164337895

section

{'size_of_data': '0x0000f800', 'virtual_address': '0x0003c000', 'entropy': 7.420404164337895, 'name': '.rsrc', 'virtual_size': '0x0000f68c'}

description

A section with a high entropy has been found

entropy

0.2594142259414226

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	47.240.45.183

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

47.240.45.183:60001

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 个事件)

MicroWorld-eScan	Trojan.GenericKD.42034879
CAT-QuickHeal	Trojan.Fuery
McAfee	Artemis!3D40C751EB8E
Sangfor	Malware
K7AntiVirus	Trojan ( 00546b711 )
Alibaba	Trojan:Application/Rozena.5b5d59eb
K7GW	Trojan ( 00546b711 )
Arcabit	Trojan.Generic.D28166BF
Invincea	heuristic
Symantec	ML.Attribute.HighConfidence
TrendMicro-HouseCall	TROJ_GEN.R002C0WKN19
Avast	Win32:Trojan-gen
Kaspersky	Trojan.Win32.Shelma.arab
BitDefender	Trojan.GenericKD.42034879
Paloalto	generic.ml
AegisLab	Trojan.Win32.Blocker.tq1S
Ad-Aware	Trojan.GenericKD.42034879
Sophos	Mal/Generic-S
Comodo	Malware@#1e61ivdxwl8nu
F-Secure	Trojan.TR/AD.Swrort.fykho
TrendMicro	TROJ_GEN.R002C0WKN19
McAfee-GW-Edition	BehavesLike.Win32.Nymaim.wc
FireEye	Generic.mg.3d40c751eb8e328a
Emsisoft	Trojan.GenericKD.42034879 (B)
Ikarus	Trojan.Python.Rozena
Avira	TR/AD.Swrort.fykho
Microsoft	Trojan:Win32/Tiggre!rfn
Endgame	malicious (high confidence)
ZoneAlarm	Trojan.Win32.Shelma.arab
GData	Trojan.GenericKD.42034879
ALYac	Trojan.GenericKD.42034879
MAX	malware (ai score=80)
Cylance	Unsafe
APEX	Malicious
ESET-NOD32	Python/Rozena.BC
Rising	Trojan.Generic@ML.100 (RDMK:eiWmTSRdAmWP4OI6dKtdlg)
SentinelOne	DFI - Suspicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/Rozena.BC!tr
AVG	Win32:Trojan-gen
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_60% (W)
Qihoo-360	HEUR/QVM10.2.2A49.Malware.Gen

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-07-09 22:23:33

Imports

Library USER32.dll:

• 0x420178 MessageBoxW

• 0x42017c MessageBoxA

Library KERNEL32.dll:

• 0x420000 SystemTimeToTzSpecificLocalTime

• 0x420004 DecodePointer

• 0x420008 GetLastError

• 0x42000c SetDllDirectoryW

• 0x420010 GetModuleFileNameW

• 0x420014 GetProcAddress

• 0x420018 GetCommandLineW

• 0x42001c GetEnvironmentVariableW

• 0x420020 SetEnvironmentVariableW

• 0x420024 ExpandEnvironmentStringsW

• 0x420028 GetTempPathW

• 0x42002c WaitForSingleObject

• 0x420030 Sleep

• 0x420034 GetExitCodeProcess

• 0x420038 CreateProcessW

• 0x42003c GetStartupInfoW

• 0x420040 LoadLibraryExW

• 0x420044 GetShortPathNameW

• 0x420048 FormatMessageW

• 0x42004c LoadLibraryA

• 0x420050 MultiByteToWideChar

• 0x420054 WideCharToMultiByte

• 0x420058 SetEndOfFile

• 0x42005c HeapReAlloc

• 0x420060 UnhandledExceptionFilter

• 0x420064 SetUnhandledExceptionFilter

• 0x420068 GetCurrentProcess

• 0x42006c TerminateProcess

• 0x420070 IsProcessorFeaturePresent

• 0x420074 QueryPerformanceCounter

• 0x420078 GetCurrentProcessId

• 0x42007c GetCurrentThreadId

• 0x420080 GetSystemTimeAsFileTime

• 0x420084 InitializeSListHead

• 0x420088 IsDebuggerPresent

• 0x42008c GetModuleHandleW

• 0x420090 RtlUnwind

• 0x420094 SetLastError

• 0x420098 EnterCriticalSection

• 0x42009c LeaveCriticalSection

• 0x4200a0 DeleteCriticalSection

• 0x4200a4 InitializeCriticalSectionAndSpinCount

• 0x4200a8 TlsAlloc

• 0x4200ac TlsGetValue

• 0x4200b0 TlsSetValue

• 0x4200b4 TlsFree

• 0x4200b8 FreeLibrary

• 0x4200bc GetCommandLineA

• 0x4200c0 ReadFile

• 0x4200c4 CreateFileW

• 0x4200c8 GetDriveTypeW

• 0x4200cc GetFileType

• 0x4200d0 CloseHandle

• 0x4200d4 PeekNamedPipe

• 0x4200d8 RaiseException

• 0x4200dc FileTimeToSystemTime

• 0x4200e0 GetFullPathNameW

• 0x4200e4 GetFullPathNameA

• 0x4200e8 CreateDirectoryW

• 0x4200ec RemoveDirectoryW

• 0x4200f0 FindClose

• 0x4200f4 FindFirstFileExW

• 0x4200f8 FindNextFileW

• 0x4200fc SetStdHandle

• 0x420100 SetConsoleCtrlHandler

• 0x420104 DeleteFileW

• 0x420108 GetStdHandle

• 0x42010c WriteFile

• 0x420110 ExitProcess

• 0x420114 GetModuleHandleExW

• 0x420118 GetACP

• 0x42011c HeapFree

• 0x420120 HeapAlloc

• 0x420124 GetConsoleMode

• 0x420128 ReadConsoleW

• 0x42012c SetFilePointerEx

• 0x420130 GetConsoleCP

• 0x420134 CompareStringW

• 0x420138 LCMapStringW

• 0x42013c GetCurrentDirectoryW

• 0x420140 FlushFileBuffers

• 0x420144 SetEnvironmentVariableA

• 0x420148 GetFileAttributesExW

• 0x42014c IsValidCodePage

• 0x420150 GetOEMCP

• 0x420154 GetCPInfo

• 0x420158 GetEnvironmentStringsW

• 0x42015c FreeEnvironmentStringsW

• 0x420160 GetStringTypeW

• 0x420164 GetProcessHeap

• 0x420168 WriteConsoleW

• 0x42016c GetTimeZoneInformation

• 0x420170 HeapSize

Library WS2_32.dll:

• 0x420184 ntohl

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
update.googleapis.com	A 203.208.40.34	203.208.40.34
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49196	203.208.40.34 update.googleapis.com	443

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	61680	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	50568	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	49238	239.255.255.250	1900
192.168.56.101	49714	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.