SmartHawk

3.6

中危

49 个模型检测该样本为恶意！

重新分析

下载样本

0eb03b5ec21043635d2b4ce81f93d01c6fbb5734577a96d4d71399ab9050a192

3e49b009cede6a73a1186b19d694ab57.exe

分析耗时

91s

最近分析

文件大小

326.8KB

静态报毒动态报毒 100% AI SCORE=80 AIDETECTVM BSCOPE CONFIDENCE ELKD ENCPK FGIT GENCIRC GENERICRXKR GENETIC GENKRYPTIK GOZI KRYPTIK MALICIOUS PE MALWARE1 MALWARE@#3O329CM0I6IVE MINT QAKBOT QVM20 R + MAL R337622 REGOTET SCORE SMTHA SQABPK54RZP STATIC AI TROJANBANKER UNSAFE URSNIF YKCXT ZL5CIBWF9TO 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Avast	Win32:Malware-gen	20201210	21.1.5827.0
Alibaba	TrojanSpy:Win32/Ursnif.747508b1	20190527	0.3.0.5
Kingsoft		20201211	2017.9.26.565
McAfee	GenericRXKR-BC!3E49B009CEDE	20201211	6.0.6.653
Tencent	Malware.Win32.Gencirc.10cdcb98	20201211	1.0.0.1

Queries for the computername (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619384599.9225 GetComputerNameW	computer_name:	failed	0	0
1619384599.9225 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

This executable is signed

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

IBC

Allocates read-write-execute memory (usually to unpack itself) (3 个事件)

Time & API	Arguments	Status
1619384593.3905 NtAllocateVirtualMemory	process_identifier: 192 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003a0000	success
1619384599.5945 NtAllocateVirtualMemory	process_identifier: 192 region_size: 159744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00460000	success
1619384599.5945 NtProtectVirtualMemory	process_identifier: 192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 个事件)

Bkav	W32.AIDetectVM.malware1
MicroWorld-eScan	Gen:Heur.Mint.Regotet.1
ALYac	Gen:Heur.Mint.Regotet.1
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
K7AntiVirus	Trojan ( 005673821 )
K7GW	Trojan ( 005673821 )
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W32/Trojan.FGIT-7475
Symantec	Trojan.Ursnif
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Packed.Regotet-7869380-0
Kaspersky	HEUR:Trojan-Banker.Win32.Gozi.pef
Alibaba	TrojanSpy:Win32/Ursnif.747508b1
Rising	Trojan.Kryptik!8.8 (TFE:3:sqabpk54rzP)
Ad-Aware	Gen:Heur.Mint.Regotet.1
Emsisoft	Trojan-Spy.Ursnif (A)
Comodo	Malware@#3o329cm0i6ive
DrWeb	Trojan.Gozi.683
Zillya	Trojan.Ursnif.Win32.11382
TrendMicro	TrojanSpy.Win32.QAKBOT.SMTHA.hp
Sophos	Mal/Generic-R + Mal/EncPk-APV
Paloalto	generic.ml
Jiangmin	Trojan.Banker.Gozi.ant
Webroot	W32.Trojan.Gen
Avira	TR/Spy.Ursnif.ykcxt
MAX	malware (ai score=80)
Antiy-AVL	Trojan[Spy]/Win32.Ursnif
Gridinsoft	Malware.Win32.Gen.ba
Arcabit	Trojan.Mint.Regotet.1
AegisLab	Trojan.Win32.Mint.4!c
ZoneAlarm	HEUR:Trojan-Banker.Win32.Gozi.pef
Microsoft	Trojan:Win32/Ursnif.MK!MSR
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Ursnif.R337622
McAfee	GenericRXKR-BC!3E49B009CEDE
VBA32	BScope.TrojanBanker.Gozi
Malwarebytes	Trojan.Injector
TrendMicro-HouseCall	TrojanSpy.Win32.QAKBOT.SMTHA.hp
Tencent	Malware.Win32.Gencirc.10cdcb98
Yandex	TrojanSpy.Ursnif!ZL5CibWF9To
SentinelOne	Static AI - Malicious PE
Fortinet	W32/GenKryptik.ELKD!tr
AVG	Win32:Malware-gen
Cybereason	malicious.9cede6
Panda	Trj/Genetic.gen
Qihoo-360	Generic/HEUR/QVM20.1.61BC.Malware.Gen

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	216.58.200.238:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-05-21 01:22:27

Imports

Library KERNEL32.dll:

• 0x44d320 GetModuleHandleA

• 0x44d324 VirtualAllocEx

• 0x44d328 LoadLibraryA

• 0x44d32c GetProcAddress

Library USER32.dll:

• 0x44d334 LoadIconA

• 0x44d338 IsWindowUnicode

• 0x44d33c GetDesktopWindow

• 0x44d340 GetMenu

• 0x44d344 GetWindowTextLengthA

• 0x44d348 DestroyWindow

• 0x44d34c GetKBCodePage

• 0x44d350 GetActiveWindow

• 0x44d354 CharNextA

• 0x44d358 EndMenu

• 0x44d35c DestroyCursor

• 0x44d360 CharNextW

• 0x44d364 IsCharLowerW

• 0x44d368 IsCharAlphaNumericW

• 0x44d36c IsMenu

• 0x44d370 GetDlgCtrlID

• 0x44d374 GetListBoxInfo

• 0x44d378 GetDoubleClickTime

• 0x44d37c IsClipboardFormatAvailable

• 0x44d380 GetCursor

• 0x44d384 GetMenuContextHelpId

• 0x44d388 GetKeyboardLayout

• 0x44d38c IsWindowEnabled

• 0x44d390 IsWindow

• 0x44d394 GetTopWindow

• 0x44d398 InSendMessage

• 0x44d39c GetClipboardSequenceNumber

• 0x44d3a0 CountClipboardFormats

• 0x44d3a4 CloseWindowStation

• 0x44d3a8 CharUpperW

• 0x44d3ac GetInputState

Library GDI32.dll:

• 0x44d3b4 EndPage

• 0x44d3b8 GetObjectType

• 0x44d3bc WidenPath

• 0x44d3c0 UnrealizeObject

• 0x44d3c4 GetTextCharacterExtra

• 0x44d3c8 EndDoc

• 0x44d3cc GetColorSpace

• 0x44d3d0 CancelDC

• 0x44d3d4 EndPath

• 0x44d3d8 SwapBuffers

• 0x44d3dc FillPath

• 0x44d3e0 CreateMetaFileA

• 0x44d3e4 CloseMetaFile

• 0x44d3e8 PathToRegion

• 0x44d3ec AddFontResourceW

Library COMDLG32.dll:

• 0x44d3f4 GetFileTitleA

Library ADVAPI32.dll:

• 0x44d3fc RegOpenKeyA

• 0x44d400 RegQueryValueExA

• 0x44d404 GetUserNameA

• 0x44d408 RegSetValueW

• 0x44d40c RegQueryValueExW

• 0x44d410 RegOpenKeyW

• 0x44d414 RegDeleteKeyW

• 0x44d418 RegCloseKey

Library ole32.dll:

• 0x44d420 OleUninitialize

• 0x44d424 OleInitialize

• 0x44d428 CoTaskMemFree

• 0x44d42c StringFromCLSID

Library MSVCRT.dll:

• 0x44d434 __p__commode

• 0x44d438 __p__fmode

• 0x44d43c __set_app_type

• 0x44d440 _controlfp

• 0x44d444 _adjust_fdiv

• 0x44d448 __setusermatherr

• 0x44d44c _initterm

• 0x44d450 __getmainargs

• 0x44d454 __initenv

• 0x44d458 exit

• 0x44d45c _cexit

• 0x44d460 _XcptFilter

• 0x44d464 _exit

• 0x44d468 _c_exit

• 0x44d46c _wcsnicmp

• 0x44d470 printf

• 0x44d474 _except_handler3

• 0x44d478 wcscpy

• 0x44d47c wcscat

• 0x44d480 fgetws

• 0x44d484 towupper

• 0x44d488 _iob

• 0x44d48c _putws

• 0x44d490 wcscmp

• 0x44d494 swprintf

• 0x44d498 malloc

• 0x44d49c free

• 0x44d4a0 _wcsicmp

• 0x44d4a4 wcschr

• 0x44d4a8 wcslen

• 0x44d4ac _get_osfhandle

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.24.14 CNAME clients.l.google.com A 216.58.200.238	172.217.24.14
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	53210	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	53380	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.