3.8
Medium risk

f5a1f7c993b2a258e76436dc03d2354953fd1c51ee9df262a97884e4174729fb

4703f08637609549aecbc3b7b7629602.exe

Analysis duration

54s

Latest analysis

File size

764.5KB
Static detection: yes. Dynamic detection: yes. Detection rate: 100%. Detection name tags: AGKY AI SCORE=91 ATTRIBUTE AUTORUNS BLUTEAL BOTNET BSCOPE CLOUD CONFIDENCE DMGUFLODB9E FGVBKU GENERICKDS GENERICS GHNT HGIASOOA HIGH CONFIDENCE HIGHCONFIDENCE KRYPTIK MALWARE@#2VR3V8RAHBAOB MAUVAISE OWQAL PALN PAPRAS SAVE SCORE STATIC AI SUSGEN SUSPICIOUS PE UNSAFE URSNIFDROPPER VMKFAKC6FXGI WMJJ YAKES ZEXAF
Hawkeye Engine (鹰眼引擎)
Not detected: no Hawkeye Engine detection results are available.
Static verdict
Antivirus engines
Engine        Result                                Scan time   Engine version
Alibaba Trojan:Win32/Yakes.c1913921 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20210203 1.0
Avast Win32:Malware-gen 20210210 21.1.5827.0
Tencent Win32.Trojan.Yakes.Paln 20210211 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft 20210211 2017.9.26.565
McAfee Generic.dve 20210211 6.0.6.653
Static indicators
The file contains an unknown PE resource name possibly indicative of a packer (2 events)
resource name RCDATA
resource name UTFILE
One or more processes crashed (2 events)
Time & API Arguments Status Return Repeated
1619524531.519249
__exception__
stacktrace:
midMessage+0x6dd0 wdmaud+0xef4a @ 0x7453ef4a
wodMessage+0x8c widMessage-0x1a81 wdmaud+0x4b42 @ 0x74534b42
waveOutOpen+0x4b9 waveOutClose-0x196 winmm+0x49d7 @ 0x747949d7
waveOutWrite+0x58 midiOutGetNumDevs-0x9ab winmm+0x4fd3 @ 0x74794fd3
wodMessage+0x304 DriverProc-0xe35 msacm32+0x16ec @ 0x73ea16ec
wodMessage+0xb6 DriverProc-0x1083 msacm32+0x149e @ 0x73ea149e
waveOutOpen+0x4b9 waveOutClose-0x196 winmm+0x49d7 @ 0x747949d7
waveOutWrite+0x58 midiOutGetNumDevs-0x9ab winmm+0x4fd3 @ 0x74794fd3
4703f08637609549aecbc3b7b7629602+0x6fd0 @ 0x406fd0
4703f08637609549aecbc3b7b7629602+0x4eed5 @ 0x44eed5
4703f08637609549aecbc3b7b7629602+0x39624 @ 0x439624
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1629960
registers.edi: 10317824
registers.eax: 4096
registers.ebp: 1629972
registers.edx: 24576
registers.ebx: 0
registers.esi: 1630352
registers.ecx: 1656648
exception.instruction_r: 0f b6 19 01 5e 1c 03 d0 03 c8 3b 56 04 72 f1 5b
exception.instruction: movzx ebx, byte ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol: midMessage+0x8e6a wdmaud+0x10fe4
exception.address: 0x74540fe4
success 0 0
1619524531.816249
__exception__
stacktrace:
midMessage+0x8c3b wdmaud+0x10db5 @ 0x74540db5
midMessage+0x8fa7 wdmaud+0x11121 @ 0x74541121
midMessage+0x7897 wdmaud+0xfa11 @ 0x7453fa11
midMessage+0x73a8 wdmaud+0xf522 @ 0x7453f522
midMessage+0x75a7 wdmaud+0xf721 @ 0x7453f721
midMessage+0x83e9 wdmaud+0x10563 @ 0x74540563
midMessage+0x85bb wdmaud+0x10735 @ 0x74540735
wodMessage+0x580 widMessage-0x158d wdmaud+0x5036 @ 0x74535036
modMessage+0x20d midMessage-0x61 wdmaud+0x8119 @ 0x74538119
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 60947812
registers.edi: 61476612
registers.eax: 1655198
registers.ebp: 60947820
registers.edx: 0
registers.ebx: 60947896
registers.esi: 1654782
registers.ecx: 104
exception.instruction_r: f3 a5 ff 24 95 b8 99 95 75 8a 06 88 07 8a 46 01
exception.symbol: memcpy+0x250 _ftol2-0x41 msvcrt+0x9b60
exception.instruction: movsd dword ptr es:[edi], dword ptr [esi]
exception.module: msvcrt.dll
exception.exception_code: 0xc0000005
exception.offset: 39776
exception.address: 0x75959b60
success 0 0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time & API Arguments Status Return Repeated
1619524529.301249
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 28672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00970000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.812542286019567 section {'size_of_data': '0x000bc200', 'virtual_address': '0x00058000', 'entropy': 7.812542286019567, 'name': 'UPX1', 'virtual_size': '0x000bd000'} description A section with a high entropy has been found
entropy 0.9855926653569089 description Overall entropy of this PE file is high
The executable is compressed using UPX (2 events)
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
Network communication
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 172.217.24.14:443
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events shown)
Elastic malicious (high confidence)
DrWeb Trojan.PWS.Papras.3628
MicroWorld-eScan Trojan.Autoruns.GenericKDS.30979403
CAT-QuickHeal Trojan.Mauvaise.SL1
Qihoo-360 Win32/Botnet.Yakes.HgIASOoA
ALYac Trojan.Autoruns.GenericKDS.30979403
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0053435f1 )
Alibaba Trojan:Win32/Yakes.c1913921
K7GW Trojan ( 0053435f1 )
CrowdStrike win/malicious_confidence_100% (W)
BitDefenderTheta Gen:NN.ZexaF.34804.VmKfaKC6fxgi
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:Malware-gen
Kaspersky Trojan.Win32.Yakes.wmjj
BitDefender Trojan.Autoruns.GenericKDS.30979403
NANO-Antivirus Trojan.Win32.Yakes.fgvbku
AegisLab Trojan.Win32.Yakes.4!c
Tencent Win32.Trojan.Yakes.Paln
Ad-Aware Trojan.Autoruns.GenericKDS.30979403
Emsisoft Trojan.Autoruns.GenericKDS.30979403 (B)
Comodo Malware@#2vr3v8rahbaob
F-Secure Trojan.TR/AD.UrsnifDropper.owqal
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.Dropper.bc
FireEye Generic.mg.4703f08637609549
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
GData Trojan.Autoruns.GenericKDS.30979403
Jiangmin Trojan.Yakes.agky
Webroot W32.Trojan.Gen
Avira TR/AD.UrsnifDropper.owqal
MAX malware (ai score=91)
Antiy-AVL Trojan/Win32.Yakes
Gridinsoft Trojan.Win32.Kryptik.vb!s2
Arcabit Trojan.Autoruns.GenericS.D1D8B54B
ZoneAlarm Trojan.Win32.Yakes.wmjj
Microsoft Trojan:Win32/Bluteal.B!rfn
Cynet Malicious (score: 100)
Acronis suspicious
McAfee Generic.dve
VBA32 BScope.Trojan.Yakes
Malwarebytes Malware.Heuristic.1003
ESET-NOD32 a variant of Win32/Kryptik.GHNT
Rising Trojan.Kryptik!8.8 (CLOUD)
Yandex Trojan.Yakes!dmGuFlOdb9E
Ikarus Trojan.Win32.Crypt
Fortinet W32/Kryptik.GHNT!tr
Visual analysis
Binary image
No binary image: the sample did not generate a binary visualization image.
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran.


PE Compile Time

2018-06-07 06:34:00

Imports

Library KERNEL32.DLL:
0x517860 LoadLibraryA
0x517864 GetProcAddress
0x517868 VirtualProtect
0x51786c VirtualAlloc
0x517870 VirtualFree
0x517874 ExitProcess
Library ADVAPI32.dll:
0x51787c RegOpenKeyA
Library AVICAP32.dll:
Library COMDLG32.dll:
0x51788c GetFileTitleA
Library CRYPT32.dll:
Library GDI32.dll:
0x51789c LineTo
Library NETAPI32.dll:
0x5178a4 NetUserGetInfo
Library ole32.dll:
0x5178ac OleCreate
Library OLEACC.dll:
0x5178b4 LresultFromObject
Library OLEAUT32.dll:
0x5178bc LoadTypeLib
Library oledlg.dll:
0x5178c4
Library pdh.dll:
0x5178cc PdhCollectQueryData
Library SETUPAPI.dll:
0x5178d4 SetupDeleteErrorA
Library SHELL32.dll:
0x5178dc DragFinish
Library SHLWAPI.dll:
0x5178e4 PathIsUNCA
Library USER32.dll:
0x5178ec GetDC
Library UxTheme.dll:
0x5178f4 DrawThemeBackground
Library VERSION.dll:
0x5178fc VerQueryValueA
Library WINMM.dll:
0x517904 waveInOpen
Library WINSPOOL.DRV:
0x51790c OpenPrinterA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source Port  Destination                      Destination Port
192.168.56.101  50534        114.114.114.114                  53
192.168.56.101  51963        114.114.114.114                  53
192.168.56.101  55368        114.114.114.114                  53
192.168.56.101  56539        114.114.114.114                  53
192.168.56.101  60384        114.114.114.114                  53
192.168.56.101  137          192.168.56.255                   137
192.168.56.101  138          192.168.56.255                   138
192.168.56.101  123          20.189.79.72 (time.windows.com)  123
192.168.56.101  49713        224.0.0.252                      5355
192.168.56.101  51378        224.0.0.252                      5355
192.168.56.101  51808        224.0.0.252                      5355
192.168.56.101  53237        224.0.0.252                      5355
192.168.56.101  56804        224.0.0.252                      5355
192.168.56.101  60123        224.0.0.252                      5355
192.168.56.101  62191        224.0.0.252                      5355
192.168.56.101  62318        224.0.0.252                      5355
192.168.56.101  65004        224.0.0.252                      5355
192.168.56.101  1900         239.255.255.250                  1900
192.168.56.101  51379        239.255.255.250                  3702
192.168.56.101  55369        239.255.255.250                  3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files: none.
Dropped buffers: none.