3.4
Medium risk

fcbce1c02e056db95b9ef0d44df62d73699f8387b698445de1a068d0bb11e5cc

4b28b1aed86c852780e729523e88bc0b.exe

Analysis duration

75s

Last analyzed

File size

4.1MB
Static detection: flagged · Dynamic detection: flagged · 100% 6KO03CTXJJ4 AI SCORE=83 AIDETECTVM ATTRIBUTE AUTORUNS CONFIDENCE CRYPTINJECT FABOOKIE GENERICKDS GENERICRXMK GENETIC HIGH CONFIDENCE HIGHCONFIDENCE MALICIOUS PE MALWARE1 MALWARE@#X97ASURRV246 MIMIKATZ MIQKQ PCSU PFRL QVM19 R002C0GIB20 R350905 RARTYQV94JJ SCORE UNSAFE
鹰眼 (Eagle Eye) engine
Not detected: no 鹰眼 engine detection result available
Static verdict
Antivirus engines
Engine Result Scan time Engine version
McAfee GenericRXMK-FD!4B28B1AED86C 20201031 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20201031 20.10.5736.0
Alibaba Trojan:Win32/Fabookie.22806f40 20190527 0.3.0.5
Kingsoft 20201031 2013.8.14.323
Tencent Win32.Trojan.Fabookie.Pcsu 20201031 1.0.0.1
Behavioral verdict
Dynamic indicators
Foreign language identified in PE resource (3 events)
name YUYU language LANG_CHINESE offset 0x0067688c filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00033e00
name YUYU language LANG_CHINESE offset 0x0067688c filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00033e00
name YUYU language LANG_CHINESE offset 0x0067688c filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00033e00
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.913911257533873 section {'size_of_data': '0x00417a00', 'virtual_address': '0x00220000', 'entropy': 7.913911257533873, 'name': '.vmp1', 'virtual_size': '0x00417810'} description A section with a high entropy has been found
entropy 0.9994037681850704 description Overall entropy of this PE file is high
The executable is likely packed with VMProtect (2 events)
section .vmp0 description Section name indicates VMProtect
section .vmp1 description Section name indicates VMProtect
Network communication
Communicates with host for which no DNS query was performed (3 events)
host 172.217.24.14
host 203.208.40.66
host 203.208.41.65
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events shown)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Autoruns.GenericKDS.34465826
McAfee GenericRXMK-FD!4B28B1AED86C
Malwarebytes Trojan.Mimikatz
VIPRE Trojan.Win32.Generic!BT
K7AntiVirus Trojan ( 003e21f71 )
BitDefender Trojan.Autoruns.GenericKDS.34465826
K7GW Trojan ( 003e21f71 )
CrowdStrike win/malicious_confidence_100% (W)
TrendMicro TROJ_GEN.R002C0GIB20
Cyren W32/Trojan.PFRL-7620
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:Trojan-gen
ClamAV Win.Malware.Fabookie-9775083-0
Kaspersky HEUR:Trojan.Win32.Fabookie.vho
Alibaba Trojan:Win32/Fabookie.22806f40
AegisLab Trojan.Win32.Fabookie.4!c
Rising Trojan.Agent!8.B1E (TFE:5:RArTyqV94jJ)
Ad-Aware Trojan.Autoruns.GenericKDS.34465826
Sophos Mal/Generic-S
Comodo Malware@#x97asurrv246
F-Secure Trojan.TR/AD.Mimikatz.miqkq
Zillya Trojan.Agent.Win32.1406674
Invincea Mal/Generic-S
McAfee-GW-Edition BehavesLike.Win32.Generic.rc
Emsisoft Trojan.Autoruns.GenericKDS.34465826 (B)
SentinelOne DFI - Malicious PE
Jiangmin Trojan.Fabookie.ep
Webroot W32.Trojan.Gen
Avira TR/AD.Mimikatz.miqkq
MAX malware (ai score=83)
Antiy-AVL Trojan/Win32.Agent
Microsoft Trojan:Win32/CryptInject!ml
Gridinsoft Trojan.Win32.Agent.vb
Arcabit Trojan.Generic
ZoneAlarm HEUR:Trojan.Win32.Fabookie.vho
GData Trojan.Autoruns.GenericKDS.34465826
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Infostealer.R350905
VBA32 Trojan.Fabookie
ALYac Trojan.Autoruns.GenericKDS.34465826
Cylance Unsafe
Panda Trj/Genetic.gen
ESET-NOD32 a variant of Win32/Agent.UAW
TrendMicro-HouseCall TROJ_GEN.R002C0GIB20
Tencent Win32.Trojan.Fabookie.Pcsu
Yandex Trojan.Agent!6Ko03cTXjj4
Ikarus Trojan.Win32.Agent
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran


PE Compile Time

2020-09-02 11:29:28

Imports

Library KERNEL32.dll:
0x98d000 LoadResource
Library ADVAPI32.dll:
0x98d008 RegSetValueExW
Library SHELL32.dll:
0x98d010 ShellExecuteExA
Library WINHTTP.dll:
Library VCRUNTIME140.dll:
Library api-ms-win-crt-convert-l1-1-0.dll:
0x98d030 strtof
Library api-ms-win-crt-stdio-l1-1-0.dll:
Library api-ms-win-crt-runtime-l1-1-0.dll:
Library api-ms-win-crt-heap-l1-1-0.dll:
0x98d048 _callnewh
Library api-ms-win-crt-string-l1-1-0.dll:
0x98d050 strcat_s
Library api-ms-win-crt-filesystem-l1-1-0.dll:
0x98d058 _lock_file
Library api-ms-win-crt-math-l1-1-0.dll:
0x98d060 _dclass
Library api-ms-win-crt-locale-l1-1-0.dll:
0x98d068 _configthreadlocale
Library KERNEL32.dll:
0x98d070 LocalAlloc
0x98d074 LocalFree
0x98d078 GetModuleFileNameW
0x98d088 Sleep
0x98d08c ExitProcess
0x98d090 FreeLibrary
0x98d094 LoadLibraryA
0x98d098 GetModuleHandleA
0x98d09c GetProcAddress
Library USER32.dll:

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 59704 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.