3.4
中危
54 个模型检测该样本为恶意!
重新分析
更多

4aee79733f02aa31ced0b6a0672d67cc6b0e0f7e0fc8654b8981c529046d9b7c

4c420389998e16660acb61abc5665141.exe

分析耗时

83s

最近分析

文件大小

298.5KB
静态报毒 动态报毒 100% AI SCORE=87 ATTRIBUTE BSYMEM CLOUD CONFIDENCE DANABOT GDSDA GENERICKD HDVD HDVR HIGH CONFIDENCE HIGHCONFIDENCE HW32 KCIHK KRYPTIK MALPE MALWARE@#24H8Q37MY7JI3 MALWAREX PDWC PUPXEU QVM10 R339229 SCORE SIGGEN2 SODINOKIBI SODINORANSOM SQ0@AKOVIKHG STOP SUSGEN SUSPICIOUS PE THFAOBO UNSAFE WACATAC ZEXAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee RDN/Generic.dx 20200616 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Alibaba Trojan:Win32/Bsymem.af468da4 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:MalwareX-gen [Trj] 20200616 18.4.3895.0
Tencent Win32.Trojan.Bsymem.Pdwc 20200616 1.0.0.1
Kingsoft 20200616 2013.8.14.323
静态指标
This executable has a PDB path (1 个事件)
pdb_path C:\wabidaroz2 tipero_zorezirejuvomiyu43-suzevovuha41_biwisabuzocah.pdb
The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)
resource name WINECIKEPEDOPAZE
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (2 个事件)
Time & API Arguments Status Return Repeated
1619464131.49975
NtProtectVirtualMemory
process_identifier: 1888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 131072
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01c4a000
success 0 0
1619464131.51575
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00310000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (3 个事件)
entropy 6.87037925897494 section {'size_of_data': '0x0000cc00', 'virtual_address': '0x00001000', 'entropy': 6.87037925897494, 'name': '.text', 'virtual_size': '0x0000ca68'} description A section with a high entropy has been found
entropy 7.921034254865124 section {'size_of_data': '0x00023800', 'virtual_address': '0x0000e000', 'entropy': 7.921034254865124, 'name': '.rdata', 'virtual_size': '0x00023658'} description A section with a high entropy has been found
entropy 0.6487394957983194 description Overall entropy of this PE file is high
网络通信
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 172.217.24.14:443
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 个事件)
Bkav HW32.Packed.
MicroWorld-eScan Trojan.GenericKD.43284063
FireEye Generic.mg.4c420389998e1666
CAT-QuickHeal Ransom.Stop.MP4
McAfee RDN/Generic.dx
Sangfor Malware
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Trojan:Win32/Bsymem.af468da4
K7GW Trojan ( 005680b41 )
K7AntiVirus Trojan ( 005680b41 )
Arcabit Trojan.Generic.D294765F
Invincea heuristic
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:MalwareX-gen [Trj]
GData Trojan.GenericKD.43284063
Kaspersky Trojan.Win32.Bsymem.qvh
BitDefender Trojan.GenericKD.43284063
Paloalto generic.ml
Tencent Win32.Trojan.Bsymem.Pdwc
Ad-Aware Trojan.GenericKD.43284063
Emsisoft Trojan.GenericKD.43284063 (B)
Comodo Malware@#24h8q37my7ji3
F-Secure Trojan.TR/AD.SodinoRansom.kcihk
DrWeb Trojan.PWS.Siggen2.49927
VIPRE Trojan.Win32.Generic!BT
TrendMicro Trojan.Win32.WACATAC.THFAOBO
McAfee-GW-Edition BehavesLike.Win32.PUPXEU.dc
Sophos Mal/Generic-S
SentinelOne DFI - Suspicious PE
Jiangmin Trojan.Bsymem.vv
Avira TR/AD.SodinoRansom.kcihk
MAX malware (ai score=87)
Antiy-AVL Trojan/Win32.Bsymem
Microsoft Trojan:Win32/DanaBot.GB!MTB
Endgame malicious (high confidence)
ZoneAlarm Trojan.Win32.Bsymem.qvh
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.MalPe.R339229
Acronis suspicious
BitDefenderTheta Gen:NN.ZexaF.34128.sq0@aKOvIkhG
ALYac Trojan.Ransom.Sodinokibi
Malwarebytes Trojan.MalPack.GS
ESET-NOD32 a variant of Win32/Kryptik.HDVR
TrendMicro-HouseCall Trojan.Win32.WACATAC.THFAOBO
Rising Trojan.Kryptik!8.8 (CLOUD)
Ikarus Trojan.Win32.Crypt
eGambit Unsafe.AI_Score_64%
Fortinet W32/Kryptik.HDVD!tr
MaxSecure Trojan.Malware.300983.susgen
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2019-05-11 13:19:19

Imports

Library KERNEL32.dll:
0x40e014 GlobalLock
0x40e018 GetUserDefaultLCID
0x40e01c GetCommProperties
0x40e020 GetModuleHandleW
0x40e024 GetTickCount
0x40e028 WriteFile
0x40e02c GetUserGeoID
0x40e030 GetProcessTimes
0x40e034 TlsSetValue
0x40e038 GetConsoleMode
0x40e03c ReplaceFileW
0x40e040 IsBadStringPtrA
0x40e044 GlobalAddAtomA
0x40e048 GlobalUnfix
0x40e04c BackupRead
0x40e050 GetProcAddress
0x40e054 RemoveDirectoryA
0x40e05c CreateHardLinkW
0x40e060 OpenFileMappingW
0x40e064 BuildCommDCBA
0x40e068 VirtualProtect
0x40e06c GetCurrentProcessId
0x40e070 LocalFree
0x40e074 LoadResource
0x40e07c RtlCaptureContext
0x40e080 lstrlenA
0x40e088 SetConsoleTitleA
0x40e08c UnregisterWait
0x40e090 ExitProcess
0x40e094 DecodePointer
0x40e098 GetCommandLineA
0x40e09c HeapSetInformation
0x40e0a0 GetStartupInfoW
0x40e0a4 TerminateProcess
0x40e0a8 GetCurrentProcess
0x40e0b4 IsDebuggerPresent
0x40e0c8 EncodePointer
0x40e0cc GetLastError
0x40e0d0 LoadLibraryW
0x40e0d4 TlsAlloc
0x40e0d8 TlsGetValue
0x40e0dc TlsFree
0x40e0e4 SetLastError
0x40e0e8 GetCurrentThreadId
0x40e0f0 GetStdHandle
0x40e0f4 GetModuleFileNameW
0x40e0f8 GetModuleFileNameA
0x40e100 WideCharToMultiByte
0x40e108 SetHandleCount
0x40e10c GetFileType
0x40e110 HeapCreate
0x40e11c GetCPInfo
0x40e120 GetACP
0x40e124 GetOEMCP
0x40e128 IsValidCodePage
0x40e12c HeapFree
0x40e130 Sleep
0x40e134 HeapSize
0x40e138 RtlUnwind
0x40e13c LCMapStringW
0x40e140 MultiByteToWideChar
0x40e144 GetStringTypeW
0x40e148 HeapAlloc
0x40e14c HeapReAlloc
0x40e154 RaiseException
Library ADVAPI32.dll:
0x40e00c RegSetValueExW

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.