Score: 5.2 (medium risk)

SHA256: b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb
File name: 5308aacaa532afd76767bb6dbece3d10.exe
Analysis duration: 80s
Last analyzed:
File size: 5.3MB
Detection tags (static and dynamic): +4FTT8N2B6G, ABPS, AI SCORE=82, AIDETECTVM, ARTEMIS, CLOUD, CONFIDENCE, DEEPSCAN, FUW@AYQWNVJI, GRAFTOR, HFGJOU, HIGH CONFIDENCE, MALWARE2, MYTUBS, OBLIQUE, OBLIQUERAT, OCCAMY, RISKTOOL, SRWY, SUSGEN, UNSAFE, WACATAC, XUAYV, XVPD, ZEXAF
鹰眼引擎 (HawkEye engine)
Not detected: no HawkEye engine result is available for this sample.
Static verdict

Antivirus engines

Engine       Result                              Scan date   Engine version
McAfee       Artemis!5308AACAA532                2020-08-27  6.0.6.653
Alibaba      Trojan:Win32/ObliqueRAT.05988521    2019-05-27  0.3.0.5
CrowdStrike  win/malicious_confidence_90% (W)    2019-07-02  1.0
Baidu        (no result)                         2019-03-18  1.0.0.2
Avast        Win32:Trojan-gen                    2020-08-27  18.4.3895.0
Kingsoft     (no result)                         2020-08-27  2013.8.14.323
Tencent      Win32.Backdoor.Agent.Srwy           2020-08-27  1.0.0.1
Static indicators

Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time               API                   Arguments  Status   Return  Repeated
1619439126.884501  GlobalMemoryStatusEx             success  1       0
Behaviour verdict

Dynamic indicators

Creates executable files on the filesystem (3 events)
file C:\Users\Public\Video\lphsi.exe
file C:\Users\Public\Video\frame.exe
file C:\Users\Public\Video\hrss.exe
Drops a binary and executes it (4 events)
file C:\Users\Public\Video\frame.exe
file C:\Users\Public\Video\movie.mp4
file C:\Users\Public\Video\lphsi.exe
file C:\Users\Public\Video\hrss.exe
Note that movie.mp4 is not a binary: it is a decoy opened alongside the three executables, and C:\Users\Public is writable by every local account, which makes it a convenient staging directory.
Network communication
Communicates with a host for which no DNS query was performed (2 events)
host 172.217.24.14 (a Google-owned address in 172.217.0.0/16; more plausibly a connectivity check than C2)
host 185.117.73.222 (the same address appears as the dead host on port 3344 below)
Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config (1 event)
Time               API             Status   Return  Repeated
1619439129.353124  RegSetValueExW  success  0       0
key_handle: 0x0000022c
value: ”Qehcf 8@device:dmo:{2EEB4ADF-4578-4D10-BCA7-BB955F56320A}{57F2DB8B-E6BB-4513-9D43-DCD2A6593125}@device:dmo:{5210F8E4-B0BB-47C3-A8D9-7B2282CC79ED}{57F2DB8B-E6BB-4513-9D43-DCD2A6593125}@device:dmo:{874131CB-4ECC-443B-8948-746B89595D20}{57F2DB8B-E6BB-4513-9D43-DCD2A6593125}@device:dmo:{BBEEA841-0A63-4F52-A7AB-A9B3A84ED38A}{57F2DB8B-E6BB-4513-9D43-DCD2A6593125}@device:dmo:{2A11BAE2-FE6E-4249-864B-9E9ED6E8DBC2}{4A69B442-28BE-4991-969C-B500ADF5D8A8}@device:dmo:{7BAFB3B1-D8F4-4279-9253-27DA423108DE}{4A69B442-28BE-4991-969C-B500ADF5D8A8}@device:dmo:{82D353DF-90BD-4382-8BC2-3F6192B76E34}{4A69B442-28BE-4991-969C-B500ADF5D8A8}@device:dmo:{CBA9E78B-49A3-49EA-93D4-6BCBA8C4DE07}{4A69B442-28BE-4991-969C-B500ADF5D8A8}@device:dmo:{F371728A-6052-4D47-827C-D039335DFE0A}{4A69B442-28BE-4991-969C-B500ADF5D8A8}@device:sw:{083863F1-70DE-11D0-BD40-00A0C911CE86}\{129D7E40-C10D-11D0-AFB9-00AA00B67A42}@device:sw:{083863F1-70DE-11D0-BD40-00A0C911CE86}\{1643E180-90F5-11CE-97D5-00AA0055595A}@device:sw:{083863F1-70DE-11D0-BD40-00A0C911CE86}\{187463A0-5BB7-11D3-ACBE-0080C75E246E}@device:sw:{083863F1-70DE-11D0-BD40-00A0C911CE86}\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}@device:sw:{083863F1-70DE-11D0-BD40-00A0C911CE86}\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}@device:sw:{083863F1-70DE-11D0-BD40-00A0C911CE86}\{212690FB-83E5-4526-8FD7-74478B7939CD}@device:sw:{083863F1-70DE-11D0-BD40-00A0C911CE86}\{280A3020-86CF-11D1-ABE6-00A0C905F375}@device:sw:{083863F1-70DE-11D0-BD40-00A0C911CE86}\{301056D0-6DFF-11D2-9EEB-006008039E37}@device:sw:{083863F1-70DE-11D0-BD40-00A0C911CE86}\{336475D0-942A-11CE-A870-00AA002FEAB5}@device:sw:{083863F1-70DE-11D0-BD40-00A0C911CE86}\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}@device:sw:{083863F1-70DE-11D0-BD40-00A0C911CE86}\{370A1D5D-DDEB-418C-81CD-189E0D4FA443}@device:sw:{083863F1-70DE-11D0-BD40-00A0C911CE86}\{3AE86B20-7BE8-11D1-ABE6-00A0C905F375}@device:sw:{083863F1-70DE-11D0-BD40-00A0C911CE86}\{48025243-2D39-11CE-875D-00608CB78066}@device:sw:{083863F1-70DE-11D0-BD40-00A0C911CE86}
\{4
regkey_r: 0
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache\0
Status: success  Return: 0  Repeated: 0

Caveat: the key is DirectShow's filter cache and the data is a list of DirectShow filter monikers (@device:dmo:{...} and @device:sw:{083863F1-70DE-11D0-BD40-00A0C911CE86}\{...}, the latter GUID being the DirectShow legacy filter category), which the graph builder writes whenever media is played. Since the sample launches movie.mp4 and the only shell-execution API it imports is ShellExecuteA, treat this event as a side effect of the decoy playback rather than as a malware configuration store.
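The two behaviour signatures above ("drops a binary and executes it" and "long binary registry value") are generic, so an analyst has to disposition them by hand. The following Python is an added example, not part of the sandbox report or of the sample, that does this for the events listed here: it splits the executed files into PE payloads and non-PE decoys, flags the world-writable staging directory, and recognises the DirectShow filter cache so the registry write can be marked benign. The event paths and the registry key are copied from the report; the excerpt of the REG_BINARY data is a constructed two-moniker sample, and the extension list, prefix list and triage labels are my own choices.

```python
import ntpath
import re

# Behaviour events copied from the report (paths exactly as the sandbox recorded them).
DROPPED = [
    r"C:\Users\Public\Video\lphsi.exe",
    r"C:\Users\Public\Video\frame.exe",
    r"C:\Users\Public\Video\hrss.exe",
]
EXECUTED = [
    r"C:\Users\Public\Video\frame.exe",
    r"C:\Users\Public\Video\movie.mp4",
    r"C:\Users\Public\Video\lphsi.exe",
    r"C:\Users\Public\Video\hrss.exe",
]
# Constructed excerpt (two monikers) of the REG_BINARY data from the RegSetValueExW event.
FILTER_CACHE_DATA = (
    "@device:dmo:{2EEB4ADF-4578-4D10-BCA7-BB955F56320A}{57F2DB8B-E6BB-4513-9D43-DCD2A6593125}"
    "@device:sw:{083863F1-70DE-11D0-BD40-00A0C911CE86}\\{129D7E40-C10D-11D0-AFB9-00AA00B67A42}"
)
FILTER_CACHE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache\0"

PE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".cpl"}
# Directories every local user can write to: a common staging area for droppers.
PUBLIC_PREFIXES = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def classify_drop_and_execute(dropped, executed):
    """Separate executed PE payloads from non-PE decoys handed to the shell
    (which opens them with the associated application), note world-writable
    staging, and list dropped executables that never ran in this trace."""
    out = {"payloads": [], "decoys": [], "public_staging": False, "dropped_not_run": []}
    for path in executed:
        name = ntpath.basename(path)
        ext = ntpath.splitext(name)[1].lower()
        out["payloads" if ext in PE_EXTENSIONS else "decoys"].append(name)
        if path.lower().startswith(PUBLIC_PREFIXES):
            out["public_staging"] = True
    launched = {p.lower() for p in executed}
    out["dropped_not_run"] = [ntpath.basename(p) for p in dropped if p.lower() not in launched]
    return out


# Key suffix used by DirectShow's filter cache, and the moniker syntax of its entries.
DIRECTSHOW_CACHE = re.compile(r"\\Multimedia\\ActiveMovie\\Filter Cache\\\d+$", re.IGNORECASE)
MONIKER = re.compile(r"@device:(?:dmo|sw|cm|pnp):\{[0-9A-F-]{36}\}", re.IGNORECASE)


def is_directshow_filter_cache(regkey, data):
    """True when a 'long binary registry value' is DirectShow's filter cache:
    the key sits under ...\\ActiveMovie\\Filter Cache and the data is a run of
    @device: filter monikers, which the graph builder writes on media playback."""
    return bool(DIRECTSHOW_CACHE.search(regkey)) and len(MONIKER.findall(data)) >= 2


def triage_registry_write(regkey, data, reg_type):
    """Label a long REG_BINARY write so the generic signature can be dispositioned."""
    if reg_type != "REG_BINARY" or len(data) < 64:
        return "short-or-non-binary"
    if is_directshow_filter_cache(regkey, data):
        return "benign-directshow-filter-cache"
    return "review-possible-embedded-config"


if __name__ == "__main__":
    print(classify_drop_and_execute(DROPPED, EXECUTED))
    print(triage_registry_write(FILTER_CACHE_KEY, FILTER_CACHE_DATA, "REG_BINARY"))
```

For this report the first function yields three payloads, one decoy (movie.mp4) and public staging, with every dropped executable actually launched; the second labels the registry event as the benign DirectShow cache. Anything that lands in "review-possible-embedded-config" still needs a human look.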
Generates some ICMP traffic
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 185.117.73.222:3344
The packet summary below records no TCP connections at all, consistent with this 3344/tcp attempt going unanswered; it is the one endpoint in this report worth pivoting on.
File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)
Bkav W32.AIDetectVM.malware2
MicroWorld-eScan DeepScan:Generic.Oblique.1.4ED7FC21
McAfee Artemis!5308AACAA532
Cylance Unsafe
Zillya Trojan.Agent.Win32.1299816
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/ObliqueRAT.05988521
K7GW Riskware ( 0040eff71 )
CrowdStrike win/malicious_confidence_90% (W)
Arcabit DeepScan:Generic.Oblique.1.4ED7FC21
Invincea heuristic
Cyren W32/Adware.XVPD-8724
APEX Malicious
Paloalto generic.ml
ClamAV Win.Trojan.ObliqueRAT-7591466-0
Kaspersky Backdoor.Win32.Agent.mytubs
BitDefender DeepScan:Generic.Oblique.1.4ED7FC21
NANO-Antivirus Trojan.Win32.Graftor.hfgjou
ViRobot Adware.Graftor.5575578
Avast Win32:Trojan-gen
Rising Trojan.ObliqueRAT!8.117AF (CLOUD)
Ad-Aware DeepScan:Generic.Oblique.1.4ED7FC21
Sophos Mal/Generic-S
F-Secure Trojan.TR/Agent.xuayv
FireEye Generic.mg.5308aacaa532afd7
Emsisoft DeepScan:Generic.Oblique.1.4ED7FC21 (B)
Jiangmin RiskTool.Generic.ptb
Avira TR/Agent.xuayv
MAX malware (ai score=82)
Microsoft Trojan:Win32/Occamy.C
Endgame malicious (high confidence)
AegisLab Riskware.Win32.Generic.1!c
ZoneAlarm Backdoor.Win32.Agent.mytubs
GData DeepScan:Generic.Oblique.1.4ED7FC21
VBA32 Trojan.Wacatac
ALYac DeepScan:Generic.Oblique.1.4ED7FC21
ESET-NOD32 a variant of Win32/Agent.ABPS
Tencent Win32.Backdoor.Agent.Srwy
Yandex Trojan.Agent!+4FtT8n2B6g
Ikarus Trojan.Win32.Agent
MaxSecure Trojan.Malware.11908787.susgen
Fortinet Riskware/Generic
BitDefenderTheta Gen:NN.ZexaF.34196.fuW@ayqWNvji
AVG Win32:Trojan-gen
Panda Trj/CI.A
Qihoo-360 Win32/Virus.RiskTool.c0f
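Forty-six labels from forty-six vendors agree that the file is bad but not on what it is: "Agent", "Generic" and "Riskware" are buckets, not families. As an added example (not part of the report), the Python below does a small AVClass-style family vote over the labels listed above: it tokenises each label, discards class and heuristic words and hash-like tokens, gives each engine one vote per remaining token, and folds variant spellings such as ObliqueRAT into Oblique. The label text is copied from the report; the stop list, the 4-character minimum and the prefix-merge rule are my own choices.

```python
import re
from collections import Counter

# The 46 VirusTotal engine/label pairs from the report above, one per line.
RAW = """
Bkav W32.AIDetectVM.malware2
MicroWorld-eScan DeepScan:Generic.Oblique.1.4ED7FC21
McAfee Artemis!5308AACAA532
Cylance Unsafe
Zillya Trojan.Agent.Win32.1299816
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/ObliqueRAT.05988521
K7GW Riskware ( 0040eff71 )
CrowdStrike win/malicious_confidence_90% (W)
Arcabit DeepScan:Generic.Oblique.1.4ED7FC21
Invincea heuristic
Cyren W32/Adware.XVPD-8724
APEX Malicious
Paloalto generic.ml
ClamAV Win.Trojan.ObliqueRAT-7591466-0
Kaspersky Backdoor.Win32.Agent.mytubs
BitDefender DeepScan:Generic.Oblique.1.4ED7FC21
NANO-Antivirus Trojan.Win32.Graftor.hfgjou
ViRobot Adware.Graftor.5575578
Avast Win32:Trojan-gen
Rising Trojan.ObliqueRAT!8.117AF (CLOUD)
Ad-Aware DeepScan:Generic.Oblique.1.4ED7FC21
Sophos Mal/Generic-S
F-Secure Trojan.TR/Agent.xuayv
FireEye Generic.mg.5308aacaa532afd7
Emsisoft DeepScan:Generic.Oblique.1.4ED7FC21 (B)
Jiangmin RiskTool.Generic.ptb
Avira TR/Agent.xuayv
MAX malware (ai score=82)
Microsoft Trojan:Win32/Occamy.C
Endgame malicious (high confidence)
AegisLab Riskware.Win32.Generic.1!c
ZoneAlarm Backdoor.Win32.Agent.mytubs
GData DeepScan:Generic.Oblique.1.4ED7FC21
VBA32 Trojan.Wacatac
ALYac DeepScan:Generic.Oblique.1.4ED7FC21
ESET-NOD32 a variant of Win32/Agent.ABPS
Tencent Win32.Backdoor.Agent.Srwy
Yandex Trojan.Agent!+4FtT8n2B6g
Ikarus Trojan.Win32.Agent
MaxSecure Trojan.Malware.11908787.susgen
Fortinet Riskware/Generic
BitDefenderTheta Gen:NN.ZexaF.34196.fuW@ayqWNvji
AVG Win32:Trojan-gen
Panda Trj/CI.A
Qihoo-360 Win32/Virus.RiskTool.c0f
""".strip()

# Class, heuristic and vendor-bucket words: they describe a verdict, not a family.
GENERIC = {
    "trojan", "backdoor", "adware", "riskware", "risktool", "virus", "malware",
    "malicious", "heuristic", "unsafe", "generic", "deepscan", "variant", "agent",
    "cloud", "confidence", "high", "score", "artemis", "susgen",
}


def parse_results(raw):
    """'Engine Label' lines -> {engine: label}; every engine name here is one token."""
    return dict(line.split(maxsplit=1) for line in raw.splitlines())


def family_tokens(label):
    """Candidate family names in one label: purely alphabetic, 4+ chars, not generic.
    The alphabetic test also drops hash-like suffixes such as 4ED7FC21."""
    return {t for t in re.split(r"[^a-z0-9]+", label.lower())
            if len(t) >= 4 and t.isalpha() and t not in GENERIC}


def merge_variants(counts):
    """Fold a token that extends another token of 5+ chars into the shorter one,
    so 'obliquerat' is counted under 'oblique'."""
    merged = Counter()
    for name, n in counts.items():
        base = next((o for o in sorted(counts, key=len)
                     if o != name and len(o) >= 5 and name.startswith(o)), name)
        merged[base] += n
    return merged


def family_consensus(results):
    """Ranked (family, engine votes) list; one vote per engine per token."""
    counts = Counter()
    for label in results.values():
        counts.update(family_tokens(label))
    return sorted(merge_variants(counts).items(), key=lambda kv: (-kv[1], kv[0]))


VT_RESULTS = parse_results(RAW)

if __name__ == "__main__":
    for family, votes in family_consensus(VT_RESULTS)[:5]:
        print(f"{family:12s} {votes}/{len(VT_RESULTS)}")
```

On these labels the vote is Oblique (ObliqueRAT) with 10 of 46 engines, followed by Graftor, mytubs and xuayv at 2 each; "Agent", used by 9 engines, never appears because it is a bucket. Ten is a modest share, so the family attribution is a lead to confirm against the sample's behaviour, not a conclusion.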
Visual analysis

Binary image: none (no binary visualisation was generated for this sample)

Run screenshots: none (no screenshots were captured while the sample ran)


PE Compile Time

2019-12-30 17:13:55

Imports

Library KERNEL32.dll:
0x40f000 CreateDirectoryA
0x40f004 CopyFileA
0x40f008 CreateFileW
0x40f00c WriteConsoleW
0x40f010 EncodePointer
0x40f014 DecodePointer
0x40f018 GetLastError
0x40f01c ExitProcess
0x40f020 GetModuleHandleExW
0x40f024 GetProcAddress
0x40f028 AreFileApisANSI
0x40f02c MultiByteToWideChar
0x40f030 WideCharToMultiByte
0x40f034 HeapAlloc
0x40f038 ReadFile
0x40f03c GetCommandLineA
0x40f040 IsDebuggerPresent
0x40f050 GetStdHandle
0x40f054 GetFileType
0x40f05c GetStartupInfoW
0x40f068 SetLastError
0x40f070 Sleep
0x40f074 GetCurrentProcess
0x40f078 TerminateProcess
0x40f07c TlsAlloc
0x40f080 TlsGetValue
0x40f084 TlsSetValue
0x40f088 TlsFree
0x40f08c GetModuleHandleW
0x40f090 WriteFile
0x40f094 GetModuleFileNameW
0x40f098 HeapFree
0x40f09c LoadLibraryExW
0x40f0a0 IsValidCodePage
0x40f0a4 GetACP
0x40f0a8 GetOEMCP
0x40f0ac GetCPInfo
0x40f0b0 GetProcessHeap
0x40f0b4 SetFilePointerEx
0x40f0b8 RtlUnwind
0x40f0bc GetConsoleMode
0x40f0c0 ReadConsoleW
0x40f0c4 GetConsoleCP
0x40f0c8 CloseHandle
0x40f0cc GetCurrentThreadId
0x40f0d0 GetModuleFileNameA
0x40f0d8 GetCurrentProcessId
0x40f0e8 OutputDebugStringW
0x40f0ec HeapSize
0x40f0f0 HeapReAlloc
0x40f0f4 LCMapStringW
0x40f0f8 GetStringTypeW
0x40f0fc SetStdHandle
0x40f100 FlushFileBuffers
0x40f104 SetEndOfFile
Library SHELL32.dll:
0x40f10c ShellExecuteA
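The import table is short and most of it is MSVC runtime boilerplate, so the useful reading is the handful of APIs that express intent and the gap between the static table and what the sandbox actually hooked. As an added example (not part of the report or the sample), the Python below maps the imports listed above to coarse capability tags, strips CRT noise, and checks which run-time calls from the indicator tables have no static import. The import names are copied from the report; the capability groups, the CRT list and the tag names are my own. Neither GlobalMemoryStatusEx (static indicator) nor RegSetValueExW (registry event) is imported statically: the sample imports GetProcAddress and LoadLibraryExW, so those calls were either resolved at run time or made by another process in the monitored tree, such as a dropped executable or the player launched for movie.mp4.

```python
# Static import table as listed in the report (only KERNEL32 and SHELL32 are imported).
IMPORTS = {
    "KERNEL32.dll": """
        CreateDirectoryA CopyFileA CreateFileW WriteConsoleW EncodePointer DecodePointer
        GetLastError ExitProcess GetModuleHandleExW GetProcAddress AreFileApisANSI
        MultiByteToWideChar WideCharToMultiByte HeapAlloc ReadFile GetCommandLineA
        IsDebuggerPresent GetStdHandle GetFileType GetStartupInfoW SetLastError Sleep
        GetCurrentProcess TerminateProcess TlsAlloc TlsGetValue TlsSetValue TlsFree
        GetModuleHandleW WriteFile GetModuleFileNameW HeapFree LoadLibraryExW
        IsValidCodePage GetACP GetOEMCP GetCPInfo GetProcessHeap SetFilePointerEx
        RtlUnwind GetConsoleMode ReadConsoleW GetConsoleCP CloseHandle GetCurrentThreadId
        GetModuleFileNameA GetCurrentProcessId OutputDebugStringW HeapSize HeapReAlloc
        LCMapStringW GetStringTypeW SetStdHandle FlushFileBuffers SetEndOfFile
    """.split(),
    "SHELL32.dll": ["ShellExecuteA"],
}

# API calls the sandbox hooked at run time (from the indicator tables in this report).
OBSERVED_AT_RUNTIME = ["GlobalMemoryStatusEx", "RegSetValueExW"]

# Coarse capability tags: my own grouping, not a standard taxonomy.
CAPABILITIES = {
    "file-drop": {"CreateFileW", "CreateFileA", "WriteFile", "CopyFileA", "CopyFileW", "CreateDirectoryA"},
    "launch-via-shell": {"ShellExecuteA", "ShellExecuteW", "ShellExecuteExW"},
    "process-create": {"CreateProcessA", "CreateProcessW", "WinExec"},
    "anti-debug": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "OutputDebugStringW"},
    "anti-vm-memory": {"GlobalMemoryStatus", "GlobalMemoryStatusEx"},
    "dynamic-api-resolution": {"GetProcAddress", "LoadLibraryA", "LoadLibraryW", "LoadLibraryExW"},
    "registry-write": {"RegSetValueExA", "RegSetValueExW", "RegCreateKeyExW"},
}

# Imports every MSVC CRT-linked binary carries; they say nothing about intent.
CRT_NOISE = {
    "EncodePointer", "DecodePointer", "TlsAlloc", "TlsGetValue", "TlsSetValue", "TlsFree",
    "HeapAlloc", "HeapFree", "HeapSize", "HeapReAlloc", "GetProcessHeap", "RtlUnwind",
    "LCMapStringW", "GetStringTypeW", "IsValidCodePage", "GetACP", "GetOEMCP", "GetCPInfo",
    "GetStartupInfoW", "GetCommandLineA", "AreFileApisANSI", "GetModuleHandleExW",
}


def all_imports(table):
    return {api for apis in table.values() for api in apis}


def capabilities(table):
    """Sorted capability tags for which at least one API is statically imported."""
    present = all_imports(table)
    return sorted(tag for tag, apis in CAPABILITIES.items() if apis & present)


def hidden_calls(observed, table):
    """Run-time calls with no static import: resolved dynamically, or made by
    another process in the monitored tree."""
    present = all_imports(table)
    return sorted(api for api in observed if api not in present)


def interesting_imports(table):
    """Imports left after removing CRT boilerplate: the short list worth reading."""
    return sorted(all_imports(table) - CRT_NOISE)


if __name__ == "__main__":
    print("capabilities:", capabilities(IMPORTS))
    print("hidden calls:", hidden_calls(OBSERVED_AT_RUNTIME, IMPORTS))
    print("worth reading:", interesting_imports(IMPORTS))
```

For this sample the static tags are anti-debug, dynamic-api-resolution, file-drop and launch-via-shell; there is no CreateProcess import, which fits a dropper that stages files and hands them to ShellExecuteA. Both hooked calls come back as hidden, which is the cue to look at the child processes rather than at this binary's own code.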

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source port  Destination      Destination port  Note
192.168.56.101  49235        114.114.114.114  53
192.168.56.101  50534        114.114.114.114  53
192.168.56.101  56539        114.114.114.114  53
192.168.56.101  58367        114.114.114.114  53
192.168.56.101  65004        114.114.114.114  53
192.168.56.101  137          192.168.56.255   137
192.168.56.101  138          192.168.56.255   138
192.168.56.101  123          20.189.79.72     123               time.windows.com
192.168.56.101  53657        224.0.0.252      5355
192.168.56.101  55368        224.0.0.252      5355
192.168.56.101  56804        224.0.0.252      5355
192.168.56.101  60123        224.0.0.252      5355
192.168.56.101  62191        224.0.0.252      5355
192.168.56.101  1900         239.255.255.250  1900
192.168.56.101  56540        239.255.255.250  3702
192.168.56.101  56807        239.255.255.250  1900
192.168.56.101  58368        239.255.255.250  3702
192.168.56.101  58370        239.255.255.250  3702
192.168.56.101  58707        239.255.255.250  3702
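Every row in the UDP table is Windows background chatter (DNS to the guest's resolver, NetBIOS broadcast, NTP, LLMNR, SSDP and WS-Discovery), and the two "no DNS query" hosts from the signature section do not appear in it at all. As an added example (not part of the report), the Python below separates that noise from sample-attributable traffic and reproduces the "contacted without DNS" check by correlating connection endpoints against DNS answers. The flows are a subset of the rows above and the contacted hosts come from the signature section; the DNS_ANSWERS table is an assumption made for illustration, since the report records the queries to 114.114.114.114 but not the names or answers beyond the time.windows.com annotation, and the noise table and labels are my own.

```python
import ipaddress

# Subset of the UDP flows from the packet summary: (src_ip, src_port, dst_ip, dst_port).
UDP_FLOWS = [
    ("192.168.56.101", 49235, "114.114.114.114", 53),
    ("192.168.56.101", 137, "192.168.56.255", 137),
    ("192.168.56.101", 138, "192.168.56.255", 138),
    ("192.168.56.101", 123, "20.189.79.72", 123),
    ("192.168.56.101", 53657, "224.0.0.252", 5355),
    ("192.168.56.101", 1900, "239.255.255.250", 1900),
    ("192.168.56.101", 56540, "239.255.255.250", 3702),
]
# Hosts the signatures say were contacted; the report gives a port only for the dead host.
CONTACTED = [("172.217.24.14", None), ("185.117.73.222", 3344)]
# Guest resolver and an assumed DNS answer log (only time.windows.com is visible in the report).
RESOLVER = "114.114.114.114"
DNS_ANSWERS = {"time.windows.com": {"20.189.79.72"}}

# Multicast discovery chatter every Windows guest emits regardless of the sample.
NOISE = {
    ("224.0.0.252", 5355): "LLMNR",
    ("239.255.255.250", 1900): "SSDP",
    ("239.255.255.250", 3702): "WS-Discovery",
}


def classify_flow(src, sport, dst, dport):
    """Label a UDP flow as a known background protocol or as 'unexplained'."""
    if (dst, dport) in NOISE:
        return NOISE[(dst, dport)]
    addr = ipaddress.ip_address(dst)
    if dport in (137, 138) and (addr.is_private or dst.endswith(".255")):
        return "NetBIOS"
    if dport == 53 and dst == RESOLVER:
        return "DNS"
    if dport == 123 and dst in DNS_ANSWERS.get("time.windows.com", set()):
        return "NTP"
    return "unexplained"


def hosts_without_dns(contacted, answers):
    """Public IPs the sample connected to that never appeared in a DNS answer:
    hard-coded C2 addresses, or connectivity checks against well-known IPs."""
    resolved = set().union(*answers.values()) if answers else set()
    return sorted(ip for ip, _ in contacted
                  if ip not in resolved and not ipaddress.ip_address(ip).is_private)


def pivot_candidates(contacted, answers):
    """Hard-coded endpoints that came with a port: the ones to hunt for in flow logs."""
    flagged = set(hosts_without_dns(contacted, answers))
    return [(ip, port) for ip, port in contacted if ip in flagged and port]


if __name__ == "__main__":
    for flow in UDP_FLOWS:
        print(flow[2], flow[3], "->", classify_flow(*flow))
    print("no DNS:", hosts_without_dns(CONTACTED, DNS_ANSWERS))
    print("pivot on:", pivot_candidates(CONTACTED, DNS_ANSWERS))
```

Run against this report, nothing in the UDP table is left unexplained, both signature hosts are confirmed as contacted without a resolving query, and 185.117.73.222:3344 is the single endpoint to search for in perimeter and flow logs; 172.217.24.14 is flagged too but, being Google address space, is better read as a reachability probe.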

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files: none collected. Note that the behaviour indicators above record three executables written to C:\Users\Public\Video, so the payloads were not retained by this run.
Dropped buffers: none.