4.6
Medium risk

86d6bdcbfdbe30de9c94b1b4ab010f17cf4c2b94f9cfc49c3d876a429202bf27

56eaa9679af695a9629e881191063942.exe

Analysis time

53s

Last analyzed

File size

74.5KB
Static detection: malicious; Dynamic detection: malicious. Detection tags: AI SCORE=87 AIDETECTVM CCNC CLASSIC COBALT COBALTSTRIKE CONFIDENCE DURMP EXEZJ EYW@A85TA9JI GDSDA HACKTOOL MALWARE2 R03BC0DHO20 ROZENA SCORE SUSPICIOUS PE SWRORT SYIK UMAL UNSAFE VEIL VIFLA@0 ZEXAF
Hawkeye engine
Not detected: no Hawkeye engine results available
Static verdict
Antivirus engines
Engine Result Scan date Engine version
McAfee RDN/Generic.tfr 20200912 6.0.6.653
Alibaba Trojan:Win32/Swrort.9271676c 20190527 0.3.0.5
Avast Win32:Trojan-gen 20200912 18.4.3895.0
Tencent Win32.Trojan.Generic.Syik 20200913 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft 20200913 2013.8.14.323
CrowdStrike win/malicious_confidence_80% (W) 20190702 1.0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time & API Arguments Status Return Repeated
1619445147.818625
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00320000
success 0 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619445148.584625
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 118.89.59.179
host 172.217.24.14
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619445151.178625
RegSetValueExA
key_handle: 0x00000348
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619445151.178625
RegSetValueExA
key_handle: 0x00000348
value:  š~y:×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619445151.178625
RegSetValueExA
key_handle: 0x00000348
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619445151.178625
RegSetValueExW
key_handle: 0x00000348
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619445151.178625
RegSetValueExA
key_handle: 0x00000360
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619445151.178625
RegSetValueExA
key_handle: 0x00000360
value:  š~y:×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619445151.178625
RegSetValueExA
key_handle: 0x00000360
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619445151.209625
RegSetValueExW
key_handle: 0x00000344
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)
dead_host 118.89.59.179:8123
File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events shown)
Bkav W32.AIDetectVM.malware2
MicroWorld-eScan Generic.Exploit.Shellcode.1.794C6C5E
FireEye Generic.mg.56eaa9679af695a9
McAfee RDN/Generic.tfr
Malwarebytes Trojan.MalPack
Zillya Trojan.Generic.Win32.1180993
Sangfor Malware
K7AntiVirus Trojan ( 004d2b341 )
Alibaba Trojan:Win32/Swrort.9271676c
K7GW Trojan ( 004d2b341 )
Cybereason malicious.79af69
Arcabit Generic.Exploit.Shellcode.1.794C6C5E
Invincea Troj/Cobalt-F
BitDefenderTheta Gen:NN.ZexaF.34216.eyW@a85TA9ji
Symantec Trojan Horse
APEX Malicious
Avast Win32:Trojan-gen
ClamAV Win.Trojan.CobaltStrike-7913051-0
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Generic.Exploit.Shellcode.1.794C6C5E
NANO-Antivirus Virus.Win32.Gen-Crypt.ccnc
Paloalto generic.ml
ViRobot Trojan.Win32.Z.Rozena.76288
Tencent Win32.Trojan.Generic.Syik
Ad-Aware Generic.Exploit.Shellcode.1.794C6C5E
Comodo TrojWare.Win32.UMal.vifla@0
F-Secure Trojan.TR/Rozena.exezj
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R03BC0DHO20
Sophos Troj/Cobalt-F
Ikarus Trojan.Veil
Jiangmin Trojan.Generic.durmp
Webroot W32.Trojan.Gen
Avira TR/Rozena.exezj
Microsoft Trojan:Win32/Swrort.A
AegisLab Trojan.Win32.Generic.4!c
ZoneAlarm HEUR:Trojan.Win32.Generic
GData Generic.Exploit.Shellcode.1.794C6C5E
Cynet Malicious (score: 85)
AhnLab-V3 Trojan/Win32.Rozena.C4186524
ALYac Generic.Exploit.Shellcode.1.794C6C5E
MAX malware (ai score=87)
ESET-NOD32 a variant of Win32/Rozena.PL
TrendMicro-HouseCall TROJ_GEN.R03BC0DHO20
Rising HackTool.Swrort!1.6477 (CLASSIC)
SentinelOne DFI - Suspicious PE
eGambit Unsafe.AI_Score_99%
Fortinet W32/Generic.F!tr
AVG Win32:Trojan-gen
Panda Trj/GdSda.A
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran

PE Compile Time

2020-08-20 10:59:32

Imports

Library KERNEL32.dll:
0x40c000 VirtualAlloc
0x40c00c GetCurrentProcess
0x40c010 TerminateProcess
0x40c01c GetCurrentProcessId
0x40c020 GetCurrentThreadId
0x40c028 InitializeSListHead
0x40c02c IsDebuggerPresent
0x40c030 GetStartupInfoW
0x40c034 GetModuleHandleW
0x40c038 RtlUnwind
0x40c03c GetLastError
0x40c040 SetLastError
0x40c054 TlsAlloc
0x40c058 TlsGetValue
0x40c05c TlsSetValue
0x40c060 TlsFree
0x40c064 FreeLibrary
0x40c068 GetProcAddress
0x40c06c LoadLibraryExW
0x40c070 GetStdHandle
0x40c074 WriteFile
0x40c078 GetModuleFileNameA
0x40c07c MultiByteToWideChar
0x40c080 WideCharToMultiByte
0x40c084 ExitProcess
0x40c088 GetModuleHandleExW
0x40c08c GetCommandLineA
0x40c090 GetCommandLineW
0x40c094 GetACP
0x40c098 HeapFree
0x40c09c HeapAlloc
0x40c0a0 CloseHandle
0x40c0a4 FindClose
0x40c0a8 FindFirstFileExA
0x40c0ac FindNextFileA
0x40c0b0 IsValidCodePage
0x40c0b4 GetOEMCP
0x40c0b8 GetCPInfo
0x40c0c8 CompareStringW
0x40c0cc LCMapStringW
0x40c0d0 SetStdHandle
0x40c0d4 GetFileType
0x40c0d8 GetStringTypeW
0x40c0dc GetProcessHeap
0x40c0e0 HeapSize
0x40c0e4 HeapReAlloc
0x40c0e8 FlushFileBuffers
0x40c0ec GetConsoleCP
0x40c0f0 GetConsoleMode
0x40c0f4 SetFilePointerEx
0x40c0f8 WriteConsoleW
0x40c0fc DecodePointer
0x40c100 CreateFileW
0x40c104 RaiseException

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 53658 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.