SmartHawk

1.2

低危

63 个模型检测该样本为恶意！

重新分析

下载样本

1e564ef865771e9c658149dcbd64dcc6a9d53f049f27cf6d85de1b330d328abe

1e564ef865771e9c658149dcbd64dcc6a9d53f049f27cf6d85de1b330d328abe.exe

分析耗时

194s

引擎	描述	特征	威胁分数	可能家族	检测耗时
DACN	基于动态分析和胶囊网络的可视化恶意软件检测	API调用、DLL以及注册表的修改情况	0.12	Unknown	0.04s
FACILE	利用改进的层次胶囊网络对二进制恶意软件图像进行识别分类	二进制图像映射为的灰度图像	1.00	Unknown	0.03s
IMCLNet	轻量化深度卷积网络模型实现恶意软件家族检测	原始二进制映射而成的可视化图像	0.67	Unknown	0.20s
MFGraph	利用静态特征构建图网络以检测恶意软件	原始二进制PE文件的静态特征节点	0.00	Unknown	0.00s

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	DDoS:Win32/StormAttack.3867db48	20190527	0.3.0.5
Avast	Win32:StormDDOS-B [Trj]	20200901	18.4.3895.0
Baidu	None	20190318	1.0.0.2
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Kingsoft	None	20200901	2013.8.14.323
McAfee	GenericR-KGL!594906CD6772	20200901	6.0.6.653
Tencent	Malware.Win32.Gencirc.10b3b6d3	20200901	1.0.0.1

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2010-07-31 19:55:58

PE Imphash

ba23a556ac1d6444f7f76feafd6c8867

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.text	0x00001000	0x0000189a	0x00002000	5.131358637328581
.rdata	0x00003000	0x00000a98	0x00001000	3.7762129428964784
.data	0x00004000	0x00000520	0x00001000	1.05150611190183
.rsrc	0x00005000	0x00009c60	0x0000a000	5.783787910203029

Resources

Name	Offset	Size	Language	Sub-language	File type
DLL	0x00005060	0x00009c00	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	None

Imports

Library KERNEL32.dll:

• 0x403040 lstrcatA

• 0x403044 lstrcpyA

• 0x403048 GetEnvironmentVariableA

• 0x40304c GetShortPathNameA

• 0x403050 GetModuleFileNameA

• 0x403054 GetLastError

• 0x403058 SetFileAttributesA

• 0x40305c CopyFileA

• 0x403060 CloseHandle

• 0x403064 GetCurrentProcess

• 0x403068 CreateFileA

• 0x40306c GlobalFree

• 0x403070 LockResource

• 0x403074 GlobalAlloc

• 0x403078 LoadResource

• 0x40307c SizeofResource

• 0x403080 FindResourceA

• 0x403084 SetPriorityClass

• 0x403088 GetCurrentThread

• 0x40308c SetThreadPriority

• 0x403090 ResumeThread

• 0x403094 Sleep

• 0x403098 GetStartupInfoA

• 0x40309c CreateProcessA

• 0x4030a0 lstrlenA

• 0x4030a4 VirtualAllocEx

• 0x4030a8 WriteProcessMemory

• 0x4030ac GetModuleHandleA

• 0x4030b0 GetProcAddress

• 0x4030b4 CreateRemoteThread

• 0x4030b8 GetSystemWindowsDirectoryA

• 0x4030bc GetSystemDirectoryA

• 0x4030c0 WriteFile

Library USER32.dll:

• 0x403164 MessageBoxA

Library comdlg32.dll:

• 0x40316c GetFileTitleA

Library ADVAPI32.dll:

• 0x403000 CloseServiceHandle

• 0x403004 RegOpenKeyExA

• 0x403008 RegQueryValueExA

• 0x40300c StartServiceCtrlDispatcherA

• 0x403010 RegCreateKeyA

• 0x403014 RegisterServiceCtrlHandlerA

• 0x403018 SetServiceStatus

• 0x40301c RegOpenKeyA

• 0x403020 RegDeleteValueA

• 0x403024 RegSetValueExA

• 0x403028 RegCloseKey

• 0x40302c OpenServiceA

• 0x403030 CreateServiceA

• 0x403034 OpenSCManagerA

• 0x403038 StartServiceA

Library ole32.dll:

• 0x403174 CoUninitialize

• 0x403178 CoCreateGuid

• 0x40317c CoInitialize

Library MFC42.DLL:

• 0x4030c8 None

• 0x4030cc None

• 0x4030d0 None

• 0x4030d4 None

• 0x4030d8 None

Library MSVCRT.dll:

• 0x4030f4 _controlfp

• 0x4030f8 __set_app_type

• 0x4030fc __CxxFrameHandler

• 0x403100 _snprintf

• 0x403104 free

• 0x403108 fwrite

• 0x40310c fclose

• 0x403110 fread

• 0x403114 malloc

• 0x403118 ftell

• 0x40311c fseek

• 0x403120 fopen

• 0x403124 exit

• 0x403128 strstr

• 0x40312c strncmp

• 0x403130 _except_handler3

• 0x403134 __dllonexit

• 0x403138 _onexit

• 0x40313c _exit

• 0x403140 _XcptFilter

• 0x403144 _acmdln

• 0x403148 __getmainargs

• 0x40314c _initterm

• 0x403150 __setusermatherr

• 0x403154 _adjust_fdiv

• 0x403158 __p__commode

• 0x40315c __p__fmode

Library MSVCP60.dll:

• 0x4030e0 ??0_Winit@std@@QAE@XZ

• 0x4030e4 ??1_Winit@std@@QAE@XZ

• 0x4030e8 ??1Init@ios_base@std@@QAE@XZ

• 0x4030ec ??0Init@ios_base@std@@QAE@XZ

L!This program cannot be run in DOS mode.
`.rdata
@.data
SVD$\WP]
VWh|C@
D$TSUVWh
3|$$\$
L$ D$$D
D$ RPj
P_^]3[`
QR; @@
jeQD$(
d$ P$<
PQRhC@
L$lPQ\$
PD$pPj
r 3+t$L|$LhC@
3RQPPPPP$
PRPD$@D
D$HD$DD$L|$lfD$rD$tf|$p
PQB @@
jeQD$$
UV5d1@
3|$1D$0
T$0QL$ D$
t<L$ D$ (A@
QR3IQPQ
uChlD@
tBT$ D$
SUVWL$$D$(
YHUjh1@
hSVWe3
EPEPEP
0u>"u:Fu
<"u>"u
> vFuj
YY3%0@
{2EFAE6B9-5BBF-44d1-896E-0516FE2A7BD6}
GetSystemDirectoryA
GetSystemWindowsDirectoryA
CreateRemoteThread
GetProcAddress
GetModuleHandleA
WriteProcessMemory
VirtualAllocEx
lstrlenA
CreateProcessA
GetStartupInfoA
ResumeThread
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetCurrentProcess
lstrcatA
lstrcpyA
GetEnvironmentVariableA
GetShortPathNameA
GetModuleFileNameA
GetLastError
SetFileAttributesA
CopyFileA
CloseHandle
WriteFile
CreateFileA
GlobalFree
LockResource
GlobalAlloc
LoadResource
SizeofResource
FindResourceA
KERNEL32.dll
MessageBoxA
USER32.dll
GetFileTitleA
comdlg32.dll
RegCloseKey
RegSetValueExA
RegDeleteValueA
RegOpenKeyA
SetServiceStatus
RegisterServiceCtrlHandlerA
RegCreateKeyA
StartServiceCtrlDispatcherA
RegQueryValueExA
RegOpenKeyExA
CloseServiceHandle
StartServiceA
OpenServiceA
CreateServiceA
OpenSCManagerA
ADVAPI32.dll
CoUninitialize
CoCreateGuid
CoInitialize
ole32.dll
MFC42.DLL
__CxxFrameHandler
_snprintf
fwrite
fclose
malloc
strstr
strncmp
_except_handler3
MSVCRT.dll
__dllonexit
_onexit
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
??0Init@ios_base@std@@QAE@XZ
??1Init@ios_base@std@@QAE@XZ
??0_Winit@std@@QAE@XZ
??1_Winit@std@@QAE@XZ
MSVCP60.dll
StormServer.dll
Storm ddos Server
Welcome to use storm ddos
Thank you
Program Files\Internet Explorer
calc.exe
notepad.exe
iexplore.exe
Kernel32
LoadLibraryA
ServiceDLL
SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
%SystemRoot%\System32\
 > nul
 /c  del 
COMSPEC
{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}
stubpath
SOFTWARE\Microsoft\Active Setup\Installed Components\
Description
SYSTEM\CurrentControlSet\Services\
L!This program cannot be run in DOS mode.
N\;&J\
N\Rich
@.reloc
192.168.1.2
Storm ddos DNS
Welcome to use storm ddos
Thank you
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
STORM:%d|%s|%s|%s|%s
GlobalMemoryStatusEx
kernel32.dll
~%u MHz
HARDWARE\DESCRIPTION\System\CentralProcessor\0
WinVista
Win2K3
%%%c%c%%%c%c
setsockopt Error!
%d.%d.%d.%d
i..c5.Ffp.36U
192.168.1.244
 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
 HTTP/1.1
Content-Type: text/html
Host: 
Accept: text/html, */*
User-Agent:Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.0; MyIE 3.01)
Referer: http://
:80/http://
Connection: Close
Cache-Control: no-cache
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/8.0
>CLICK OPEN PAGE
Connection: Keep-Alive
Cookie:
 expires
 HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Host: 
User-Agent:Mozilla/4.0 (compatible; MSIE 7.00; Windows NT 5.1; MyIE 3.01)
xq1986
Cache-Control: no-cache
Referer: http://www.google.com
iexplore.exe
SeShutdownPrivilege
log off
ServiceDLL
SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
%SystemRoot%\System32\srvsvc.dll
stubpath
Software\Microsoft\Active Setup\Installed Components\
URLDownloadToFileA
wininet.dll
urlmon.dll
gethostbyname
WSOCK32.DLL
Strom attack
PEPEPWh
P|UEUj
WQRPcT
(VW3}j
OuT~Pj
YEARhp
OuuMu)P
EEPfE3h
fEfEEE
fEfEPfu
3f!EEf5
RYfEEYj
_^[USVW}
~%SSSh"
SSShq"
SS_^[]U
3f!Euh
RxYfEEYj
_^[USVW}
~%SSSh"
SSShq"
SS_^[]U
_^USVW}
~%SSSh(
SSShq"
SS_^[]U
_[USVW}
~%SSSh+*
SSShq"
SS_^[]U
_^[USVW}
~%SSSh+
SSShq"
SS_^[]U
_^[USVW}
~%SSSh]-
SSShq"
SS_^[]U VW
PVuEPW
_^USVW}
~%SSSh.
SSShq"
SS_^[]UX
3f[3}SVVh
j(EEEf]
]EP ]fEEj
_^[USVW}
~%SSSh0
SSShq"
SS_^[]UX
3f[3}SVVh
j(EEEf]
 ]fEEj
_^[USVW}
~%SSSh3
SSShq"
SS_^[]U\
3f[3}SVVh
j(EEEf]
_^[USVW}
~%SSSh6
SSShq"
SS_^[]U
IIII\=
_^[USVW}
~%SSShQ:
SSShq"
SS_^[]U
_USVW}
~%SSSh
SSShq"
SS_^[]U
_USVW}
~%SSSh=
SSShq"
SS_^[]U
EP%YYPEh
EP:YYPEh
EPYYPEh
EPwYYPEh
3SSShOK
3PPPhOK
@MPEPG$
EPYYPEVPE
@MPEPJ"
EPYYPEVPE
PEPE$!
EPYYPEh
~%SSSh?
SSShq"
~%SSSh'C
SSShq"
~%SSShA
SSShq"
SS_^[]
~%SSShI
SSShq"
~%SSSh>E
SSShq"
~%SSSh;G
SSShq"
QSUVWt$
3D$(|$,
3PPPhOK
RRRhOK
L$(D$(
RRRhq"
~%SSShQ
SSShq"
jA3Y3]=
9]wV5D
_^[UVWjA
~%VVVh^
VVVhq"
^USVW}
~%SSSh@`
|SSShq"
SS_^[]U
~%SSSha
SSShq"
SS_^[]U
Y3Ij@Y
t<EVP3h
VVEVPVuE
t<EVP3h
VVEVPVuE
t<EVP3h
VVEVPVuE
EPPEPWh
Y}3}fEPh@
Ej#P3j
SVWj@fE3Y3j@fY3f}
3Y}EED
PEPSSj SSSSP
SV@WPh
}u)V;t"
ESM@@PS
33VVVPC
HtKHt9Ht,Ht
u?PPl 
u?PQPB 
tqHtdHt
PPPP)S
ea[S9SYOu
YHYu@D$
YY=u9d
u7WPSt
u&WVSu
MMMMME
MdM\MTMLMDM<M4M,M$M
MMMMMMMMMMM{
MM|MtMlMdM\MTMLMDM<M4M,M$M
MMMMMMMMMMMMM|
MM|MtMlMdM\MTMLMDM<M4M,M$M
MMMMMMMMMM
MMMMM|MtMlMdM\MTMLMDM<M4M,M$M
MMMMMMMMMMMMMM~
MMxMpMhM`MXMPMHM@M8
MFC42.DLL
__CxxFrameHandler
printf
strstr
sprintf
strtok
malloc
MSVCRT.dll
__dllonexit
_onexit
_initterm
_adjust_fdiv
GetProcAddress
LoadLibraryA
lstrcpyA
GetVersionExA
GetSystemDefaultUILanguage
ExitThread
CreateThread
GetTickCount
OutputDebugStringA
GetCurrentProcess
SetFileAttributesA
GetModuleFileNameA
DeleteFileA
CreateProcessA
GetSystemDirectoryA
ExitProcess
GetLastError
CreateMutexA
KERNEL32.dll
wsprintfA
MessageBoxA
ExitWindowsEx
USER32.dll
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
DeleteService
OpenServiceA
OpenSCManagerA
RegSetValueExA
RegDeleteValueA
RegOpenKeyA
RegDeleteKeyA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
WSASocketA
WS2_32.dll
InternetCloseHandle
InternetReadFile
InternetOpenUrlA
InternetOpenA
WININET.dll
DLL.dll
HrCg@b
111w;;;;;
<N<<<<;=E=c=========
>S>>>>>>>F???????
1K111Z2r2
222222222
3L3_3d3m3v3|333333384?4E4K4d4~444444444
5+525B5G5^5n55555555555
636:6B6_6u666666
7@7J7R7[7h7n7t77777777
8(8.848B8H8R8\8c8m8{8888888
969?9E9K9V9h9x9999999999
:G:h:q:x:::::::::
;,;B;W;a;f;n;t;~;;;;;;;;;;;
<<%<A<L<R<[<n<~<<<<<<
=#=-=4=>=F=P=n=u=}========
>>(>;>K>r>>>>>>>>>>>>>
?-?6?=?N?j?p?????????
0 0*0/070=0G0Q0X0b0j0t0000000-13181J1c11112222222
3&383B3H3R3\3c3m3u3
333333
484>4C4U4n44445555555
626D6N6T6^6h6o6y66666666
7D7I7Z7`7y77777&8<8k8r888a9p9v9|9999999
:!:(:2:::D:i:{::::::
;$;0;E;U;|;;;;;;;;;;;;; <(</<7<h<u<z<<<<<<<<<<
=;=Q=f=p=u={===========
>/>:>C>I>O>[>l>|>>>>>>>>>>
?6?S?e?v???????????
0'0F1O1T1m1t1|1111111111
3#3(3V3s3x333333334
5!5(505:5?5m5555555555566
7"7-777<7o7777777777
8/8R9d9i99999999
;2;9;A;K;P;k;t;y;~;;;;a<f<
<<<<<<<<
==-=5=;=F=c=}======
>!>=>C>H>M>R>W>d>???
0;0A0F0K0P0U011111
22$2>2E2M2S2X2]2h22=3J3O3x3333333
4-4B4L4Q4Y4_4i4s4z4444444.5:5@5M5S5z5555555555555
6/6;6K6r66666666666666(7D7s7
777777777
8#8*848<8F8j8888888
9*979H9]9g9l9t9z999999999
:I:X:]:e:k:x:~::::::::::
;";,;Y;d;j;r;|;;;;;;;;
<3<H<T<b<~<<<<<<<<
=)=7=?=F=o=======
>$>9>C>H>P>V>`>j>q>{>>>>>>>
?C?J?c?s???????????
0"0*040A0Y0g0p0u000000000
1#151=1`1j1p1z111111111
292B2H2M2W2b2o2
22222222
3!3+333=33344444444#5(50585D5W5^5n5u555555555
66/666U6^6p66666666
7767A7F7P7e7n7x7777777728]8b8x88888
9$989C9M9X9i9u9999999999
:%:+:;:::::
_1g1m1x1}1111111111111111
2 2&2,22282>2D2J2
3y33333333333333
4/4A44444
5d55E66E77-8I99999
:1:M:a:u::::::::
;$;,;4;<;D;P;l;t;|;;;;;;;;;;;;;;
<$<,<4<<<D<L<X<t<|<<<<<<<<<<<<<<<
=$=,=4=<=D=L=T=\=d=l=t===============
>4><>D>L>T>\>d>l>t>|>>>>>>>>>>>>>>
?$?,?4?<?D?L?T?\?d?l?t?|??????????????
0$000L0T0`0|000000000
1 1<1D1P1l1x11111
VS_VERSION_INFO
StringFileInfo
080404b0
Comments
CompanyName
FileDescription
Storm DDOS Server
FileVersion
InternalName
Storm Ser DLL
LegalCopyright
 (C) 2009
LegalTrademarks
OriginalFilename
Storm Ser DLL
PrivateBuild
ProductName
Storm Ser DLL
ProductVersion
SpecialBuild
VarFileInfo
Translation

Hosts

IP
114.114.114.114
8.8.8.8

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255 A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	53179	224.0.0.252	5355
192.168.56.101	49642	224.0.0.252	5355
192.168.56.101	137	192.168.56.255	137
192.168.56.101	61714	114.114.114.114	53
192.168.56.101	61714	8.8.8.8	53
192.168.56.101	56933	8.8.8.8	53
192.168.56.101	138	192.168.56.255	138
192.168.56.101	58485	114.114.114.114	53
192.168.56.101	58485	8.8.8.8	53
192.168.56.101	57665	114.114.114.114	53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.

ALYac	Trojan.Rincux.AW
APEX	Malicious
AVG	Win32:StormDDOS-B [Trj]
Acronis	suspicious
Ad-Aware	Trojan.Rincux.AW
AhnLab-V3	Trojan/Win32.StormAttack.R266571
Alibaba	DDoS:Win32/StormAttack.3867db48
Antiy-AVL	Trojan[Rootkit]/Win32.TDSS
Arcabit	Trojan.Rincux.AW
Avast	Win32:StormDDOS-B [Trj]
Avira	TR/Agent.gnje
BitDefender	Trojan.Rincux.AW
BitDefenderTheta	AI:Packer.427BA3361F
Bkav	W32.FamVT.AxVDb.Trojan
CAT-QuickHeal	Trojan.Injector.26488
ClamAV	Win.Trojan.Rincux-6417593-0
Comodo	TrojWare.Win32.Magania.~AAC@f80ur
CrowdStrike	win/malicious_confidence_100% (W)
Cybereason	malicious.d6772e
Cylance	Unsafe
Cynet	Malicious (score: 100)
Cyren	W32/StormAttack.A.gen!Eldorado
DrWeb	DDoS.Storm.156
ESET-NOD32	a variant of Win32/TrojanDropper.Agent.PIH
Elastic	malicious (high confidence)
F-Secure	Trojan.TR/Agent.gnje
FireEye	Generic.mg.594906cd6772e883
Fortinet	W32/ServStart.AS!tr
GData	Trojan.Rincux.AW
Ikarus	Trojan-Downloader.Win32.Pangu
Invincea	heuristic
Jiangmin	TrojanDDoS.StormAttack.a
K7AntiVirus	Riskware ( 0040eff71 )
K7GW	Riskware ( 0040eff71 )
Kaspersky	Trojan-DDoS.Win32.StormAttack.b
MAX	malware (ai score=81)
Malwarebytes	DDoSTool.Agent
MaxSecure	Trojan.DDoS.StormAttack.a
McAfee	GenericR-KGL!594906CD6772
MicroWorld-eScan	Trojan.Rincux.AW
Microsoft	DDoS:Win32/Stormser.A
NANO-Antivirus	Trojan.Win32.StormAttack.fnqayj
Paloalto	generic.ml
Panda	Trj/Genetic.gen
Qihoo-360	Win32/Backdoor.Storm.A
Rising	Dropper.Agent!1.C6A3 (CLASSIC)
SUPERAntiSpyware	Trojan.Agent/Gen-StormDOS
Sangfor	Malware
SentinelOne	DFI - Malicious PE
Sophos	Troj/Agent-AYJG

host	114.114.114.114
host	8.8.8.8