SmartHawk

4.8

中危

49 个模型检测该样本为恶意！

重新分析

下载样本

15b48c99f182348d0da0842b696ef5f886c53f48a99169629d791b3462c194ac

5d992580c7dcf360b05d0aca7551bd4b.exe

分析耗时

84s

最近分析

文件大小

898.5KB

静态报毒动态报毒 100% 4YW@AM4UCFEI AI SCORE=83 AIDETECTVM ATTRIBUTE CHAPAK CHAPAKGEN CONFIDENCE CRYPTO DOWNLOADER27 ELDORADO FUERYPMF FV@85TS6V GEN2 GENETIC GOGZ GRAYWARE GSME HIGH CONFIDENCE HIGHCONFIDENCE ISTARTSURF ISTARTSURFINSTALLER KRYPTIK MALICIOUS PE MALWARE1 N6JZMUFOKYL PREPSCRAM QVM19 R266804 S6006407 SCORE SOFTWAREBUNDLER STARTSURF UNSAFE XPACK ZEXAF ZUSY 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	IStartSurf	20200902	6.0.6.653
Alibaba		20190527	0.3.0.5
Avast	Win32:Adware-gen [Adw]	20200902	18.4.3895.0
Baidu		20190318	1.0.0.2
Kingsoft		20200902	2013.8.14.323
Tencent		20200902	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (D)	20190702	1.0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 个事件)

section	.ata
section	.lll

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620948615.11 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 806912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01ed0000	success	0	0
1620948615.11 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 827392 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01fa0000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.3175035261011665

section

{'size_of_data': '0x0009ea00', 'virtual_address': '0x00001000', 'entropy': 7.3175035261011665, 'name': '.text', 'virtual_size': '0x0009e882'}

description

A section with a high entropy has been found

entropy

0.7069637883008356

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

52.84.227.149:80

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
DrWeb	Trojan.DownLoader27.60149
MicroWorld-eScan	Gen:Variant.Zusy.306920
FireEye	Generic.mg.5d992580c7dcf360
CAT-QuickHeal	Trojan.FueryPMF.S6006407
McAfee	IStartSurf
SUPERAntiSpyware	Trojan.Agent/Gen-Crypt
Sangfor	Malware
K7AntiVirus	Trojan ( 0054ea9e1 )
K7GW	Trojan ( 0054cb6b1 )
Cybereason	malicious.0c7dcf
Arcabit	Trojan.Zusy.D4AEE8
Invincea	heuristic
BitDefenderTheta	Gen:NN.ZexaF.34196.4yW@am4uCfei
Cyren	W32/S-e4e51dd9!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Adware-gen [Adw]
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Gen:Variant.Zusy.306920
Rising	Trojan.Crypto!8.364 (TFE:1:N6jZMUFOkyL)
Ad-Aware	Gen:Variant.Zusy.306920
Comodo	Application.Win32.Prepscram.FV@85ts6v
Zillya	Trojan.ChapakGen.Win32.4
Sophos	IStartSurfInstaller (PUA)
SentinelOne	DFI - Malicious PE
Jiangmin	Trojan.Chapak.cvq
Avira	TR/Crypt.XPACK.Gen2
MAX	malware (ai score=83)
Antiy-AVL	GrayWare[AdWare]/Win32.StartSurf
Microsoft	SoftwareBundler:Win32/Prepscram
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Zusy.306920
Cynet	Malicious (score: 100)
AhnLab-V3	PUP/Win32.StartSurf.R266804
Acronis	suspicious
ALYac	Gen:Variant.Zusy.306920
VBA32	Trojan.Chapak
Malwarebytes	Adware.IStartSurf
ESET-NOD32	a variant of Win32/Kryptik.GSME
Ikarus	Trojan.Crypt
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/Kryptik.GOGZ!tr
Webroot	W32.Adware.Gen
AVG	Win32:Adware-gen [Adw]
Panda	Trj/Genetic.gen
CrowdStrike	win/malicious_confidence_100% (D)
Qihoo-360	HEUR/QVM19.1.A6BB.Malware.Gen

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-04-24 19:26:29

Imports

Library KERNEL32.dll:

• 0x4a2010 SetFilePointerEx

• 0x4a2014 CreateFileW

• 0x4a2018 CloseHandle

• 0x4a201c WriteConsoleW

• 0x4a2020 GetModuleHandleW

• 0x4a2024 GetConsoleMode

• 0x4a2028 GetConsoleCP

• 0x4a202c FlushFileBuffers

• 0x4a2030 UnhandledExceptionFilter

• 0x4a2034 SetUnhandledExceptionFilter

• 0x4a2038 GetCurrentProcess

• 0x4a203c TerminateProcess

• 0x4a2040 IsProcessorFeaturePresent

• 0x4a2044 QueryPerformanceCounter

• 0x4a2048 GetCurrentProcessId

• 0x4a204c GetCurrentThreadId

• 0x4a2050 GetSystemTimeAsFileTime

• 0x4a2054 InitializeSListHead

• 0x4a2058 IsDebuggerPresent

• 0x4a205c GetStartupInfoW

• 0x4a2060 RtlUnwind

• 0x4a2064 GetLastError

• 0x4a2068 SetLastError

• 0x4a206c EncodePointer

• 0x4a2070 EnterCriticalSection

• 0x4a2074 LeaveCriticalSection

• 0x4a2078 DeleteCriticalSection

• 0x4a207c InitializeCriticalSectionAndSpinCount

• 0x4a2080 TlsAlloc

• 0x4a2084 TlsGetValue

• 0x4a2088 TlsSetValue

• 0x4a208c TlsFree

• 0x4a2090 FreeLibrary

• 0x4a2094 GetProcAddress

• 0x4a2098 LoadLibraryExW

• 0x4a209c RaiseException

• 0x4a20a0 GetStdHandle

• 0x4a20a4 WriteFile

• 0x4a20a8 GetModuleFileNameW

• 0x4a20ac ExitProcess

• 0x4a20b0 GetModuleHandleExW

• 0x4a20b4 HeapAlloc

• 0x4a20b8 HeapFree

• 0x4a20bc FindClose

• 0x4a20c0 FindFirstFileExW

• 0x4a20c4 FindNextFileW

• 0x4a20c8 IsValidCodePage

• 0x4a20cc GetACP

• 0x4a20d0 GetOEMCP

• 0x4a20d4 GetCPInfo

• 0x4a20d8 GetCommandLineA

• 0x4a20dc GetCommandLineW

• 0x4a20e0 MultiByteToWideChar

• 0x4a20e4 WideCharToMultiByte

• 0x4a20e8 GetEnvironmentStringsW

• 0x4a20ec FreeEnvironmentStringsW

• 0x4a20f0 SetStdHandle

• 0x4a20f4 GetFileType

• 0x4a20f8 GetStringTypeW

• 0x4a20fc LCMapStringW

• 0x4a2100 GetProcessHeap

• 0x4a2104 HeapSize

• 0x4a2108 HeapReAlloc

• 0x4a210c DecodePointer

Library USER32.dll:

• 0x4a2120 GetRegisteredRawInputDevices

• 0x4a2124 GetUpdatedClipboardFormats

Library GDI32.dll:

• 0x4a2000 CreateSolidBrush

• 0x4a2004 CreateMetaFileW

• 0x4a2008 CreateHalftonePalette

Library SHELL32.dll:

• 0x4a2114

• 0x4a2118

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
d1hq9wbcfo7dcl.cloudfront.net	A 52.84.227.90 A 52.84.227.120 A 52.84.227.122 A 52.84.227.149	52.84.227.90
my.sodadirt.info
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	53380	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.