SmartHawk

3.4

中危

44 个模型检测该样本为恶意！

重新分析

下载样本

8bb5235e01056ce0d340a3042095fd29cb416e8f6a8843e3db9d547177fa1313

5fa617ebb00ea5ddb642f6a7f49e76c1.exe

分析耗时

74s

最近分析

文件大小

2.7MB

静态报毒动态报毒 100% AAPK AIDETECT ATRAPS ATTRIBUTE CONFIDENCE DOWNLOADER34 DROPPERX EMZT GENCIRC GENERICRXMU HGIASOCA HIGH CONFIDENCE HIGHCONFIDENCE HSNXQB JOHNNIE KCLOUD MALICIOUS PE MALWARE1 MALWARE@#1GA0FN1Q8ROJR NETWIRE QNNIHXNLJ6U RNKBEND SAVE SCORE SO3@AEX6AIPO SOLMYR STATIC AI UNSAFE YDCUN YMACCO ZEVBAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
CrowdStrike	win/malicious_confidence_100% (W)	20210203	1.0
Baidu		20190318	1.0.0.2
Avast		20210226	21.1.5827.0
Alibaba	TrojanSpy:Win32/Solmyr.9d4d1b12	20190527	0.3.0.5
Kingsoft	Win32.Troj.Solmyr.bg.(kcloud)	20210226	2017.9.26.565
McAfee	GenericRXMU-PN!5FA617EBB00E	20210226	6.0.6.653
Tencent	Malware.Win32.Gencirc.11b15de6	20210226	1.0.0.1

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

CUSTOM

One or more processes crashed (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619513306.649307 __exception__	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 registers.esp: 1636480 registers.edi: 5535384 registers.eax: 1636480 registers.ebp: 1636560 registers.edx: 0 registers.ebx: 5535384 registers.esi: 5535384 registers.ecx: 2 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x778eb727	success	0	0
1619513306.665307 __exception__	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 registers.esp: 1636796 registers.edi: 1636984 registers.eax: 1636796 registers.ebp: 1636876 registers.edx: 0 registers.ebx: 5535384 registers.esi: 1636984 registers.ecx: 2 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x778eb727	success	0	0

Foreign language identified in PE resource (3 个事件)

name

RT_STRING

language

LANG_LITHUANIAN

offset

0x000bfc20

filetype

data

sublanguage

SUBLANG_LITHUANIAN_CLASSIC

size

0x00000034

name

RT_STRING

language

LANG_LITHUANIAN

offset

0x000bfc20

filetype

data

sublanguage

SUBLANG_LITHUANIAN_CLASSIC

size

0x00000034

name

RT_STRING

language

LANG_LITHUANIAN

offset

0x000bfc20

filetype

data

sublanguage

SUBLANG_LITHUANIAN_CLASSIC

size

0x00000034

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619513305.759307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) process_handle: 0xffffffff base_address: 0x01e20000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.0490894414727165

section

{'size_of_data': '0x00046000', 'virtual_address': '0x00001000', 'entropy': 7.0490894414727165, 'name': '.text', 'virtual_size': '0x0004543c'}

description

A section with a high entropy has been found

entropy

0.3723404255319149

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 个事件)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Johnnie.269299
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0056cbd31 )
K7GW	Trojan ( 0056cbd31 )
CrowdStrike	win/malicious_confidence_100% (W)
BitDefenderTheta	Gen:NN.ZevbaF.34590.So3@aeX6aipO
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Injector.EMZT
APEX	Malicious
Kaspersky	Trojan-Spy.Win32.Solmyr.bg
Alibaba	TrojanSpy:Win32/Solmyr.9d4d1b12
NANO-Antivirus	Trojan.Win32.Solmyr.hsnxqb
Ad-Aware	Gen:Variant.Johnnie.269299
Emsisoft	Gen:Variant.Johnnie.269299 (B)
Comodo	Malware@#1ga0fn1q8rojr
DrWeb	Trojan.DownLoader34.26251
Zillya	Trojan.Injector.Win32.763915
McAfee-GW-Edition	BehavesLike.Win32.Generic.vc
Sophos	Mal/Generic-S
Ikarus	Trojan.Dropper
Jiangmin	TrojanSpy.Solmyr.d
Avira	TR/ATRAPS.ydcun
Antiy-AVL	Trojan/Win32.NetWire
Kingsoft	Win32.Troj.Solmyr.bg.(kcloud)
Microsoft	Trojan:Win32/Ymacco.AA81
Gridinsoft	Trojan.Win32.Agent.oa
Arcabit	Trojan.Johnnie.D41BF3
AhnLab-V3	Trojan/Win32.Agent.C3309501
Cynet	Malicious (score: 100)
McAfee	GenericRXMU-PN!5FA617EBB00E
Malwarebytes	Trojan.VBCrypt
Panda	Trj/RnkBend.A
Tencent	Malware.Win32.Gencirc.11b15de6
Yandex	Trojan.Injector!QNNIHxNlJ6U
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Injector.AAPK!tr
AVG	Win32:DropperX-gen [Drp]
Cybereason	malicious.bb00ea
Paloalto	generic.ml
Qihoo-360	Win32/TrojanDropper.Generic.HgIASOcA

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-18 14:50:07

Imports

Library MSVBVM60.DLL:

• 0x401000

• 0x401004 __vbaStrI2

• 0x401008

• 0x40100c _CIcos

• 0x401010 _adj_fptan

• 0x401014 __vbaStrI4

• 0x401018

• 0x40101c __vbaAryMove

• 0x401020 __vbaFreeVar

• 0x401024 __vbaStrVarMove

• 0x401028 __vbaLineInputStr

• 0x40102c __vbaLenBstr

• 0x401030 __vbaPut3

• 0x401034 __vbaFreeVarList

• 0x401038 __vbaEnd

• 0x40103c _adj_fdiv_m64

• 0x401040 __vbaRaiseEvent

• 0x401044 __vbaFreeObjList

• 0x401048

• 0x40104c __vbaR8Sgn

• 0x401050

• 0x401054 _adj_fprem1

• 0x401058

• 0x40105c __vbaCopyBytes

• 0x401060 __vbaStrCat

• 0x401064 __vbaSetSystemError

• 0x401068 __vbaHresultCheckObj

• 0x40106c __vbaVargVarCopy

• 0x401070 _adj_fdiv_m32

• 0x401074 __vbaAryVar

• 0x401078

• 0x40107c

• 0x401080 __vbaAryDestruct

• 0x401084 __vbaExitProc

• 0x401088

• 0x40108c

• 0x401090

• 0x401094 __vbaI4Abs

• 0x401098

• 0x40109c __vbaOnError

• 0x4010a0

• 0x4010a4 __vbaObjSet

• 0x4010a8 _adj_fdiv_m16i

• 0x4010ac __vbaObjSetAddref

• 0x4010b0 _adj_fdivr_m16i

• 0x4010b4

• 0x4010b8 __vbaBoolVar

• 0x4010bc

• 0x4010c0 __vbaFPFix

• 0x4010c4 __vbaBoolVarNull

• 0x4010c8 __vbaVargVar

• 0x4010cc _CIsin

• 0x4010d0

• 0x4010d4 __vbaErase

• 0x4010d8

• 0x4010dc

• 0x4010e0 __vbaVargVarMove

• 0x4010e4 __vbaChkstk

• 0x4010e8 __vbaFileClose

• 0x4010ec

• 0x4010f0 EVENT_SINK_AddRef

• 0x4010f4

• 0x4010f8

• 0x4010fc __vbaGenerateBoundsError

• 0x401100 __vbaGet3

• 0x401104 __vbaStrCmp

• 0x401108 __vbaAryConstruct2

• 0x40110c __vbaObjVar

• 0x401110 __vbaVarLikeVar

• 0x401114

• 0x401118 __vbaI2I4

• 0x40111c DllFunctionCall

• 0x401120

• 0x401124 __vbaLbound

• 0x401128 _adj_fpatan

• 0x40112c __vbaLateIdCallLd

• 0x401130 __vbaRedim

• 0x401134 EVENT_SINK_Release

• 0x401138 __vbaNew

• 0x40113c __vbaUI1I2

• 0x401140 _CIsqrt

• 0x401144 __vbaObjIs

• 0x401148 EVENT_SINK_QueryInterface

• 0x40114c __vbaExceptHandler

• 0x401150

• 0x401154 __vbaStrToUnicode

• 0x401158 _adj_fprem

• 0x40115c _adj_fdivr_m64

• 0x401160

• 0x401164 __vbaI2Str

• 0x401168

• 0x40116c

• 0x401170 __vbaFPException

• 0x401174

• 0x401178 __vbaStrVarVal

• 0x40117c __vbaUbound

• 0x401180 __vbaVarCat

• 0x401184

• 0x401188

• 0x40118c

• 0x401190

• 0x401194 _CIlog

• 0x401198 __vbaErrorOverflow

• 0x40119c __vbaFileOpen

• 0x4011a0 __vbaR8Str

• 0x4011a4 __vbaVar2Vec

• 0x4011a8

• 0x4011ac __vbaInStr

• 0x4011b0 __vbaNew2

• 0x4011b4

• 0x4011b8 _adj_fdiv_m32i

• 0x4011bc _adj_fdivr_m32i

• 0x4011c0 __vbaStrCopy

• 0x4011c4 __vbaI4Str

• 0x4011c8

• 0x4011cc __vbaVarNot

• 0x4011d0 __vbaFreeStrList

• 0x4011d4

• 0x4011d8 _adj_fdivr_m32

• 0x4011dc __vbaR8Var

• 0x4011e0 __vbaPowerR8

• 0x4011e4 _adj_fdiv_r

• 0x4011e8

• 0x4011ec

• 0x4011f0 __vbaVarSetVar

• 0x4011f4 __vbaI4Var

• 0x4011f8 __vbaLateMemCall

• 0x4011fc __vbaAryLock

• 0x401200 __vbaVarDup

• 0x401204 __vbaStrToAnsi

• 0x401208

• 0x40120c __vbaVarCopy

• 0x401210 __vbaVarLateMemCallLd

• 0x401214

• 0x401218 __vbaFpI4

• 0x40121c __vbaLateMemCallLd

• 0x401220 _CIatan

• 0x401224 __vbaAryCopy

• 0x401228 __vbaI2ErrVar

• 0x40122c __vbaStrMove

• 0x401230

• 0x401234 __vbaCastObj

• 0x401238 __vbaR8IntI4

• 0x40123c __vbaStrVarCopy

• 0x401240 _allmul

• 0x401244 __vbaLateIdSt

• 0x401248 _CItan

• 0x40124c __vbaAryUnlock

• 0x401250 _CIexp

• 0x401254 __vbaFreeStr

• 0x401258 __vbaFreeObj

• 0x40125c

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.