SmartHawk

6.4

高危

8 个模型检测该样本为恶意！

重新分析

下载样本

d369aee1a5f2ad372781b48e02251f9cef1e58e5ad73cb3d3e5b1bb83cf200ab

66954def9ced63d6a0d7ac68e7bd105c.exe

分析耗时

81s

最近分析

文件大小

1.3MB

静态报毒动态报毒 AIDETECTVM AUTOIT CONFIDENCE DAPATO DYREZA GENERIC ML PUA HUPIGON MALWARE2 SCORE UNSAFE UPATRE 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee		20201012	6.0.6.653
Avast		20201013	18.4.3895.0
Alibaba		20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Kingsoft		20201013	2013.8.14.323
CrowdStrike	win/malicious_confidence_60% (W)	20190702	1.0

Checks if process is being debugged by a debugger (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620946606.763486 IsDebuggerPresent		failed	0	0
1620946606.778486 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620946607.122486 GlobalMemoryStatusEx		success	1	0

The executable uses a known packer (1 个事件)

packer

KGB SFX

Creates an autorun.inf file (1 个事件)

file	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf

File has been identified by 8 AntiVirus engines on VirusTotal as malicious (8 个事件)

Bkav	W32.AIDetectVM.malware2
Cybereason	malicious.793a2e
APEX	Malicious
Invincea	Generic ML PUA (PUA)
Cynet	Malicious (score: 100)
VBA32	Trojan.Autoit.F
eGambit	Unsafe.AI_Score_88%
CrowdStrike	win/malicious_confidence_60% (W)

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.926604853186757

section

{'size_of_data': '0x0003f400', 'virtual_address': '0x0006a000', 'entropy': 7.926604853186757, 'name': 'UPX1', 'virtual_size': '0x00040000'}

description

A section with a high entropy has been found

entropy

0.9787234042553191

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 个事件)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Checks for the presence of known devices from debuggers and forensic tools (3 个事件)

file	C:\Windows\System32\zh-CN\Licenses\OEM\HomeBasicE
file	C:\Windows\System32\zh-CN\Licenses\eval\HomeBasicE
file	C:\Windows\System32\zh-CN\Licenses\_Default\HomeBasicE

Creates known Dapato Trojan files, registry keys and/or mutexes (1 个事件)

file	C:\Windows\debug\PASSWD.LOG

Creates known Dyreza Banking Trojan files, registry keys and/or mutexes (1 个事件)

file	C:\Windows\System32\mfcsubs.dll

Creates known Hupigon files, registry keys and/or mutexes (1 个事件)

file	C:\Windows\bootstat.dat

Creates known Upatre files, registry keys and/or mutexes (1 个事件)

file	C:\Windows\System32\qcap.dll

Detects VirtualBox through the presence of a file (5 个事件)

file	C:\Windows\System32\VBoxMRXNP.dll
file	C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_980b85158a5cdcbf\VBoxControl.exe
file	C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_980b85158a5cdcbf\VBoxTray.exe
file	C:\Windows\Prefetch\VBOXDRVINST.EXE-7DCD6070.pf
file	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\VBoxMouse.cat

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2008-12-24 17:00:07

Imports

Library KERNEL32.DLL:

• 0x4ab330 LoadLibraryA

• 0x4ab334 GetProcAddress

• 0x4ab338 VirtualProtect

• 0x4ab33c VirtualAlloc

• 0x4ab340 VirtualFree

• 0x4ab344 ExitProcess

Library ADVAPI32.dll:

• 0x4ab34c AddAce

Library COMCTL32.dll:

• 0x4ab354 ImageList_Remove

Library COMDLG32.dll:

• 0x4ab35c GetSaveFileNameW

Library GDI32.dll:

• 0x4ab364 BitBlt

Library MPR.dll:

• 0x4ab36c WNetGetConnectionW

Library ole32.dll:

• 0x4ab374 CoInitialize

Library OLEAUT32.dll:

• 0x4ab37c VariantTimeToSystemTime

Library PSAPI.DLL:

• 0x4ab384 EnumProcesses

Library SHELL32.dll:

• 0x4ab38c DragFinish

Library USER32.dll:

• 0x4ab394 GetDC

Library USERENV.dll:

• 0x4ab39c LoadUserProfileW

Library VERSION.dll:

• 0x4ab3a4 VerQueryValueW

Library WININET.dll:

• 0x4ab3ac FtpOpenFileW

Library WINMM.dll:

• 0x4ab3b4 timeGetTime

Library WSOCK32.dll:

• 0x4ab3bc recv

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51379	239.255.255.250	3702
192.168.56.101	55369	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	63432	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.