SmartHawk

3.6

中危

52 个模型检测该样本为恶意！

重新分析

下载样本

dfc8f0a7456a2b40908d901c2468d372bd859abda04e50ef4cf45ec84668cdcb

6998ca30e81c5ae0fda8e67ced0e2cbd.exe

分析耗时

47s

最近分析

文件大小

686.5KB

静态报毒动态报毒 A VARIANT OF GENERIK AI SCORE=80 AIDETECTVM ARTEMIS ATTRIBUTE CONFIDENCE GDSDA GENERIC@ML GENERIK HIGH CONFIDENCE HIGHCONFIDENCE HRYZUH KCLOUD LYREJPJ MALWARE1 MALWARE@#2RST0E0K48F3P NETWIRED NETWIREDRC NIJXNP8FTRIYPUQRKXMHYW QY0@AOB7R RAZY RDML SCORE SUSGEN THJOHBO TRICKBOT UJRYH UNSAFE WQNG ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!6998CA30E81C	20201228	6.0.6.653
Alibaba	Backdoor:Win32/NetWiredRC.f0fc3bcb	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:Malware-gen	20201228	21.1.5827.0
Tencent	Win32.Backdoor.Netwiredrc.Wqng	20201228	1.0.0.1
Kingsoft	Win32.Hack.NetWiredRC.l.(kcloud)	20201228	2017.9.26.565

Allocates read-write-execute memory (usually to unpack itself) (5 个事件)

Time & API	Arguments	Status	Return
1619626450.00475 NtAllocateVirtualMemory	process_identifier: 2868 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00020000	success	0
1619626450.00475 NtAllocateVirtualMemory	process_identifier: 2868 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004d0000	success	0
1619626462.77075 NtAllocateVirtualMemory	process_identifier: 2868 region_size: 208896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00400000	failed	3221225505
1619626462.77075 NtAllocateVirtualMemory	process_identifier: 2868 region_size: 212992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00500000	success	0
1619626462.83275 NtProtectVirtualMemory	process_identifier: 2868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Razy.729696
FireEye	Generic.mg.6998ca30e81c5ae0
Qihoo-360	Win32/Backdoor.bee
McAfee	Artemis!6998CA30E81C
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Backdoor:Win32/NetWiredRC.f0fc3bcb
K7GW	Riskware ( 0040eff71 )
CrowdStrike	win/malicious_confidence_90% (W)
Arcabit	Trojan.Razy.DB2260
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	Backdoor.Win32.NetWiredRC.lem
BitDefender	Gen:Variant.Razy.729696
NANO-Antivirus	Trojan.Win32.NetWiredRC.hryzuh
Paloalto	generic.ml
Tencent	Win32.Backdoor.Netwiredrc.Wqng
Ad-Aware	Gen:Variant.Razy.729696
Emsisoft	Gen:Variant.Razy.729696 (B)
Comodo	Malware@#2rst0e0k48f3p
F-Secure	Trojan.TR/AD.NetWiredRc.ujryh
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Backdoor.Win32.NETWIRED.THJOHBO
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
Ikarus	Trojan.NetWiredRC
Avira	TR/AD.NetWiredRc.ujryh
Antiy-AVL	Trojan/Win32.Generic
Kingsoft	Win32.Hack.NetWiredRC.l.(kcloud)
Gridinsoft	Malware.Win32.NetWiredRC.oa
Microsoft	Trojan:Win32/Trickbot.GN
AegisLab	Trojan.Win32.Generic.4!c
ZoneAlarm	Backdoor.Win32.NetWiredRC.lem
GData	Gen:Variant.Razy.729696
Cynet	Malicious (score: 100)
BitDefenderTheta	Gen:NN.ZexaF.34700.Qy0@aOB7R!ii
ALYac	Gen:Variant.Razy.729696
MAX	malware (ai score=80)
VBA32	Backdoor.NetWiredRC
ESET-NOD32	a variant of Generik.LYREJPJ
TrendMicro-HouseCall	Backdoor.Win32.NETWIRED.THJOHBO
Rising	Trojan.Generic@ML.80 (RDML:nIjxnp8FtrIypuqrkXmhYw)
eGambit	Unsafe.AI_Score_98%
Fortinet	W32/Generik.LYREJPJ!tr
AVG	Win32:Malware-gen
Cybereason	malicious.0e81c5

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	216.58.200.238:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2017-05-03 05:22:55

Imports

Library GLU32.dll:

• 0x46201c gluBeginTrim

• 0x462020 gluBeginSurface

• 0x462024 gluNurbsCurve

• 0x462028 gluNurbsProperty

• 0x46202c gluDeleteNurbsRenderer

• 0x462030 gluTessEndPolygon

• 0x462034 gluQuadricNormals

• 0x462038 gluBuild2DMipmaps

• 0x46203c gluOrtho2D

• 0x462040 gluPwlCurve

• 0x462044 gluGetString

Library KERNEL32.dll:

• 0x46204c GlobalSize

• 0x462050 GetNumberFormatA

• 0x462054 GetModuleHandleA

• 0x462058 WaitForMultipleObjects

• 0x46205c GetUserDefaultLangID

• 0x462060 VirtualProtect

• 0x462064 HeapCreate

• 0x462068 IsBadWritePtr

• 0x46206c HeapAlloc

• 0x462070 HeapFree

• 0x462074 GetProcessHeap

• 0x462078 LocalFree

• 0x46207c FreeConsole

• 0x462080 SetEndOfFile

• 0x462084 WriteConsoleW

• 0x462088 HeapReAlloc

• 0x46208c HeapSize

• 0x462090 GetCurrentDirectoryW

• 0x462094 GetFileSizeEx

• 0x462098 CloseHandle

• 0x46209c CreateFileW

• 0x4620a0 GetStringTypeW

• 0x4620a4 SetStdHandle

• 0x4620a8 SetEnvironmentVariableW

• 0x4620ac FreeEnvironmentStringsW

• 0x4620b0 GetEnvironmentStringsW

• 0x4620b4 GetCPInfo

• 0x4620b8 GetOEMCP

• 0x4620bc GetACP

• 0x4620c0 IsValidCodePage

• 0x4620c4 FindNextFileW

• 0x4620c8 FindFirstFileExW

• 0x4620cc FindClose

• 0x4620d0 DeleteCriticalSection

• 0x4620d4 LocalFlags

• 0x4620d8 HeapUnlock

• 0x4620dc GlobalReAlloc

• 0x4620e0 VirtualQueryEx

• 0x4620e4 GetProcAddress

• 0x4620e8 VirtualAlloc

• 0x4620ec QueryPerformanceCounter

• 0x4620f0 GetCurrentProcessId

• 0x4620f4 GetCurrentThreadId

• 0x4620f8 GetSystemTimeAsFileTime

• 0x4620fc InitializeSListHead

• 0x462100 IsDebuggerPresent

• 0x462104 UnhandledExceptionFilter

• 0x462108 SetUnhandledExceptionFilter

• 0x46210c GetStartupInfoW

• 0x462110 IsProcessorFeaturePresent

• 0x462114 GetModuleHandleW

• 0x462118 GetCurrentProcess

• 0x46211c TerminateProcess

• 0x462120 RtlUnwind

• 0x462124 GetLastError

• 0x462128 SetLastError

• 0x46212c EnterCriticalSection

• 0x462130 LeaveCriticalSection

• 0x462134 InitializeCriticalSectionAndSpinCount

• 0x462138 TlsAlloc

• 0x46213c TlsGetValue

• 0x462140 TlsSetValue

• 0x462144 TlsFree

• 0x462148 FreeLibrary

• 0x46214c LoadLibraryExW

• 0x462150 RaiseException

• 0x462154 ReadFile

• 0x462158 GetFullPathNameW

• 0x46215c GetStdHandle

• 0x462160 WriteFile

• 0x462164 GetModuleFileNameW

• 0x462168 ExitProcess

• 0x46216c GetModuleHandleExW

• 0x462170 GetCommandLineA

• 0x462174 GetCommandLineW

• 0x462178 FlushFileBuffers

• 0x46217c GetConsoleCP

• 0x462180 GetConsoleMode

• 0x462184 GetFileType

• 0x462188 SetFilePointerEx

• 0x46218c ReadConsoleW

• 0x462190 GetDriveTypeW

• 0x462194 MultiByteToWideChar

• 0x462198 WideCharToMultiByte

• 0x46219c CompareStringW

• 0x4621a0 LCMapStringW

• 0x4621a4 DecodePointer

Library NETAPI32.dll:

• 0x4621ac NetGetJoinInformation

• 0x4621b0 NetGetJoinableOUs

• 0x4621b4 NetAuditWrite

• 0x4621b8 NetAuditRead

• 0x4621bc NetAuditClear

• 0x4621c0 NetConfigSet

• 0x4621c4 NetConfigGetAll

• 0x4621c8 NetConfigGet

• 0x4621cc NetErrorLogWrite

• 0x4621d0 Netbios

• 0x4621d4 NetErrorLogClear

• 0x4621d8 NetFileGetInfo

• 0x4621dc NetFileEnum

• 0x4621e0 NetFileClose

• 0x4621e4 NetConnectionEnum

• 0x4621e8 NetGetAnyDCName

• 0x4621ec NetGetDCName

• 0x4621f0 NetGroupAddUser

• 0x4621f4 NetGroupAdd

• 0x4621f8 NetErrorLogRead

Library CRYPT32.dll:

• 0x462000 CryptStringToBinaryA

Library CRYPTUI.dll:

• 0x462008 CryptUIWizDigitalSign

• 0x46200c CryptUIWizExport

• 0x462010 CryptUIWizImport

• 0x462014 CryptUIDlgViewContext

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
teredo.ipv6.microsoft.com		127.0.0.1
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
clients2.google.com	CNAME clients.l.google.com A 216.58.200.238	172.217.160.78

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	49238	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.