SmartHawk

6.6

高危

50 个模型检测该样本为恶意！

重新分析

下载样本

c29bf5ebc03df180ab4f64969e84574bfe14e85d4c847a7ca3a06c0369ec2607

708870a6ca376d2c2730b1f424d34103.exe

分析耗时

22s

最近分析

文件大小

833.5KB

静态报毒动态报毒 AFRK AI SCORE=84 AIDETECTVM ATTRIBUTE BADJOKE CLASSIC COBALTSTRIKE CONFIDENCE DOWNLOADER34 GDCMY GDSDA HACKTOOL HIGHCONFIDENCE HTJKRH IXKW MALWARE2 R03BC0DHN20 ROZENA SCORE SWRORT TROJANX UNCLASSIFIEDMALWARE@0 UNSAFE ZIOQH 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
CrowdStrike	win/malicious_confidence_80% (W)	20190702	1.0
Alibaba	Trojan:Win32/Swrort.eba71387	20190527	0.3.0.5
Avast	Win32:TrojanX-gen [Trj]	20200912	18.4.3895.0
Baidu		20190318	1.0.0.2
Kingsoft		20200912	2013.8.14.323
McAfee	RDN/Generic.grp	20200912	6.0.6.653
Tencent	Win32.Trojan.Generic.Afrk	20200912	1.0.0.1

This executable has a PDB path (1 个事件)

pdb_path

C:\Users\13774\source\repos\ConsoleApplication1\Debug\bp360.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)

section	.textbss
section	.msvcjmc
section	.00cfg

The executable uses a known packer (1 个事件)

packer

Microsoft Visual C++ V8.0 (Debug)

Terminates another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619615408.358501 NtTerminateProcess	status_code: 0x00000000 process_identifier: 2104 process_handle: 0x0000003c	failed	0	0
1619615408.358501 NtTerminateProcess	status_code: 0x00000000 process_identifier: 2104 process_handle: 0x0000003c	success	0	0

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	212.64.87.3

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619615403.280501 NtAllocateVirtualMemory	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000003c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x000b0000	success	0	0

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2852 created a remote thread in non-child process 2104
1619615403.295501 CreateRemoteThread	thread_identifier: 0 process_identifier: 2104 function_address: 0x000b0000 flags: 0 process_handle: 0x0000003c parameter: 0x00000000 stack_size: 0	success	68	0

Manipulates memory of a non-child process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2852 manipulating memory of non-child process 2104
1619615403.280501 NtAllocateVirtualMemory	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000003c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x000b0000	success	0	0

Potential code injection by writing to the memory of another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2852 injected into non-child 2104
1619615403.280501 WriteProcessMemory	process_identifier: 2104 buffer: üè`å1ÒdR0RRr(·J&1ÿ1À¬<a\|, ÁÏ ÇâðRWRB<Ð@xÀtJÐPHX Óã<I4Ö1ÿ1À¬ÁÏ Ç8àuô}ø;}$uâXX$ÓfKXÓÐD$$[[aYZQÿàX_Zë]hnethwiniThLw&ÿÕ1ÿWWWWWh:Vy§ÿÕé[1ÉQQjQQh»SPhWÆÿÕëp[1ÒRh@RRRSRPhëU.;ÿÕÆÃP1ÿWWjÿSVh-{ÿÕÀÃ1ÿötùë hªÅâ]ÿÕÁhE!^1ÿÕ1ÿWjQVPh·WàÿÕ¿/9Çt·1ÿééÉèÿÿÿ/efEL÷É¥ÁÁô8úÈÂFãÉ/6»#ÌnØc¬ÅÙ\|à0ñO/#Ö_NÆÓ<ÇEmGZ÷9´VÛ]øf)User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Avant Browser) ñÌQp°µu/TVRÏâæf/0É(puñö;_Uá´ÆdE×7çÒèjÞnHøÏ¬)7p"ë"ì ¦Ä¾&³Å"Ô¸gÈ=maþºZ_ÓW pâKú4´ÁO·Â QçJkØ´* êØ.khðiëÀ»ÀU}ìåRáJ/_Yðqë3¥C{·/(²²¨ý"°öªB/;G Ý«UzÇ¶ [¥~úI4x¸hðµ¢VÿÕj@hh@WhX¤SåÿÕ¹ÙQSçWh SVhâÿÕÀtÆÃÀuåXÃè©ýÿÿ212.64.87.3oªQÃ process_handle: 0x0000003c base_address: 0x000b0000	success	1	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 个事件)

Bkav	W32.AIDetectVM.malware2
DrWeb	Trojan.DownLoader34.32514
MicroWorld-eScan	Generic.Exploit.Shellcode.1.BCAC1C1E
FireEye	Generic.mg.708870a6ca376d2c
ALYac	Trojan.Agent.Swrort
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
CrowdStrike	win/malicious_confidence_80% (W)
Alibaba	Trojan:Win32/Swrort.eba71387
K7GW	Riskware ( 0040eff71 )
K7AntiVirus	Riskware ( 0040eff71 )
Arcabit	Generic.Exploit.Shellcode.1.BCAC1C1E
Invincea	Troj/Swrort-BY
BitDefenderTheta	AI:Packer.572C2C2E1F
Cyren	W32/Trojan.IXKW-8431
Symantec	ML.Attribute.HighConfidence
TrendMicro-HouseCall	TROJ_GEN.R03BC0DHN20
Avast	Win32:TrojanX-gen [Trj]
ClamAV	Win.Trojan.CobaltStrike-7913051-0
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Generic.Exploit.Shellcode.1.BCAC1C1E
NANO-Antivirus	Trojan.Win32.Swrort.htjkrh
Paloalto	generic.ml
Rising	HackTool.Swrort!1.6477 (CLASSIC)
Ad-Aware	Generic.Exploit.Shellcode.1.BCAC1C1E
Comodo	.UnclassifiedMalware@0
F-Secure	Trojan.TR/Swrort.zioqh
Zillya	Trojan.Rozena.Win32.102035
TrendMicro	TROJ_GEN.R03BC0DHN20
Sophos	Troj/Swrort-BY
Ikarus	Trojan.Win32.BadJoke
Jiangmin	Trojan.Generic.gdcmy
Avira	TR/Swrort.zioqh
MAX	malware (ai score=84)
Antiy-AVL	Trojan/Win32.Swrort
Microsoft	Trojan:Win32/Swrort.A
AegisLab	Trojan.Win32.Generic.4!c
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Generic.Exploit.Shellcode.1.BCAC1C1E
Cynet	Malicious (score: 85)
AhnLab-V3	Malware/Win32.Generic.C4193780
McAfee	RDN/Generic.grp
VBA32	Malware-Cryptor.Inject.gen
APEX	Malicious
ESET-NOD32	a variant of Win32/Rozena.AVU
Tencent	Win32.Trojan.Generic.Afrk
Fortinet	W32/Generic!tr
AVG	Win32:TrojanX-gen [Trj]
Panda	Trj/GdSda.A
Qihoo-360	Generic/Trojan.de0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	212.64.87.3:443
dead_host	192.168.56.101:49174

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-18 17:42:07

Imports

Library KERNEL32.dll:

• 0x518000 WaitForSingleObject

• 0x518004 TerminateProcess

• 0x518008 GetExitCodeProcess

• 0x51800c CreateRemoteThread

• 0x518010 CreateProcessW

• 0x518014 GetSystemDirectoryW

• 0x518018 VirtualAllocEx

• 0x51801c WriteProcessMemory

• 0x518020 lstrcatW

• 0x518024 GetCurrentThreadId

• 0x518028 IsDebuggerPresent

• 0x51802c RaiseException

• 0x518030 MultiByteToWideChar

• 0x518034 WideCharToMultiByte

• 0x518038 UnhandledExceptionFilter

• 0x51803c SetUnhandledExceptionFilter

• 0x518040 GetCurrentProcess

• 0x518044 IsProcessorFeaturePresent

• 0x518048 QueryPerformanceCounter

• 0x51804c GetCurrentProcessId

• 0x518050 GetSystemTimeAsFileTime

• 0x518054 InitializeSListHead

• 0x518058 GetStartupInfoW

• 0x51805c GetModuleHandleW

• 0x518060 GetLastError

• 0x518064 HeapAlloc

• 0x518068 HeapFree

• 0x51806c GetProcessHeap

• 0x518070 VirtualQuery

• 0x518074 FreeLibrary

• 0x518078 GetProcAddress

• 0x51807c CreateFileW

• 0x518080 InterlockedPushEntrySList

• 0x518084 InterlockedFlushSList

• 0x518088 GetModuleFileNameW

• 0x51808c LoadLibraryExW

• 0x518090 RtlUnwind

• 0x518094 SetLastError

• 0x518098 EnterCriticalSection

• 0x51809c LeaveCriticalSection

• 0x5180a0 DeleteCriticalSection

• 0x5180a4 InitializeCriticalSectionAndSpinCount

• 0x5180a8 TlsAlloc

• 0x5180ac TlsGetValue

• 0x5180b0 TlsSetValue

• 0x5180b4 TlsFree

• 0x5180b8 EncodePointer

• 0x5180bc GetModuleHandleExW

• 0x5180c0 GetStdHandle

• 0x5180c4 WriteFile

• 0x5180c8 ExitProcess

• 0x5180cc GetCommandLineA

• 0x5180d0 GetCommandLineW

• 0x5180d4 HeapValidate

• 0x5180d8 GetSystemInfo

• 0x5180dc GetDateFormatW

• 0x5180e0 GetTimeFormatW

• 0x5180e4 CompareStringW

• 0x5180e8 LCMapStringW

• 0x5180ec GetLocaleInfoW

• 0x5180f0 IsValidLocale

• 0x5180f4 GetUserDefaultLCID

• 0x5180f8 EnumSystemLocalesW

• 0x5180fc GetFileType

• 0x518100 GetCurrentThread

• 0x518104 OutputDebugStringW

• 0x518108 WriteConsoleW

• 0x51810c SetConsoleCtrlHandler

• 0x518110 FindClose

• 0x518114 FindFirstFileExW

• 0x518118 FindNextFileW

• 0x51811c IsValidCodePage

• 0x518120 GetACP

• 0x518124 GetOEMCP

• 0x518128 GetCPInfo

• 0x51812c GetEnvironmentStringsW

• 0x518130 FreeEnvironmentStringsW

• 0x518134 SetEnvironmentVariableW

• 0x518138 SetStdHandle

• 0x51813c GetStringTypeW

• 0x518140 HeapReAlloc

• 0x518144 HeapSize

• 0x518148 HeapQueryInformation

• 0x51814c FlushFileBuffers

• 0x518150 GetConsoleCP

• 0x518154 GetConsoleMode

• 0x518158 GetFileSizeEx

• 0x51815c SetFilePointerEx

• 0x518160 CloseHandle

• 0x518164 ReadFile

• 0x518168 ReadConsoleW

• 0x51816c DecodePointer

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51809	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	60124	239.255.255.250	3702
192.168.56.101	62194	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.