SmartHawk

2.8

中危

62 个模型检测该样本为恶意！

重新分析

下载样本

0d0d2e77dd103a8e6078dc957ed79f14d41326deee8bd2de3646840e179f9242

7668cabb5a3fe98787fdbb7081541ccf.exe

分析耗时

16s

最近分析

文件大小

171.5KB

静态报毒动态报毒 100% AI SCORE=100 AIDETECTVM CLOUD COINMINERX CONFIDENCE CRYPMOD CXWEE ELDORADO EVERBE FSEV GANDCRAB GDSDA GENCIRC GENERICKD GLUPTEBA HDGI HIGH CONFIDENCE KQ0@AODJGSFG KRYPTIK MALPE MALWARE1 MALWARE@#1TF1N2SCVZFNM PAYMEN45 PHOBOSRANSOM RACK SCORE SUSGEN SUSPICIOUS PE UNSAFE WACATAC X2065 ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Trojan-FSEV!7668CABB5A3F	20200808	6.0.6.653
Alibaba	Ransom:Win32/Gandcrab.16c1f70e	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:CoinminerX-gen [Trj]	20200808	18.4.3895.0
Tencent	Malware.Win32.Gencirc.116ef760	20200808	1.0.0.1
Kingsoft		20200808	2013.8.14.323
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

This executable has a PDB path (1 个事件)

pdb_path

C:\socicepi75_vecesakalimubefebe-yirafenuxahesi-hayixofojuzokoxa29 r.pdb

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619649223.703567 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0096a000	success	0	0
1619649223.735567 NtAllocateVirtualMemory	process_identifier: 912 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00380000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.568195272702581

section

{'size_of_data': '0x0000f600', 'virtual_address': '0x00001000', 'entropy': 7.568195272702581, 'name': '.text', 'virtual_size': '0x0000f5f0'}

description

A section with a high entropy has been found

entropy

0.36070381231671556

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 62 AntiVirus engines on VirusTotal as malicious (50 out of 62 个事件)

Bkav	W32.AIDetectVM.malware1
ClamAV	Win.Malware.Glupteba-7784061-1
CAT-QuickHeal	TrojanRansom.Rack
McAfee	Trojan-FSEV!7668CABB5A3F
Cylance	Unsafe
Zillya	Trojan.Crypmod.Win32.1325
Sangfor	Malware
K7AntiVirus	Trojan ( 005668281 )
Alibaba	Ransom:Win32/Gandcrab.16c1f70e
K7GW	Trojan ( 005668281 )
Cybereason	malicious.cd3d46
TrendMicro	Ransom.Win32.EVERBE.D
F-Prot	W32/GandCrab.BD.gen!Eldorado
Symantec	Packed.Generic.525
ESET-NOD32	a variant of Win32/Kryptik.HDGI
APEX	Malicious
Avast	Win32:CoinminerX-gen [Trj]
Cynet	Malicious (score: 100)
GData	Trojan.GenericKD.33822217
Kaspersky	Trojan-Ransom.Win32.Rack.ixz
BitDefender	Trojan.GenericKD.33822217
ViRobot	Trojan.Win32.S.Ransom.175616.C
MicroWorld-eScan	Trojan.GenericKD.33822217
Tencent	Malware.Win32.Gencirc.116ef760
Ad-Aware	Trojan.GenericKD.33822217
Sophos	Mal/GandCrab-G
Comodo	Malware@#1tf1n2scvzfnm
F-Secure	Trojan.TR/AD.PhobosRansom.cxwee
DrWeb	Trojan.Encoder.31793
VIPRE	Trojan.Win32.Generic!BT
Invincea	heuristic
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.7668cabb5a3fe987
Emsisoft	Trojan.GenericKD.33822217 (B)
Paloalto	generic.ml
Cyren	W32/Trojan.DFCF-3660
Jiangmin	Trojan.Crypmod.yd
eGambit	Unsafe.AI_Score_98%
Avira	TR/AD.PhobosRansom.cxwee
MAX	malware (ai score=100)
Antiy-AVL	Trojan/Win32.Wacatac
Endgame	malicious (high confidence)
Arcabit	Trojan.Generic.D2041609
ZoneAlarm	Trojan-Ransom.Win32.Rack.ixz
Microsoft	Ransom:Win32/Gandcrab.AHB!MTB
AhnLab-V3	Trojan/Win.MalPe.X2065
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.34152.kq0@aOdJGsfG
ALYac	Trojan.Ransom.Paymen45
TACHYON	Ransom/W32.Paymen45.175616

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-08-15 10:29:15

Imports

Library KERNEL32.dll:

• 0x411008 GlobalAlloc

• 0x41100c GetLocaleInfoW

• 0x411010 FormatMessageW

• 0x411014 GetExitCodeProcess

• 0x411018 GetFileAttributesW

• 0x41101c ReadFile

• 0x411020 lstrlenW

• 0x411024 IsBadStringPtrA

• 0x411028 WritePrivateProfileStringW

• 0x41102c GetCurrencyFormatW

• 0x411030 LCMapStringA

• 0x411034 FindFirstFileExA

• 0x411038 GetLastError

• 0x41103c GetProcAddress

• 0x411040 RemoveDirectoryA

• 0x411044 OpenWaitableTimerA

• 0x411048 GetPrivateProfileSectionA

• 0x41104c GetCurrentProcessId

• 0x411050 SetCommTimeouts

• 0x411054 GetModuleHandleW

• 0x411058 SleepEx

• 0x41105c CreateHardLinkA

• 0x411060 HeapAlloc

• 0x411064 GetDriveTypeW

• 0x411068 FindResourceA

• 0x41106c GetNamedPipeHandleStateW

• 0x411070 CreateFileA

• 0x411074 Sleep

• 0x411078 ExitProcess

• 0x41107c GetStartupInfoW

• 0x411080 TerminateProcess

• 0x411084 GetCurrentProcess

• 0x411088 UnhandledExceptionFilter

• 0x41108c SetUnhandledExceptionFilter

• 0x411090 IsDebuggerPresent

• 0x411094 TlsGetValue

• 0x411098 TlsAlloc

• 0x41109c TlsSetValue

• 0x4110a0 TlsFree

• 0x4110a4 InterlockedIncrement

• 0x4110a8 SetLastError

• 0x4110ac GetCurrentThreadId

• 0x4110b0 InterlockedDecrement

• 0x4110b4 WriteFile

• 0x4110b8 GetStdHandle

• 0x4110bc GetModuleFileNameA

• 0x4110c0 DeleteCriticalSection

• 0x4110c4 LeaveCriticalSection

• 0x4110c8 EnterCriticalSection

• 0x4110cc LoadLibraryA

• 0x4110d0 InitializeCriticalSectionAndSpinCount

• 0x4110d4 GetModuleFileNameW

• 0x4110d8 FreeEnvironmentStringsW

• 0x4110dc GetEnvironmentStringsW

• 0x4110e0 GetCommandLineW

• 0x4110e4 SetHandleCount

• 0x4110e8 GetFileType

• 0x4110ec GetStartupInfoA

• 0x4110f0 HeapCreate

• 0x4110f4 VirtualFree

• 0x4110f8 HeapFree

• 0x4110fc QueryPerformanceCounter

• 0x411100 GetTickCount

• 0x411104 GetSystemTimeAsFileTime

• 0x411108 GetCPInfo

• 0x41110c GetACP

• 0x411110 GetOEMCP

• 0x411114 IsValidCodePage

• 0x411118 HeapSize

• 0x41111c RtlUnwind

• 0x411120 GetLocaleInfoA

• 0x411124 WideCharToMultiByte

• 0x411128 VirtualAlloc

• 0x41112c HeapReAlloc

• 0x411130 GetStringTypeA

• 0x411134 MultiByteToWideChar

• 0x411138 GetStringTypeW

• 0x41113c LCMapStringW

Library ADVAPI32.dll:

• 0x411000 LookupAccountNameA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58370	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.