SmartHawk

2.4

中危

58 个模型检测该样本为恶意！

重新分析

下载样本

3a971cb00b359b0a9a86157d6e19e2710e7f42098eb4fdd3f8d46f5333cdbf45

78a53e535e229dfeaf3c57f0c83a47c0.exe

分析耗时

80s

最近分析

文件大小

3.4MB

静态报毒动态报毒 100% AI SCORE=86 AIDETECT AJLT ATTRIBUTE CERT CLOUD CONFIDENCE DANGEROUSSIG ELDORADO ENCPK EPACK EUVD FALSESIGN GEN2 GENETIC HACKTOOL HFMH HIGH CONFIDENCE HIGHCONFIDENCE HRPXLL KCLOUD KRAP KRYPTIK LKMC MALCERT MALWARE2 MALWARE@#3BG4EE24HLLL9 PINKSBOT QAKBOT QBOT R + MAL R347713 SAVE SCORE STATIC AI SUSGEN SUSPICIOUS PE UNSAFE XPX@A4E3OQF ZENPAK ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Trojan:Win32/Qakbot.3771f594	20190527	0.3.0.5
Avast	Win32:DangerousSig [Trj]	20210317	21.1.5827.0
Tencent	Win32.Trojan.Falsesign.Ajlt	20210318	1.0.0.1
Baidu		20190318	1.0.0.2
Kingsoft	Win32.Troj.Undef.(kcloud)	20210318	2017.9.26.565
McAfee	W32/PinkSbot-GZ!78A53E535E22	20210318	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20210203	1.0

This executable is signed

Allocates read-write-execute memory (usually to unpack itself) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619649223.590857 NtAllocateVirtualMemory	process_identifier: 3048 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00760000	success	0	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 个事件)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
DrWeb	BackDoor.Qbot.536
MicroWorld-eScan	Trojan.Agent.EUVD
FireEye	Generic.mg.78a53e535e229dfe
ALYac	Trojan.Agent.EUVD
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.2593947
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0056c68d1 )
Alibaba	Trojan:Win32/Qakbot.3771f594
K7GW	Trojan ( 0056c68d1 )
Cybereason	malicious.35e229
BitDefenderTheta	Gen:NN.ZexaF.34628.xpX@a4E3OQf
Cyren	W32/Qbot.Q.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:DangerousSig [Trj]
ClamAV	Win.Packed.Qakbot-9514843-0
Kaspersky	HEUR:Trojan.Win32.Zenpak.pef
BitDefender	Trojan.Agent.EUVD
NANO-Antivirus	Trojan.Win32.Zenpak.hrpxll
Paloalto	generic.ml
AegisLab	Hacktool.Win32.Krap.lKMc
Tencent	Win32.Trojan.Falsesign.Ajlt
Ad-Aware	Trojan.Agent.EUVD
Sophos	Mal/Generic-R + Mal/EncPk-APV
Comodo	Malware@#3bg4ee24hlll9
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Backdoor.Win32.QAKBOT.SMF
McAfee-GW-Edition	W32/PinkSbot-GZ!78A53E535E22
Emsisoft	MalCert.A (A)
SentinelOne	Static AI - Suspicious PE
GData	Trojan.Agent.EUVD
Jiangmin	Trojan.Zenpak.ctx
MaxSecure	Trojan.Malware.73712734.susgen
Avira	TR/Crypt.EPACK.Gen2
MAX	malware (ai score=86)
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Kryptik.oa
ZoneAlarm	HEUR:Trojan.Win32.Zenpak.pef
Microsoft	Trojan:Win32/Qakbot.VD!Cert
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Qakbot.R347713
Acronis	suspicious
McAfee	W32/PinkSbot-GZ!78A53E535E22
VBA32	Trojan.Inject
Malwarebytes	Backdoor.Qbot
ESET-NOD32	a variant of Win32/Kryptik.HFMH
TrendMicro-HouseCall	Backdoor.Win32.QAKBOT.SMF

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1983-02-08 09:45:22

Imports

Library KERNEL32.dll:

• 0x75e42c GetModuleHandleA

• 0x75e430 GetModuleFileNameA

• 0x75e434 QueryPerformanceCounter

• 0x75e438 GetProcAddress

• 0x75e43c QueryPerformanceFrequency

• 0x75e440 LoadLibraryA

• 0x75e444 EnumSystemLocalesW

• 0x75e448 lstrcat

• 0x75e44c ReadFile

• 0x75e450 WritePrivateProfileStructA

• 0x75e454 InitializeCriticalSectionAndSpinCount

• 0x75e458 GetModuleHandleW

• 0x75e45c VirtualAllocEx

• 0x75e460 GetLastError

• 0x75e464 Sleep

Library USER32.dll:

• 0x75e46c HideCaret

• 0x75e470 InsertMenuItemW

• 0x75e474 GetCursor

• 0x75e478 IMPGetIMEW

• 0x75e47c BroadcastSystemMessageA

• 0x75e480 RemoveMenu

• 0x75e484 DrawIcon

• 0x75e488 LoadIconA

• 0x75e48c GetAsyncKeyState

• 0x75e490 WindowFromDC

• 0x75e494 GetClipboardData

• 0x75e498 ReleaseCapture

• 0x75e49c IsCharLowerA

• 0x75e4a0 GetInputState

• 0x75e4a4 GetThreadDesktop

• 0x75e4a8 DestroyWindow

• 0x75e4ac GetListBoxInfo

• 0x75e4b0 GetTopWindow

• 0x75e4b4 CharNextA

• 0x75e4b8 EndMenu

• 0x75e4bc CloseDesktop

• 0x75e4c0 GetDlgCtrlID

Library GDI32.dll:

• 0x75e4c8 GetCharABCWidthsFloatA

• 0x75e4cc EngDeleteSurface

• 0x75e4d0 GdiEntry15

• 0x75e4d4 XLATEOBJ_piVector

• 0x75e4d8 EnumFontFamiliesA

• 0x75e4dc CreateMetaFileA

• 0x75e4e0 FONTOBJ_pxoGetXform

• 0x75e4e4 GetGlyphOutlineWow

• 0x75e4e8 DrawEscape

• 0x75e4ec PATHOBJ_bEnum

• 0x75e4f0 ChoosePixelFormat

• 0x75e4f4 GetWindowExtEx

• 0x75e4f8 GdiDllInitialize

• 0x75e4fc GetStockObject

• 0x75e500 GetEnhMetaFileW

• 0x75e504 GetDCBrushColor

• 0x75e508 GetDCPenColor

• 0x75e50c CloseFigure

• 0x75e510 CreateCompatibleDC

• 0x75e514 GetMapMode

• 0x75e518 PathToRegion

• 0x75e51c SetMetaRgn

• 0x75e520 GetTextCharacterExtra

• 0x75e524 GetStretchBltMode

• 0x75e528 GetPixelFormat

• 0x75e52c GetSystemPaletteUse

• 0x75e530 DeleteMetaFile

Library ADVAPI32.dll:

• 0x75e538 RegOpenKeyExA

• 0x75e53c RegQueryValueExA

• 0x75e540 RegCloseKey

• 0x75e544 RegOpenKeyW

• 0x75e548 GetUserNameA

Library SHELL32.dll:

• 0x75e550 ShellExecuteEx

• 0x75e554 SHGetSpecialFolderPathA

• 0x75e558 SHFreeNameMappings

• 0x75e55c DuplicateIcon

• 0x75e560 ShellExecuteW

• 0x75e564 DragQueryFileW

• 0x75e568 ExtractAssociatedIconExW

• 0x75e56c SHBrowseForFolderA

• 0x75e570 SHFileOperationA

• 0x75e574 CommandLineToArgvW

• 0x75e578 ShellAboutW

• 0x75e57c ShellHookProc

• 0x75e580 CheckEscapesW

• 0x75e584 SHQueryRecycleBinW

• 0x75e588 SHFileOperationW

• 0x75e58c SHBrowseForFolder

• 0x75e590 ShellExecuteExA

• 0x75e594 Shell_NotifyIcon

• 0x75e598 DragQueryFileAorW

• 0x75e59c SHGetFileInfoA

• 0x75e5a0 SHGetFileInfoW

• 0x75e5a4 SHCreateDirectoryExW

• 0x75e5a8 SHGetFolderLocation

• 0x75e5ac SHQueryRecycleBinA

• 0x75e5b0 SHInvokePrinterCommandW

• 0x75e5b4 SHBindToParent

• 0x75e5b8 SHGetPathFromIDListA

• 0x75e5bc DoEnvironmentSubstA

Library SHLWAPI.dll:

• 0x75e5c4 StrChrIW

• 0x75e5c8 StrStrA

• 0x75e5cc StrChrA

• 0x75e5d0 StrStrIW

• 0x75e5d4 StrChrIA

• 0x75e5d8 StrCmpNA

• 0x75e5dc StrRChrA

• 0x75e5e0 StrRChrIA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51809	239.255.255.250	3702
192.168.56.101	51811	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.