SmartHawk

8.2

高危

56 个模型检测该样本为恶意！

重新分析

下载样本

c4d2bbc3c3b3adae600631e9ab22124ce0b92588af7fabe69183469e0644cd4b

7985fe8e502b2cf4ae79603bd030f600.exe

分析耗时

95s

最近分析

文件大小

2.5MB

静态报毒动态报毒 AI SCORE=100 AIDETECTVM AJBX ARTEMIS ATTRIBUTE BANBRA BANKERX BEHAVIOR BSCOPE BUERAK CCNC CLOUD CONFIDENCE ENIGMA GNHPI HIGH CONFIDENCE HIGHCONFIDENCE JDXU MALWARE1 MALWARE@#3QDIC5QXJ8FOP OCCAMY POSSIBLETHREAT QVM19 R003C0WE920 SCORE SIGGEN9 SUSPICIOUS PE SYMMI THEMIDA TROJANBANKER UNSAFE WACATAC 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!7985FE8E502B	20200811	6.0.6.653
CrowdStrike	win/malicious_confidence_80% (W)	20190702	1.0
Alibaba	TrojanDownloader:Win32/Buerak.9b3aa2c1	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:BankerX-gen [Trj]	20200811	18.4.3895.0
Kingsoft		20200811	2013.8.14.323
Tencent	Win32.Trojan-downloader.Buerak.Ajbx	20200811	1.0.0.1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)

section
section	.themida
section	.boot

One or more processes crashed (6 个事件)

Time & API	Arguments	Status
1620773331.022249 __exception__	stacktrace: 7985fe8e502b2cf4ae79603bd030f600+0x381e62 @ 0x400b1e62 7985fe8e502b2cf4ae79603bd030f600+0x2b8e4c @ 0x3ffe8e4c registers.esp: 3603848 registers.edi: 1071071232 registers.eax: 3603848 registers.ebp: 3603928 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 2010805291 registers.ecx: 360513536 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x778eb727	success
1620773331.100249 __exception__	stacktrace: registers.esp: 3603968 registers.edi: 3747338 registers.eax: 1750617430 registers.ebp: 1071071232 registers.edx: 22614 registers.ebx: 0 registers.esi: 13 registers.ecx: 20 exception.instruction_r: ed e9 48 73 00 00 34 f5 dd 53 00 5d 00 e5 3b 01 exception.symbol: 7985fe8e502b2cf4ae79603bd030f600+0x3b0fb3 exception.instruction: in eax, dx exception.module: 7985fe8e502b2cf4ae79603bd030f600.exe exception.exception_code: 0xc0000096 exception.offset: 3870643 exception.address: 0x400e0fb3	success
1620773331.100249 __exception__	stacktrace: registers.esp: 3603968 registers.edi: 3747338 registers.eax: 1447909480 registers.ebp: 1071071232 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10 exception.instruction_r: ed e9 12 4b 02 00 c3 e9 2c 78 03 00 4a 6a 4a 40 exception.symbol: 7985fe8e502b2cf4ae79603bd030f600+0x3824c2 exception.instruction: in eax, dx exception.module: 7985fe8e502b2cf4ae79603bd030f600.exe exception.exception_code: 0xc0000096 exception.offset: 3679426 exception.address: 0x400b24c2	success
1620773392.647124 __exception__	stacktrace: errorresponder+0x381e62 @ 0x3f701e62 errorresponder+0x2b8e4c @ 0x3f638e4c registers.esp: 3079936 registers.edi: 1060913152 registers.eax: 3079936 registers.ebp: 3080016 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 2010805291 registers.ecx: 3932160000 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x778eb727	success
1620773392.725124 __exception__	stacktrace: registers.esp: 3080056 registers.edi: 5713385 registers.eax: 1750617430 registers.ebp: 1060913152 registers.edx: 22614 registers.ebx: 0 registers.esi: 13 registers.ecx: 20 exception.instruction_r: ed e9 48 73 00 00 34 f5 dd 53 00 5d 00 e5 3b 01 exception.symbol: errorresponder+0x3b0fb3 exception.instruction: in eax, dx exception.module: errorResponder.exe exception.exception_code: 0xc0000096 exception.offset: 3870643 exception.address: 0x3f730fb3	success
1620773392.725124 __exception__	stacktrace: registers.esp: 3080056 registers.edi: 5713385 registers.eax: 1447909480 registers.ebp: 1060913152 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10 exception.instruction_r: ed e9 12 4b 02 00 c3 e9 2c 78 03 00 4a 6a 4a 40 exception.symbol: errorresponder+0x3824c2 exception.instruction: in eax, dx exception.module: errorResponder.exe exception.exception_code: 0xc0000096 exception.offset: 3679426 exception.address: 0x3f7024c2	success

Allocates read-write-execute memory (usually to unpack itself) (12 个事件)

Time & API	Arguments	Status
1620773331.022249 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77dcf000	success
1620773331.022249 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1620773331.132249 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x3fd37000	success
1620773331.132249 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x3fd37000	success
1620773331.132249 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x3fd37000	success
1620773331.147249 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x3fd37000	success
1620773392.647124 NtProtectVirtualMemory	process_identifier: 324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77dcf000	success
1620773392.647124 NtProtectVirtualMemory	process_identifier: 324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1620773392.741124 NtProtectVirtualMemory	process_identifier: 324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x3f387000	success
1620773392.741124 NtProtectVirtualMemory	process_identifier: 324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x3f387000	success
1620773392.741124 NtProtectVirtualMemory	process_identifier: 324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x3f387000	success
1620773392.772124 NtProtectVirtualMemory	process_identifier: 324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x3f387000	success

Creates executable files on the filesystem (1 个事件)

file	C:\ProgramData\ErrorResponder\errorResponder.exe

Drops an executable to the user AppData folder (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7985fe8e502b2cf4ae79603bd030f600.exe

The binary likely contains encrypted or compressed data indicative of a packer (7 个事件)

entropy

7.957099783187681

section

{'size_of_data': '0x00003800', 'virtual_address': '0x00001000', 'entropy': 7.957099783187681, 'name': ' ', 'virtual_size': '0x00005f94'}

description