SmartHawk

2.8

中危

57 个模型检测该样本为恶意！

重新分析

下载样本

7b14eac735e20d77a117775f411f64b2f19ad0a03314d90afb3a939dcd9eff48

79ebc423a1913a44329f904470b765a5.exe

分析耗时

76s

最近分析

文件大小

326.9KB

静态报毒动态报毒 100% A + MAL AI SCORE=81 AIDETECTVM BSCOPE CONFIDENCE EHLS ELKD ENCPK FGIT GENCIRC GENERICRXKR GENETIC GENKRYPTIK GOZI GRAYWARE HIGH CONFIDENCE KRYPTIK MALICIOUS PE MALWARE1 MALWARE@#5XXERX4JZHO5 MINT QAKBOT R337622 REGOTET SCORE SMTHA SQABPK54RZP STATIC AI TROJANBANKER UNSAFE URSNIF YKCXT ZL5CIBWF9TO 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	GenericRXKR-BC!79EBC423A191	20201211	6.0.6.653
Alibaba	TrojanSpy:Win32/Ursnif.6abaa3de	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:Malware-gen	20201210	21.1.5827.0
Tencent	Malware.Win32.Gencirc.10cdcb98	20201211	1.0.0.1
Kingsoft		20201211	2017.9.26.565
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619649232.971241 GetComputerNameW	computer_name:	failed	0	0
1619649232.971241 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

This executable is signed

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

IBC

Allocates read-write-execute memory (usually to unpack itself) (3 个事件)

Time & API	Arguments	Status
1619649223.737241 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01c40000	success
1619649232.705241 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 159744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01c90000	success
1619649232.705241 NtProtectVirtualMemory	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Heur.Mint.Regotet.1
FireEye	Generic.mg.79ebc423a1913a44
McAfee	GenericRXKR-BC!79EBC423A191
Cylance	Unsafe
Zillya	Trojan.Ursnif.Win32.11382
Sangfor	Malware
K7AntiVirus	Trojan ( 005673821 )
Alibaba	TrojanSpy:Win32/Ursnif.6abaa3de
K7GW	Trojan ( 005673821 )
Cybereason	malicious.3a1913
Arcabit	Trojan.Mint.Regotet.1
BitDefenderTheta	AI:Packer.630236191F
Cyren	W32/Trojan.FGIT-7475
Symantec	Trojan.Ursnif
TrendMicro-HouseCall	TrojanSpy.Win32.QAKBOT.SMTHA.hp
Paloalto	generic.ml
ClamAV	Win.Packed.Regotet-7869380-0
Kaspersky	HEUR:Trojan-Banker.Win32.Gozi.pef
BitDefender	Gen:Heur.Mint.Regotet.1
Avast	Win32:Malware-gen
Tencent	Malware.Win32.Gencirc.10cdcb98
Ad-Aware	Gen:Heur.Mint.Regotet.1
Emsisoft	Trojan-Spy.Ursnif (A)
Comodo	Malware@#5xxerx4jzho5
F-Secure	Trojan.TR/Spy.Ursnif.ykcxt
DrWeb	Trojan.Gozi.683
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TrojanSpy.Win32.QAKBOT.SMTHA.hp
McAfee-GW-Edition	GenericRXKR-BC!79EBC423A191
Sophos	ML/PE-A + Mal/EncPk-APV
APEX	Malicious
Jiangmin	Trojan.Banker.Gozi.ant
Avira	TR/Spy.Ursnif.ykcxt
MAX	malware (ai score=81)
Antiy-AVL	GrayWare/Win32.Kryptik.ehls
Gridinsoft	Trojan.Win32.Kryptik.dd!s1
Microsoft	Trojan:Win32/Ursnif.MK!MSR
AegisLab	Trojan.Win32.Mint.4!c
ZoneAlarm	HEUR:Trojan-Banker.Win32.Gozi.pef
GData	Gen:Heur.Mint.Regotet.1
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Ursnif.R337622
VBA32	BScope.TrojanBanker.Gozi
Malwarebytes	Trojan.Injector
Ikarus	Trojan-Spy.Agent
ESET-NOD32	Win32/Spy.Ursnif.CZ
Rising	Trojan.Kryptik!8.8 (TFE:3:sqabpk54rzP)
Yandex	TrojanSpy.Ursnif!ZL5CibWF9To

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-05-21 01:22:27

Imports

Library KERNEL32.dll:

• 0x44d320 GetModuleHandleA

• 0x44d324 VirtualAllocEx

• 0x44d328 LoadLibraryA

• 0x44d32c GetProcAddress

Library USER32.dll:

• 0x44d334 LoadIconA

• 0x44d338 IsWindowUnicode

• 0x44d33c GetDesktopWindow

• 0x44d340 GetMenu

• 0x44d344 GetWindowTextLengthA

• 0x44d348 DestroyWindow

• 0x44d34c GetKBCodePage

• 0x44d350 GetActiveWindow

• 0x44d354 CharNextA

• 0x44d358 EndMenu

• 0x44d35c DestroyCursor

• 0x44d360 CharNextW

• 0x44d364 IsCharLowerW

• 0x44d368 IsCharAlphaNumericW

• 0x44d36c IsMenu

• 0x44d370 GetDlgCtrlID

• 0x44d374 GetListBoxInfo

• 0x44d378 GetDoubleClickTime

• 0x44d37c IsClipboardFormatAvailable

• 0x44d380 GetCursor

• 0x44d384 GetMenuContextHelpId

• 0x44d388 GetKeyboardLayout

• 0x44d38c IsWindowEnabled

• 0x44d390 IsWindow

• 0x44d394 GetTopWindow

• 0x44d398 InSendMessage

• 0x44d39c GetClipboardSequenceNumber

• 0x44d3a0 CountClipboardFormats

• 0x44d3a4 CloseWindowStation

• 0x44d3a8 CharUpperW

• 0x44d3ac GetInputState

Library GDI32.dll:

• 0x44d3b4 EndPage

• 0x44d3b8 GetObjectType

• 0x44d3bc WidenPath

• 0x44d3c0 UnrealizeObject

• 0x44d3c4 GetTextCharacterExtra

• 0x44d3c8 EndDoc

• 0x44d3cc GetColorSpace

• 0x44d3d0 CancelDC

• 0x44d3d4 EndPath

• 0x44d3d8 SwapBuffers

• 0x44d3dc FillPath

• 0x44d3e0 CreateMetaFileA

• 0x44d3e4 CloseMetaFile

• 0x44d3e8 PathToRegion

• 0x44d3ec AddFontResourceW

Library COMDLG32.dll:

• 0x44d3f4 GetFileTitleA

Library ADVAPI32.dll:

• 0x44d3fc RegOpenKeyA

• 0x44d400 RegQueryValueExA

• 0x44d404 GetUserNameA

• 0x44d408 RegSetValueW

• 0x44d40c RegQueryValueExW

• 0x44d410 RegOpenKeyW

• 0x44d414 RegDeleteKeyW

• 0x44d418 RegCloseKey

Library ole32.dll:

• 0x44d420 OleUninitialize

• 0x44d424 OleInitialize

• 0x44d428 CoTaskMemFree

• 0x44d42c StringFromCLSID

Library MSVCRT.dll:

• 0x44d434 __p__commode

• 0x44d438 __p__fmode

• 0x44d43c __set_app_type

• 0x44d440 _controlfp

• 0x44d444 _adjust_fdiv

• 0x44d448 __setusermatherr

• 0x44d44c _initterm

• 0x44d450 __getmainargs

• 0x44d454 __initenv

• 0x44d458 exit

• 0x44d45c _cexit

• 0x44d460 _XcptFilter

• 0x44d464 _exit

• 0x44d468 _c_exit

• 0x44d46c _wcsnicmp

• 0x44d470 printf

• 0x44d474 _except_handler3

• 0x44d478 wcscpy

• 0x44d47c wcscat

• 0x44d480 fgetws

• 0x44d484 towupper

• 0x44d488 _iob

• 0x44d48c _putws

• 0x44d490 wcscmp

• 0x44d494 swprintf

• 0x44d498 malloc

• 0x44d49c free

• 0x44d4a0 _wcsicmp

• 0x44d4a4 wcschr

• 0x44d4a8 wcslen

• 0x44d4ac _get_osfhandle

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.