SmartHawk

2.8

中危

58 个模型检测该样本为恶意！

重新分析

下载样本

2b648f76aaae28bfbe8e9e4be3db323aefd3933a60ad6ec4d1847b78d8282a3f

8a523867c27c8ce224cc290c5de2f943.exe

分析耗时

75s

最近分析

文件大小

1.2MB

静态报毒动态报毒 100% AI SCORE=83 AIDETECTVM BUNITU CLOUD COBRA CONFIDENCE EBGS ENCPK GENERICKD GENETIC GOZI HACKTOOL HECU HIGH CONFIDENCE JCAQR KRAP KRYPT KRYPTIK LKMC MALCERT MALICIOUS PE MALWARE2 MALWARE@#5ARWGBVCEE18 MR1@A4NRDINI MULTIPMF QAKBOT QBOT QVM20 S13141076 SCORE SUSGEN SUSPIG16 THEOIBO TROJANX UNSAFE URSNIF URSNIFDROPPER WACATAC WLKA ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	TrojanSpy:Win32/Ursnif.a66b6c9c	20190527	0.3.0.5
Avast	Win32:TrojanX-gen [Trj]	20200702	18.4.3895.0
Baidu		20190318	1.0.0.2
Kingsoft		20200703	2013.8.14.323
Tencent	Win32.Trojan-banker.Gozi.Ebgs	20200703	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619686135.078205 GetComputerNameW	computer_name:	failed	0	0
1619686135.078205 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

This executable is signed

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

MUI

Allocates read-write-execute memory (usually to unpack itself) (3 个事件)

Time & API	Arguments	Status
1619686134.016205 NtAllocateVirtualMemory	process_identifier: 648 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01d70000	success
1619686134.750205 NtAllocateVirtualMemory	process_identifier: 648 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01d80000	success
1619686134.750205 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 61440 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 个事件)

Bkav	W32.AIDetectVM.malware2
DrWeb	Trojan.Gozi.661
MicroWorld-eScan	Trojan.GenericKD.43104966
CAT-QuickHeal	Trojan.MultiPMF.S13141076
ALYac	Spyware.Ursnif
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic.pak!cobra
Sangfor	Malware
K7AntiVirus	Trojan ( 005661981 )
BitDefender	Trojan.GenericKD.43104966
K7GW	Trojan ( 005661981 )
Arcabit	Trojan.Generic.D291BAC6
TrendMicro	TrojanSpy.Win32.URSNIF.THEOIBO
BitDefenderTheta	Gen:NN.ZexaF.34130.mr1@a4nrDIni
Cyren	W32/Trojan.WLKA-1285
Symantec	Packed.Generic.459
ESET-NOD32	a variant of Win32/Kryptik.HECU
TrendMicro-HouseCall	Backdoor.Win32.QAKBOT.SME
Paloalto	generic.ml
ClamAV	Win.Dropper.Ursnif-7761145-0
GData	Trojan.GenericKD.43104966
Kaspersky	HEUR:Trojan-Banker.Win32.Gozi.pef
Alibaba	TrojanSpy:Win32/Ursnif.a66b6c9c
AegisLab	Hacktool.Win32.Krap.lKMc
Avast	Win32:TrojanX-gen [Trj]
Rising	Trojan.Kryptik!1.C60B (CLOUD)
Ad-Aware	Trojan.GenericKD.43104966
Emsisoft	MalCert.A (A)
Comodo	Malware@#5arwgbvcee18
F-Secure	Trojan.TR/AD.UrsnifDropper.jcaqr
Zillya	Trojan.Kryptik.Win32.2012063
Invincea	heuristic
FireEye	Generic.mg.8a523867c27c8ce2
Sophos	Mal/EncPk-APV
SentinelOne	DFI - Malicious PE
Jiangmin	Trojan.Banker.Gozi.ani
Webroot	W32.Trojan.Gen
Avira	TR/AD.UrsnifDropper.jcaqr
Antiy-AVL	Trojan[Banker]/Win32.Gozi
Microsoft	TrojanSpy:Win32/Ursnif.ARJ!MTB
Endgame	malicious (high confidence)
ZoneAlarm	HEUR:Trojan-Banker.Win32.Gozi.pef
Cynet	Malicious (score: 85)
AhnLab-V3	Win-Trojan/Suspig16.Exp
Acronis	suspicious
VBA32	Trojan.Wacatac
MAX	malware (ai score=83)
Malwarebytes	Trojan.Bunitu
APEX	Malicious
Tencent	Win32.Trojan-banker.Gozi.Ebgs

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-05-05 02:59:51

Imports

Library KERNEL32.dll:

• 0x5290d4 LoadLibraryA

• 0x5290d8 GetProcAddress

• 0x5290dc GetModuleHandleA

• 0x5290e0 GetLastError

• 0x5290e4 lstrcmpiA

• 0x5290e8 LocalFree

• 0x5290ec LocalAlloc

• 0x5290f0 GetACP

• 0x5290f4 Sleep

• 0x5290f8 VirtualFree

• 0x5290fc VirtualAlloc

• 0x529100 GetSystemInfo

• 0x529104 GetVersion

• 0x529108 GetCurrentThreadId

• 0x52910c VirtualQuery

• 0x529110 WideCharToMultiByte

• 0x529114 MultiByteToWideChar

• 0x529118 lstrlenW

• 0x52911c lstrcpynW

• 0x529120 LoadLibraryExW

• 0x529124 IsValidLocale

• 0x529128 GetSystemDefaultUILanguage

• 0x52912c GetStartupInfoA

• 0x529130 GetModuleHandleW

• 0x529134 GetModuleFileNameW

• 0x529138 GetUserDefaultUILanguage

• 0x52913c GetLocaleInfoW

• 0x529140 GetCommandLineW

• 0x529144 FreeLibrary

• 0x529148 FindFirstFileW

• 0x52914c FindClose

• 0x529150 ExitProcess

• 0x529154 WriteFile

• 0x529158 UnhandledExceptionFilter

• 0x52915c RtlUnwind

• 0x529160 RaiseException

• 0x529164 GetStdHandle

• 0x529168 DeleteCriticalSection

• 0x52916c LeaveCriticalSection

• 0x529170 EnterCriticalSection

• 0x529174 InitializeCriticalSection

• 0x529178 CloseHandle

• 0x52917c TlsSetValue

• 0x529180 TlsGetValue

• 0x529184 WaitForSingleObject

• 0x529188 VirtualQueryEx

• 0x52918c UnmapViewOfFile

• 0x529190 SwitchToThread

• 0x529194 SignalObjectAndWait

• 0x529198 SetLastError

• 0x52919c SetFilePointer

• 0x5291a0 SetEvent

• 0x5291a4 SetEndOfFile

• 0x5291a8 ResetEvent

• 0x5291ac ReadFile

• 0x5291b0 OpenFileMappingW

• 0x5291b4 MoveFileW

• 0x5291b8 MapViewOfFile

• 0x5291bc LoadLibraryExA

• 0x5291c0 LCMapStringW

• 0x5291c4 GetVersionExW

• 0x5291c8 GetThreadLocale

• 0x5291cc GetShortPathNameA

• 0x5291d0 GetShortPathNameW

• 0x5291d4 GetLocalTime

• 0x5291d8 GetFullPathNameW

• 0x5291dc GetFileAttributesW

• 0x5291e0 GetDiskFreeSpaceW

• 0x5291e4 GetDateFormatW

• 0x5291e8 GetCurrentProcess

• 0x5291ec GetCPInfo

• 0x5291f0 InterlockedExchangeAdd

• 0x5291f4 InterlockedExchange

• 0x5291f8 InterlockedCompareExchange

• 0x5291fc FormatMessageW

• 0x529200 EnumCalendarInfoW

• 0x529204 DeleteFileW

• 0x529208 CreateFileW

• 0x52920c CreateEventW

• 0x529210 CopyFileW

• 0x529214 CompareStringW

• 0x529218 GetNumberOfConsoleInputEvents

• 0x52921c GetTapeParameters

• 0x529220 EnumResourceTypesW

• 0x529224 GetHandleInformation

• 0x529228 GetProcessHeaps

• 0x52922c ExitThread

• 0x529230 SetConsoleOutputCP

• 0x529234 CompareStringA

• 0x529238 MoveFileExA

• 0x52923c GetVersionExA

• 0x529240 FatalAppExitA

Library USER32.dll:

• 0x529248 GetListBoxInfo

• 0x52924c GetKeyState

• 0x529250 LoadIconA

• 0x529254 CharNextA

• 0x529258 CharNextW

• 0x52925c LoadCursorW

• 0x529260 LoadStringW

• 0x529264 MessageBoxA

• 0x529268 CreateWindowExW

• 0x52926c TranslateMessage

• 0x529270 SendMessageW

• 0x529274 RegisterClassW

• 0x529278 PostQuitMessage

• 0x52927c PostMessageW

• 0x529280 PeekMessageW

• 0x529284 MessageBoxW

• 0x529288 GetSystemMetrics

• 0x52928c DispatchMessageW

• 0x529290 DefWindowProcW

• 0x529294 CharUpperBuffW

• 0x529298 PeekMessageA

• 0x52929c WINNLSGetIMEHotkey

• 0x5292a0 IsRectEmpty

• 0x5292a4 EnumWindows

• 0x5292a8 GetScrollPos

• 0x5292ac EnumWindowStationsW

• 0x5292b0 LoadMenuW

• 0x5292b4 DdeSetUserHandle

• 0x5292b8 GetSysColorBrush

• 0x5292bc LoadAcceleratorsW

• 0x5292c0 CloseClipboard

• 0x5292c4 MapVirtualKeyExW

• 0x5292c8 SetWindowsHookExA

• 0x5292cc DdeUninitialize

• 0x5292d0 GetAncestor

• 0x5292d4 DialogBoxIndirectParamW

• 0x5292d8 MoveWindow

• 0x5292dc GetDC

Library GDI32.dll:

• 0x5292e4 GetStockObject

• 0x5292e8 GetStretchBltMode

• 0x5292ec GetEnhMetaFileA

• 0x5292f0 DeleteMetaFile

• 0x5292f4 CreateMetaFileA

• 0x5292f8 StrokePath

• 0x5292fc bMakePathNameW

• 0x529300 GetBkMode

• 0x529304 EngStretchBltROP

• 0x529308 DrawEscape

• 0x52930c GetOutlineTextMetricsW

• 0x529310 UnloadNetworkFonts

• 0x529314 SelectClipPath

• 0x529318 GetSystemPaletteEntries

• 0x52931c Pie

Library COMDLG32.dll:

• 0x529324 GetSaveFileNameW

Library ADVAPI32.dll:

• 0x52932c RegOpenKeyA

• 0x529330 GetUserNameA

• 0x529334 RegQueryValueExW

• 0x529338 RegOpenKeyExW

• 0x52933c RegCloseKey

Library SHELL32.dll:

• 0x529344 DuplicateIcon

• 0x529348 ShellExecuteExA

• 0x52934c SHGetInstanceExplorer

• 0x529350 SHPathPrepareForWriteA

• 0x529354 SHGetFileInfoW

• 0x529358 SHInvokePrinterCommandW

• 0x52935c SHBrowseForFolderA

• 0x529360 ShellExecuteExW

Library SHLWAPI.dll:

• 0x529368 StrChrW

• 0x52936c PathCombineA

Library COMCTL32.dll:

• 0x529374 ImageList_Add

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 51.105.208.173 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	123	51.105.208.173 time.windows.com	123
192.168.56.101	56539	8.8.8.8	53
192.168.56.101	65004	8.8.8.8	53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.